Updating 'openssh' to 8.5p1 to fix CVE-2021-28041. (#737) (#738)

* Updating 'openssh' to 8.5p1. * Removing regressions test fixes - already part of new version. * Enabling running more tests.
2021-03-11 18:43:17 -08:00 · 2021-03-11 18:43:17 -08:00 · 99281a23bf
parent 27b2a5ba92
commit 99281a23bf
7 changed files with 15 additions and 70 deletions
--- a/SPECS/openssh/CVE-2019-16905.patch
+++ b/SPECS/openssh/CVE-2019-16905.patch
@ -1,12 +0,0 @@
--- ./sshkey-xmss-orig.c	2020-10-19 13:08:05.657397679 -0700
-+++ ./sshkey-xmss.c	2020-10-19 13:07:42.953419382 -0700
-@@ -977,7 +977,8 @@
- 		goto out;
- 	}
- 	/* check that an appropriate amount of auth data is present */
-	if (sshbuf_len(encoded) < encrypted_len + authlen) {
-+	if (sshbuf_len(encoded) < authlen ||
-+		sshbuf_len(encoded) - authlen < encrypted_len) {
- 		r = SSH_ERR_INVALID_FORMAT;
- 		goto out;
- 	}
--- a/SPECS/openssh/CVE-2020-14145.nopatch
+++ b/SPECS/openssh/CVE-2020-14145.nopatch
@ -1 +0,0 @@
-The CVE is a won't fix for OpenSSH (confirmed on their mailing list). See here: https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
--- a/SPECS/openssh/CVE-2020-15778.nopatch
+++ b/SPECS/openssh/CVE-2020-15778.nopatch
@ -1 +0,0 @@
-The CVE is a won't fix for OpenSSH (confirmed on their mailing list). See here: https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.
--- a/SPECS/openssh/openssh.signatures.json
+++ b/SPECS/openssh/openssh.signatures.json
@ -1,7 +1,7 @@
 {
 "Signatures": {
  "blfs-systemd-units-20191026.tar.xz": "10f20d2f8db4dc48b4f9257c47821df238808fca3566c65a8c7e2284172da789",
-  "openssh-8.0p1.tar.gz": "bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68",
+  "openssh-8.5p1.tar.gz": "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25",
  "sshd-keygen.service": "331515a4fb37951122ac8447111b126368386a49ac429f500fe3819ba25a70be",
  "sshd.service": "9233e23c1cc89316630ce25e14403f8cdb8503cf4235cc1d864770b5b56e28d2"
 }
--- a/SPECS/openssh/openssh.spec
+++ b/SPECS/openssh/openssh.spec
@ -1,8 +1,8 @@
 %define systemd_units_rel 20191026
 Summary:        Free version of the SSH connectivity tools
 Name:           openssh
-Version:        8.0p1
-Release:        13%{?dist}
+Version:        8.5p1
+Release:        1%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -13,13 +13,9 @@ Source1:        http://www.linuxfromscratch.org/blfs/downloads/stable-systemd/bl
 Source2:        sshd.service
 Source3:        sshd-keygen.service
 Patch0:         blfs_systemd_fixes.patch
-Patch1:         CVE-2019-16905.patch
-Patch2:         regress-test-future-cert-fix.patch
 # Nopatches section
 # Community agreed to not patch this
 Patch100:       CVE-2007-2768.nopatch
-Patch101:       CVE-2020-14145.nopatch
-Patch102:       CVE-2020-15778.nopatch
 BuildRequires:  e2fsprogs-devel
 BuildRequires:  groff
 BuildRequires:  krb5-devel
@ -63,8 +59,6 @@ This provides the ssh server daemons, utilities, configuration and service files
 %setup -q
 tar xf %{SOURCE1} --no-same-owner
 %patch0
-%patch1
-%patch2 -p1

 %build
 %configure \
@ -117,7 +111,7 @@ fi
 cp %{buildroot}%{_bindir}/scp %{_bindir}
 chmod g+w . -R
 useradd test -G root -m
-sudo -u test -s /bin/bash -c "PATH=$PATH make tests"
+sudo -u test -s /bin/bash -c "PATH=$PATH TEST_SSH_UNSAFE_PERMISSIONS=1 make tests"

