authortaca <taca>2014-10-08 15:50:22 +0000
committertaca <taca>2014-10-08 15:50:22 +0000
commitfb87103077c3d41989efc5d50aa6ab0f911fac28 (patch)
tree2aec85d46f8250821203a9a314ec5cb1d10da805 /security/openssh
parent3073c4124adf0984adce7d7055f4f881c53a4877 (diff)
downloadpkgsrc-fb87103077c3d41989efc5d50aa6ab0f911fac28.tar.gz
Add fix for CVE-2014-2653 from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513. Bump PKGREVISION.
Diffstat (limited to 'security/openssh')
-rw-r--r--security/openssh/Makefile4
-rw-r--r--security/openssh/distinfo3
-rw-r--r--security/openssh/patches/patch-sshconnect.c87
3 files changed, 91 insertions, 3 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index f0422e731ff..75b601c77e6 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.220 2014/05/29 23:37:20 wiz Exp $
+# $NetBSD: Makefile,v 1.221 2014/10/08 15:50:22 taca Exp $
DISTNAME= openssh-6.6p1
PKGNAME= openssh-6.6.1
-PKGREVISION= 2
+PKGREVISION= 3
SVR4_PKGNAME= ossh
CATEGORIES= security
MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 0dcbf48a9bd..148dbd4413b 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.86 2014/03/29 09:38:11 taca Exp $
+$NetBSD: distinfo,v 1.87 2014/10/08 15:50:22 taca Exp $
SHA1 (openssh-6.6p1-hpnssh14v4.diff.gz) = 1cb86c7151ea4c805cfb1197eac13844cd8f2f2c
RMD160 (openssh-6.6p1-hpnssh14v4.diff.gz) = 292cea7880ff66040d915f2d5957dd27d0835984
@@ -26,6 +26,7 @@ SHA1 (patch-scp.c) = 97e33843cc1b93babb6c45225c07ac74555e6d54
SHA1 (patch-session.c) = 55e84175c7294816107c970f002401d1766f7095
SHA1 (patch-sftp-common.c) = 5b36300c6a83ceef2340c2cee3be211eaf39ecdd
SHA1 (patch-ssh.c) = 8965e0458aabc137fa3b5e53c6573c0f0fba8280
+SHA1 (patch-sshconnect.c) = 7bee56ee50ec26913999296eefa93c0be63a9e75
SHA1 (patch-sshd.c) = 43b3e4383142303a5d1158f08baee4a27f2f7b13
SHA1 (patch-sshpty.c) = 9f08f899919d05567998087a060b90800c2c7b11
SHA1 (patch-uidswap.c) = 0b76322d47b9e14bb2828bc143645d38028bdafd
diff --git a/security/openssh/patches/patch-sshconnect.c b/security/openssh/patches/patch-sshconnect.c
new file mode 100644
index 00000000000..527ba9bb96d
--- /dev/null
+++ b/security/openssh/patches/patch-sshconnect.c
@@ -0,0 +1,87 @@
+$NetBSD: patch-sshconnect.c,v 1.1 2014/10/08 15:50:22 taca Exp $
+
+Fix for CVE-2014-2653 from
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513.
+
+--- sshconnect.c.orig 2014-02-06 22:24:34.000000000 +0000
++++ sshconnect.c
+@@ -1213,6 +1213,51 @@ fail:
+ return -1;
+ }
+
++static int
++check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
++{
++ int rc = -1;
++ int flags = 0;
++ Key *raw_key = NULL;
++
++ if (!options.verify_host_key_dns)
++ goto done;
++
++ /* XXX certs are not yet supported for DNS; try looking the raw key
++ * up in the DNS anyway.
++ */
++ if (key_is_cert(host_key)) {
++ debug2("Extracting key from cert for SSHFP lookup");
++ raw_key = key_from_private(host_key);
++ if (key_drop_cert(raw_key))
++ fatal("Couldn't drop certificate");
++ host_key = raw_key;
++ }
++
++ if (verify_host_key_dns(host, hostaddr, host_key, &flags))
++ goto done;
++
++ if (flags & DNS_VERIFY_FOUND) {
++
++ if (options.verify_host_key_dns == 1 &&
++ flags & DNS_VERIFY_MATCH &&
++ flags & DNS_VERIFY_SECURE) {
++ rc = 0;
++ } else if (flags & DNS_VERIFY_MATCH) {
++ matching_host_key_dns = 1;
++ } else {
++ warn_changed_key(host_key);
++ error("Update the SSHFP RR in DNS with the new "
++ "host key to get rid of this message.");
++ }
++ }
++
++done:
++ if (raw_key)
++ key_free(raw_key);
++ return rc;
++}
++
+ /* returns 0 if key verifies or -1 if key does NOT verify */
+ int
+ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+@@ -1224,25 +1269,8 @@ verify_host_key(char *host, struct socka
+ debug("Server host key: %s %s", key_type(host_key), fp);
+ free(fp);
+
+- /* XXX certs are not yet supported for DNS */
+- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+- if (flags & DNS_VERIFY_FOUND) {
+-
+- if (options.verify_host_key_dns == 1 &&
+- flags & DNS_VERIFY_MATCH &&
+- flags & DNS_VERIFY_SECURE)
+- return 0;
+-
+- if (flags & DNS_VERIFY_MATCH) {
+- matching_host_key_dns = 1;
+- } else {
+- warn_changed_key(host_key);
+- error("Update the SSHFP RR in DNS with the new "
+- "host key to get rid of this message.");
+- }
+- }
+- }
++ if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
++ return 0;
+
+ return check_host_key(host, hostaddr, options.port, host_key, RDRW,
+ options.user_hostfiles, options.num_user_hostfiles,
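Review bot: The header of the new patch file names only the Debian bug report, so a maintainer rebasing it onto a newer OpenSSH (or onto the hpnssh diff that distinfo also lists) has to re-derive what the change does from the hunks. From the visible lines, the removed code skipped `verify_host_key_dns()` entirely whenever `key_is_cert(host_key)` was true, so `VerifyHostKeyDNS` was never consulted for certificate host keys; the new `check_host_key_sshfp()` instead extracts the raw key via `key_from_private()`/`key_drop_cert()` and looks that up, keeping the same `DNS_VERIFY_SECURE`/`DNS_VERIFY_MATCH` decision logic. A header line such as `Look up the SSHFP record for the raw key when the server presents a certificate host key; previously certificate host keys bypassed the DNS check.` would capture that. One thing to confirm when applying: `raw_key` goes straight into `key_drop_cert()` with no NULL check, which is safe only if `key_from_private()` in this tree cannot return NULL (I believe it calls fatal() on unknown key types, but that is outside the hunk). Keep the upstream origin of the patch in the header as well if it is known, so the checksum in distinfo can be tied to a reviewed source.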