unofficial mirror of guix-devel@gnu.org 
* [PATCH 0/1] openssh: Fix CVE-2015-8325
From: Leo Famulari @ 2016-04-15 18:22 UTC
  To: guix-devel

Debian has applied an upstream patch to fix CVE-2015-8325 [0][1][2] in
OpenSSH [3].

OpenSSH builds and seems to work with this patch.

I can't find any public and "official" announcement of this issue yet.
For example, not from Mitre or OpenSSH themselves, aside from the
OpenSSH commit log. For this reason, I want to wait for an "okay" from
other Guix developers.

Please advise, and feel free to apply the patch yourself if appropriate.

[0] https://security-tracker.debian.org/tracker/CVE-2015-8325
[1] https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325
[3] http://www.openssh.com/portable.html

Leo Famulari (1):
  gnu: openssh: Fix CVE-2015-8325.

 gnu-system.am                                    |  1 +
 gnu/packages/patches/openssh-CVE-2015-8325.patch | 31 ++++++++++++++++++++++++
 gnu/packages/ssh.scm                             |  3 ++-
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssh-CVE-2015-8325.patch

-- 
2.7.3


* [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.
From: Leo Famulari @ 2016-04-15 18:22 UTC
  To: guix-devel

* gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/ssh.scm (openssh): Use it.
---
 gnu-system.am                                    |  1 +
 gnu/packages/patches/openssh-CVE-2015-8325.patch | 31 ++++++++++++++++++++++++
 gnu/packages/ssh.scm                             |  3 ++-
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssh-CVE-2015-8325.patch

diff --git a/gnu-system.am b/gnu-system.am
index cd1c663..273e9df 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -631,6 +631,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/openimageio-boost-1.60.patch		\
   gnu/packages/patches/openjpeg-CVE-2015-6581.patch		\
   gnu/packages/patches/openjpeg-use-after-free-fix.patch	\
+  gnu/packages/patches/openssh-CVE-2015-8325.patch		\
   gnu/packages/patches/openssl-runpath.patch			\
   gnu/packages/patches/openssl-c-rehash-in.patch		\
   gnu/packages/patches/orpheus-cast-errors-and-includes.patch	\
diff --git a/gnu/packages/patches/openssh-CVE-2015-8325.patch b/gnu/packages/patches/openssh-CVE-2015-8325.patch
new file mode 100644
index 0000000..8063e64
--- /dev/null
+++ b/gnu/packages/patches/openssh-CVE-2015-8325.patch
@@ -0,0 +1,31 @@
+From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 13 Apr 2016 10:39:57 +1000
+Subject: ignore PAM environment vars when UseLogin=yes
+
+If PAM is configured to read user-specified environment variables
+and UseLogin=yes in sshd_config, then a hostile local user may
+attack /bin/login via LD_PRELOAD or similar environment variables
+set via PAM.
+
+CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
+---
+ session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/session.c b/session.c
+index 4859245..4653b09 100644
+--- a/session.c
++++ b/session.c
+@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
+ 	 * Pull in any environment variables that may have
+ 	 * been set by PAM.
+ 	 */
+-	if (options.use_pam) {
++	if (options.use_pam && !options.use_login) {
+ 		char **p;
+ 
+ 		p = fetch_pam_child_environment();
+-- 
+cgit v0.11.2
+
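Review bot: the session.c change carried in this patch file skips importing the PAM child environment entirely whenever UseLogin=yes (`if (options.use_pam && !options.use_login)`), so a deployment that combines UseLogin with PAM-supplied environment variables loses all of them rather than only the LD_PRELOAD-style ones the upstream log names; the upstream message explains the reason, but one sentence in the Guix commit message would spare a later reader from wondering why sshd behaves differently under UseLogin. The file also ends with the cgit export trailer (`cgit v0.11.2`) and a trailing blank line; they do not stop the patch from applying, but trimming them keeps the stored file to the upstream commit proper, whose `From 85bdcd7c...` header already ties it to reference [1] in the cover letter.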
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index eaf57ac..b8f107b 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -126,7 +126,8 @@ a server that supports the SSH-2 protocol.")
                          (string-append "http://ftp2.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/"
                                         tail))))
             (sha256 (base32
-                     "132lh9aanb0wkisji1d6cmsxi520m8nh7c7i9wi6m1s3l38q29x7"))))
+                     "132lh9aanb0wkisji1d6cmsxi520m8nh7c7i9wi6m1s3l38q29x7"))
+            (patches (search-patches "openssh-CVE-2015-8325.patch"))))
    (build-system gnu-build-system)
    (inputs `(("groff" ,groff)
              ("openssl" ,openssl)
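Review bot: the parenthesis rearrangement is balanced: the sha256 line now closes only base32 and sha256, and the new `(patches (search-patches "openssh-CVE-2015-8325.patch"))))` line closes search-patches, patches, origin and source, matching the four closing parens removed from the old line. Leaving the sha256 unchanged is correct, since the `patches` of a Guix origin are applied after the downloaded tarball has been checked against that hash, so the fixed-output hash must stay as it is.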
-- 
2.7.3


* Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.
From: Ludovic Courtès @ 2016-04-15 21:27 UTC
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
> * gnu-system.am (dist_patch_DATA): Add it.
> * gnu/packages/ssh.scm (openssh): Use it.

The explanation in the OpenSSH commit log is clear IMO and the fix looks
reasonable, so I’d say go for it…

… but I can’t seem to find the change in the authoritative repo:

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c

Am I missing something?

Ludo’.


* Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.
From: Leo Famulari @ 2016-04-15 21:47 UTC
  To: Ludovic Courtès; +Cc: guix-devel

On Fri, Apr 15, 2016 at 11:27:35PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
> > * gnu-system.am (dist_patch_DATA): Add it.
> > * gnu/packages/ssh.scm (openssh): Use it.
> 
> The explanation in the OpenSSH commit log is clear IMO and the fix looks
> reasonable, so I’d say go for it…
> 
> … but I can’t seem to find the change in the authoritative repo:
> 
>   http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c

The web page for the portable version of OpenSSH [0] (which is what we
package) says this:

"Normal OpenSSH development produces a very small, secure, and easy to
maintain version for the OpenBSD project. The OpenSSH Portability Team
takes that pure version and adds portability code so that OpenSSH can
run on many other operating systems (Unfortunately, in particular since
OpenSSH does authentication, it runs into a *lot* of differences between
Unix operating systems)."

The bug is related to how sshd interacts with PAM. My understanding is
that OpenBSD does not use PAM, so the bug would not exist in their
repository.

[0] FYI, I could not load this site over HTTPS:
http://www.openssh.com/portable.html
This page also links to the repository that contains the patch.


* Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.
From: Ludovic Courtès @ 2016-04-17 14:26 UTC
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Fri, Apr 15, 2016 at 11:27:35PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> 
>> > * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
>> > * gnu-system.am (dist_patch_DATA): Add it.
>> > * gnu/packages/ssh.scm (openssh): Use it.
>> 
>> The explanation in the OpenSSH commit log is clear IMO and the fix looks
>> reasonable, so I’d say go for it…
>> 
>> … but I can’t seem to find the change in the authoritative repo:
>> 
>>   http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
>
> The web page for the portable version of OpenSSH [0] (which is what we
> package) says this:
>
> "Normal OpenSSH development produces a very small, secure, and easy to
> maintain version for the OpenBSD project. The OpenSSH Portability Team
> takes that pure version and adds portability code so that OpenSSH can
> run on many other operating systems (Unfortunately, in particular since
> OpenSSH does authentication, it runs into a *lot* of differences between
> Unix operating systems)."
>
> The bug is related to how sshd interacts with PAM. My understanding is
> that OpenBSD does not use PAM, so the bug would not exist in their
> repository.
>
> [0] FYI, I could not load this site over HTTPS
> http://www.openssh.com/portable.html This page also links to the
> repository that contains the patch.

Oh, OK, thanks for the clarification.  Well, go for it!

Ludo’.


* Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.
From: Leo Famulari @ 2016-04-17 17:56 UTC
  To: Ludovic Courtès; +Cc: guix-devel

On Sun, Apr 17, 2016 at 04:26:06PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> >> > * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
> >> > * gnu-system.am (dist_patch_DATA): Add it.
> >> > * gnu/packages/ssh.scm (openssh): Use it.

> Oh, OK, thanks for the clarification.  Well, go for it!

Applied as 67157996e23f1d6135659d91c1a15e3ac4afd4e0
