-rw-r--r--security/openssh/Makefile5
-rw-r--r--security/openssh/distinfo29
-rw-r--r--security/openssh/patches/patch-Makefile.in18
-rw-r--r--security/openssh/patches/patch-auth-passwd.c15
-rw-r--r--security/openssh/patches/patch-auth2.c8
-rw-r--r--security/openssh/patches/patch-config.h.in14
-rw-r--r--security/openssh/patches/patch-configure.ac26
-rw-r--r--security/openssh/patches/patch-openbsd-compat_port-tun.c19
-rw-r--r--security/openssh/patches/patch-session.c21
-rw-r--r--security/openssh/patches/patch-ssh.c15
-rw-r--r--security/openssh/patches/patch-sshd.c30
-rw-r--r--security/openssh/patches/patch-uidswap.c23
12 files changed, 107 insertions, 116 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 4dadaf38b26..fcb3322e56e 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.256 2018/08/22 09:46:19 wiz Exp $
+# $NetBSD: Makefile,v 1.257 2019/01/18 20:13:36 tnn Exp $
-DISTNAME= openssh-7.6p1
+DISTNAME= openssh-7.9p1
PKGNAME= ${DISTNAME:S/p1/.1/}
-PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 7b343005c82..7353855e2e4 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,30 +1,29 @@
-$NetBSD: distinfo,v 1.105 2017/10/04 11:44:14 wiz Exp $
+$NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $
-SHA1 (openssh-7.6p1.tar.gz) = a6984bc2c72192bed015c8b879b35dd9f5350b3b
-RMD160 (openssh-7.6p1.tar.gz) = 486ae743f51ffbf8197d564aab9ae54f9e2ac9da
-SHA512 (openssh-7.6p1.tar.gz) = de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
-Size (openssh-7.6p1.tar.gz) = 1489788 bytes
-SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
-SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
+SHA1 (openssh-7.9p1.tar.gz) = 993aceedea8ecabb1d0dd7293508a361891c4eaa
+RMD160 (openssh-7.9p1.tar.gz) = 236617fb9c04dcca12f9d56b5975efda4e798f53
+SHA512 (openssh-7.9p1.tar.gz) = 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
+Size (openssh-7.9p1.tar.gz) = 1565384 bytes
+SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1
+SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd
SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
-SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
+SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535
SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
-SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
-SHA1 (patch-configure.ac) = 8ff27fcf7391722732386a574e3a4d41c4209222
+SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f
+SHA1 (patch-configure.ac) = c8ee9d49a4989c5dfe02a89e0d3a8a4e16c32b9d
SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
-SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee
+SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228
SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
-SHA1 (patch-session.c) = c67d649dc66a65ff39d701135a2f2dab6ba2fb93
+SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264
SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
-SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = 040ac961247fdd55bd09b85e65b905b63bc24f7d
+SHA1 (patch-sshd.c) = 1944283a09772f767044e46acf5329bfad5dae3c
SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
-SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e
+SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4
diff --git a/security/openssh/patches/patch-Makefile.in b/security/openssh/patches/patch-Makefile.in
index f04cf0d7a9e..969eab46e70 100644
--- a/security/openssh/patches/patch-Makefile.in
+++ b/security/openssh/patches/patch-Makefile.in
@@ -1,27 +1,31 @@
-$NetBSD: patch-Makefile.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
Removed install-sysconf as we handle that phase through post-install
---- Makefile.in.orig 2015-08-21 04:49:03.000000000 +0000
+--- Makefile.in.orig 2018-10-17 00:01:20.000000000 +0000
+++ Makefile.in
-@@ -2,5 +2,5 @@
-
- # uncomment if you run a non bourne compatable shell. Ie. csh
+@@ -1,5 +1,5 @@
+ # uncomment if you run a non bourne compatible shell. Ie. csh
-#SHELL = @SH@
+SHELL = @SH@
AUTORECONF=autoreconf
-@@ -23,5 +23,5 @@ DESTDIR=
+
+@@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@
+ DESTDIR=
VPATH=@srcdir@
SSH_PROGRAM=@bindir@/ssh
-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
-@@ -288,5 +288,5 @@ distprep: catman-do
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+@@ -320,7 +320,7 @@ distprep: catman-do depend-check
+ -rm -rf autom4te.cache .depend.bak
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ check-config:
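Review bot: The patch description kept at the top (`Removed install-sysconf as we handle that phase through post-install`) covers only the `install-nokeys` edit, while the same patch also activates `SHELL = @SH@` and comments out `ASKPASS_PROGRAM`, and neither is explained. Since the patch was regenerated for 7.9p1 anyway, the header could gain lines such as `Set SHELL from configure's @SH@.` and `Do not define ASKPASS_PROGRAM here.`, each with its reason, so that a later rebase can tell whether they are still needed. The `install` target visible in the context still lists `install-sysconf`, so the description is accurate for `install-nokeys` only and should say so.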
diff --git a/security/openssh/patches/patch-auth-passwd.c b/security/openssh/patches/patch-auth-passwd.c
index dbdbce7302d..68ed2fc1ec0 100644
--- a/security/openssh/patches/patch-auth-passwd.c
+++ b/security/openssh/patches/patch-auth-passwd.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-auth-passwd.c,v 1.4 2016/09/18 17:30:11 taca Exp $
+$NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $
Replace uid 0 with ROOTUID macro
---- auth-passwd.c.orig 2016-07-27 22:54:27.000000000 +0000
+--- auth-passwd.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ auth-passwd.c
-@@ -93,7 +93,7 @@ auth_password(Authctxt *authctxt, const
+@@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha
return 0;
#ifndef HAVE_CYGWIN
@@ -13,16 +13,15 @@ Replace uid 0 with ROOTUID macro
ok = 0;
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
-@@ -128,7 +128,12 @@ auth_password(Authctxt *authctxt, const
+@@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha
authctxt->force_pwchange = 1;
}
#endif
-+
+#ifdef HAVE_INTERIX
-+ result = (!setuser(pw->pw_name, password, SU_CHECK));
++ result = (!setuser(pw->pw_name, password, SU_CHECK));
+#else
- result = sys_auth_passwd(authctxt, password);
+ result = sys_auth_passwd(ssh, password);
+#endif
if (authctxt->force_pwchange)
- disable_forwarding();
+ auth_restrict_session(ssh);
return (result && ok);
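Review bot: The description `Replace uid 0 with ROOTUID macro` does not mention the second inner hunk, which under `HAVE_INTERIX` replaces the `sys_auth_passwd(ssh, password)` call with `setuser(pw->pw_name, password, SU_CHECK)`. That changes the password verification path, so it deserves its own line in the patch header, for example `On Interix, verify the password with setuser(SU_CHECK) instead of sys_auth_passwd().`. Someone auditing the package's authentication changes from the patch headers alone would otherwise miss it. The body of auth_password() extends outside the hunk on both sides.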
diff --git a/security/openssh/patches/patch-auth2.c b/security/openssh/patches/patch-auth2.c
index f9b6acf2e02..2182d4afc75 100644
--- a/security/openssh/patches/patch-auth2.c
+++ b/security/openssh/patches/patch-auth2.c
@@ -1,15 +1,15 @@
-$NetBSD: patch-auth2.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $
Replace uid 0 with ROOTUID macro
---- auth2.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- auth2.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ auth2.c
-@@ -302,7 +302,7 @@ userauth_finish(Authctxt *authctxt, int
+@@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut
fatal("INTERNAL ERROR: authenticated and postponed");
/* Special handling for root */
- if (authenticated && authctxt->pw->pw_uid == 0 &&
+ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
- !auth_root_allowed(method)) {
+ !auth_root_allowed(ssh, method)) {
authenticated = 0;
#ifdef SSH_AUDIT_EVENTS
diff --git a/security/openssh/patches/patch-config.h.in b/security/openssh/patches/patch-config.h.in
index 4253ab9c3de..c1bb668067d 100644
--- a/security/openssh/patches/patch-config.h.in
+++ b/security/openssh/patches/patch-config.h.in
@@ -1,11 +1,11 @@
-$NetBSD: patch-config.h.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
* Added Interix and define new path to if_tun.h.
* Revive tcp_wrappers support.
---- config.h.in.orig 2015-08-21 05:09:20.000000000 +0000
+--- config.h.in.orig 2018-10-19 01:06:33.000000000 +0000
+++ config.h.in
-@@ -640,6 +640,9 @@
+@@ -741,6 +741,9 @@
/* define if you have int64_t data type */
#undef HAVE_INT64_T
@@ -15,9 +15,9 @@ $NetBSD: patch-config.h.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $
/* Define to 1 if the system has the type `intmax_t'. */
#undef HAVE_INTMAX_T
-@@ -799,6 +802,9 @@
- /* Define to 1 if you have the <net/if_tun.h> header file. */
- #undef HAVE_NET_IF_TUN_H
+@@ -910,6 +913,9 @@
+ /* Define to 1 if you have the <net/route.h> header file. */
+ #undef HAVE_NET_ROUTE_H
+/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
+#undef HAVE_NET_TUN_IF_TUN_H
@@ -25,7 +25,7 @@ $NetBSD: patch-config.h.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $
/* Define if you are on NeXT */
#undef HAVE_NEXT
-@@ -1394,6 +1400,9 @@
+@@ -1617,6 +1623,9 @@
/* Define if pututxline updates lastlog too */
#undef LASTLOG_WRITE_PUTUTXLINE
diff --git a/security/openssh/patches/patch-configure.ac b/security/openssh/patches/patch-configure.ac
index bf9336cc213..922f7686cd1 100644
--- a/security/openssh/patches/patch-configure.ac
+++ b/security/openssh/patches/patch-configure.ac
@@ -1,11 +1,11 @@
-$NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
+$NetBSD: patch-configure.ac,v 1.7 2019/01/18 20:13:37 tnn Exp $
* Various fixes regarding portability
* Revive tcp_wrappers support.
---- configure.ac.orig 2017-03-20 02:39:27.000000000 +0000
+--- configure.ac.orig 2018-10-17 00:01:20.000000000 +0000
+++ configure.ac
-@@ -306,6 +306,9 @@ AC_ARG_WITH([rpath],
+@@ -293,6 +293,9 @@ AC_ARG_WITH([rpath],
]
)
@@ -15,7 +15,7 @@ $NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
# Allow user to specify flags
AC_ARG_WITH([cflags],
[ --with-cflags Specify additional flags to pass to compiler],
-@@ -379,6 +382,7 @@ AC_CHECK_HEADERS([ \
+@@ -386,6 +389,7 @@ AC_CHECK_HEADERS([ \
maillock.h \
ndir.h \
net/if_tun.h \
@@ -23,7 +23,7 @@ $NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
netdb.h \
netgroup.h \
pam/pam_appl.h \
-@@ -695,6 +699,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -736,6 +740,15 @@ main() { if (NSVersionOfRunTimeLibrary("
;;
esac
;;
@@ -39,9 +39,9 @@ $NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
*-*-irix5*)
PATH="$PATH:/usr/etc"
AC_DEFINE([BROKEN_INET_NTOA], [1],
-@@ -1470,6 +1483,62 @@ AC_ARG_WITH([skey],
- ]
- )
+@@ -1493,6 +1506,62 @@ else
+ AC_MSG_RESULT([no])
+ fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
@@ -102,7 +102,7 @@ $NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
-@@ -4979,9 +5048,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+@@ -5189,9 +5258,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
])
if test -z "$conf_wtmpx_location"; then
if test x"$system_wtmpx_path" = x"no" ; then
@@ -122,7 +122,7 @@ $NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
[Define if you want to specify the path to your wtmpx file])
fi
-@@ -5069,7 +5146,7 @@ echo "OpenSSH has been configured with t
+@@ -5283,7 +5360,7 @@ echo "OpenSSH has been configured with t
echo " User binaries: $B"
echo " System binaries: $C"
echo " Configuration files: $D"
@@ -131,10 +131,10 @@ $NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
echo " Manual pages: $F"
echo " PID file: $G"
echo " Privilege separation chroot path: $H"
-@@ -5093,6 +5170,7 @@ echo " KerberosV support
+@@ -5305,6 +5382,7 @@ echo " PAM support
+ echo " OSF SIA support: $SIA_MSG"
+ echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
- echo " Smartcard support: $SCARD_MSG"
- echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
diff --git a/security/openssh/patches/patch-openbsd-compat_port-tun.c b/security/openssh/patches/patch-openbsd-compat_port-tun.c
index 7114086073f..e5386174262 100644
--- a/security/openssh/patches/patch-openbsd-compat_port-tun.c
+++ b/security/openssh/patches/patch-openbsd-compat_port-tun.c
@@ -1,10 +1,15 @@
-$NetBSD: patch-openbsd-compat_port-tun.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $
if_tun.h can be found in net/tun
---- openbsd-compat/port-tun.c.orig 2015-08-21 04:49:03.000000000 +0000
-+++ openbsd-compat/port-tun.c
-@@ -111,6 +111,10 @@ sys_tun_open(int tun, int mode)
+--- openbsd-compat/port-net.c.orig 2018-10-17 00:01:20.000000000 +0000
++++ openbsd-compat/port-net.c
+@@ -1,3 +1,4 @@
++
+ /*
+ * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
+ *
+@@ -200,6 +201,10 @@ sys_tun_open(int tun, int mode, char **i
#include <sys/socket.h>
#include <net/if.h>
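Review bot: The refreshed patch now targets `openbsd-compat/port-net.c`, but the patch file is still named `patch-openbsd-compat_port-tun.c`. Renaming it to `patch-openbsd-compat_port-net.c` (with the matching distinfo entry) would keep the name-to-target mapping that the other patch files in this directory follow. The new first inner hunk `@@ -1,3 +1,4 @@` only inserts an empty line above the copyright comment and should be dropped, since it shifts every later hunk without changing behaviour. The same kind of whitespace-only edit appears in patch-uidswap.c, where the blank line after the `initgroups` call is now deleted next to the added `#endif`.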
@@ -15,7 +20,7 @@ if_tun.h can be found in net/tun
#ifdef HAVE_NET_IF_TUN_H
#include <net/if_tun.h>
#endif
-@@ -120,7 +124,10 @@ sys_tun_open(int tun, int mode)
+@@ -209,7 +214,10 @@ sys_tun_open(int tun, int mode, char **i
{
struct ifreq ifr;
char name[100];
@@ -26,8 +31,8 @@ if_tun.h can be found in net/tun
+#endif
const char *tunbase = "tun";
- if (mode == SSH_TUNMODE_ETHERNET) {
-@@ -154,9 +161,9 @@ sys_tun_open(int tun, int mode)
+ if (ifname != NULL)
+@@ -246,9 +254,9 @@ sys_tun_open(int tun, int mode, char **i
return (-1);
}
diff --git a/security/openssh/patches/patch-session.c b/security/openssh/patches/patch-session.c
index 613ae3ad7ff..d0b9df8d7dc 100644
--- a/security/openssh/patches/patch-session.c
+++ b/security/openssh/patches/patch-session.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-session.c,v 1.8 2016/12/30 04:43:16 taca Exp $
+$NetBSD: patch-session.c,v 1.9 2019/01/18 20:13:37 tnn Exp $
* Interix support.
---- session.c.orig 2016-12-19 04:59:41.000000000 +0000
+--- session.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ session.c
-@@ -934,7 +934,7 @@ read_etc_default_login(char ***env, u_in
+@@ -959,7 +959,7 @@ read_etc_default_login(char ***env, u_in
if (tmpenv == NULL)
return;
@@ -13,7 +13,7 @@ $NetBSD: patch-session.c,v 1.8 2016/12/30 04:43:16 taca Exp $
var = child_get_env(tmpenv, "SUPATH");
else
var = child_get_env(tmpenv, "PATH");
-@@ -1042,7 +1042,7 @@ do_setup_env(Session *s, const char *she
+@@ -1077,7 +1077,7 @@ do_setup_env(struct ssh *ssh, Session *s
# endif /* HAVE_ETC_DEFAULT_LOGIN */
if (path == NULL || *path == '\0') {
child_set_env(&env, &envsize, "PATH",
@@ -22,11 +22,10 @@ $NetBSD: patch-session.c,v 1.8 2016/12/30 04:43:16 taca Exp $
}
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
-@@ -1154,6 +1154,18 @@ do_setup_env(Session *s, const char *she
- strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
- read_environment_file(&env, &envsize, buf);
- }
-+
+@@ -1209,6 +1209,17 @@ do_setup_env(struct ssh *ssh, Session *s
+ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
+ original_command);
+
+#ifdef HAVE_INTERIX
+ {
+ /* copy standard Windows environment, then apply changes */
@@ -41,7 +40,7 @@ $NetBSD: patch-session.c,v 1.8 2016/12/30 04:43:16 taca Exp $
if (debug_flag) {
/* dump the environment */
fprintf(stderr, "Environment:\n");
-@@ -1345,11 +1357,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1400,11 +1411,13 @@ do_setusercontext(struct passwd *pw)
perror("setgid");
exit(1);
}
@@ -55,7 +54,7 @@ $NetBSD: patch-session.c,v 1.8 2016/12/30 04:43:16 taca Exp $
endgrent();
#endif
-@@ -2148,7 +2162,7 @@ session_pty_cleanup2(Session *s)
+@@ -2275,7 +2288,7 @@ session_pty_cleanup2(Session *s)
record_logout(s->pid, s->tty, s->pw->pw_name);
/* Release the pseudo-tty. */
diff --git a/security/openssh/patches/patch-ssh.c b/security/openssh/patches/patch-ssh.c
deleted file mode 100644
index 43e615ed32b..00000000000
--- a/security/openssh/patches/patch-ssh.c
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-ssh.c,v 1.6 2016/03/15 20:54:07 bsiegert Exp $
-
-Interix support
-
---- ssh.c.orig 2016-03-09 18:04:48.000000000 +0000
-+++ ssh.c
-@@ -1097,7 +1097,7 @@ main(int ac, char **av)
- }
- if (options.connection_attempts <= 0)
- fatal("Invalid number of ConnectionAttempts");
--#ifndef HAVE_CYGWIN
-+#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
- if (original_effective_uid != 0)
- options.use_privileged_port = 0;
- #endif
diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c
index bbd3eca95db..3c9e812fa62 100644
--- a/security/openssh/patches/patch-sshd.c
+++ b/security/openssh/patches/patch-sshd.c
@@ -1,11 +1,11 @@
-$NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
+$NetBSD: patch-sshd.c,v 1.10 2019/01/18 20:13:37 tnn Exp $
* Interix support
* Revive tcp_wrappers support.
---- sshd.c.orig 2017-10-02 19:34:26.000000000 +0000
+--- sshd.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ sshd.c
-@@ -122,6 +122,13 @@
+@@ -123,6 +123,13 @@
#include "version.h"
#include "ssherr.h"
@@ -19,7 +19,7 @@ $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
-@@ -219,7 +226,11 @@ int *startup_pipes = NULL;
+@@ -225,7 +232,11 @@ int *startup_pipes = NULL;
int startup_pipe; /* in child */
/* variables used for privilege separation */
@@ -31,7 +31,7 @@ $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
struct monitor *pmonitor = NULL;
int privsep_is_preauth = 1;
static int privsep_chroot = 1;
-@@ -550,10 +561,15 @@ privsep_preauth_child(void)
+@@ -556,10 +567,15 @@ privsep_preauth_child(void)
/* Drop our privileges */
debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
(u_int)privsep_pw->pw_gid);
@@ -47,7 +47,7 @@ $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
}
}
-@@ -617,10 +633,17 @@ privsep_preauth(Authctxt *authctxt)
+@@ -623,10 +639,17 @@ privsep_preauth(Authctxt *authctxt)
/* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
@@ -65,7 +65,7 @@ $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
return 0;
}
-@@ -632,7 +655,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -638,7 +661,7 @@ privsep_postauth(Authctxt *authctxt)
#ifdef DISABLE_FD_PASSING
if (1) {
#else
@@ -74,7 +74,7 @@ $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
#endif
/* File descriptor passing is broken or root login */
use_privsep = 0;
-@@ -1393,8 +1416,10 @@ main(int ac, char **av)
+@@ -1504,8 +1527,10 @@ main(int ac, char **av)
av = saved_argv;
#endif
@@ -86,7 +86,7 @@ $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
-@@ -1636,7 +1661,7 @@ main(int ac, char **av)
+@@ -1730,7 +1755,7 @@ main(int ac, char **av)
);
/* Store privilege separation user for later use if required. */
@@ -95,7 +95,7 @@ $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
if (privsep_chroot || options.kerberos_authentication)
fatal("Privilege separation user %s does not exist",
-@@ -1769,7 +1794,7 @@ main(int ac, char **av)
+@@ -1871,7 +1896,7 @@ main(int ac, char **av)
(st.st_uid != getuid () ||
(st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
@@ -104,7 +104,7 @@ $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
#endif
fatal("%s must be owned by root and not group or "
"world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1792,8 +1817,10 @@ main(int ac, char **av)
+@@ -1899,8 +1924,10 @@ main(int ac, char **av)
* to create a file, and we can't control the code in every
* module which might be used).
*/
@@ -114,8 +114,8 @@ $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
+#endif
if (rexec_flag) {
- rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
-@@ -1981,6 +2008,25 @@ main(int ac, char **av)
+ if (rexec_argc < 0)
+@@ -2093,6 +2120,25 @@ main(int ac, char **av)
audit_connection_from(remote_ip, remote_port);
#endif
@@ -138,6 +138,6 @@ $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
+ }
+#endif /* LIBWRAP */
+
+ rdomain = ssh_packet_rdomain_in(ssh);
+
/* Log the connection. */
- laddr = get_local_ipaddr(sock_in);
- verbose("Connection from %s port %d on %s port %d",
diff --git a/security/openssh/patches/patch-uidswap.c b/security/openssh/patches/patch-uidswap.c
index 3b623b8b8ee..32a76c6922b 100644
--- a/security/openssh/patches/patch-uidswap.c
+++ b/security/openssh/patches/patch-uidswap.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-uidswap.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-uidswap.c,v 1.6 2019/01/18 20:13:37 tnn Exp $
Interix support
---- uidswap.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- uidswap.c.orig 2018-10-17 00:01:20.000000000 +0000
+++ uidswap.c
-@@ -67,13 +67,13 @@ temporarily_use_uid(struct passwd *pw)
+@@ -68,13 +68,13 @@ temporarily_use_uid(struct passwd *pw)
(u_int)pw->pw_uid, (u_int)pw->pw_gid,
(u_int)saved_euid, (u_int)saved_egid);
#ifndef HAVE_CYGWIN
@@ -20,21 +20,22 @@ Interix support
privileged = 0;
return;
}
-@@ -96,9 +96,11 @@ temporarily_use_uid(struct passwd *pw)
+@@ -98,10 +98,11 @@ temporarily_use_uid(struct passwd *pw)
/* set and save the user's groups */
- if (user_groupslen == -1) {
+ if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
+#ifndef HAVE_INTERIX
if (initgroups(pw->pw_name, pw->pw_gid) < 0)
fatal("initgroups: %s: %.100s", pw->pw_name,
strerror(errno));
+-
+#endif
-
user_groupslen = getgroups(0, NULL);
if (user_groupslen < 0)
-@@ -112,9 +114,11 @@ temporarily_use_uid(struct passwd *pw)
- free(user_groups);
+ fatal("getgroups: %.100s", strerror(errno));
+@@ -116,9 +117,11 @@ temporarily_use_uid(struct passwd *pw)
}
+ user_groups_uid = pw->pw_uid;
}
+#ifndef HAVE_INTERIX
/* Set the effective uid to the given (unprivileged) uid. */
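Review bot: The header comment `Interix support` is too thin for what these hunks do to privilege handling. In temporarily_use_uid() the `initgroups` call is wrapped in `#ifndef HAVE_INTERIX`, and a second `#ifndef HAVE_INTERIX` opens directly above the `Set the effective uid to the given (unprivileged) uid` block, which suggests the uid/gid switch is compiled out on that platform (the guarded lines themselves are outside the shown context). Because upstream now also caches groups per `user_groups_uid` in the same function, the header should state what performs the privilege change on Interix instead, e.g. `Interix: skip initgroups()/seteuid() here; ids are switched via <mechanism>.`. The function body continues outside the hunk.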
@@ -44,7 +45,7 @@ Interix support
#ifndef SAVED_IDS_WORK_WITH_SETEUID
/* Propagate the privileged gid to all of our gids. */
if (setgid(getegid()) < 0)
-@@ -187,8 +191,10 @@ restore_uid(void)
+@@ -166,8 +169,10 @@ restore_uid(void)
setgid(getgid());
#endif /* SAVED_IDS_WORK_WITH_SETEUID */
@@ -55,7 +56,7 @@ Interix support
temporarily_use_uid_effective = 0;
}
-@@ -211,6 +217,10 @@ permanently_set_uid(struct passwd *pw)
+@@ -190,6 +195,10 @@ permanently_set_uid(struct passwd *pw)
debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
(u_int)pw->pw_gid);
@@ -66,7 +67,7 @@ Interix support
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
-@@ -247,6 +257,7 @@ permanently_set_uid(struct passwd *pw)
+@@ -226,6 +235,7 @@ permanently_set_uid(struct passwd *pw)
(setuid(old_uid) != -1 || seteuid(old_uid) != -1))
fatal("%s: was able to restore old [e]uid", __func__);
#endif