Add SA-17:01.

3 files changed, 345 insertions, 0 deletions

diff --git a/share/security/advisories/FreeBSD-SA-17:01.openssh.asc b/share/security/advisories/FreeBSD-SA-17:01.openssh.asc
new file mode 100644
index 0000000000..07ea5bbbff
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-17:01.openssh.asc
@@ -0,0 +1,158 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-17:01.openssh                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSH multiple vulnerabilities
+
+Category:       contrib
+Module:         OpenSSH
+Announced:      2017-01-11
+Affects:        All supported versions of FreeBSD.
+Corrected:      2017-01-11 05:56:40 UTC (stable/11, 11.0-STABLE)
+                2017-01-11 06:01:23 UTC (releng/11.0, 11.0-RELEASE-p7)
+                2017-01-11 05:56:40 UTC (stable/10, 10.3-STABLE)
+                2017-01-11 06:01:23 UTC (releng/10.3, 10.3-RELEASE-p16)
+CVE Name:       CVE-2016-10009, CVE-2016-10010
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.
+
+OpenSSH supports accessing keys provided by a PKCS#11 token.
+
+II.  Problem Description
+
+The ssh-agent(1) agent supports loading a PKCS#11 module from outside a
+trusted whitelist.  An attacker can request loading of a PKCS#11 module
+across forwarded agent-socket. [CVE-2016-10009]
+
+When privilege separation is disabled, forwarded Unix domain sockets
+would be created by sshd(8) with the privileges of 'root' instead of
+the authenticated user. [CVE-2016-10010]
+
+III. Impact
+
+A remote attacker who have control of a forwarded agent-socket on a
+remote system and have the ability to write files on the system
+running ssh-agent(1) agent can run arbitrary code under the same user
+credential.  Because the attacker must already have some control on
+both systems, it is relatively hard to exploit this vulnerability in
+a practical attack. [CVE-2016-10009]
+
+When privilege separation is disabled (on FreeBSD, privilege separation
+is enabled by default and has to be explicitly disabled), an authenticated
+attacker can potentially gain root privileges on systems running OpenSSH
+server. [CVE-2016-10010]
+
+IV.  Workaround
+
+Systems not running ssh-agent(1) and sshd(8) services are not affected.
+
+System administrators may remove ssh-agent(1) to mitigate CVE-2016-10009.
+
+System administrators should enable privilege separation when running
+OpenSSH server, which is the FreeBSD default, to mitigate CVE-2016-10010.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Kill all running ssh-agent(1) process and restart sshd(8) service.
+A reboot is recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Kill all running ssh-agent(1) process and restart sshd(8) service.
+A reboot is recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch
+# fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch.asc
+# gpg --verify openssh.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Kill all running ssh-agent(1) process and restart sshd(8) service.
+A reboot is recommended but not required.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r311915
+releng/10.3/                                                      r311916
+stable/11/                                                        r311915
+releng/11.0/                                                      r311916
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.openssh.com/txt/release-7.4>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:01.openssh.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.16 (FreeBSD)
+
+iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlh1yuAACgkQ7Wfs1l3P
