Bug 280068 - security/openssh-portable: Security fix for CVE-2024-6387
Summary: security/openssh-portable: Security fix for CVE-2024-6387
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Bryan Drewery
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-01 10:51 UTC by Bernard Spil
Modified: 2024-07-03 10:05 UTC (History)

See Also:
bdrewery: maintainer-feedback+


Attachments
git diff for security/openssh-portable (1.68 KB, patch)
2024-07-01 10:51 UTC, Bernard Spil

Description Bernard Spil 2024-07-01 10:51:19 UTC
Created attachment 251810 [details]
git diff for security/openssh-portable

```
security/openssh-portable: Security fix for CVE-2024-6387

PR:
Security:
```

Patch from FreeBSD 14.1-p2
Comment 1 Bernard Spil 2024-07-01 11:07:31 UTC
Dang... Staged the changes to create a patch, and forgot to unstage before committing the vuxml entry.

So forward in 66a620a734b489596452f342224330207c6e23b1
And backwards in 6c74a768ede70109e336be37bf3fe2ae655cd2b6

Can't revert the PORTREVISION bump.

Sorry...
Comment 2 Dave Hayes 2024-07-01 17:51:26 UTC
I'm confused. You reverted the patch for the CVE? Why?
Comment 3 Bryan Drewery 2024-07-01 20:09:07 UTC
I don't know why this was reverted but I am updating the port to 9.8 right now.
Comment 4 Bryan Drewery 2024-07-01 20:48:15 UTC
9.8 is more involved and risky. Please commit this patch if it is a valid workaround for now and backport to quarterly.
Comment 5 Jason Tubnor 2024-07-01 23:19:37 UTC
Any update when the patch will hit latest and quarterly for those that track portable rather than base?
Comment 6 Bernard Spil 2024-07-02 13:18:09 UTC
(In reply to Dave Hayes from comment #2)

It's not my port, so requires maintainer-approval before committing.
Comment 7 Bernard Spil 2024-07-02 13:21:41 UTC
(In reply to Bryan Drewery from comment #4)

Currently travelling...

There's https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html from djm which has an extra patch in there vs. Base.

Noticed that 9.8 wasn't trivial to port, so patched 9.7.
Comment 8 commit-hook 2024-07-02 16:12:11 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7b31ce1eeeb40098b213a153e10530a196b52322

commit 7b31ce1eeeb40098b213a153e10530a196b52322
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2024-07-02 16:08:13 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2024-07-02 16:08:13 +0000

    security/openssh-portable: Bring in patches for recent CVES

    Source: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
    PR:     280068

 security/openssh-portable/Makefile                 |  2 +-
 .../openssh-portable/files/patch-9.8-cves (new)    | 56 ++++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)
Comment 9 commit-hook 2024-07-02 16:12:13 UTC
A commit in branch 2024Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=82c70bd1c2dbe11711390d24b0666cb31f5c4222

commit 82c70bd1c2dbe11711390d24b0666cb31f5c4222
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2024-07-02 16:08:13 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2024-07-02 16:10:56 +0000

    security/openssh-portable: Bring in patches for recent CVES

    Source: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
    PR:     280068
    (cherry picked from commit 7b31ce1eeeb40098b213a153e10530a196b52322)

 security/openssh-portable/Makefile                 |  2 +-
 .../openssh-portable/files/patch-9.8-cves (new)    | 56 ++++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)
Comment 10 Dave Hayes 2024-07-02 16:47:03 UTC
Thank you very much for the fix!
Comment 11 Jason Tubnor 2024-07-02 22:14:26 UTC
Thank you.

For those tracking, it appears the cluster hasn't completed builds and pushed out to nodes so you may want to build yourself.
Comment 12 Einar Bjarni Halldórsson 2024-07-03 10:05:57 UTC
Is the vuxml entry wrong or the version string of the patched version?

```json
{
    "pkg_count": 1,
    "packages": {
        "openssh-portable": {
            "version": "9.7.p1_2,1",
            "issue_count": 1,
            "issues": [
                {
                    "Affected versions": [
                        "< 9.7_1,1"
                    ],
                    "description": "OpenSSH -- Race condition resulting in potential remote code execution",
                    "cve": [
                        "CVE-2024-6387"
                    ],
                    "url": "https://vuxml.FreeBSD.org/freebsd/f1a00122-3797-11ef-b611-84a93843eb75.html"
                }
            ],
            "reverse dependencies": [

            ]
        }
    }
}
```