From 76f4e48631d7b09fb243b47d7b393d100d3741b7 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Wed, 13 Jul 2022 13:17:47 +1000
Subject: [PATCH] Only refuse to use OpenSSL 3.0.4 on x86_64.

The potential RCE only impacts x86_64, so only refuse to use it if we're targetting a potentially impacted architecture.
ok djm@
---
 configure.ac | 10 +++++++++-
 regress/keyscan.sh | 13 +++++++++++++
 sftp-server-main.c | 2 --
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6ebdd06a2..0c6a57ebc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2796,7 +2796,6 @@ if test "x$openssl" = "xyes" ; then
 ;;
 101*) ;; # 1.1.x
 200*) ;; # LibreSSL
- 3000004*) AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)]) ;;
 300*) # OpenSSL 3; we use the 1.1x API
 CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
@@ -2820,6 +2819,15 @@ if test "x$openssl" = "xyes" ; then
 ]
 )
 
+ case "$host" in
+ x86_64-*)
+ case "$ssl_library_ver" in
+ 3000004*)
+ AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
+ ;;
+ esac
+ esac
+
 # Sanity check OpenSSL headers
 AC_MSG_CHECKING([whether OpenSSL's headers match the library])
 AC_RUN_IFELSE(
diff --git a/regress/keyscan.sh b/regress/keyscan.sh
index 75a14ee0e..0b8c33aa4 100644
--- a/regress/keyscan.sh
+++ b/regress/keyscan.sh
@@ -23,3 +23,16 @@ for t in $SSH_KEYTYPES; do
 fail "ssh-keyscan -t $t failed with: $r"
 fi
 done
+
+stop_sshd
+sleep 1
+
+trace "keyscan banner length"
+banner=""
+for i in `seq 245 256`; do
+ trace "keyscan length $i"
+ banner=`perl -le "print 'A'x$i"`
+ (printf "SSH-2.0-${banner}" | ${NC} -N -l $PORT >/dev/null) &
+ ${SSHKEYSCAN} -p $PORT 127.0.0.1
+ sleep 3
+done
diff --git a/sftp-server-main.c b/sftp-server-main.c
index 06566d36e..2c70f89bc 100644
--- a/sftp-server-main.c
+++ b/sftp-server-main.c
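Review bot: The new nested `case "$host"` block in the second configure.ac hunk carries no comment saying why the refusal is now limited to one architecture, so a reader sees a version check that was moved out of the `case "$ssl_library_ver"` dispatch a few lines up without the rationale that only the commit message gives. Add a one-line comment above it, `# CVE-2022-2274 (OpenSSL 3.0.4 RSA) only affects the x86_64 code path, so refuse the library only on that target`. Since version dispatch already exists in the earlier `case "$ssl_library_ver"` block, the `$host` test could alternatively be nested inside a `3000004*)` branch there, keeping all version-based decisions in one place. This remains a configure-time check against the library found at build time; a libcrypto replaced later at run time is not covered, which the comment could also state.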
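Review bot: The listener and the client in the new keyscan.sh loop are not synchronised: `${NC} -N -l $PORT` is started in the background and `${SSHKEYSCAN}` runs immediately, so on a slow host ssh-keyscan can connect before nc is bound and that iteration exercises nothing, while the fixed `sleep 3` after each of the 12 iterations adds roughly 36 seconds regardless. Consider replacing `sleep 3` with `wait` on the background listener (ssh-keyscan appears to have its own connection timeout, so this should not hang) and adding a comment naming what the loop checks, e.g. `# banner lengths around 255 bytes must not crash or hang ssh-keyscan`. Nothing in the loop inspects ssh-keyscan's result, so if the intent is to catch a crash on long banners, tracing its exit status would make a regression visible; that intent is inferred, since the commit message does not mention this test. The initial `banner=""` is overwritten on the first iteration and can be dropped.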
@@ -42,8 +42,6 @@ main(int argc, char **argv)
 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 sanitise_stdfd();
 
- seed_rng();
-
 if ((user_pw = getpwuid(getuid())) == NULL) {
 fprintf(stderr, "No user found for uid %lu\n",
 (u_long)getuid());