+auebFA//TGtwrub7JNTgKdc5qnpw+s8W1j0AnQ4wTaJ6v7zNyUB0DG+LHW4uXCwR
+xc9Etd2mhY26wJIUxx0Z3oArcqVBGpCGbozuIOU6AdgmHdOL3ddj8aq4SuC0PyMA
+0OvNgZIRPZxEm81MP+6/GES4JLmOumiNeAG/MrtITGJDP/K5vVPIst/+F7OJ4P2+
+OGrjqBWmAz2EMG62QUJI8oSwB+FJpXtWHKOC4fPGibAQe3vF1WequbcDkLsYl1pX
+Ktlk/qh9ivaQreM9rHkUDF0PYwFdsXzveze/TLNbEo+w43v/PAlyR+xw2+22VjGK
+fxTL8Gk2tMQfahGZwFmmQFPLcwNRcdjgnZcRRHA3z8vKgM831A53gV3KskUwZl4V
+DyKdXtl44zrZ7PtPJ1gJkPK6B8zzfjnSwzPC51pDjh30ps28Rgfc6JOyjxhX5BJ4
+sXvQ3meiEfVgVq3DpTqQ3mZVQ1pRF+yhPf1Ptts9fQzAD95JsFF0WT0nzbYoB2VY
+KrU4V7d/Ys+HIeQWgDwZlFuLOULlVZDW/H55PT5Tx9JvP5vRlZS/w2HHN7wwy8n5
+tNX9mcH8DuG7X/jWDR9ompbJp5uZqcKWVMHPQY7fnaLSJoQMqrpPgZ9tsw6wq347
+Vslm3qQwUTSGRagH0rBuHiVJmY/AeqY3lvsaZklWGIYMRjmUeA0=
+=3z/p
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-17:01/openssh.patch b/share/security/patches/SA-17:01/openssh.patch
new file mode 100644
index 0000000000..d876999eb5
--- /dev/null
+++ b/share/security/patches/SA-17:01/openssh.patch
@@ -0,0 +1,170 @@
+--- crypto/openssh/serverloop.c.orig
++++ crypto/openssh/serverloop.c
+@@ -995,7 +995,7 @@
+ 
+ 	/* XXX fine grained permissions */
+ 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+-	    !no_port_forwarding_flag) {
++	    !no_port_forwarding_flag && use_privsep) {
+ 		c = channel_connect_to_path(target,
+ 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
+ 	} else {
+@@ -1279,7 +1279,7 @@
+ 
+ 		/* check permissions */
+ 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+-		    || no_port_forwarding_flag) {
++		    || no_port_forwarding_flag || !use_privsep) {
+ 			success = 0;
+ 			packet_send_debug("Server has disabled port forwarding.");
+ 		} else {
+--- crypto/openssh/ssh-agent.1.orig
++++ crypto/openssh/ssh-agent.1
+@@ -48,6 +48,7 @@
+ .Op Fl a Ar bind_address
+ .Op Fl E Ar fingerprint_hash
+ .Op Fl t Ar life
++.Op Fl P Ar pkcs11_whitelist
+ .Op Ar command Op Ar arg ...
+ .Nm ssh-agent
+ .Op Fl c | s
+@@ -122,6 +123,18 @@
+ Kill the current agent (given by the
+ .Ev SSH_AGENT_PID
+ environment variable).
++.It Fl P
++Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
++that may be added using the
++.Fl s
++option to
++.Xr ssh-add 1 .
++The default is to allow loading PKCS#11 libraries from
++.Dq /usr/lib/*,/usr/local/lib/* .
++PKCS#11 libraries that do not match the whitelist will be refused.
++See PATTERNS in
++.Xr ssh_config 5
++for a description of pattern-list syntax.
+ .It Fl s
+ Generate Bourne shell commands on
+ .Dv stdout .
+--- crypto/openssh/ssh-agent.c.orig
++++ crypto/openssh/ssh-agent.c
+@@ -84,11 +84,16 @@
+ #include "misc.h"
+ #include "digest.h"
+ #include "ssherr.h"
++#include "match.h"
+ 
+ #ifdef ENABLE_PKCS11
+ #include "ssh-pkcs11.h"
+ #endif
+ 
++#ifndef DEFAULT_PKCS11_WHITELIST
++# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
++#endif
++
+ #if defined(HAVE_SYS_PRCTL_H)
+ #include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
+ #endif
+@@ -140,6 +145,9 @@
+ char socket_name[PATH_MAX];
+ char socket_dir[PATH_MAX];
+ 
++/* PKCS#11 path whitelist */
++static char *pkcs11_whitelist;
++
+ /* locking */
+ #define LOCK_SIZE	32
+ #define LOCK_SALT_SIZE	16
+@@ -761,7 +769,7 @@
+ static void
+ process_add_smartcard_key(SocketEntry *e)
+ {
+-	char *provider = NULL, *pin;
++	char *provider = NULL, *pin, canonical_provider[PATH_MAX];
+ 	int r, i, version, count = 0, success = 0, confirm = 0;
+ 	u_int seconds;
+ 	time_t death = 0;
+@@ -793,10 +801,21 @@
+ 			goto send;
+ 		}
+ 	}
++	if (realpath(provider, canonical_provider) == NULL) {
++		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
++		    provider, strerror(errno));
