-rw-r--r-- | security/openssh/Makefile | 4 | ||||
-rw-r--r-- | security/openssh/distinfo | 19 | ||||
-rw-r--r-- | security/openssh/options.mk | 14 | ||||
-rw-r--r-- | security/openssh/patches/patch-auth1.c | 26 | ||||
-rw-r--r-- | security/openssh/patches/patch-clientloop.c | 14 | ||||
-rw-r--r-- | security/openssh/patches/patch-openbsd-compat_bsd-openpty.c | 18 | ||||
-rw-r--r-- | security/openssh/patches/patch-session.c | 26 | ||||
-rw-r--r-- | security/openssh/patches/patch-sshd.c | 34 |
8 files changed, 62 insertions, 93 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 119a1c9b55c..95b3d6ba0aa 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.249 2016/09/18 17:30:10 taca Exp $
+# $NetBSD: Makefile,v 1.249.4.1 2017/01/08 11:05:07 bsiegert Exp $
 
-DISTNAME= openssh-7.3p1
+DISTNAME= openssh-7.4p1
 PKGNAME= ${DISTNAME:S/p1/.1/}
 CATEGORIES= security
 MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index f776fb466d5..bd1d5f31174 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,32 +1,31 @@
-$NetBSD: distinfo,v 1.102 2016/09/18 17:30:10 taca Exp $
+$NetBSD: distinfo,v 1.102.4.1 2017/01/08 11:05:07 bsiegert Exp $
 
-SHA1 (openssh-7.3p1.tar.gz) = bfade84283fcba885e2084343ab19a08c7d123a5
-RMD160 (openssh-7.3p1.tar.gz) = 823fc1e16c5d27a2361ed0b22f5ee24be11d2c13
-SHA512 (openssh-7.3p1.tar.gz) = 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801
-Size (openssh-7.3p1.tar.gz) = 1522617 bytes
+SHA1 (openssh-7.4p1.tar.gz) = 2330bbf82ed08cf3ac70e0acf00186ef3eeb97e0
+RMD160 (openssh-7.4p1.tar.gz) = dff996c9f7ab697a04968fbd8924642253bc0e06
+SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
+Size (openssh-7.4p1.tar.gz) = 1511780 bytes
 SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
 SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
 SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
 SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
-SHA1 (patch-auth1.c) = cdac14ffa4008e62926526e66316b0a553435374
 SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
 SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c
-SHA1 (patch-clientloop.c) = 9b2db181d964b7720e1dc12724a9b9033f28d0e7
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
 SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
 SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2
 SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
 SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
 SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
-SHA1 (patch-openbsd-compat_bsd-openpty.c) = eaac72830e36e307c19a7b679e6018ece9aebaac
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
 SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
 SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee
 SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
 SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
 SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
-SHA1 (patch-session.c) = 850cef27299cf8af6a19987d5e070bf501cd57fb
+SHA1 (patch-session.c) = c67d649dc66a65ff39d701135a2f2dab6ba2fb93
 SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
 SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
 SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = cd23ce269bfb48b0caa901e62fc01d35ef0618ac
+SHA1 (patch-sshd.c) = a1ccf7e54275629965d80d9cf7cd8669d9f1f4cf
 SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
 SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index eb169e3096e..314ee4858df 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,9 +1,9 @@
-# $NetBSD: options.mk,v 1.33 2016/07/10 10:41:38 rillig Exp $
+# $NetBSD: options.mk,v 1.33.4.1 2017/01/08 11:05:07 bsiegert Exp $
 
 .include "../../mk/bsd.prefs.mk"
 
 PKG_OPTIONS_VAR= PKG_OPTIONS.openssh
-PKG_SUPPORTED_OPTIONS= hpn-patch kerberos openssl pam
+PKG_SUPPORTED_OPTIONS= kerberos openssl pam
 PKG_SUGGESTED_OPTIONS= openssl
 
 .include "../../mk/bsd.options.mk"
@@ -23,11 +23,11 @@ CONFIGURE_ENV+= ac_cv_search_k_hasafs=no
 . endif
 .endif
 
-.if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
-PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
-PATCH_DIST_STRIP= -p1
-.endif
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES= openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES= ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP= -p1
+#.endif
 
 PLIST_VARS+= pam
 
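Review bot: The hpn-patch block in the second options.mk hunk is commented out with a leading `#` rather than deleted, so the file now carries dead configuration that still names the retired `openssh-7.1p1-hpn-20150822.diff.bz2` file and its ftp:// PATCH_SITES while the first hunk has already removed hpn-patch from PKG_SUPPORTED_OPTIONS. If the option is gone for good, delete the five lines; if it is expected to come back once an HPN patch for 7.4 exists, replace them with one line that says so, e.g. `# hpn-patch: no HPN patch for openssh-7.4 yet, option temporarily dropped`, since a bare `#` prefix records nothing. Users who still have hpn-patch in PKG_OPTIONS.openssh presumably now get only a generic unsupported-option message from bsd.options.mk, and such a comment is the one place they would find the reason.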
diff --git a/security/openssh/patches/patch-auth1.c b/security/openssh/patches/patch-auth1.c
deleted file mode 100644
index 011c4bb54db..00000000000
--- a/security/openssh/patches/patch-auth1.c
+++ /dev/null
@@ -1,26 +0,0 @@
-$NetBSD: patch-auth1.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
-
-Replace uid 0 with ROOTUID macro
-
---- auth1.c.orig 2015-08-21 04:49:03.000000000 +0000
-+++ auth1.c
-@@ -322,7 +322,7 @@ do_authloop(Authctxt *authctxt)
- 
- #ifndef HAVE_CYGWIN
- /* Special handling for root */
-- if (authenticated && authctxt->pw->pw_uid == 0 &&
-+ if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
- !auth_root_allowed(meth->name)) {
- authenticated = 0;
- # ifdef SSH_AUDIT_EVENTS
-@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt)
- * If we are not running as root, the user must have the same uid as
- * the server.
- */
--#ifndef HAVE_CYGWIN
-- if (!use_privsep && getuid() != 0 && authctxt->pw &&
-+#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
-+ if (!use_privsep && getuid() != ROOTUID && authctxt->pw &&
- authctxt->pw->pw_uid != getuid())
- packet_disconnect("Cannot change user when server not running as root.");
- #endif
diff --git a/security/openssh/patches/patch-clientloop.c b/security/openssh/patches/patch-clientloop.c
index e615c28f34a..257176bf10e 100644
--- a/security/openssh/patches/patch-clientloop.c
+++ b/security/openssh/patches/patch-clientloop.c
@@ -1,12 +1,12 @@
-$NetBSD: patch-clientloop.c,v 1.4 2016/03/15 20:54:07 bsiegert Exp $
+$NetBSD: patch-clientloop.c,v 1.4.8.1 2017/01/08 11:05:07 bsiegert Exp $
 
 Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
 https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
 
---- clientloop.c.orig 2016-03-09 18:04:48.000000000 +0000
+--- clientloop.c.orig 2016-12-19 04:59:41.000000000 +0000
 +++ clientloop.c
-@@ -313,6 +313,10 @@ client_x11_get_proto(const char *display
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
  struct stat st;
  u_int now, x11_timeout_real;
  
@@ -17,7 +17,7 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
  *_proto = proto;
  *_data = data;
  proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
-@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display
+@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
  }
  
  if (xauth_path != NULL) {
@@ -51,9 +51,9 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
  /*
  * Handle FamilyLocal case where $DISPLAY does
  * not match an authorization entry. For this we
-@@ -438,6 +469,9 @@ client_x11_get_proto(const char *display
- if (!got_data) {
- u_int32_t rnd = 0;
+@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
+ u_int8_t rnd[16];
+ u_int i;
  
 +#if __APPLE__
 + if (!is_path_to_socket)
diff --git a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
index 05c46daa46a..8f23baa5509 100644
--- a/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
+++ b/security/openssh/patches/patch-openbsd-compat_bsd-openpty.c
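Review bot: In the last patch-clientloop.c hunk the anchor of the MacPorts block moves from `if (!got_data) { u_int32_t rnd = 0;` to `u_int8_t rnd[16]; u_int i;`, which shows that upstream rewrote the random-cookie code that the `#if __APPLE__ / if (!is_path_to_socket)` guard is inserted into, yet only the first two lines of that guard are visible here. The matching `#endif` and the statements the guard now wraps lie outside this hunk, so it is worth checking against 7.4's client_x11_get_proto that the Apple branch still encloses the intended fallback and not merely the first statement of the rewritten block; this is inferred from the context lines and cannot be verified from the diff. A one-line remark in the patch header, such as `Re-anchored for 7.4: upstream replaced the u_int32_t rnd cookie loop with a 16-byte rnd[] buffer`, would make the next rebase easier to review.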
@@ -1,25 +1,21 @@
-$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.3.8.1 2017/01/08 11:05:07 bsiegert Exp $
 
 Interix support
 
---- openbsd-compat/bsd-openpty.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- openbsd-compat/bsd-openpty.c.orig 2016-12-19 04:59:41.000000000 +0000
 +++ openbsd-compat/bsd-openpty.c
-@@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char
+@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char
  return (-1);
  }
  
 +#if !defined(HAVE_INTERIX)
  /*
- * Try to push the appropriate streams modules, as described
+ * Try to push the appropriate streams modules, as described
  * in Solaris pts(7).
- */
- ioctl(*aslave, I_PUSH, "ptem");
- ioctl(*aslave, I_PUSH, "ldterm");
--# ifndef __hpux
-+ # ifndef __hpux
+@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char
+ # ifndef __hpux
  ioctl(*aslave, I_PUSH, "ttcompat");
--# endif /* __hpux */
-+ # endif /* __hpux */
+ # endif /* __hpux */
 +#endif /* !HAVE_INTERIX */
  
  return (0);
diff --git a/security/openssh/patches/patch-session.c b/security/openssh/patches/patch-session.c
index 5666fd2151a..db1345ee135 100644
--- a/security/openssh/patches/patch-session.c
+++ b/security/openssh/patches/patch-session.c
@@ -1,10 +1,10 @@
-$NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
+$NetBSD: patch-session.c,v 1.7.4.1 2017/01/08 11:05:07 bsiegert Exp $
 
 * Interix support.
 
---- session.c.orig 2016-07-27 22:54:27.000000000 +0000
+--- session.c.orig 2016-12-19 04:59:41.000000000 +0000
 +++ session.c
-@@ -1120,7 +1120,7 @@ read_etc_default_login(char ***env, u_in
+@@ -934,7 +934,7 @@ read_etc_default_login(char ***env, u_in
  if (tmpenv == NULL)
  return;
  
@@ -13,16 +13,16 @@ $NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
  var = child_get_env(tmpenv, "SUPATH");
  else
  var = child_get_env(tmpenv, "PATH");
-@@ -1230,7 +1230,7 @@ do_setup_env(Session *s, const char *she
+@@ -1042,7 +1042,7 @@ do_setup_env(Session *s, const char *she
  # endif /* HAVE_ETC_DEFAULT_LOGIN */
- if (path == NULL || *path == '\0') {
- child_set_env(&env, &envsize, "PATH",
-- s->pw->pw_uid == 0 ?
-+ s->pw->pw_uid == ROOTUID ?
- SUPERUSER_PATH : _PATH_STDPATH);
- }
+ if (path == NULL || *path == '\0') {
+ child_set_env(&env, &envsize, "PATH",
+- s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH);
++ s->pw->pw_uid == ROOTUID ? SUPERUSER_PATH : _PATH_STDPATH);
+ }
  # endif /* HAVE_CYGWIN */
-@@ -1346,6 +1346,18 @@ do_setup_env(Session *s, const char *she
+ #endif /* HAVE_LOGIN_CAP */
+@@ -1154,6 +1154,18 @@ do_setup_env(Session *s, const char *she
  strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
  read_environment_file(&env, &envsize, buf);
  }
@@ -41,7 +41,7 @@ $NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
  if (debug_flag) {
  /* dump the environment */
  fprintf(stderr, "Environment:\n");
-@@ -1537,11 +1549,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1345,11 +1357,13 @@ do_setusercontext(struct passwd *pw)
  perror("setgid");
  exit(1);
  }
@@ -55,7 +55,7 @@ $NetBSD: patch-session.c,v 1.7 2016/09/18 17:30:11 taca Exp $
  endgrent();
  #endif
  
-@@ -2388,7 +2402,7 @@ session_pty_cleanup2(Session *s)
+@@ -2148,7 +2162,7 @@ session_pty_cleanup2(Session *s)
  record_logout(s->pid, s->tty, s->pw->pw_name);
  
  /* Release the pseudo-tty. */
diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c
index d57b45a10c4..dbba0a378a5 100644
--- a/security/openssh/patches/patch-sshd.c
+++ b/security/openssh/patches/patch-sshd.c
@@ -1,11 +1,11 @@
-$NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
+$NetBSD: patch-sshd.c,v 1.7.8.1 2017/01/08 11:05:07 bsiegert Exp $
 
 * Interix support
 * Revive tcp_wrappers support.
 
---- sshd.c.orig 2016-03-09 18:04:48.000000000 +0000
+--- sshd.c.orig 2016-12-19 04:59:41.000000000 +0000
 +++ sshd.c
-@@ -125,6 +125,13 @@
+@@ -123,6 +123,13 @@
  #include "version.h"
  #include "ssherr.h"
  
@@ -16,10 +16,10 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
 +int deny_severity;
 +#endif /* LIBWRAP */
 +
- #ifndef O_NOCTTY
- #define O_NOCTTY 0
- #endif
-@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
+@@ -220,7 +227,11 @@ int *startup_pipes = NULL;
  int startup_pipe; /* in child */
  
  /* variables used for privilege separation */
@@ -31,7 +31,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  struct monitor *pmonitor = NULL;
  int privsep_is_preauth = 1;
  
-@@ -632,7 +643,7 @@ privsep_preauth_child(void)
+@@ -541,7 +552,7 @@ privsep_preauth_child(void)
  demote_sensitive_data();
  
  /* Demote the child */
@@ -40,7 +40,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  /* Change our root directory */
  if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
  fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-@@ -643,10 +654,15 @@ privsep_preauth_child(void)
+@@ -552,10 +563,15 @@ privsep_preauth_child(void)
  /* Drop our privileges */
  debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
  (u_int)privsep_pw->pw_gid);
@@ -56,7 +56,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  }
  }
  
-@@ -713,10 +729,17 @@ privsep_preauth(Authctxt *authctxt)
+@@ -619,10 +635,17 @@ privsep_preauth(Authctxt *authctxt)
  /* Arrange for logging to be sent to the monitor */
  set_log_handler(mm_log_handler, pmonitor);
  
@@ -74,16 +74,16 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  
  return 0;
  }
-@@ -730,7 +753,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -634,7 +657,7 @@ privsep_postauth(Authctxt *authctxt)
  #ifdef DISABLE_FD_PASSING
  if (1) {
  #else
-- if (authctxt->pw->pw_uid == 0 || options.use_login) {
-+ if (authctxt->pw->pw_uid == ROOTUID || options.use_login) {
+- if (authctxt->pw->pw_uid == 0) {
++ if (authctxt->pw->pw_uid == ROOTUID) {
  #endif
  /* File descriptor passing is broken or root login */
  use_privsep = 0;
-@@ -1497,8 +1520,10 @@ main(int ac, char **av)
+@@ -1389,8 +1412,10 @@ main(int ac, char **av)
  av = saved_argv;
  #endif
  
@@ -95,7 +95,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  
  /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  sanitise_stdfd();
-@@ -1925,7 +1950,7 @@ main(int ac, char **av)
+@@ -1766,7 +1791,7 @@ main(int ac, char **av)
  (st.st_uid != getuid () ||
  (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
  #else
@@ -104,7 +104,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  #endif
  fatal("%s must be owned by root and not group or "
  "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1948,8 +1973,10 @@ main(int ac, char **av)
+@@ -1789,8 +1814,10 @@ main(int ac, char **av)
  * to create a file, and we can't control the code in every
  * module which might be used).
  */
@@ -115,7 +115,7 @@ $NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
  
  if (rexec_flag) {
  rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
-@@ -2145,6 +2172,25 @@ main(int ac, char **av)
+@@ -1972,6 +1999,25 @@ main(int ac, char **av)
  audit_connection_from(remote_ip, remote_port);
  #endif
  