summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorbsiegert <bsiegert@pkgsrc.org>2016-03-15 20:54:07 +0000
committerbsiegert <bsiegert@pkgsrc.org>2016-03-15 20:54:07 +0000
commit403f796724c009dfce0bdd4ec22a47e9af7c3fe4 (patch)
treea5eba38cc61af62dca258947f8be90093a2a7d1f /security
parent696d51c7d05930e9aef3526fe8393ec3f78fa97a (diff)
downloadpkgsrc-403f796724c009dfce0bdd4ec22a47e9af7c3fe4.tar.gz
Update openssh to 7.2.2 (7.2p2).
Changes since OpenSSH 7.2p1 =========================== This release fixes a security bug: * sshd(8): sanitise X11 authentication credentials to avoid xauth command injection when X11Forwarding is enabled. Full details of the vulnerability are available at: http://www.openssh.com/txt/x11fwd.adv
Diffstat (limited to 'security')
-rw-r--r--security/openssh/Makefile7
-rw-r--r--security/openssh/PLIST4
-rw-r--r--security/openssh/distinfo21
-rw-r--r--security/openssh/patches/patch-clientloop.c18
-rw-r--r--security/openssh/patches/patch-packet.c16
-rw-r--r--security/openssh/patches/patch-readconf.c25
-rw-r--r--security/openssh/patches/patch-ssh.c23
-rw-r--r--security/openssh/patches/patch-sshd.c53
8 files changed, 57 insertions, 110 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 9a2378d521c..351d3932d73 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.242 2016/03/05 11:29:23 jperkin Exp $
+# $NetBSD: Makefile,v 1.243 2016/03/15 20:54:07 bsiegert Exp $
-DISTNAME= openssh-7.1p1
-PKGNAME= ${DISTNAME:S/p1/.1/}
-PKGREVISION= 4
+DISTNAME= openssh-7.2p2
+PKGNAME= ${DISTNAME:S/p2/.2/}
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
diff --git a/security/openssh/PLIST b/security/openssh/PLIST
index ebe150ae24d..e18d93a97c3 100644
--- a/security/openssh/PLIST
+++ b/security/openssh/PLIST
@@ -1,7 +1,6 @@
-@comment $NetBSD: PLIST,v 1.17 2015/08/14 08:57:00 jperkin Exp $
+@comment $NetBSD: PLIST,v 1.18 2016/03/15 20:54:07 bsiegert Exp $
bin/scp
bin/sftp
-bin/slogin
bin/ssh
bin/ssh-add
bin/ssh-agent
@@ -13,7 +12,6 @@ libexec/ssh-pkcs11-helper
${PLIST.prng}libexec/ssh-rand-helper
man/man1/scp.1
man/man1/sftp.1
-man/man1/slogin.1
man/man1/ssh-add.1
man/man1/ssh-agent.1
man/man1/ssh-keygen.1
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 747daee1ff3..a8f162f80e1 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,12 +1,9 @@
-$NetBSD: distinfo,v 1.99 2016/02/26 21:06:38 tez Exp $
+$NetBSD: distinfo,v 1.100 2016/03/15 20:54:07 bsiegert Exp $
-SHA1 (openssh-7.1p1-hpn-20150822.diff.bz2) = 444a2fbd80d57ff93b53ade84ec162e2a2f3aa67
-RMD160 (openssh-7.1p1-hpn-20150822.diff.bz2) = 87fb6887d9ccb4b305ff3c25fd5f67847d9996d1
-Size (openssh-7.1p1-hpn-20150822.diff.bz2) = 12173 bytes
-SHA1 (openssh-7.1p1.tar.gz) = ed22af19f962262c493fcc6ed8c8826b2761d9b6
-RMD160 (openssh-7.1p1.tar.gz) = 2c97ea10099fa8658156c0351d60d715655b9b07
-SHA512 (openssh-7.1p1.tar.gz) = f1491ca5a0a733eb27ede966590642a412cb7be7178dcb7b9e5844bbdc8383032f4b00435192b95fc0365b6fe74d6c5ac8d6facbe9d51e1532d049e2f784e8f7
-Size (openssh-7.1p1.tar.gz) = 1493170 bytes
+SHA1 (openssh-7.2p2.tar.gz) = 70e35d7d6386fe08abbd823b3a12a3ca44ac6d38
+RMD160 (openssh-7.2p2.tar.gz) = d18d73719ceeefa5116b5b741124f3604d7ddb99
+SHA512 (openssh-7.2p2.tar.gz) = 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b
+Size (openssh-7.2p2.tar.gz) = 1499808 bytes
SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
SHA1 (patch-auth-passwd.c) = 92c487cc3c092efb56f8b4ac4ca08ccd67803a83
SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
@@ -14,7 +11,7 @@ SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
SHA1 (patch-auth1.c) = cdac14ffa4008e62926526e66316b0a553435374
SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c
-SHA1 (patch-clientloop.c) = a99fa9ff36e0068c059ee9daa392d06c01d1761c
+SHA1 (patch-clientloop.c) = 9b2db181d964b7720e1dc12724a9b9033f28d0e7
SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2
SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
@@ -23,15 +20,13 @@ SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
SHA1 (patch-openbsd-compat_bsd-openpty.c) = eaac72830e36e307c19a7b679e6018ece9aebaac
SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee
-SHA1 (patch-packet.c) = d302a0802861287e9a5230bbe2a1018c5dc17d28
SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
-SHA1 (patch-readconf.c) = e1663d4d9a7ca8de8f87ba42d7b764923cdcc5db
SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
SHA1 (patch-session.c) = 2aa1d95a35b52519c4921494855f861dc1380f3b
SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
-SHA1 (patch-ssh.c) = 00897c09b7d3037713c579cbc41301623d4c2ebf
+SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = 85a9f50c8b1bdcc44156e2b457a583ccdbc5821b
+SHA1 (patch-sshd.c) = cd23ce269bfb48b0caa901e62fc01d35ef0618ac
SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e
diff --git a/security/openssh/patches/patch-clientloop.c b/security/openssh/patches/patch-clientloop.c
index a0937955e63..e615c28f34a 100644
--- a/security/openssh/patches/patch-clientloop.c
+++ b/security/openssh/patches/patch-clientloop.c
@@ -1,12 +1,12 @@
-$NetBSD: patch-clientloop.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-clientloop.c,v 1.4 2016/03/15 20:54:07 bsiegert Exp $
Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
---- clientloop.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- clientloop.c.orig 2016-03-09 18:04:48.000000000 +0000
+++ clientloop.c
-@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
+@@ -313,6 +313,10 @@ client_x11_get_proto(const char *display
struct stat st;
u_int now, x11_timeout_real;
@@ -14,13 +14,13 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
+ int is_path_to_socket = 0;
+#endif /* __APPLE__ */
+
- xauthdir = xauthfile = NULL;
*_proto = proto;
*_data = data;
-@@ -330,6 +334,33 @@ client_x11_get_proto(const char *display
- debug("x11_get_proto: DISPLAY not set");
- return;
- }
+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display
+ }
+
+ if (xauth_path != NULL) {
+#if __APPLE__
+ {
+ /*
@@ -51,7 +51,7 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
-@@ -421,6 +452,9 @@ client_x11_get_proto(const char *display
+@@ -438,6 +469,9 @@ client_x11_get_proto(const char *display
if (!got_data) {
u_int32_t rnd = 0;
diff --git a/security/openssh/patches/patch-packet.c b/security/openssh/patches/patch-packet.c
deleted file mode 100644
index 2c5f1a455da..00000000000
--- a/security/openssh/patches/patch-packet.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-packet.c,v 1.1 2016/02/26 21:06:38 tez Exp $
-
-Fix for CVE-2016-1907
-from https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0
-
-
---- packet.c.orig 2016-02-26 18:42:38.037291000 +0000
-+++ packet.c
-@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u
- logit("Bad packet length %u.", state->packlen);
- if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
- return r;
-+ return SSH_ERR_CONN_CORRUPT;
- }
- sshbuf_reset(state->incoming_packet);
- } else if (state->packlen == 0) {
diff --git a/security/openssh/patches/patch-readconf.c b/security/openssh/patches/patch-readconf.c
deleted file mode 100644
index 79e5a01cbdf..00000000000
--- a/security/openssh/patches/patch-readconf.c
+++ /dev/null
@@ -1,25 +0,0 @@
-$NetBSD: patch-readconf.c,v 1.1 2016/01/18 12:53:26 jperkin Exp $
-
-Disable roaming.
-
---- readconf.c.orig 2015-08-21 04:49:03.000000000 +0000
-+++ readconf.c
-@@ -1660,7 +1660,7 @@ initialize_options(Options * options)
- options->tun_remote = -1;
- options->local_command = NULL;
- options->permit_local_command = -1;
-- options->use_roaming = -1;
-+ options->use_roaming = 0;
- options->visual_host_key = -1;
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
-@@ -1833,8 +1833,7 @@ fill_default_options(Options * options)
- options->tun_remote = SSH_TUNID_ANY;
- if (options->permit_local_command == -1)
- options->permit_local_command = 0;
-- if (options->use_roaming == -1)
-- options->use_roaming = 1;
-+ options->use_roaming = 0;
- if (options->visual_host_key == -1)
- options->visual_host_key = 0;
- if (options->ip_qos_interactive == -1)
diff --git a/security/openssh/patches/patch-ssh.c b/security/openssh/patches/patch-ssh.c
index 32c1235f15b..43e615ed32b 100644
--- a/security/openssh/patches/patch-ssh.c
+++ b/security/openssh/patches/patch-ssh.c
@@ -1,26 +1,15 @@
-$NetBSD: patch-ssh.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-ssh.c,v 1.6 2016/03/15 20:54:07 bsiegert Exp $
Interix support
-Disable roaming
---- ssh.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- ssh.c.orig 2016-03-09 18:04:48.000000000 +0000
+++ ssh.c
-@@ -1084,7 +1084,7 @@ main(int ac, char **av)
- "disabling");
- options.update_hostkeys = 0;
+@@ -1097,7 +1097,7 @@ main(int ac, char **av)
}
+ if (options.connection_attempts <= 0)
+ fatal("Invalid number of ConnectionAttempts");
-#ifndef HAVE_CYGWIN
-+#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
if (original_effective_uid != 0)
options.use_privileged_port = 0;
#endif
-@@ -1932,9 +1932,6 @@ ssh_session2(void)
- fork_postauth();
- }
-
-- if (options.use_roaming)
-- request_roaming();
--
- return client_loop(tty_flag, tty_flag ?
