wok-current rev 25725
Patch openssh CVE-2024-6387
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Mon Jul 01 15:09:44 2024 +0000 (4 months ago) |
parents | c848b3839e4a |
children | 45e49949a208 |
files | openssh-pam/receipt openssh-pam/stuff/CVE-2024-6387.patch openssh-pam/stuff/openssh openssh/receipt openssh/stuff/CVE-2024-6387.patch |
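--- a/openssh-pam/receipt
+++ b/openssh-pam/receipt
@@ -32,6 +32,10 @@
 # Rules to configure and make the package.
 compile_rules()
 {
+	# Patch CVE-2024-6387
+	# see https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+	patch -p1 < $stuff/CVE-2024-6387.patch
+
 	unset LD # for cross compiling with --disable-strip
 	./configure \
 		--prefix=/usr \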
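Review bot: The new `patch -p1 < $stuff/CVE-2024-6387.patch` line in compile_rules() never checks patch's exit status, so a hunk that fails to apply (for example after a later openssh version bump moves the sshsigdie() lines in log.c) lets the build carry on and ships a package that is labelled as patched but is not. Make the receipt fail loudly instead: `patch -p1 < $stuff/CVE-2024-6387.patch || return 1`. The identical hunk in openssh/receipt has the same gap. compile_rules() continues past the end of the hunk.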
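--- /dev/null
+++ b/openssh-pam/stuff/CVE-2024-6387.patch
@@ -0,0 +1,17 @@
+--- a/log.c
++++ b/log.c
+@@ -451,12 +451,14 @@
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+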
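Review bot: The patch has no header explaining why the entire body of sshsigdie() is compiled out, and the consequence is not obvious from the hunk: after this change the function goes straight to `_exit(1)`, so whatever fatal message the caller asked sshlogv() to emit is dropped, and operators lose the log line that would otherwise record the event (presumably the login-grace timeout, which is where the advisory places the unsafe call). `patch` ignores text before the first `---` line, so a leading note such as `Workaround for CVE-2024-6387 (Qualys regreSSHion advisory): the signal-handler path must not reach async-signal-unsafe logging; drop this file once the package moves to an upstream release that fixes the handler itself.` would document both the intent and the retirement condition. The file is duplicated byte-for-byte as openssh/stuff/CVE-2024-6387.patch; keeping one shared copy would stop the two from drifting apart.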
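--- /dev/null
+++ b/openssh-pam/stuff/openssh
@@ -0,0 +1,69 @@
+#!/bin/sh
+# /etc/init.d/openssh : Start, stop and restart OpenSSH server on SliTaz, at
+# boot time or with the command line.
+#
+# To start OpenSSH server at boot time, just put openssh in the $RUN_DAEMONS
+# variable of /etc/rcS.conf and configure options with /etc/daemons.conf
+#
+. /etc/init.d/rc.functions
+. /etc/daemons.conf
+
+NAME=OpenSSH
+DESC="$(_ '%s server' OpenSSH)"
+DAEMON=/usr/sbin/sshd
+OPTIONS=$OPENSSH_OPTIONS
+PIDFILE=/var/run/sshd.pid
+
+[ -d /var/run/sshd ] || mkdir -p /var/run/sshd
+
+case "$1" in
+	start)
+		# We need rsa and dsa host key file to start dropbear.
+		for type in rsa dsa ecdsa ed25519 ; do
+			[ -s /etc/ssh/ssh_host_${type}_key ] && continue
+			_ 'Generating OpenSSH %s key... ' $type
+			ssh-keygen -t $type -f /etc/ssh/ssh_host_${type}_key -C '' -N ''
+		done
+		if active_pidfile $PIDFILE sshd ; then
+			_ '%s is already running.' $NAME
+			exit 1
+		fi
+		if [ -n "$(which iptables)" ] && ! iptables -L | grep 'tcp dpt:ssh ' ; then
+			tcp22new='iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent'
+			$tcp22new --set --name DEFAULT --rsource
+			limit='--seconds 300 --hitcount 5 --name DEFAULT --rsource'
+			$tcp22new --update $limit -j LOG --log-prefix "SSH-Bruteforce : "
+			$tcp22new --update $limit -j DROP
+		fi
+		action 'Starting %s: %s...' "$DESC" $NAME
+		$DAEMON $OPTIONS
+		status
+		;;
+	stop)
+		if ! active_pidfile $PIDFILE sshd ; then
+			_ '%s is not running.' $NAME
+			exit 1
+		fi
+		action 'Stopping %s: %s...' "$DESC" $NAME
+		kill $(cat $PIDFILE)
+		status
+		;;
+	restart)
+		if ! active_pidfile $PIDFILE sshd ; then
+			_ '%s is not running.' $NAME
+			exit 1
+		fi
+		action 'Restarting %s: %s...' "$DESC" $NAME
+		kill $(cat $PIDFILE)
+		sleep 2
+		$DAEMON $OPTIONS
+		status
+		;;
+	*)
+		emsg "<n><b>$(_ 'Usage:')</b> $0 [start|stop|restart]"
+		newline
+		exit 1
+		;;
+esac
+
+exit 0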
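--- a/openssh/receipt
+++ b/openssh/receipt
@@ -35,6 +35,10 @@
 # Rules to configure and make the package.
 compile_rules()
 {
+	# Patch CVE-2024-6387
+	# see https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+	patch -p1 < $stuff/CVE-2024-6387.patch
+
 	unset LD # for cross compiling with --disable-strip
 	./configure \
 		--prefix=/usr \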
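--- /dev/null
+++ b/openssh/stuff/CVE-2024-6387.patch
@@ -0,0 +1,17 @@
+--- a/log.c
++++ b/log.c
+@@ -451,12 +451,14 @@
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+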