[AUTO-CHERRYPICK] openssh: fix "regresshion" CVE, CVE-2024-6387, with patch from debian. - branch main (#9565)

CBL-Mariner-Bot · SeanDougherty · jslobodzian · commit 450c3cc9a477 · 2024-07-11T05:20:53.000-07:00
Co-authored-by: SeanDougherty &lt;sdougherty@microsoft.com&gt;
diff --git a/SPECS/openssh/CVE-2024-6387.patch b/SPECS/openssh/CVE-2024-6387.patch
@@ -0,0 +1,32 @@
+From 46bbf63bfa678cfb48ba8f2c0012101db5b3c691 Mon Sep 17 00:00:00 2001
+From: Sean Dougherty <sdougherty@microsoft.com>
+Date: Tue, 2 Jul 2024 18:20:49 +0000
+Subject: [PATCH] Description: fix signal handler race condition for
+ Regresshion CVE. https://nvd.nist.gov/vuln/detail/CVE-2024-6387
+
+---
+ log.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/log.c b/log.c
+index 99bf046..2d231ca 100644
+--- a/log.c
++++ b/log.c
+@@ -451,12 +451,13 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ 	va_list args;
+-
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+ 
+-- 
+2.39.4
+
diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec
@@ -3,7 +3,7 @@
 Summary:        Free version of the SSH connectivity tools
 Name:           openssh
 Version:        %{openssh_ver}
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -46,6 +46,8 @@ Patch318:       CVE-2023-48795-0008-upstream-Limit-number-of-entries-in-SSH2_MSG
 Patch319:       CVE-2023-48795-0009-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch
 # Patch for CVE-2023-28531 can be removed if openssh is upgraded to version 9.3p1 or greater
 Patch350:       CVE-2023-28531.patch
+# Patch for CVE-2024-6387 can be removed if openssh is upgraded to version 9.8p1 or greater
+Patch351:       CVE-2024-6387.patch
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  e2fsprogs-devel
@@ -131,6 +133,7 @@ popd
 %patch318 -p1 -b .cve-2023-48795-0008
 %patch319 -p1 -b .cve-2023-48795-0009
 %patch350 -p1 -b .cve-2023-28531
+%patch351 -p1 -b .cve-2024-6387
 
 %build
 export CFLAGS="$CFLAGS -fpic"
@@ -287,6 +290,9 @@ fi
 %{_mandir}/man8/ssh-sk-helper.8.gz
 
 %changelog
+* Tue Jul 2 2024 Sean Dougherty <sdougherty@microsoft.com> - 8.9p1-6
+- Add patch for CVE-2024-6387 (a.k.a. "regresshion") using Debian's source as guidance.
+
 * Tue Jun 25 2024 Sam Meluch <sammeluch@microsoft.com> - 8.9p1-5
 - Add patch for CVE-2023-28531
 
