wok-current rev 25725

Patch openssh CVE-2024-6387
author Stanislas Leduc <shann@slitaz.org>
date Mon Jul 01 15:09:44 2024 +0000 (5 months ago)
parents c848b3839e4a
children 45e49949a208
files openssh-pam/receipt openssh-pam/stuff/CVE-2024-6387.patch openssh-pam/stuff/openssh openssh/receipt openssh/stuff/CVE-2024-6387.patch
line diff
     1.1 --- a/openssh-pam/receipt	Tue Jun 25 14:51:14 2024 +0000
     1.2 +++ b/openssh-pam/receipt	Mon Jul 01 15:09:44 2024 +0000
     1.3 @@ -32,6 +32,10 @@
     1.4  # Rules to configure and make the package.
     1.5  compile_rules()
     1.6  {
     1.7 +        # Patch CVE-2024-6387
     1.8 +        # see https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
     1.9 +        patch -p1 < $stuff/CVE-2024-6387.patch
    1.10 +
    1.11  	unset LD # for cross compiling with --disable-strip
    1.12  	./configure					\
    1.13  		--prefix=/usr				\
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/openssh-pam/stuff/CVE-2024-6387.patch	Mon Jul 01 15:09:44 2024 +0000
     2.3 @@ -0,0 +1,17 @@
     2.4 +--- a/log.c
     2.5 ++++ b/log.c
     2.6 +@@ -451,12 +451,14 @@
     2.7 + sshsigdie(const char *file, const char *func, int line, int showfunc,
     2.8 +     LogLevel level, const char *suffix, const char *fmt, ...)
     2.9 + {
    2.10 ++#if 0
    2.11 + 	va_list args;
    2.12 + 
    2.13 + 	va_start(args, fmt);
    2.14 + 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
    2.15 + 	    suffix, fmt, args);
    2.16 + 	va_end(args);
    2.17 ++#endif
    2.18 + 	_exit(1);
    2.19 + }
    2.20 + 
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/openssh-pam/stuff/openssh	Mon Jul 01 15:09:44 2024 +0000
     3.3 @@ -0,0 +1,69 @@
     3.4 +#!/bin/sh
     3.5 +# /etc/init.d/openssh : Start, stop and restart OpenSSH server on SliTaz, at
     3.6 +# boot time or with the command line.
     3.7 +#
     3.8 +# To start OpenSSH server at boot time, just put openssh in the $RUN_DAEMONS
     3.9 +# variable of /etc/rcS.conf and configure options with /etc/daemons.conf
    3.10 +#
    3.11 +. /etc/init.d/rc.functions
    3.12 +. /etc/daemons.conf
    3.13 +
    3.14 +NAME=OpenSSH
    3.15 +DESC="$(_ '%s server' OpenSSH)"
    3.16 +DAEMON=/usr/sbin/sshd
    3.17 +OPTIONS=$OPENSSH_OPTIONS
    3.18 +PIDFILE=/var/run/sshd.pid
    3.19 +
    3.20 +[ -d /var/run/sshd ] || mkdir -p /var/run/sshd
    3.21 +
    3.22 +case "$1" in
    3.23 +	start)
    3.24 +		# We need rsa and dsa host key file to start dropbear.
    3.25 +		for type in rsa dsa ecdsa ed25519 ; do
    3.26 +			[ -s /etc/ssh/ssh_host_${type}_key ] && continue
    3.27 +			_ 'Generating OpenSSH %s key... ' $type
    3.28 +			ssh-keygen -t $type -f /etc/ssh/ssh_host_${type}_key -C '' -N ''
    3.29 +		done
    3.30 +		if active_pidfile $PIDFILE sshd ; then
    3.31 +			_ '%s is already running.' $NAME
    3.32 +			exit 1
    3.33 +		fi
    3.34 +		if [ -n "$(which iptables)" ] && ! iptables -L | grep 'tcp dpt:ssh ' ; then
    3.35 +		    	tcp22new='iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent'
    3.36 +			$tcp22new --set --name DEFAULT --rsource
    3.37 +			limit='--seconds 300 --hitcount 5 --name DEFAULT --rsource'
    3.38 +			$tcp22new --update $limit -j LOG --log-prefix "SSH-Bruteforce : "
    3.39 +			$tcp22new --update $limit -j DROP
    3.40 +		fi
    3.41 +		action 'Starting %s: %s...' "$DESC" $NAME
    3.42 +		$DAEMON $OPTIONS
    3.43 +		status
    3.44 +		;;
    3.45 +	stop)
    3.46 +		if ! active_pidfile $PIDFILE sshd ; then
    3.47 +			_ '%s is not running.' $NAME
    3.48 +			exit 1
    3.49 +		fi
    3.50 +		action 'Stopping %s: %s...' "$DESC" $NAME
    3.51 +		kill $(cat $PIDFILE)
    3.52 +		status
    3.53 +		;;
    3.54 +	restart)
    3.55 +		if ! active_pidfile $PIDFILE sshd ; then
    3.56 +			_ '%s is not running.' $NAME
    3.57 +			exit 1
    3.58 +		fi
    3.59 +		action 'Restarting %s: %s...' "$DESC" $NAME
    3.60 +		kill $(cat $PIDFILE)
    3.61 +		sleep 2
    3.62 +		$DAEMON $OPTIONS
    3.63 +		status
    3.64 +		;;
    3.65 +	*)
    3.66 +		emsg "<n><b>$(_ 'Usage:')</b> $0 [start|stop|restart]"
    3.67 +		newline
    3.68 +		exit 1
    3.69 +		;;
    3.70 +esac
    3.71 +
    3.72 +exit 0
     4.1 --- a/openssh/receipt	Tue Jun 25 14:51:14 2024 +0000
     4.2 +++ b/openssh/receipt	Mon Jul 01 15:09:44 2024 +0000
     4.3 @@ -35,6 +35,10 @@
     4.4  # Rules to configure and make the package.
     4.5  compile_rules()
     4.6  {
     4.7 +	# Patch CVE-2024-6387
     4.8 +	# see https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
     4.9 +	patch -p1 < $stuff/CVE-2024-6387.patch
    4.10 +
    4.11  	unset LD # for cross compiling with --disable-strip
    4.12  	./configure					\
    4.13  		--prefix=/usr				\
     5.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     5.2 +++ b/openssh/stuff/CVE-2024-6387.patch	Mon Jul 01 15:09:44 2024 +0000
     5.3 @@ -0,0 +1,17 @@
     5.4 +--- a/log.c
     5.5 ++++ b/log.c
     5.6 +@@ -451,12 +451,14 @@
     5.7 + sshsigdie(const char *file, const char *func, int line, int showfunc,
     5.8 +     LogLevel level, const char *suffix, const char *fmt, ...)
     5.9 + {
    5.10 ++#if 0
    5.11 + 	va_list args;
    5.12 + 
    5.13 + 	va_start(args, fmt);
    5.14 + 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
    5.15 + 	    suffix, fmt, args);
    5.16 + 	va_end(args);
    5.17 ++#endif
    5.18 + 	_exit(1);
    5.19 + }
    5.20 +