- options.escape_char : SSH_ESCAPECHAR_NONE, id);
- }
diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c
index 36b0419e342..d57b45a10c4 100644
--- a/security/openssh/patches/patch-sshd.c
+++ b/security/openssh/patches/patch-sshd.c
@@ -1,11 +1,11 @@
-$NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
* Interix support
* Revive tcp_wrappers support.
---- sshd.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- sshd.c.orig 2016-03-09 18:04:48.000000000 +0000
+++ sshd.c
-@@ -126,6 +126,13 @@
+@@ -125,6 +125,13 @@
#include "version.h"
#include "ssherr.h"
@@ -19,7 +19,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
-@@ -237,7 +244,11 @@ int *startup_pipes = NULL;
+@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
int startup_pipe; /* in child */
/* variables used for privilege separation */
@@ -31,34 +31,41 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
-@@ -644,10 +655,15 @@ privsep_preauth_child(void)
- /* XXX not ready, too heavy after chroot */
- do_setusercontext(privsep_pw);
- #else
+@@ -632,7 +643,7 @@ privsep_preauth_child(void)
+ demote_sensitive_data();
+
+ /* Demote the child */
+- if (getuid() == 0 || geteuid() == 0) {
++ if (getuid() == ROOTUID || geteuid() == ROOTUID) {
+ /* Change our root directory */
+ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+ fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+@@ -643,10 +654,15 @@ privsep_preauth_child(void)
+ /* Drop our privileges */
+ debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+ (u_int)privsep_pw->pw_gid);
+#ifdef HAVE_INTERIX
+ if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
+ fatal("setuser: %.100s", strerror(errno));
+#else
- gidset[0] = privsep_pw->pw_gid;
- if (setgroups(1, gidset) < 0)
- fatal("setgroups: %.100s", strerror(errno));
- permanently_set_uid(privsep_pw);
+ gidset[0] = privsep_pw->pw_gid;
+ if (setgroups(1, gidset) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
+ permanently_set_uid(privsep_pw);
+#endif /* HAVE_INTERIX */
- #endif
+ }
}
-@@ -715,11 +731,18 @@ privsep_preauth(Authctxt *authctxt)
+@@ -713,10 +729,17 @@ privsep_preauth(Authctxt *authctxt)
+ /* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
- /* Demote the child */
-- if (getuid() == 0 || geteuid() == 0)
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
+ /* We need to do this before we chroot() so we can read sshd.sb */
+ if (box != NULL)
+ ssh_sandbox_child(box);
+#endif
-+ if (getuid() == ROOTUID || geteuid() == ROOTUID)
- privsep_preauth_child();
+ privsep_preauth_child();
setproctitle("%s", "[net]");
+#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
if (box != NULL)
@@ -67,7 +74,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
return 0;
}
-@@ -733,7 +756,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -730,7 +753,7 @@ privsep_postauth(Authctxt *authctxt)
#ifdef DISABLE_FD_PASSING
if (1) {
#else
@@ -76,7 +83,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
#endif
/* File descriptor passing is broken or root login */
use_privsep = 0;
-@@ -1489,8 +1512,10 @@ main(int ac, char **av)
+@@ -1497,8 +1520,10 @@ main(int ac, char **av)
av = saved_argv;
#endif
@@ -88,7 +95,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
-@@ -1919,7 +1944,7 @@ main(int ac, char **av)
+@@ -1925,7 +1950,7 @@ main(int ac, char **av)
(st.st_uid != getuid () ||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
@@ -97,7 +104,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
#endif
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1942,8 +1967,10 @@ main(int ac, char **av)
+@@ -1948,8 +1973,10 @@ main(int ac, char **av)
* to create a file, and we can't control the code in every
* module which might be used).
*/
@@ -108,7 +115,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
if (rexec_flag) {
rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
-@@ -2139,6 +2166,25 @@ main(int ac, char **av)
+@@ -2145,6 +2172,25 @@ main(int ac, char **av)
audit_connection_from(remote_ip, remote_port);
#endif