Add patches to fix the problem reported by Secunia Advisory SA22091 (also

CVS-2006-4924); "OpenSSH Identical Blocks Denial of Service Vulnerability"
referring to OpenBSD's CVS repository.

Bump PKGREVISION.

5 files changed, 167 insertions, 5 deletions

diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index be64925d94b..4f15df452bb 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.169 2006/06/04 14:56:37 joerg Exp $
+# $NetBSD: Makefile,v 1.170 2006/09/27 16:10:59 taca Exp $
 
 DISTNAME=		openssh-4.3p1
 PKGNAME=		openssh-4.3.1
+PKGREVISION=		1
 SVR4_PKGNAME=		ossh
 CATEGORIES=		security
 MASTER_SITES=		ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 104ea2b664a..888d400b619 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.52 2006/02/23 19:02:50 joerg Exp $
+$NetBSD: distinfo,v 1.53 2006/09/27 16:10:59 taca Exp $
 
-SHA1 (openssh-4.3p1.tar.gz) = b1f379127829e7e820955b2825130edd1601ba59
-RMD160 (openssh-4.3p1.tar.gz) = c1d69873ecc453b40d825a2f1b3a0909da815f5e
-Size (openssh-4.3p1.tar.gz) = 940777 bytes
 SHA1 (openssh-4.3p1-hpn11.diff) = 22f2c99d314abc400bd1731d9c35b0540cbf2eae
 RMD160 (openssh-4.3p1-hpn11.diff) = c3b807437fd9f40f2ab73c52586de194b84cce6e
 Size (openssh-4.3p1-hpn11.diff) = 11024 bytes
+SHA1 (openssh-4.3p1.tar.gz) = b1f379127829e7e820955b2825130edd1601ba59
+RMD160 (openssh-4.3p1.tar.gz) = c1d69873ecc453b40d825a2f1b3a0909da815f5e
+Size (openssh-4.3p1.tar.gz) = 940777 bytes
 SHA1 (patch-aa) = 213f5f5a3c7ae0bceafac1b169063fc71806dc7c
 SHA1 (patch-ab) = 6c71ad1a39a1d6f7e48fc244993a4189c2cd9ef7
 SHA1 (patch-ac) = 8c625fdaca4d73c27e4e68b5bb3aa54327eb61ff
@@ -29,3 +29,6 @@ SHA1 (patch-at) = ffbcb38cf8578f05319b2af9cfcdb5ada2a57e78
 SHA1 (patch-au) = 052b0b6d8869ad09144e4fc9e1b3c5e03c669c44
 SHA1 (patch-av) = 5543fcf94eaad26e27043c1527921e23ecfefc77
 SHA1 (patch-aw) = 95d49965b0f24bf117e790785d3a8ef553865bda
+SHA1 (patch-ax) = 2c6923c767e7549d746d35358ecef2156012b227
+SHA1 (patch-ay) = e64d4266556ce05a5fd5e14ee4e988e7bf075576
+SHA1 (patch-az) = 341c42c82ddb6177bd8ac41813d6ad1e4b6e3839
diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax
new file mode 100644
index 00000000000..4f5282ce59f
--- /dev/null
+++ b/security/openssh/patches/patch-ax
@@ -0,0 +1,107 @@
+$NetBSD: patch-ax,v 1.1 2006/09/27 16:10:59 taca Exp $
+
+Secunia Advisory SA22091
+
+--- deattack.c.orig	Mon Sep 22 20:04:23 2003
++++ deattack.c
+@@ -27,6 +27,24 @@ RCSID("$OpenBSD: deattack.c,v 1.19 2003/
+ #include "xmalloc.h"
+ #include "deattack.h"
+ 
++/*
++ * CRC attack detection has a worst-case behaviour that is O(N^3) over
++ * the number of identical blocks in a packet. This behaviour can be 
++ * exploited to create a limited denial of service attack. 
++ * 
++ * However, because we are dealing with encrypted data, identical
++ * blocks should only occur every 2^35 maximally-sized packets or so. 
++ * Consequently, we can detect this DoS by looking for identical blocks
++ * in a packet.
++ *
++ * The parameter below determines how many identical blocks we will
++ * accept in a single packet, trading off between attack detection and
++ * likelihood of terminating a legitimate connection. A value of 32 
++ * corresponds to an average of 2^40 messages before an attack is
++ * misdetected
++ */
++#define MAX_IDENTICAL	32
++
+ /* SSH Constants */
+ #define SSH_MAXBLOCKS	(32 * 1024)
+ #define SSH_BLOCKSIZE	(8)
+@@ -56,17 +74,12 @@ crc_update(u_int32_t *a, u_int32_t b)
+ 
+ /* detect if a block is used in a particular pattern */
+ static int
+-check_crc(u_char *S, u_char *buf, u_int32_t len,
+-	  u_char *IV)
++check_crc(u_char *S, u_char *buf, u_int32_t len)
+ {
+ 	u_int32_t crc;
+ 	u_char *c;
+ 
+ 	crc = 0;
+-	if (IV && !CMP(S, IV)) {
+-		crc_update(&crc, 1);
+-		crc_update(&crc, 0);
+-	}
+ 	for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
+ 		if (!CMP(S, c)) {
+ 			crc_update(&crc, 1);