 %pre server
 getent group sshd >/dev/null || groupadd -g 50 sshd
@ -180,6 +174,7 @@ rm -rf %{buildroot}/*
 %{_bindir}/ssh-copy-id
 %{_libexecdir}/ssh-keysign
 %{_libexecdir}/ssh-pkcs11-helper
+%{_libexecdir}/ssh-sk-helper
 %{_mandir}/man1/scp.1.gz
 %{_mandir}/man1/ssh-agent.1.gz
 %{_mandir}/man1/ssh-keygen.1.gz
@ -191,8 +186,16 @@ rm -rf %{buildroot}/*
 %{_mandir}/man1/sftp.1.gz
 %{_mandir}/man8/ssh-keysign.8.gz
 %{_mandir}/man8/ssh-pkcs11-helper.8.gz
+%{_mandir}/man8/ssh-sk-helper.8.gz

 %changelog
+* Thu Mar 11 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 8.5p1-1
+- Updating to 8.5p1 to patch CVE-2021-28041.
+- Added "TEST_SSH_UNSAFE_PERMISSIONS=1" to enable running more tests.
+- Removing patch for CVE-2019-16905, since it's already part of this version.
+- Removing nopatch for CVE-2020-14145 and CVE-2020-15778, since the fixes are included in this version.
+- Removing regressions test fixes - already part of this version.
+
 * Mon Dec 28 2020 Thomas Crain <thcrain@microsoft.com> - 8.0p1-13
 - Add BRs for check section
 - Add patch fixing cert-hostkey and cert-userkey regression tests
--- a/SPECS/openssh/regress-test-future-cert-fix.patch
+++ b/SPECS/openssh/regress-test-future-cert-fix.patch
@ -1,44 +0,0 @@
-From d62a8caee3324abc5e921269d975db986585c7d3 Mon Sep 17 00:00:00 2001
-From: Thomas Crain <thcrain@microsoft.com>
-Date: Tue, 5 Jan 2021 11:13:12 -0800
-Subject: [PATCH] Patch regression tests with future dates
-
-The future is now, at least according to the regression tests. Tests expecting
-2020-01-01 to be in the future are invalid now, so we give those tests new
-future dates. 
-
-Patch adapted from https://github.com/openssh/openssh-portable/commit/ff31f15773ee173502eec4d7861ec56f26bba381
---
- regress/cert-hostkey.sh | 2 +-
- regress/cert-userkey.sh | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
-index 3ce77796..74d5a530 100644
--- a/regress/cert-hostkey.sh
-+++ b/regress/cert-hostkey.sh
-@@ -248,7 +248,7 @@ test_one() {
- test_one "user-certificate"	failure "-n $HOSTS"
- test_one "empty principals"	success "-h"
- test_one "wrong principals"	failure "-h -n foo"
-test_one "cert not yet valid"	failure "-h -V20200101:20300101"
-+test_one "cert not yet valid"	failure "-h -V20970101:20990101"
- test_one "cert expired"		failure "-h -V19800101:19900101"
- test_one "cert valid interval"	success "-h -V-1w:+2w"
- test_one "cert has constraints"	failure "-h -Oforce-command=false"
-diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
-index 6849e992..de455b86 100644
--- a/regress/cert-userkey.sh
-+++ b/regress/cert-userkey.sh
-@@ -327,7 +327,7 @@ test_one() {
- test_one "correct principal"	success "-n ${USER}"
- test_one "host-certificate"	failure "-n ${USER} -h"
- test_one "wrong principals"	failure "-n foo"
-test_one "cert not yet valid"	failure "-n ${USER} -V20200101:20300101"
-+test_one "cert not yet valid"	failure "-n ${USER} -V20970101:20990101"
- test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
- test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
- test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"
-- 
-2.25.1
-
--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -3805,8 +3805,8 @@
        "type": "other",
        "other": {
          "name": "openssh",
-          "version": "8.0p1",
-          "downloadUrl": "https://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz"
+          "version": "8.5p1",
+          "downloadUrl": "https://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.5p1.tar.gz"
        }
      }
    },
				`@ -1 +0,0 @@`
				`The CVE is a won't fix for OpenSSH (confirmed on their mailing list). See here: https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf.`