Fix two vulnerabilities in OpenSSH:

 - X11 forwarding information disclosure (CVE-2008-1483)
 - ForceCommand bypass vulnerability

4 files changed, 52 insertions, 12 deletions

diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 41ac038232a..1409e032c2f 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.186 2008/01/18 05:09:39 tnn Exp $
+# $NetBSD: Makefile,v 1.187 2008/04/03 07:59:08 tonnerre Exp $
 
 DISTNAME=		openssh-4.7p1
 PKGNAME=		openssh-4.7.1
-PKGREVISION=		2
+PKGREVISION=		3
 SVR4_PKGNAME=		ossh
 CATEGORIES=		security
 MASTER_SITES=		ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 12dbcd838c6..99c040501d5 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.66 2007/09/19 13:42:02 taca Exp $
+$NetBSD: distinfo,v 1.67 2008/04/03 07:59:08 tonnerre Exp $
 
 SHA1 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 8ab61d12b5bcf70d0ffe9cb1d157136d20ebb22c
 RMD160 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 7b35eb1a3f6f3b703ac7f155f620bff63a900a0e
@@ -20,7 +20,7 @@ SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc
 SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7
 SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38
 SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250
-SHA1 (patch-ao) = a70da4f5942553a42fa935b82172e601b29951df
+SHA1 (patch-ao) = 1061066758f7fe2fca630b15a55cbdc1ab041758
 SHA1 (patch-ap) = 2c0c092637661328046b71292a7412d09e92bb2a
 SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34
 SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d
@@ -28,3 +28,4 @@ SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3
 SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f
 SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365
 SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30
+SHA1 (patch-ax) = 1ddf59636b6f3b544850f787ca63287fd93cae88
diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao
index 5533c0d999f..103c10ac9eb 100644
--- a/security/openssh/patches/patch-ao
+++ b/security/openssh/patches/patch-ao
@@ -1,8 +1,17 @@
-$NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ao,v 1.10 2008/04/03 07:59:08 tonnerre Exp $
 
---- session.c.orig	2006-10-29 17:01:29.000000000 +0900
+--- session.c.orig	2007-08-16 13:28:04.000000000 +0000
 +++ session.c
-@@ -956,7 +956,7 @@ read_etc_default_login(char ***env, u_in
+@@ -347,7 +347,7 @@ do_authenticated1(Authctxt *authctxt)
+ 				break;
+ 			}
+ 			debug("Received TCP/IP port forwarding request.");
+-			if (channel_input_port_forward_request(s->pw->pw_uid == 0,
++			if (channel_input_port_forward_request(s->pw->pw_uid == ROOTUID,
+ 			    options.gateway_ports) < 0) {
+ 				debug("Port forwarding failed.");
+ 				break;
+@@ -954,7 +954,7 @@ read_etc_default_login(char ***env, u_in
  	if (tmpenv == NULL)
  		return;
  
@@ -11,7 +20,7 @@ $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
  		var = child_get_env(tmpenv, "SUPATH");
  	else
  		var = child_get_env(tmpenv, "PATH");
-@@ -1065,7 +1065,7 @@ do_setup_env(Session *s, const char *she
+@@ -1063,7 +1063,7 @@ do_setup_env(Session *s, const char *she
  #  endif /* HAVE_ETC_DEFAULT_LOGIN */
  		if (path == NULL || *path == '\0') {
  			child_set_env(&env, &envsize, "PATH",
@@ -20,7 +29,7 @@ $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
  				SUPERUSER_PATH : _PATH_STDPATH);
  		}
  # endif /* HAVE_CYGWIN */
-@@ -1179,6 +1179,18 @@ do_setup_env(Session *s, const char *she
+@@ -1177,6 +1177,18 @@ do_setup_env(Session *s, const char *she
  		    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
  		read_environment_file(&env, &envsize, buf);
  	}
@@ -39,7 +48,19 @@ $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
  	if (debug_flag) {
  		/* dump the environment */
  		fprintf(stderr, "Environment:\n");
-@@ -1289,9 +1301,9 @@ do_nologin(struct passwd *pw)
+@@ -1201,8 +1213,9 @@ do_rc_files(Session *s, const char *shel
+ 	do_xauth =
+ 	    s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
+ 
+-	/* ignore _PATH_SSH_USER_RC for subsystems */
+-	if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
++	/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
++	if (!s->is_subsystem && options.adm_forced_command == NULL &&
++	    (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ 		snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
+ 		    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
+ 		if (debug_flag)
+@@ -1287,9 +1300,9 @@ do_nologin(struct passwd *pw)
  void
  do_setusercontext(struct passwd *pw)
  {
@@ -51,7 +72,7 @@ $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
  	{
  
  #ifdef HAVE_SETPCRED
-@@ -1333,11 +1345,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1331,11 +1344,13 @@ do_setusercontext(struct passwd *pw)
  			perror("setgid");
  			exit(1);
  		}
@@ -65,7 +86,7 @@ $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
  		endgrent();
  #ifdef GSSAPI
  		if (options.gss_authentication) {
-@@ -2095,7 +2109,7 @@ session_pty_cleanup2(Session *s)
+@@ -2086,7 +2101,7 @@ session_pty_cleanup2(Session *s)
  		record_logout(s->pid, s->tty, s->pw->pw_name);
  
  	/* Release the pseudo-tty. */
diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax
new file mode 100644
index 00000000000..581b9f1afab
--- /dev/null
+++ b/security/openssh/patches/patch-ax
@@ -0,0 +1,18 @@
+$NetBSD: patch-ax,v 1.5 2008/04/03 07:59:08 tonnerre Exp $
+
+Don't deadlock on exit with multiple X forwarded channels.
+Don't use X11 port which can't be bound on all IP families.
+Fixes CVE-2008-1483.
+
+--- channels.c.orig	2007-06-25 09:04:47.000000000 +0000
++++ channels.c
+@@ -2905,9 +2905,6 @@ x11_create_display_inet(int x11_display_
+ 				debug2("bind port %d: %.100s", port, strerror(errno));
+ 				close(sock);
+ 
+-				if (ai->ai_next)
+-					continue;
+-
+ 				for (n = 0; n < num_socks; n++) {
+ 					close(socks[n]);
+ 				}