[PATCH 0/1] openssh: Fix CVE-2015-8325

[PATCH 0/1] openssh: Fix CVE-2015-8325

[Leo Famulari]

Debian has applied an upstream patch to fix CVE-2015-8325 [0][1][2] in
OpenSSH [3].

OpenSSH builds and seems to work with this patch.

I can't find any public and "official" announcement of this issue yet.
For example, not from Mitre or OpenSSH themselves, aside from the
OpenSSH commit log. For this reason, I want to wait for an "okay" from
other Guix developers.

Please advise, and feel free to apply the patch yourself if appropriate.

[0]
https://security-tracker.debian.org/tracker/CVE-2015-8325

[1]
https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755

[2]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325

[3]
http://www.openssh.com/portable.html

Leo Famulari (1):
  gnu: openssh: Fix CVE-2015-8325.

 gnu-system.am                                    |  1 +
 gnu/packages/patches/openssh-CVE-2015-8325.patch | 31 ++++++++++++++++++++++++
 gnu/packages/ssh.scm                             |  3 ++-
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssh-CVE-2015-8325.patch

-- 
2.7.3

[PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.

[Leo Famulari]

* gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/ssh.scm (openssh): Use it.
---
 gnu-system.am                                    |  1 +
 gnu/packages/patches/openssh-CVE-2015-8325.patch | 31 ++++++++++++++++++++++++
 gnu/packages/ssh.scm                             |  3 ++-
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssh-CVE-2015-8325.patch

diff --git a/gnu-system.am b/gnu-system.am
index cd1c663..273e9df 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -631,6 +631,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/openimageio-boost-1.60.patch		\
   gnu/packages/patches/openjpeg-CVE-2015-6581.patch		\
   gnu/packages/patches/openjpeg-use-after-free-fix.patch	\
+  gnu/packages/patches/openssh-CVE-2015-8325.patch		\
   gnu/packages/patches/openssl-runpath.patch			\
   gnu/packages/patches/openssl-c-rehash-in.patch		\
   gnu/packages/patches/orpheus-cast-errors-and-includes.patch	\
diff --git a/gnu/packages/patches/openssh-CVE-2015-8325.patch b/gnu/packages/patches/openssh-CVE-2015-8325.patch
new file mode 100644
index 0000000..8063e64
--- /dev/null
+++ b/gnu/packages/patches/openssh-CVE-2015-8325.patch
@@ -0,0 +1,31 @@
+From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 13 Apr 2016 10:39:57 +1000
+Subject: ignore PAM environment vars when UseLogin=yes
+
+If PAM is configured to read user-specified environment variables
+and UseLogin=yes in sshd_config, then a hostile local user may
+attack /bin/login via LD_PRELOAD or similar environment variables
+set via PAM.
+
+CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
+---
+ session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/session.c b/session.c
+index 4859245..4653b09 100644
+--- a/session.c
++++ b/session.c
+@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
+ 	 * Pull in any environment variables that may have
+ 	 * been set by PAM.
+ 	 */
+-	if (options.use_pam) {
++	if (options.use_pam && !options.use_login) {
+ 		char **p;
+ 
+ 		p = fetch_pam_child_environment();
+-- 
+cgit v0.11.2
+
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index eaf57ac..b8f107b 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -126,7 +126,8 @@ a server that supports the SSH-2 protocol.")
                          (string-append "http://ftp2.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/"
                                         tail))))
             (sha256 (base32
-                     "132lh9aanb0wkisji1d6cmsxi520m8nh7c7i9wi6m1s3l38q29x7"))))
+                     "132lh9aanb0wkisji1d6cmsxi520m8nh7c7i9wi6m1s3l38q29x7"))
+            (patches (search-patches "openssh-CVE-2015-8325.patch"))))
    (build-system gnu-build-system)
    (inputs `(("groff" ,groff)
              ("openssl" ,openssl)
-- 
2.7.3

Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
> * gnu-system.am (dist_patch_DATA): Add it.
> * gnu/packages/ssh.scm (openssh): Use it.

The explanation in the OpenSSH commit log is clear IMO and the fix looks
reasonable, so I’d say go for it…

… but I can’t seem to find the change in the authoritative repo:

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c

Am I missing something?

Ludo’.

Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.

[Leo Famulari]

On Fri, Apr 15, 2016 at 11:27:35PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
> > * gnu-system.am (dist_patch_DATA): Add it.
> > * gnu/packages/ssh.scm (openssh): Use it.
> 
> The explanation in the OpenSSH commit log is clear IMO and the fix looks
> reasonable, so I’d say go for it…
> 
> … but I can’t seem to find the change in the authoritative repo:
> 
>   http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c

The web page for the portable version of OpenSSH [0] (which is what we
package) says this:

"Normal OpenSSH development produces a very small, secure, and easy to
maintain version for the OpenBSD project. The OpenSSH Portability Team
takes that pure version and adds portability code so that OpenSSH can
run on many other operating systems (Unfortunately, in particular since
OpenSSH does authentication, it runs into a *lot* of differences between
Unix operating systems)."

The bug is related to how sshd interacts with PAM. My understanding is
that OpenBSD does not use PAM, so the bug would not exist in their
repository.

[0] FYI, I could not load this site over HTTPS
http://www.openssh.com/portable.html This page also links to the
repository that contains the patch.

Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.

[Ludovic Courtès]

Leo Famulari <leo@famulari.name> skribis:

> On Fri, Apr 15, 2016 at 11:27:35PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> 
>> > * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
>> > * gnu-system.am (dist_patch_DATA): Add it.
>> > * gnu/packages/ssh.scm (openssh): Use it.
>> 
>> The explanation in the OpenSSH commit log is clear IMO and the fix looks
>> reasonable, so I’d say go for it…
>> 
>> … but I can’t seem to find the change in the authoritative repo:
>> 
>>   http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
>
> The web page for the portable version of OpenSSH [0] (which is what we
> package) says this:
>
> "Normal OpenSSH development produces a very small, secure, and easy to
> maintain version for the OpenBSD project. The OpenSSH Portability Team
> takes that pure version and adds portability code so that OpenSSH can
> run on many other operating systems (Unfortunately, in particular since
> OpenSSH does authentication, it runs into a *lot* of differences between
> Unix operating systems)."
>
> The bug is related to how sshd interacts with PAM. My understanding is
> that OpenBSD does not use PAM, so the bug would not exist in their
> repository.
>
> [0] FYI, I could not load this site over HTTPS
> http://www.openssh.com/portable.html This page also links to the
> repository that contains the patch.

Oh, OK, thanks for the clarification.  Well, go for it!

Ludo’.

Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.

[Leo Famulari]

On Sun, Apr 17, 2016 at 04:26:06PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> >> > * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
> >> > * gnu-system.am (dist_patch_DATA): Add it.
> >> > * gnu/packages/ssh.scm (openssh): Use it.

> Oh, OK, thanks for the clarification.  Well, go for it!

Applied as 67157996e23f1d6135659d91c1a15e3ac4afd4e0