https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt """ [...] Preliminary note: OpenSSH is one of the most secure software in the world; this vulnerability is one slip-up in an otherwise near-flawless implementation. Its defense-in-depth design and code are a model and an inspiration, and we thank OpenSSH's developers for their exemplary work. We discovered a vulnerability (a signal handler race condition) in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()). This race condition affects sshd in its default configuration. On investigation, we realized that this vulnerability is in fact a regression of CVE-2006-5051 ("Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code"), which was reported in 2006 by Mark Dowd. This regression was introduced in October 2020 (OpenSSH 8.5p1) by commit 752250c ("revised log infrastructure for OpenSSH"), which accidentally removed an "#ifdef DO_LOG_SAFE_IN_SIGHAND" from sigdie(), a function that is directly called by sshd's SIGALRM handler. In other words: - OpenSSH < 4.4p1 is vulnerable to this signal handler race condition, if not backport-patched against CVE-2006-5051, or not patched against CVE-2008-4109, which was an incorrect fix for CVE-2006-5051; - 4.4p1 <= OpenSSH < 8.5p1 is not vulnerable to this signal handler race condition (because the "#ifdef DO_LOG_SAFE_IN_SIGHAND" that was added to sigdie() by the patch for CVE-2006-5051 transformed this unsafe function into a safe _exit(1) call); - 8.5p1 <= OpenSSH < 9.8p1 is vulnerable again to this signal handler race condition (because the "#ifdef DO_LOG_SAFE_IN_SIGHAND" was accidentally removed from sigdie()). This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd's privileged code, which is not sandboxed and runs with full privileges. We have not investigated any other libc or operating system; but OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001. [...] """
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=083d7d12832b91073f5cac94df2ba067495857a7 commit 083d7d12832b91073f5cac94df2ba067495857a7 Author: Sam James <sam@gentoo.org> AuthorDate: 2024-07-01 08:40:45 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-07-01 08:40:45 +0000 net-misc/openssh: add 9.8_p1 This fixes CVE-2024-6387 but I'm going to backport a fix to 9.7 shortly as 9.8_p1 isn't a good stable candidate given it's only just been released and has many other changes. Bug: https://bugs.gentoo.org/935271 Signed-off-by: Sam James <sam@gentoo.org> net-misc/openssh/Manifest | 2 + net-misc/openssh/openssh-9.8_p1.ebuild | 398 +++++++++++++++++++++++++++++++++ 2 files changed, 400 insertions(+)
Upstream made patch suggestions at https://marc.info/?l=oss-security&m=171982317624594&w=2.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1633ef45475afb9eea04e9cf27021c9d994af338 commit 1633ef45475afb9eea04e9cf27021c9d994af338 Author: Sam James <sam@gentoo.org> AuthorDate: 2024-07-01 08:51:48 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-07-01 08:54:59 +0000 net-misc/openssh: backport CVE-2024-6387 fix to 9.6_p1-r5, 9.7_p1-r6 This applies upstream's backport suggestions from https://marc.info/?l=oss-security&m=171982317624594&w=2 for both CVE-2024-6387 and a "minor logic error in ObscureKeystrokeTiming". Bug: https://bugs.gentoo.org/935271 Signed-off-by: Sam James <sam@gentoo.org> .../files/openssh-9.6_p1-CVE-2024-6387.patch | 19 + .../openssh/files/openssh-9.6_p1-chaff-logic.patch | 16 + net-misc/openssh/openssh-9.6_p1-r5.ebuild | 392 ++++++++++++++++++++ net-misc/openssh/openssh-9.7_p1-r6.ebuild | 400 +++++++++++++++++++++ 4 files changed, 827 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9aab3ef968b7a6d58fa215223d116b98af7d399 