Merge branch 'XS-8.3'

Signed-off-by: Samuel Verschelde <[email protected]>
xcp-ng-rpms · Aug 12, 2024 · 6c42a6b · 6c42a6b
2 parents 1e045e1 + 608b454
commit 6c42a6b
Show file tree

Hide file tree

Showing 6 changed files with 406 additions and 129 deletions.
diff --git a/SOURCES/openssh-6.6p1-systemd.patch b/SOURCES/openssh-6.6p1-systemd.patch
diff --git a/SOURCES/openssh-9.8p1-cve-2024-6387.patch b/SOURCES/openssh-9.8p1-cve-2024-6387.patch
@@ -0,0 +1,78 @@
+From 81c1099d22b81ebfd20a334ce986c4f753b0db29 Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Thu, 6 Jun 2024 17:15:25 +0000
+Subject: [PATCH] upstream: Add a facility to sshd(8) to penalise particular
+
+problematic client behaviours, controlled by two new sshd_config(5) options:
+PerSourcePenalties and PerSourcePenaltyExemptList.
+
+When PerSourcePenalties are enabled, sshd(8) will monitor the exit
+status of its child pre-auth session processes. Through the exit
+status, it can observe situations where the session did not
+authenticate as expected. These conditions include when the client
+repeatedly attempted authentication unsucessfully (possibly indicating
+an attack against one or more accounts, e.g. password guessing), or
+when client behaviour caused sshd to crash (possibly indicating
+attempts to exploit sshd).
+
+When such a condition is observed, sshd will record a penalty of some
+duration (e.g. 30 seconds) against the client's address. If this time
+is above a minimum threshold specified by the PerSourcePenalties, then
+connections from the client address will be refused (along with any
+others in the same PerSourceNetBlockSize CIDR range).
+
+Repeated offenses by the same client address will accrue greater
+penalties, up to a configurable maximum. A PerSourcePenaltyExemptList
+option allows certain address ranges to be exempt from all penalties.
+
+We hope these options will make it significantly more difficult for
+attackers to find accounts with weak/guessable passwords or exploit
+bugs in sshd(8) itself.
+
+PerSourcePenalties is off by default, but we expect to enable it
+automatically in the near future.
+
+much feedback markus@ and others, ok markus@
+
+OpenBSD-Commit-ID: 89ded70eccb2b4926ef0366a4d58a693de366cca
+
+XenServer changes:
+This is a partial backport of the fix for CVE-2024-6387.
+The existing code in XenServer is not vulnerable to the specific issue
+exploited in CVE-2024-6387 since the buggy code is #ifdef'd out.
+However, the signal handler may potentially call malloc() in other code
+paths. A call to malloc() in a signal handler could race with another
+memory allocator call which could then be exploited. Therefore, backport
+the relevant part of the upstream fix which removes the potentially
+buggy code completely.
+
+This is not a complete backport since the upstream fix is part of a
+large commit that changes far more than fixing the immediate issue with
+the signal handler.
+
+Signed-off-by: Ross Lagerwall <[email protected]>
+diff --git a/sshd.c b/sshd.c
+index 408a9bfbbe03..704e98a3dde2 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -357,6 +357,8 @@ main_sigchld_handler(int sig)
+ 	errno = save_errno;
+ }
+
++#define EXIT_LOGIN_GRACE       3       /* login grace period exceeded */
++
+ /*
+  * Signal handler for the alarm after the login grace period has expired.
+  */
+@@ -375,10 +377,7 @@ grace_alarm_handler(int sig)
+ 		signal(SIGTERM, SIG_IGN);
+ 		kill(0, SIGTERM);
+ 	}
+-
+-	/* Log error and exit. */
+-	sigdie("Timeout before authentication for %s port %d",
+-	    ssh_remote_ipaddr(active_state), ssh_remote_port(active_state));
++	_exit(EXIT_LOGIN_GRACE);
+ }
+
+ static void
diff --git a/SOURCES/openssh-9.8p1-systemd-1.patch b/SOURCES/openssh-9.8p1-systemd-1.patch
@@ -0,0 +1,60 @@
+From 166927fd410823eec8a7b2472463db51e0e6fef5 Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Tue, 12 Nov 2019 22:32:48 +0000
+Subject: [PATCH] upstream: add xvasprintf()
+
+OpenBSD-Commit-ID: e5e3671c05c121993b034db935bce1a7aa372247
+---
+ xmalloc.c | 21 ++++++++++++++-------
+ xmalloc.h |  4 +++-
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/xmalloc.c b/xmalloc.c
+index 9cd0127dd3c7..b48d33bbf68c 100644
+--- a/xmalloc.c
++++ b/xmalloc.c
+@@ -95,6 +95,17 @@ xstrdup(const char *str)
+ 	return cp;
+ }
+
++int
++xvasprintf(char **ret, const char *fmt, va_list ap)
++{
++	int i;
++
++	i = vasprintf(ret, fmt, ap);
++	if (i < 0 || *ret == NULL)
++		fatal("xvasprintf: could not allocate memory");
++	return i;
++}
++
+ int
+ xasprintf(char **ret, const char *fmt, ...)
+ {
+@@ -102,11 +113,7 @@ xasprintf(char **ret, const char *fmt, ...)
+ 	int i;
+
+ 	va_start(ap, fmt);
+-	i = vasprintf(ret, fmt, ap);
++	i = xvasprintf(ret, fmt, ap);
+ 	va_end(ap);
+-
+-	if (i < 0 || *ret == NULL)
+-		fatal("xasprintf: could not allocate memory");
+-
+-	return (i);
++	return i;
+ }
+diff --git a/xmalloc.h b/xmalloc.h
+index 1d5f62df77a3..abaf7ada2c6c 100644
+--- a/xmalloc.h
++++ b/xmalloc.h
+@@ -24,3 +24,5 @@ char	*xstrdup(const char *);
+ int	 xasprintf(char **, const char *, ...)
+                 __attribute__((__format__ (printf, 2, 3)))
+                 __attribute__((__nonnull__ (2)));
++int	 xvasprintf(char **, const char *, va_list)
++		__attribute__((__nonnull__ (2)));
+-- 
+2.45.2
+