Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport the security patch of CVE-2024-39894 #1401

Open
wants to merge 1 commit into
base: releng/14.0
Choose a base branch
from
Open

Backport the security patch of CVE-2024-39894 #1401

wants to merge 1 commit into from

Conversation

Crispy-fried-chicken
Copy link

Hi,
we find the recurring vulnerability which shares the similarity of CVE-2024-39894 in you project with the version of release/14.0.0 and release/13.3.0. The patch of this CVE is openssh/openssh-portable@146c420 and we find that you've already fix it in the main branch, which is the commit b81424a. Is there a need to backport it?

@Crispy-fried-chicken
OpenSSH: correct logic error in ObscureKeystrokeTiming
fb78b23 
Cherry-pick fix:
upstream: when sending ObscureKeystrokeTiming chaff packets, we
can't rely on channel_did_enqueue to tell that there is data to send. This
flag indicates that the channels code enqueued a packet on _this_ ppoll()
iteration, not that data was enqueued in _any_ ppoll() iteration in the
timeslice. ok markus@

OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136

Obtained from:	openssh-portable 146c420d29d0
Reviewed by:	gordon
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45823
@jlduran
Copy link
Contributor

jlduran commented Sep 2, 2024

It's already in stable/14, and in stable/13. Patches to releng branches must go through the Security Officer.

@Crispy-fried-chicken
Copy link
Author

It's already in stable/14, and in stable/13. Patches to releng branches must go through the Security Officer.

So how can I do? or there is no need to backport?

@jlduran
Copy link
Contributor

jlduran commented Sep 3, 2024

I can answer the easy part:

This pull request cannot be accepted as is. If you consider that this bug1 should have received a Security Advisory, then you should follow this procedure: https://www.freebsd.org/security/.

Footnotes

  1. Logic error in ssh(1) ObscureKeystrokeTiming

    In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an OpenSSH server version 9.5 or later, a logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective - a passive observer could still detect which network packets contained real keystrokes when the countermeasure was active because both fake and real keystroke packets were being sent unconditionally.

    This bug was found by Philippos Giavridis and also independently by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the University of Cambridge Computer Lab.

    Worse, the unconditional sending of both fake and real keystroke packets broke another long-standing timing attack mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for traffic received on TTYs in echo-off mode, such as when entering a password into su(8) or sudo(8). This bug rendered these fake keystroke echoes ineffective and could allow a passive observer of a SSH session to once again detect when echo was off and obtain fairly limited timing information about keystrokes in this situation (20ms granularity by default).

    This additional implication of the bug was identified by Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and we thank them for their detailed analysis.

    This bug does not affect connections when ObscureKeystrokeTiming was disabled or sessions where no TTY was requested.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Crispy-fried-chicken @jlduran