Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gh: patch CVE-2024-45337 #11820

Merged
merged 3 commits into from
Jan 9, 2025
+87 −3
Merged

gh: patch CVE-2024-45337 #11820

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a25db91
gh: patch CVE-2024-45337
mfrw Jan 8, 2025
6ad7fe4
Merge branch 'fasttrack/3.0' into mfrw/gh-CVE-2024-45337
jslobodzian Jan 9, 2025
d96da48
Merge branch 'fasttrack/3.0' into mfrw/gh-CVE-2024-45337
jslobodzian Jan 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 80 additions & 0 deletions SPECS/gh/CVE-2024-45337.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
From 66fd5d19c5ea8c7f4f7ff69bcc93a7c8231ce4cf Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <[email protected]>
Date: Tue, 3 Dec 2024 09:03:03 -0800
Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache

Users of the the ssh package seem to extremely commonly misuse the
PublicKeyCallback API, assuming that the key passed in the last call
before a connection is established is the key used for authentication.
Some users then make authorization decisions based on this key. This
property is not documented, and may not be correct, due to the caching
behavior of the package, resulting in users making incorrect
authorization decisions about the connection.

This change makes the cache a one entry FIFO cache, making the assumed
property, that the last call to PublicKeyCallback represents the key
actually used for authentication, actually hold.

Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and
Jules Duvivier from the Platform.sh / Upsun engineering team
for reporting this issue.

Fixes golang/go#70779
Fixes CVE-2024-45337

Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Signed-off-by: Muhammad Falak R Wani <[email protected]>
---
vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
index c2dfe32..39dcc09 100644
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) {
}

// cachedPubKey contains the results of querying whether a public key is
-// acceptable for a user.
+// acceptable for a user. This is a FIFO cache.
type cachedPubKey struct {
user string
pubKeyData []byte
@@ -157,7 +157,13 @@ type cachedPubKey struct {
perms *Permissions
}

-const maxCachedPubKeys = 16
+// maxCachedPubKeys is the number of cache entries we store.
+//
+// Due to consistent misuse of the PublicKeyCallback API, we have reduced this
+// to 1, such that the only key in the cache is the most recently seen one. This
+// forces the behavior that the last call to PublicKeyCallback will always be
+// with the key that is used for authentication.
+const maxCachedPubKeys = 1

// pubKeyCache caches tests for public keys. Since SSH clients
// will query whether a public key is acceptable before attempting to
@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {

// add adds the given tuple to the cache.
func (c *pubKeyCache) add(candidate cachedPubKey) {
- if len(c.keys) < maxCachedPubKeys {
- c.keys = append(c.keys, candidate)
+ if len(c.keys) >= maxCachedPubKeys {
+ c.keys = c.keys[1:]
}
+ c.keys = append(c.keys, candidate)
}

// ServerConn is an authenticated SSH connection, as seen from the
--
2.34.1

10 changes: 7 additions & 3 deletions SPECS/gh/gh.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: GitHub official command line tool
Name: gh
Version: 2.62.0
Release: 2%{?dist}
Release: 3%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -15,6 +15,8 @@ Source1: %{name}-%{version}-vendor.tar.gz

Patch0: 0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch
Patch1: CVE-2024-54132.patch
Patch2: CVE-2024-45337.patch

BuildRequires: golang < 1.23
BuildRequires: git
Requires: git
Expand All @@ -25,10 +27,9 @@ Requires: git
GitHub official command line tool.

%prep
%autosetup -p1 -n cli-%{version}
%autosetup -p1 -n cli-%{version} -a1

%build
tar --no-same-owner -xf %{SOURCE1}
export GOPATH=%{our_gopath}
# No mod download use vednor cache locally
export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external"
Expand Down Expand Up @@ -57,6 +58,9 @@ make test
%{_datadir}/zsh/site-functions/_gh

%changelog
* Wed Jan 08 2025 Muhammad Falak <[email protected]> - 2.62.0-3
- Patch CVE-2024-45337

* Fri Dec 13 2024 Sandeep Karambelkar <[email protected]> - 2.62.0-2
- Patch CVE-2024-54132

Expand Down
Loading