Merging 9.3p2 to deal wth CVE-2023-38408. No other changes

aside from a version bump

Author: rapier1

README

@@ -1,4 +1,4 @@
-See https://www.openssh.com/releasenotes.html#9.3p1 for the release
+See https://www.openssh.com/releasenotes.html#9.3p2 for the release
 notes.
 
 Please read https://www.openssh.com/report.html for bug reporting

contrib/redhat/openssh.spec

@@ -1,4 +1,4 @@
-%global ver 9.3p1
+%global ver 9.3p2
 %global rel 1%{?dist}
 
 # OpenSSH privilege separation requires a user & group ID

contrib/suse/openssh.spec

@@ -13,7 +13,7 @@
 
 Summary:	OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:		openssh
-Version:	9.3p1
+Version:	9.3p2
 URL:		https://www.openssh.com/
 Release:	1
 Source0:	openssh-%{version}.tar.gz

hpnssh-agent.1

@@ -111,9 +111,27 @@ environment variable).
 .It Fl O Ar option
 Specify an option when starting
 .Nm .
-Currently only one option is supported:
+Currently two options are supported:
+.Cm allow-remote-pkcs11
+and
 .Cm no-restrict-websafe .
-This instructs
+.Pp
+The
+.Cm allow-remote-pkcs11
+option allows clients of a forwarded
+.Nm
+to load PKCS#11 or FIDO provider libraries.
+By default only local clients may perform this operation.
+Note that signalling that a
+.Nm
+client remote is performed by
+.Xr ssh 1 ,
+and use of other tools to forward access to the agent socket may circumvent
+this restriction.
+.Pp
+The
+.Cm no-restrict-websafe ,
+instructs
 .Nm
 to permit signatures using FIDO keys that might be web authentication
 requests.

ssh-agent.c

@@ -169,6 +169,12 @@ char socket_dir[PATH_MAX];
 /* Pattern-list of allowed PKCS#11/Security key paths */
 static char *allowed_providers;
 
+/*
+ * Allows PKCS11 providers or SK keys that use non-internal providers to
+ * be added over a remote connection (identified by [email protected]).
+ */
+static int remote_add_provider;
+
 /* locking */
 #define LOCK_SIZE	32
 #define LOCK_SALT_SIZE	16
@@ -1228,6 +1234,12 @@ process_add_identity(SocketEntry *e)
 		if (strcasecmp(sk_provider, "internal") == 0) {
 			debug_f("internal provider");
 		} else {
+			if (e->nsession_ids != 0 && !remote_add_provider) {
+				verbose("failed add of SK provider \"%.100s\": "
+				    "remote addition of providers is disabled",
+				    sk_provider);
+				goto out;
+			}
 			if (realpath(sk_provider, canonical_provider) == NULL) {
 				verbose("failed provider \"%.100s\": "
 				    "realpath: %s", sk_provider,
@@ -1391,6 +1403,11 @@ process_add_smartcard_key(SocketEntry *e)
 		error_f("failed to parse constraints");
 		goto send;
 	}
+	if (e->nsession_ids != 0 && !remote_add_provider) {
+		verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
+		    "providers is disabled", provider);
+		goto send;
+	}
 	if (realpath(provider, canonical_provider) == NULL) {
 		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
 		    provider, strerror(errno));
@@ -2050,7 +2067,9 @@ main(int ac, char **av)
 			break;
 		case 'O':
 			if (strcmp(optarg, "no-restrict-websafe") == 0)
-				restrict_websafe  = 0;
+				restrict_websafe = 0;
+			else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
+				remote_add_provider = 1;
 			else
 				fatal("Unknown -O option");
 			break;

ssh-pkcs11.c

@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
 		error("dlopen %s failed: %s", provider_id, dlerror());
 		goto fail;
 	}
-	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
-		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
-		goto fail;
-	}
+	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
+		fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
 	p = xcalloc(1, sizeof(*p));
 	p->name = xstrdup(provider_id);
 	p->handle = handle;

version.h

@@ -2,6 +2,6 @@
 
 #define SSH_VERSION	"OpenSSH_9.3"
 
-#define SSH_PORTABLE	"p1"
-#define SSH_HPN         "-hpn17v13"
+#define SSH_PORTABLE	"p2"
+#define SSH_HPN         "-hpn17v14"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN