From 3a474cb62eea4170bd4e58b05b7969e011995447 Mon Sep 17 00:00:00 2001
From: lingsheng <860373352@qq.com>
Date: Mon, 29 Apr 2024 07:21:45 +0000
Subject: [PATCH] fix CVE-2020-35850

Signed-off-by: lingsheng <860373352@qq.com>
(cherry picked from commit 7cb13c1d265c257dc49772f65509effc100bc621)
---
 backport-CVE-2020-35850.patch | 78 +++++++++++++++++++++++++++++++++++
 cockpit.spec | 9 +++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2020-35850.patch

diff --git a/backport-CVE-2020-35850.patch b/backport-CVE-2020-35850.patch
new file mode 100644
index 0000000..f82908b
--- /dev/null
+++ b/backport-CVE-2020-35850.patch
@@ -0,0 +1,78 @@
+From 29500b32c66dff16ec4aabf119a5772f007a007e Mon Sep 17 00:00:00 2001
+From: Martin Pitt
+Date: Wed, 5 Apr 2023 17:03:45 +0200
+Subject: [PATCH] ws: Disallow direct URL logins with LoginTo=false
+
+The current documentation of LoginTo= isn't very specific about what
+exactly happens with a "false" value; but it is plausible for an admin
+to assume that "false" would disallow logging into a remote host
+completely -- not merely hide the "Connect to:" field and then allowing
+a direct URL login anyway.
+
+It is sometimes important to disallow direct SSH logins from the login
+page on publicly exposed bastion hosts, as this functionality allows
+unauthenticated remote users to:
+
+ - scan the internal network for existing hosts, which might otherwise
+ not be accessible directly from the internet
+ (Fixes #18540, https://bugzilla.redhat.com/show_bug.cgi?id=2167006)
+
+ - scan the cockpit-ws host or internal network hosts for open ports
+ (Fixes #15077, https://bugzilla.redhat.com/show_bug.cgi?id=2018741)
+
+So change ws to reject direct URL logins with `LoginTo=false`. This
+happens most naturally in cockpit_session_launch(), as we still want to
+allow remote URLs from the shell's host switcher in already
+authenticated sessions. This will not produce a very friendly error
+message, but it doesn't have to be -- at that point specifying direct
+URLs can be considered hacking anyway.
+
+Clarify the documentation accordingly.
+Reference:https://github.com/cockpit-project/cockpit/commit/29500b32c66dff16ec4aabf119a5772f007a007e
+Conflict:return NULL -> goto out;adapt context;delete test
+---
+ doc/man/cockpit.conf.xml | 12 +++++++++---
+ src/ws/cockpitauth.c | 7 +++++++
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/doc/man/cockpit.conf.xml b/doc/man/cockpit.conf.xml
+index 798e1f3f5bf..eced0ebaaa2 100644
+--- a/doc/man/cockpit.conf.xml
++++ b/doc/man/cockpit.conf.xml
+@@ -87,9 +87,15 @@ ForwardedForHeader = X-Forwarded-For
+ 
+ 
+ When set to true the Connect to option
+- on the login screen is visible and allows logging into another server. If this
+- option is not specified then it will be automatically detected based on whether
+- the cockpit-ssh process is available or not.
++ on the login screen is visible and allows logging into another server. When set to
++ false, direct remote logins are disallowed. If this option is not specified
++ then it will be automatically detected based on whether the
++ cockpit-ssh process is available or not.
++
++ If cockpit-ws is exposed to the public internet, and also has access to a private
++ internal network, it is recommended to explicitly set LoginTo=false. This prevents
++ unauthenticated remote attackers from scanning the internal network for existing machines
++ and open ports.
+ 
+ 
+ 
+diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
+index bc62663d78a..9639a9c84de 100644
+--- a/src/ws/cockpitauth.c
++++ b/src/ws/cockpitauth.c
+@@ -1011,6 +1011,13 @@ cockpit_session_create (CockpitAuth *self,
+ goto out;
+ }
+
++ /* this might be unset, which means "allow if cockpit-ssh is installed"; if it isn't, this will fail later on */
++ if (host && !cockpit_conf_bool ("WebService", "LoginTo", TRUE)) {
++ g_set_error (error, COCKPIT_ERROR, COCKPIT_ERROR_AUTHENTICATION_FAILED,
++ "Direct remote login is disabled");
++ goto out;
++ }
++
+ /* These are the credentials we'll carry around for this session */
+ creds = build_session_credentials (self, connection, headers,
+ application, type, authorization);
diff --git a/cockpit.spec b/cockpit.spec
index 2c66ebe..4498390 100644
--- a/cockpit.spec
+++ b/cockpit.spec
@@ -1,7 +1,7 @@
 %bcond_with pcp
 Name: cockpit
 Version: 178
-Release: 13
+Release: 14
 Summary: A easy-to-use, integrated, glanceable, and open web-based interface for Linux servers
 License: LGPLv2+
 URL: https://cockpit-project.org/
@@ -10,6 +10,7 @@ Source0: https://github.com/cockpit-project/cockpit/releases/download/%{v
 Patch6000: CVE-2019-3804.patch
 Patch6001: backport-0001-CVE-2021-3660.patch
 Patch6002: backport-0002-CVE-2021-3660.patch
+Patch6003: backport-CVE-2020-35850.patch
 
 BuildRequires: gcc
 BuildRequires: pkgconfig(gio-unix-2.0) pkgconfig(json-glib-1.0) pkgconfig(polkit-agent-1) >= 0.105 pam-devel
@@ -208,6 +209,12 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
 %doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz}
 
 %changelog
+* Sun Apr 28 2024 lingsheng - 178-14
+- Type:CVE
+- ID:CVE-2020-35850
+- SUG:restart
+- DESC:fix CVE-2020-35850
+
 * Tue Jan 10 2023 zhangpan - 178-13
 - Type:NA
 - Id:NA
-- 
Gitee
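Review bot: The guard `if (host && !cockpit_conf_bool ("WebService", "LoginTo", TRUE))` was relocated from upstream's cockpit_session_launch() into cockpit_session_create() (the Conflict line records "adapt context"), so it should be confirmed that in the 178 tree `host` is already populated from the login request at this point of the function rather than derived further down; if it is still NULL here the check never fires and the CVE remains open. The early `goto out` runs before `creds` is assigned, so the `out:` label, which lies outside the hunk along with the rest of cockpit_session_create, must tolerate NULL creds; the preceding `goto out` in context suggests it does, but that is inferred and worth a glance. The Conflict line also records that the upstream regression test was deleted, leaving nothing in the package that verifies a direct remote-host URL login is rejected when LoginTo=false; a short manual-verification note in the changelog DESC, or a %check, would close that gap. Note that with LoginTo unset the third argument keeps the default TRUE, so the protection only applies where the admin explicitly sets LoginTo=false, as the added man-page text recommends.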