author | Bryan Drewery <bdrewery@FreeBSD.org> | 2017-01-13 23:23:35 +0000 |
---|---|---|
committer | Bryan Drewery <bdrewery@FreeBSD.org> | 2017-01-13 23:23:35 +0000 |
commit | 4e5701f44f64cee3b7fffd712cb0950ee65414b8 (patch) | |
tree | df561c4b57ea54ed7732290672305948c478f0f8 /security/openssh-portable | |
parent | 358c4690a3eafbbb8534b205c28a04caaf51d641 (diff) | |
download | ports-4e5701f44f64cee3b7fffd712cb0950ee65414b8.tar.gz ports-4e5701f44f64cee3b7fffd712cb0950ee65414b8.zip |
Diffstat (limited to 'security/openssh-portable')
-rw-r--r-- | security/openssh-portable/Makefile | 2 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.1 | 36 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-ssh-agent.c | 130 |
3 files changed, 150 insertions, 18 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 357dbef50b32..3238c70afda6 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -3,7 +3,7 @@ PORTNAME= openssh DISTVERSION= 7.3p1 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1 index 3acde74be9fe..5edff7769268 100644 --- a/security/openssh-portable/files/patch-ssh-agent.1 +++ b/security/openssh-portable/files/patch-ssh-agent.1 @@ -4,9 +4,12 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.1.orig 2015-05-29 03:27:21.000000000 -0500 -+++ ssh-agent.1 2015-06-02 09:45:37.025390000 -0500 -@@ -43,7 +43,7 @@ +Add a -P option to specify PKCS11_WHITELIST + + +--- ssh-agent.1.orig 2016-07-27 17:54:27.000000000 -0500 ++++ ssh-agent.1 2017-01-11 19:05:12.513900000 -0600 +@@ -43,10 +43,11 @@ .Sh SYNOPSIS .Nm ssh-agent .Op Fl c | s 
@@ -15,7 +18,30 @@ disconnected. .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash .Op Fl t Ar life -@@ -128,6 +128,8 @@ ++.Op Fl P Ar pkcs11_whitelist + .Op Ar command Op Ar arg ... + .Nm ssh-agent + .Op Fl c | s +@@ -121,6 +122,18 @@ + Kill the current agent (given by the + .Ev SSH_AGENT_PID + environment variable). ++.It Fl P ++Specify a pattern-list of acceptable paths for PKCS#11 shared libraries ++that may be added using the ++.Fl s ++option to ++.Xr ssh-add 1 . ++The default is to allow loading PKCS#11 libraries from ++.Dq /usr/lib/*,/usr/local/lib/* . ++PKCS#11 libraries that do not match the whitelist will be refused. ++See PATTERNS in ++.Xr ssh_config 5 ++for a description of pattern-list syntax. + .It Fl s + Generate Bourne shell commands on + .Dv stdout . +@@ -135,6 +148,8 @@ .Xr ssh-add 1 overrides this value. Without this option the default maximum lifetime is forever. @@ -23,4 +49,4 @@ disconnected. +Exit after the last client has disconnected. .El .Pp - If a commandline is given, this is executed as a subprocess of the agent. + If a command line is given, this is executed as a subprocess of the agent. diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c index 540f8b4e7b8b..75243fa5c57e 100644 --- a/security/openssh-portable/files/patch-ssh-agent.c +++ b/security/openssh-portable/files/patch-ssh-agent.c 
@@ -8,9 +8,39 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500 -+++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500 -@@ -157,15 +157,34 @@ static long lifetime = 0; +Add a -P option to specify PKCS11_WHITELIST (fixes CVE-2016-10009) + + +--- ssh-agent.c.orig 2016-07-27 17:54:27.000000000 -0500 ++++ ssh-agent.c 2017-01-11 19:02:59.600125000 -0600 +@@ -83,11 +83,16 @@ + #include "misc.h" + #include "digest.h" + #include "ssherr.h" ++#include "match.h" + + #ifdef ENABLE_PKCS11 + #include "ssh-pkcs11.h" + #endif + ++#ifndef DEFAULT_PKCS11_WHITELIST ++# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*" ++#endif ++ + typedef enum { + AUTH_UNUSED, + AUTH_SOCKET, +@@ -135,6 +140,9 @@ + char socket_name[PATH_MAX]; + char socket_dir[PATH_MAX]; + ++/* PKCS#11 path whitelist */ ++static char *pkcs11_whitelist; ++ + /* locking */ + #define LOCK_SIZE 32 + #define LOCK_SALT_SIZE 16 +@@ -150,15 +158,34 @@ static int fingerprint_hash = SSH_FP_HASH_DEFAULT; 
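Review bot: DEFAULT_PKCS11_WHITELIST is a compile-time `#ifndef` default, and the same literal `/usr/lib/*,/usr/local/lib/*` is repeated verbatim in the patch-ssh-agent.1 change of this commit; if the port ever overrides the define through CFLAGS, the documented default drifts without anything pointing at the man page. A comment on the define, `/* keep in sync with the -P description in ssh-agent.1 */`, would flag that coupling. The new `static char *pkcs11_whitelist` appears to be assigned only in main(), either from `-P` or from the default, so it should be non-NULL by the time process_add_smartcard_key consults it; a one-line comment stating that invariant next to the declaration would save the next reader from checking.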
@@ -45,7 +75,50 @@ disconnected. } static void -@@ -939,6 +958,10 @@ new_socket(sock_type type, int fd) +@@ -738,7 +765,7 @@ + static void + process_add_smartcard_key(SocketEntry *e) + { +- char *provider = NULL, *pin; ++ char *provider = NULL, *pin, canonical_provider[PATH_MAX]; + int r, i, version, count = 0, success = 0, confirm = 0; + u_int seconds; + time_t death = 0; +@@ -770,10 +797,21 @@ + goto send; + } + } ++ if (realpath(provider, canonical_provider) == NULL) { ++ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", ++ provider, strerror(errno)); ++ goto send; ++ } ++ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) { ++ verbose("refusing PKCS#11 add of \"%.100s\": " ++ "provider not whitelisted", canonical_provider); ++ goto send; ++ } ++ debug("%s: add %.100s", __func__, canonical_provider); + if (lifetime && !death) + death = monotime() + lifetime; + +- count = pkcs11_add_provider(provider, pin, &keys); ++ count = pkcs11_add_provider(canonical_provider, pin, &keys); + for (i = 0; i < count; i++) { + k = keys[i]; + version = k->type == KEY_RSA1 ? 1 : 2; +@@ -781,8 +819,8 @@ + if (lookup_identity(k, version) == NULL) { + id = xcalloc(1, sizeof(Identity)); + id->key = k; +- id->provider = xstrdup(provider); +- id->comment = xstrdup(provider); /* XXX */ ++ id->provider = xstrdup(canonical_provider); ++ id->comment = xstrdup(canonical_provider); /* XXX */ + id->death = death; + id->confirm = confirm; + TAILQ_INSERT_TAIL(&tab->idlist, id, next); +@@ -945,6 +983,10 @@ { u_int i, old_alloc, new_alloc; 
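Review bot: The whitelist test in process_add_smartcard_key is applied to the realpath(3) result rather than to the client-supplied `provider`, and that same canonical string is what is passed to pkcs11_add_provider and stored in `id->provider`, which is what makes the check meaningful; none of that reasoning is recorded in the hunk. A comment above the realpath call would help, e.g. `/* Canonicalise first: the whitelist is matched and the library loaded by the resolved path, so symlinks or ".." segments cannot point outside an allowed directory. */`. Note also that realpath(3) needs the `rpath` promise added to the pledge() call in the last hunk of this file, so the two parts of the patch must always be carried together. process_add_smartcard_key continues past the end of the hunk.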
@@ -56,33 +129,47 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1166,7 +1189,7 @@ static void +@@ -1172,8 +1214,8 @@ usage(void) { fprintf(stderr, - "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" +- " [-t life] [command [arg ...]]\n" + "usage: ssh-agent [-c | -s] [-Ddx] [-a bind_address] [-E fingerprint_hash]\n" - " [-t life] [command [arg ...]]\n" ++ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n" " ssh-agent [-c | -s] -k\n"); exit(1); -@@ -1197,6 +1220,7 @@ main(int ac, char **av) + } +@@ -1204,6 +1246,7 @@ /* drop */ setegid(getgid()); setgid(getgid()); + setuid(geteuid()); - #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) - /* Disable ptrace on Linux without sgid bit */ -@@ -1210,7 +1234,7 @@ main(int ac, char **av) + platform_disable_tracing(0); /* strict=no */ + +@@ -1214,7 +1257,7 @@ __progname = ssh_get_progname(av[0]); seed_rng(); - while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) { -+ while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) { ++ while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) { switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1249,6 +1273,9 @@ main(int ac, char **av) +@@ -1229,6 +1272,11 @@ + case 'k': + k_flag++; + break; ++ case 'P': ++ if (pkcs11_whitelist != NULL) ++ fatal("-P option already specified"); ++ pkcs11_whitelist = xstrdup(optarg); ++ break; + case 's': + if (c_flag) + usage(); +@@ -1253,6 +1301,9 @@ usage(); } break; 
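Review bot: usage() now lists `-P pkcs11_whitelist` before `-t life`, while the SYNOPSIS added to patch-ssh-agent.1 in this same commit places `.Op Fl P Ar pkcs11_whitelist` after `.Op Fl t Ar life`; the two should agree. The simpler fix is the usage text, `"       [-t life] [-P pkcs11_whitelist] [command [arg ...]]\n"`, unless the intent is to keep the alphabetical order and move the man page entry instead. The `-P` case in the getopt loop rejects a repeated option with fatal(), which is consistent with how the rest of the option handling is written. main() begins and ends outside this hunk.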
@@ -92,3 +179,22 @@ disconnected. default: usage(); } +@@ -1263,6 +1314,9 @@ + if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag)) + usage(); + ++ if (pkcs11_whitelist == NULL) ++ pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST); ++ + if (ac == 0 && !c_flag && !s_flag) { + shell = getenv("SHELL"); + if (shell != NULL && (len = strlen(shell)) > 2 && +@@ -1410,7 +1464,7 @@ + signal(SIGTERM, cleanup_handler); + nalloc = 0; + +- if (pledge("stdio cpath unix id proc exec", NULL) == -1) ++ if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1) + fatal("%s: pledge: %s", __progname, strerror(errno)); + platform_pledge_agent(); + |
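Review bot: The `rpath` promise added to the pledge() line exists so that realpath(3) in process_add_smartcard_key can read the filesystem, but nothing at the call site says so; a later tightening of the promise string would break PKCS#11 adds on platforms that enforce pledge, with only a pledge violation to go on. Suggest `/* rpath: realpath(3) in process_add_smartcard_key */` on the line above the pledge call. The default assignment `pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST)` is deliberately placed after option parsing, which is what lets the `-P` case detect a repeated option by testing for non-NULL; a short comment there, `/* after getopt: -P detects repeats by pkcs11_whitelist != NULL */`, would keep someone from hoisting it. main() begins and ends outside this hunk.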