commit b9aab3ef968b7a6d58fa215223d116b98af7d399 Author: Sam James <sam@gentoo.org> AuthorDate: 2024-07-01 09:59:36 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-07-01 10:22:02 +0000 net-misc/openssh: restart sshd on major version upgrades openssh-9.8_p1 again breaks cross-version compatibility, meaning that a running sshd with 9.7_p1 will no longer be able to accept connections after upgrading to 9.8_p1. We tried doing a news item on this in the past (bug #709748) and it ended up being insufficient and poorly coordinated (as you really need it again when stabling). Nobody is going to thank us for leaving their sshd broken, so pick the lesser evil and attempt to restart sshd on major version upgrades. This is especially important as people may be racing to upgrade to 9.8_p1 for the CVE-2024-6387 fix (although we have backported a fix to older versions). I also note there's precedent here with e.g. the systemd rebuild where it's done to avoid immediate breakage of user sessions. Thanks to kerframil who proposed a snippet for this some time ago whose work I've lifted here. Bug: https://bugs.gentoo.org/709748 Bug: https://bugs.gentoo.org/935271 Signed-off-by: Sam James <sam@gentoo.org> ...nssh-9.8_p1.ebuild => openssh-9.8_p1-r1.ebuild} | 33 ++++++++++++++++++++++ 1 file changed, 33 insertions(+)
Filed a stablereq for 9.7_p1-r6, see https://bugs.gentoo.org/935275#c0. It's not strictly a dependency for this bug as explained there but it maybe simplifies the GLSA and such and allows cleanup...
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da4d673c8709506f7aaaa5316f7fc3ccf2178b17 commit da4d673c8709506f7aaaa5316f7fc3ccf2178b17 Author: Sam James <sam@gentoo.org> AuthorDate: 2024-07-01 11:11:56 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-07-01 11:11:56 +0000 net-misc/openssh: drop 9.6_p1-r4, 9.7_p1-r2, 9.7_p1-r3, 9.7_p1-r5 Bug: https://bugs.gentoo.org/935271 Signed-off-by: Sam James <sam@gentoo.org> net-misc/openssh/openssh-9.6_p1-r4.ebuild | 390 ---------------------------- net-misc/openssh/openssh-9.7_p1-r2.ebuild | 403 ----------------------------- net-misc/openssh/openssh-9.7_p1-r3.ebuild | 404 ------------------------------ net-misc/openssh/openssh-9.7_p1-r5.ebuild | 398 ----------------------------- 4 files changed, 1595 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=812073712b87f878fc20506cca474c045b6a8b7e commit 812073712b87f878fc20506cca474c045b6a8b7e Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-07-01 18:03:48 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-07-01 18:06:02 +0000 [ GLSA 202407-09 ] OpenSSH: Remote Code Execution Bug: https://bugs.gentoo.org/935271 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202407-09.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=615ab9d0a7ea42e3fa992a2f728c45019f8706c2 commit 615ab9d0a7ea42e3fa992a2f728c45019f8706c2 Author: Patrick McLean <chutzpah@gentoo.org> AuthorDate: 2024-07-02 17:02:29 +0000 Commit: Patrick McLean <chutzpah@gentoo.org> CommitDate: 2024-07-02 17:07:07 +0000 net-misc/openssh-contrib: Revbump, add fix for CVE-2024-6387 Bug: https://bugs.gentoo.org/935271 Signed-off-by: Patrick McLean <chutzpah@gentoo.org> .../files/openssh-9.6_p1-CVE-2024-6387.patch | 19 ++++++++++++++ .../files/openssh-9.6_p1-chaff-logic.patch | 16 ++++++++++++ .../files/openssh-9.6_p1-fix-xmss-c99.patch | 20 +++++++++++++++ .../files/openssh-9.7_p1-X509-CVE-2024-6387.patch | 29 ++++++++++++++++++++++ ...-r3.ebuild => openssh-contrib-9.7_p1-r4.ebuild} | 11 +++++++- 5 files changed, 94 insertions(+), 1 deletion(-)
*** Bug 935388 has been marked as a duplicate of this bug. ***
