Changes since OpenSSH 9.3
=========================

This release fixes a security bug.

Security
========

Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
execution via a forwarded agent socket if the following conditions
are met:

* Exploitation requires the presence of specific libraries on the
  victim system.
* Remote exploitation requires that the agent was forwarded to an
  attacker-controlled system.

Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an
allowlist that contains only specific provider libraries.

This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.

In addition to removing the main precondition for exploitation, this
release removes the ability for remote ssh-agent(1) clients to load
PKCS#11 modules by default (see below).

Potentially-incompatible changes
--------------------------------

* ssh-agent(8): the agent will now refuse requests to load PKCS#11
  modules issued by remote clients by default. A flag has been added
  to restore the previous behaviour "-Oallow-remote-pkcs11".

  Note that ssh-agent(8) depends on the SSH client to identify
  requests that are remote. The OpenSSH >=8.9 ssh(1) client does
  this, but forwarding access to an agent socket using other tools
  may circumvent this restriction.
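As an added example (not part of the OpenSSH release notes quoted above), a Python model of how ssh-agent(1) applies its -P allowlist to a PKCS#11 provider path, following the pattern-list rules of OpenSSH's match.c (comma-separated patterns, '*' and '?' wildcards, a leading '!' negates) and the default list documented in ssh-agent(1); it shows why `ssh-agent -P ''` refuses every provider while a list naming specific library paths admits only those. The function names and the sample paths are this example's own; ssh-agent additionally resolves the path with realpath(3) before matching, which is not modelled.

```python
# Added example: a model of ssh-agent(1)'s -P allowlist check for PKCS#11
# providers. Pattern semantics follow OpenSSH match.c: comma-separated
# patterns, '*' and '?' wildcards, a leading '!' negates. Function names
# are this example's own. ssh-agent first canonicalises the provider path
# with realpath(3); that step is not modelled here.

# Default used by ssh-agent(1) when no -P option is given.
DEFAULT_ALLOWED_PROVIDERS = "/usr/lib*/*,/usr/local/lib*/*"


def match_pattern(s: str, pat: str) -> bool:
    """Glob match supporting only '*' and '?', as in OpenSSH's match_pattern()."""
    if not pat:
        return s == ""
    if pat[0] == "*":
        # '*' may consume any run of characters, including none
        return any(match_pattern(s[i:], pat[1:]) for i in range(len(s) + 1))
    if not s:
        return False
    if pat[0] == "?" or pat[0] == s[0]:
        return match_pattern(s[1:], pat[1:])
    return False


def match_pattern_list(s: str, patterns: str) -> int:
    """1 = positive match, -1 = a negated pattern matched, 0 = no match."""
    got_positive = False
    for pat in patterns.split(","):
        if not pat:  # an empty allowlist ('') contributes no patterns at all
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if match_pattern(s, pat):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def agent_accepts_provider(provider: str,
                           allowlist: str = DEFAULT_ALLOWED_PROVIDERS) -> bool:
    """ssh-agent only loads the library when the list match is a positive 1."""
    return match_pattern_list(provider, allowlist) == 1


if __name__ == "__main__":
    lib = "/usr/lib/pkcs11/opensc-pkcs11.so"  # constructed sample path
    print("default  :", agent_accepts_provider(lib))       # True
    print("-P ''    :", agent_accepts_provider(lib, ""))   # False: everything refused
    print("specific :", agent_accepts_provider(lib, lib))  # True: only this library
```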
I'm doing the bump.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=704e9eeeaeb28174462b3a4c68376f43bbfa6765

commit 704e9eeeaeb28174462b3a4c68376f43bbfa6765
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-07-19 14:41:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-19 14:41:16 +0000

    net-misc/openssh: add 9.3_p2

    Bug: https://bugs.gentoo.org/910553
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/openssh/Manifest              |   2 +
 net-misc/openssh/openssh-9.3_p2.ebuild | 379 +++++++++++++++++++++++++++++++++
 2 files changed, 381 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=6394ef8ae23b1cf183b45b603eceea6389a3c371

commit 6394ef8ae23b1cf183b45b603eceea6389a3c371
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-07-20 02:17:18 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-20 02:18:28 +0000

    [ GLSA 202307-01 ] OpenSSH: Remote Code Execution

    Bug: https://bugs.gentoo.org/892936
    Bug: https://bugs.gentoo.org/905299
    Bug: https://bugs.gentoo.org/910553
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202307-01.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86ac5c16e3149458710b691e1cad81c50be8d661

commit 86ac5c16e3149458710b691e1cad81c50be8d661
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-07-30 16:26:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-30 16:42:29 +0000

    sys-devel/binutils: add various hardening options to 2.41

    Newer Binutils has several configure arguments we can use:
    * --enable-textrel-check={warning,error}
    * --enable-warn-execstack=yes (*)
    * --enable-warn-rwx-segments=yes (*)
    * --enable-default-execstack=no

    We chuck these in now unconditionally (with some stricter changes for
    USE=hardened, as described below) except for those marked with (*)
    where we whitelist certain arches (amd64/arm64/x86 for now) because
    the autoconf logic is broken, see
    https://sourceware.org/bugzilla/show_bug.cgi?id=29592 (it both needs
    --enable...=no rather than --disable, and it also breaks arches where
    executable stacks are unavoidable.)

    In the past (see 47b8db23ff55dd29992198dfbadda53984a4ab2d,
    e4b8746852919960969944904c59334cecddfe25 in binutils-patches.git), we
    patched Binutils to always warn on textrels (opt-out on a per-build
    basis with '--no-warn-shared-textrel'). From >= Binutils 2.35,
    upstream has a '--enable-textrel-check=warning' configure option we
    use.

    For USE=hardened, our new changes for TEXTRELs are equivalent to
    `-z text` which makes TEXTRELs fatal.

    Now, while at it, also make TEXTRELs fatal on musl unconditionally
    because musl doesn't support them and they explode at runtime. Yet
    another reason to get rid of them entirely.

    So, in summary, there are several changes here:
    * Make textrels fatal for USE=hardened (we've warned about them for
      a while on all profiles)
    * Make textrels fatal for musl (they don't work there at all, bug
      #707660)
    * Disable implicit/automatic executable stacks for USE=hardened
      (plan to do this in general later on)
    * Warn on executable stacks in general
    * Warn on RWX segments in general

    See also
    https://www.redhat.com/en/blog/linkers-warnings-about-executable-stacks-and-segments
    for more information.

    All of this came to mind again after reading the Qualys writeup for
    the recent OpenSSH bug (bug #910553):
    https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt.
    (Note their use of various gadgets involving these.)

    Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=29592
    Bug: https://bugs.gentoo.org/707660
    Bug: https://bugs.gentoo.org/869881
    Bug: https://bugs.gentoo.org/871150
    Bug: https://bugs.gentoo.org/910553
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/binutils/binutils-2.41.ebuild | 43 +++++++++++++++++++++++-------
 sys-devel/binutils/binutils-9999.ebuild | 47 ++++++++++++++++++++++++---------
 2 files changed, 68 insertions(+), 22 deletions(-)
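As an added example (not part of the Gentoo commit above), a small Python checker for the two properties the new Binutils link-time warnings target: an executable stack (a PT_GNU_STACK header carrying PF_X, or no PT_GNU_STACK header at all) and a PT_LOAD segment mapped read-write-execute. It runs offline against a constructed minimal little-endian ELF64 header; `build_elf64`, `check_segments` and `elf64_program_headers` are this example's own names.

```python
# Added example: inspect a built ELF64 image for what Binutils'
# --enable-warn-execstack / --enable-warn-rwx-segments warn about at
# link time. Assumes a little-endian ELF64 image; names are this
# example's own.
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def elf64_program_headers(data: bytes):
    """Yield (p_type, p_flags) for each program header of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        yield struct.unpack_from("<II", data, e_phoff + i * e_phentsize)


def check_segments(data: bytes) -> dict:
    """Report executable-stack and RWX-segment findings for one image."""
    phdrs = list(elf64_program_headers(data))
    stack = [f for t, f in phdrs if t == PT_GNU_STACK]
    # Without a PT_GNU_STACK header the Linux loader on x86/amd64 falls
    # back to an executable stack, which is why the linker warns on it.
    exec_stack = not stack or any(f & PF_X for f in stack)
    rwx = PF_R | PF_W | PF_X
    rwx_segment = any(t == PT_LOAD and (f & rwx) == rwx for t, f in phdrs)
    return {"exec_stack": exec_stack, "rwx_segment": rwx_segment}


def build_elf64(phdrs) -> bytes:
    """Constructed minimal ELF64 (x86-64, ET_EXEC): header + program headers only."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                    for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    hardened = build_elf64([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                            (PT_GNU_STACK, PF_R | PF_W)])
    legacy = build_elf64([(PT_LOAD, PF_R | PF_W | PF_X),
                          (PT_GNU_STACK, PF_R | PF_W | PF_X)])
    print(check_segments(hardened))  # {'exec_stack': False, 'rwx_segment': False}
    print(check_segments(legacy))    # {'exec_stack': True, 'rwx_segment': True}
```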
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceede2829d93ddc41a45fb1502e537f369fff5c0

commit ceede2829d93ddc41a45fb1502e537f369fff5c0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-12-28 03:07:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-28 03:07:11 +0000

    net-misc/openssh: drop 9.3_p1-r1, 9.3_p2

    Bug: https://bugs.gentoo.org/910553
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/openssh/Manifest                 |   4 -
 net-misc/openssh/openssh-9.3_p1-r1.ebuild | 380 -----------------------------
 net-misc/openssh/openssh-9.3_p2.ebuild    | 383 ------------------------------
 3 files changed, 767 deletions(-)