openssh: fix for CVE-2014-2532

sshd in OpenSSH before 6.6 does not properly support wildcards on
AcceptEnv lines in sshd_config, which allows remote attackers to
bypass intended environment restrictions by using a substring located
before a wildcard character.

(From OE-Core rev: a8d3b8979c27a8dc87971b66a1d9d9282f660596)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
	meta/recipes-connectivity/openssh/openssh_6.5p1.bb

diff --git a/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2532.patch b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2532.patch
new file mode 100644 (file)
index 0000000..3deaf3f
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/openssh-CVE-2014-2532.patch
@@ -0,0 +1,22 @@
+Upstream-Status: Backport
+
+Fix for CVE-2014-2532
+
+Backported from openssh-6.6p1.tar.gz
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+--- a/session.c
++++ b/session.c
+@@ -955,6 +955,11 @@
+       u_int envsize;
+       u_int i, namelen;
+ 
++      if (strchr(name, '=') != NULL) {
++              error("Invalid environment variable \"%.100s\"", name);
++              return;
++      }
++
+       /*
+        * If we're passed an uninitialized list, allocate a single null
+        * entry before continuing.

diff --git a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
index d19cc5a6b2fcc28ddd2325e86d7e3ae65d1917c7..5e6c03c4a5d85efe0d684e27b3e1b34763fe9934 100644 (file)
--- a/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.5p1.bb
@@ -27,7 +27,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
            file://sshd.socket \
            file://sshd@.service \
            file://sshdgenkeys.service \
-           file://volatiles.99_sshd "
+           file://volatiles.99_sshd \
+           file://openssh-CVE-2014-2532.patch"
 
 PAM_SRC_URI = "file://sshd"