++		goto send;
++	}
++	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
++		verbose("refusing PKCS#11 add of \"%.100s\": "
++		    "provider not whitelisted", canonical_provider);
++		goto send;
++	}
++	debug("%s: add %.100s", __func__, canonical_provider);
+ 	if (lifetime && !death)
+ 		death = monotime() + lifetime;
+ 
+-	count = pkcs11_add_provider(provider, pin, &keys);
++	count = pkcs11_add_provider(canonical_provider, pin, &keys);
+ 	for (i = 0; i < count; i++) {
+ 		k = keys[i];
+ 		version = k->type == KEY_RSA1 ? 1 : 2;
+@@ -804,8 +823,8 @@
+ 		if (lookup_identity(k, version) == NULL) {
+ 			id = xcalloc(1, sizeof(Identity));
+ 			id->key = k;
+-			id->provider = xstrdup(provider);
+-			id->comment = xstrdup(provider); /* XXX */
++			id->provider = xstrdup(canonical_provider);
++			id->comment = xstrdup(canonical_provider); /* XXX */
+ 			id->death = death;
+ 			id->confirm = confirm;
+ 			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+@@ -1200,7 +1219,7 @@
+ {
+ 	fprintf(stderr,
+ 	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+-	    "                 [-t life] [command [arg ...]]\n"
++	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
+ 	    "       ssh-agent [-c | -s] -k\n");
+ 	fprintf(stderr, "  -x          Exit when the last client disconnects.\n");
+ 	exit(1);
+@@ -1246,7 +1265,7 @@
+ 	__progname = ssh_get_progname(av[0]);
+ 	seed_rng();
+ 
+-	while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) {
++	while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
+ 		switch (ch) {
+ 		case 'E':
+ 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
+@@ -1261,6 +1280,11 @@
+ 		case 'k':
+ 			k_flag++;
+ 			break;
++		case 'P':
++			if (pkcs11_whitelist != NULL)
++				fatal("-P option already specified");
++			pkcs11_whitelist = xstrdup(optarg);
++			break;
+ 		case 's':
+ 			if (c_flag)
+ 				usage();
+@@ -1298,6 +1322,9 @@
+ 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
+ 		usage();
+ 
++	if (pkcs11_whitelist == NULL)
++		pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
++
+ 	if (ac == 0 && !c_flag && !s_flag) {
+ 		shell = getenv("SHELL");
+ 		if (shell != NULL && (len = strlen(shell)) > 2 &&
+@@ -1445,7 +1472,7 @@
+ 	signal(SIGTERM, cleanup_handler);
+ 	nalloc = 0;
+ 
+-	if (pledge("stdio cpath unix id proc exec", NULL) == -1)
++	if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
+ 		fatal("%s: pledge: %s", __progname, strerror(errno));
+ 	platform_pledge_agent();
+ 
diff --git a/share/security/patches/SA-17:01/openssh.patch.asc b/share/security/patches/SA-17:01/openssh.patch.asc
new file mode 100644
index 0000000000..92781c143e
--- /dev/null
+++ b/share/security/patches/SA-17:01/openssh.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.16 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlh1yvIACgkQ7Wfs1l3P
+aueENxAA2X3idqTkyums/ZHD7VJm1XKo+Nyoa1iGHjxcBpipjKfzvx7fSzHdNWLu
+wFVAr7XAqtpQF8EzkhzdrN/tGVOpc+qqQv4MwGPmG8SgOnRHIgbscOwIdeDixp40
+wMtLoP8QGxoYZlT7mPmkLqumtz+f22nO7BZCXOtY/f1e7weGBhoau1+s4ozHLpoA
+10dCHTmofGoWjSBVK/m25GZQ+dE4NjvLxTpysYq+ehDSfwRSn8fhYjqc98gEwz2q
+/FCtxT8wkrnRrCyIs7Wh4it76XhTZL/tXrTgtpZPBbyNkoNn40YJM9fs9EOZ2X+/
+N5f996ApeX6QHkALMjOwTpmPT9QfkJcqv3Q52ie9CaNQW2Eh/aHUWZywgUnoZcr1
+TfUm3uUTj9HQYS/IzdJHEuVZ/S4X2SEnVG/MtcVGWaKACL5ePRzo/wngV/IoM9x/
+yiW0MuzLRXEZPcO/oEcSLCsVzAv8FT4UBVEteIDyWKJAkLX0jAFMniiITAxxIMAa
+SHHHQPms7udVbBTXdbRbaWuMQFxVfeahTT0os0zLxBsGteKzFF1L69RvNx0dh8oY
+kJaFU93N5T1yoen2QEkoDqfYskIVsDzQpyNT9pS6pdZKXDwK2/y73XXmOD5jblp2
+5z3BNFdxoN647AAXr9+0TYm1Ax4TDoAmJlPOZroWPqJ0Bpoc4XI=
+=avDp
+-----END PGP SIGNATURE-----