+@@ -82,12 +95,12 @@ check_crc(u_char *S, u_char *buf, u_int3
+ 
+ /* Detect a crc32 compensation attack on a packet */
+ int
+-detect_attack(u_char *buf, u_int32_t len, u_char *IV)
++detect_attack(u_char *buf, u_int32_t len)
+ {
+ 	static u_int16_t *h = (u_int16_t *) NULL;
+ 	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ 	u_int32_t i, j;
+-	u_int32_t l;
++	u_int32_t l, same;
+ 	u_char *c;
+ 	u_char *d;
+ 
+@@ -111,15 +124,9 @@ detect_attack(u_char *buf, u_int32_t len
+ 
+ 	if (len <= HASH_MINBLOCKS) {
+ 		for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {
+-			if (IV && (!CMP(c, IV))) {
+-				if ((check_crc(c, buf, len, IV)))
+-					return (DEATTACK_DETECTED);
+-				else
+-					break;
+-			}
+ 			for (d = buf; d < c; d += SSH_BLOCKSIZE) {
+ 				if (!CMP(c, d)) {
+-					if ((check_crc(c, buf, len, IV)))
++					if ((check_crc(c, buf, len)))
+ 						return (DEATTACK_DETECTED);
+ 					else
+ 						break;
+@@ -130,21 +137,11 @@ detect_attack(u_char *buf, u_int32_t len
+ 	}
+ 	memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE);
+ 
+-	if (IV)
+-		h[HASH(IV) & (n - 1)] = HASH_IV;
+-
+-	for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
++	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+ 		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
+ 		    i = (i + 1) & (n - 1)) {
+-			if (h[i] == HASH_IV) {
+-				if (!CMP(c, IV)) {
+-					if (check_crc(c, buf, len, IV))
+-						return (DEATTACK_DETECTED);
+-					else
+-						break;
+-				}
+-			} else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
+-				if (check_crc(c, buf, len, IV))
++			if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) {
++				if (check_crc(c, buf, len))
+ 					return (DEATTACK_DETECTED);
+ 				else
+ 					break;
diff --git a/security/openssh/patches/patch-ay b/security/openssh/patches/patch-ay
new file mode 100644
index 00000000000..ec36f5da855
--- /dev/null
+++ b/security/openssh/patches/patch-ay
@@ -0,0 +1,15 @@
+$NetBSD: patch-ay,v 1.1 2006/09/27 16:10:59 taca Exp $
+
+Secunia Advisory SA22091
+
+--- deattack.h.orig	Wed Jul  4 13:46:57 2001
++++ deattack.h
+@@ -25,6 +25,7 @@
+ /* Return codes */
+ #define DEATTACK_OK		0
+ #define DEATTACK_DETECTED	1
++#define DEATTACK_DOS_DETECTED	2
+ 
+-int	 detect_attack(u_char *, u_int32_t, u_char[8]);
++int	 detect_attack(u_char *, u_int32_t);
+ #endif
diff --git a/security/openssh/patches/patch-az b/security/openssh/patches/patch-az
new file mode 100644
index 00000000000..ee002ae4158
--- /dev/null
+++ b/security/openssh/patches/patch-az
@@ -0,0 +1,36 @@
+$NetBSD: patch-az,v 1.1 2006/09/27 16:10:59 taca Exp $
+
+Secunia Advisory SA22091 + one more OpenBSD's CVS update 1.144-1.145
+
+--- packet.c.orig	Sat Nov  5 13:15:00 2005
++++ packet.c
+@@ -669,6 +669,9 @@ packet_enable_delayed_compress(void)
+ 	 */
+ 	after_authentication = 1;
+ 	for (mode = 0; mode < MODE_MAX; mode++) {
++		/* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
++		if (newkeys[mode] == NULL)
++			continue;
+ 		comp = &newkeys[mode]->comp;
+ 		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
+ 			packet_init_compression();
+@@ -978,9 +981,16 @@ packet_read_poll1(void)
+ 	 * (C)1998 CORE-SDI, Buenos Aires Argentina
+ 	 * Ariel Futoransky(futo@core-sdi.com)
+ 	 */
+-	if (!receive_context.plaintext &&
+-	    detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED)
+-		packet_disconnect("crc32 compensation attack: network attack detected");
++	if (!receive_context.plaintext) {
++		switch (detect_attack(buffer_ptr(&input), padded_len)) {
++		case DEATTACK_DETECTED:
++			packet_disconnect("crc32 compensation attack: "
++			    "network attack detected");
++		case DEATTACK_DOS_DETECTED:
++			packet_disconnect("deattack denial of "
++			    "service detected");
++		}
++	}
+ 
+ 	/* Decrypt data to incoming_packet. */
+ 	buffer_clear(&incoming_packet);