From 351ceffa015298e526e937cbc62b989727f3ce1d Mon Sep 17 00:00:00 2001 From: tnn Date: Sun, 27 Apr 2008 00:34:27 +0000 Subject: Update to OpenSSH 5.0p1. Changes since 4.7: - fix two security issues - chroot support for sshd(8) - sftp server internalized in sshd(8) - assorted bug fixes --- security/openssh/Makefile | 18 ++++++++++-------- security/openssh/distinfo | 20 ++++++++++---------- security/openssh/options.mk | 4 ++-- security/openssh/patches/patch-ao | 36 ++++++++++++------------------------ security/openssh/patches/patch-ap | 10 +++++----- security/openssh/patches/patch-ax | 24 ++++++++---------------- 6 files changed, 47 insertions(+), 65 deletions(-) (limited to 'security/openssh') diff --git a/security/openssh/Makefile b/security/openssh/Makefile index 1409e032c2f..30391e48479 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.187 2008/04/03 07:59:08 tonnerre Exp $ +# $NetBSD: Makefile,v 1.188 2008/04/27 00:34:27 tnn Exp $ -DISTNAME= openssh-4.7p1 -PKGNAME= openssh-4.7.1 -PKGREVISION= 3 +DISTNAME= openssh-5.0p1 +PKGNAME= openssh-5.0.1 SVR4_PKGNAME= ossh CATEGORIES= security MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ @@ -12,7 +11,7 @@ MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/old/ # Don't delete the last entry -- it's there if the pkgsrc version is not # up-to-date and the mirrors already removed the old distfile. -DIST_SUBDIR= ${PKGBASE}-4.7.1-20070919 +DIST_SUBDIR= ${PKGBASE}-5.0.1-20080427 MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://www.openssh.com/ @@ -24,6 +23,8 @@ CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]* CONFLICTS+= openssh+gssapi-[0-9]* CONFLICTS+= lsh>2.0 +PKG_DESTDIR_SUPPORT= user-destdir + USE_TOOLS+= perl CRYPTO= yes 
@@ -161,12 +162,13 @@ SUBST_MESSAGE.patch= More patch a file.
 .include "../../security/tcp_wrappers/buildlink3.mk"
 post-install:
- ${INSTALL_DATA_DIR} ${EGDIR}
+ ${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
 cd ${WRKSRC}; for file in ${CONFS}; do \
- ${INSTALL_DATA} $${file}.out ${EGDIR}/$${file}; \
+ ${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file}; \
 done
 .if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
- ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic ${EGDIR}/sshd.pam
+ ${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
+ ${DESTDIR}${EGDIR}/sshd.pam
 .endif
 .include "../../mk/bsd.pkg.mk"
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 6ee29f80b25..e2934e64117 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.68 2008/04/08 06:36:47 taca Exp $
+$NetBSD: distinfo,v 1.69 2008/04/27 00:34:27 tnn Exp $
-SHA1 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 8ab61d12b5bcf70d0ffe9cb1d157136d20ebb22c
-RMD160 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 7b35eb1a3f6f3b703ac7f155f620bff63a900a0e
-Size (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 16094 bytes
-SHA1 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4
-RMD160 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = b828e79d3d1a931cb77651ec7d7276cf3ba22d90
-Size (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 991119 bytes
+SHA1 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 688265249dfaa449283ddfae2f81a9b6e3507f86
+RMD160 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = d4baca41f6212036b513173835de6e1081d49ac8
+Size (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 24060 bytes
+SHA1 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 121cea3a730c0b0353334b6f46f438de30ab4928
+RMD160 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = b813234014e339fe2d9d10a5adad9f8e065918fc
+Size (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 1011556 bytes
 SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0
 SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9
 SHA1 (patch-ac) = dfb054ef02fbb5d206f6adaf82944f16da20eaf9
@@ -20,12 +20,12 @@ SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc
 SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7
 SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38
 SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250
-SHA1 (patch-ao) = f2188b57baff4c88a793eee37dad69ffc523f7e5
-SHA1 (patch-ap) = 2c0c092637661328046b71292a7412d09e92bb2a
+SHA1 (patch-ao) = a7c5a1832cb2a4584c77577fb125f84a1e9a9deb
+SHA1 (patch-ap) = 3029b847ce83305e8103276e27c75e0338e1fc08
 SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34
 SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d
 SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3
 SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f
 SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365
 SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30
-SHA1 (patch-ax) = 1ddf59636b6f3b544850f787ca63287fd93cae88
+SHA1 (patch-ax) = 8b876f4ba5b020dbd41f1166fc0b169444874d5a
diff --git a/security/openssh/options.mk b/security/openssh/options.mk
index c3aa485d162..86785c5004f 100644
--- a/security/openssh/options.mk
+++ b/security/openssh/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.14 2007/09/07 10:41:12 taca Exp $
+# $NetBSD: options.mk,v 1.15 2008/04/27 00:34:27 tnn Exp $
 .include "../../mk/bsd.prefs.mk"
@@ -17,7 +17,7 @@ CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q}
 .endif
 .if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES= openssh-4.7p1-hpn12v18.diff.gz
+PATCHFILES= openssh-5.0p1-hpn13v3.diff.gz
 PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/
 PATCH_DIST_STRIP= -p1
 .endif
diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao
index 6b726840be7..6823d1e0080 100644
--- a/security/openssh/patches/patch-ao
+++ b/security/openssh/patches/patch-ao
@@ -1,12 +1,12 @@ -$NetBSD: patch-ao,v 1.11 2008/04/08 06:36:47 taca Exp $ +$NetBSD: patch-ao,v 1.12 2008/04/27 00:34:27 tnn Exp $ One more replacing 0 with ROOTUID is handled by using SUBST framework because patch can't handle it when hpn-patch option is enabled. So, don't simply update this file with mkpatch command. ---- session.c.orig 2007-08-16 13:28:04.000000000 +0000 +--- session.c.orig 2008-03-27 01:03:05.000000000 +0100 +++ session.c -@@ -954,7 +954,7 @@ read_etc_default_login(char ***env, u_in +@@ -955,7 +955,7 @@ read_etc_default_login(char ***env, u_in if (tmpenv == NULL) return; @@ -15,7 +15,7 @@ So, don't simply update this file with mkpatch command. var = child_get_env(tmpenv, "SUPATH"); else var = child_get_env(tmpenv, "PATH"); -@@ -1063,7 +1063,7 @@ do_setup_env(Session *s, const char *she +@@ -1064,7 +1064,7 @@ do_setup_env(Session *s, const char *she # endif /* HAVE_ETC_DEFAULT_LOGIN */ if (path == NULL || *path == '\0') { child_set_env(&env, &envsize, "PATH", @@ -24,7 +24,7 @@ So, don't simply update this file with mkpatch command. SUPERUSER_PATH : _PATH_STDPATH); } # endif /* HAVE_CYGWIN */ -@@ -1177,6 +1177,18 @@ do_setup_env(Session *s, const char *she +@@ -1178,6 +1178,18 @@ do_setup_env(Session *s, const char *she strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); read_environment_file(&env, &envsize, buf); } 
@@ -43,22 +43,10 @@ So, don't simply update this file with mkpatch command. if (debug_flag) { /* dump the environment */ fprintf(stderr, "Environment:\n"); -@@ -1201,8 +1213,9 @@ do_rc_files(Session *s, const char *shel - do_xauth = - s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; +@@ -1351,9 +1363,9 @@ do_setusercontext(struct passwd *pw) + (void)ssh_selinux_enabled(); + #endif -- /* ignore _PATH_SSH_USER_RC for subsystems */ -- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { -+ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ -+ if (!s->is_subsystem && options.adm_forced_command == NULL && -+ (stat(_PATH_SSH_USER_RC, &st) >= 0)) { - snprintf(cmd, sizeof cmd, "%s -c '%s %s'", - shell, _PATH_BSHELL, _PATH_SSH_USER_RC); - if (debug_flag) -@@ -1287,9 +1300,9 @@ do_nologin(struct passwd *pw) - void - do_setusercontext(struct passwd *pw) - { -#ifndef HAVE_CYGWIN +#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX) if (getuid() == 0 || geteuid() == 0) @@ -67,7 +55,7 @@ So, don't simply update this file with mkpatch command. { #ifdef HAVE_SETPCRED -@@ -1331,11 +1344,13 @@ do_setusercontext(struct passwd *pw) +@@ -1387,11 +1399,13 @@ do_setusercontext(struct passwd *pw) perror("setgid"); exit(1); } @@ -79,9 +67,9 @@ So, don't simply update this file with mkpatch command. } +# endif /* !HAVE_INTERIX */ endgrent(); - #ifdef GSSAPI - if (options.gss_authentication) { -@@ -2086,7 +2101,7 @@ session_pty_cleanup2(Session *s) + # ifdef USE_PAM + /* +@@ -2175,7 +2189,7 @@ session_pty_cleanup2(Session *s) record_logout(s->pid, s->tty, s->pw->pw_name); /* Release the pseudo-tty. */ diff --git a/security/openssh/patches/patch-ap b/security/openssh/patches/patch-ap index 8155f7cb536..3b982f750a3 100644 --- a/security/openssh/patches/patch-ap +++ b/security/openssh/patches/patch-ap 
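Review bot: Deleting the do_rc_files change from patch-ao removes the local guard `options.adm_forced_command == NULL` that stopped ~/.ssh/rc from being executed under an admin ForceCommand, and nothing in this hunk shows the replacement, so the merge should confirm by reading 5.0p1's session.c that the same check is now upstream rather than rely on the commit message's "fix two security issues". The remaining pkgsrc hunks in this file are offset refreshes, but the `#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)` guard in do_setusercontext has moved to sit after the `ssh_selinux_enabled()` call, so it is worth checking that the matching `# endif /* !HAVE_INTERIX */` before endgrent() still brackets exactly the setgid/initgroups block and nothing more. A line in the patch header such as `The ~/.ssh/rc vs. ForceCommand guard formerly carried here is part of 5.0p1.` would record why this hunk shrank, since the header otherwise only explains the ROOTUID substitution.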
@@ -1,11 +1,11 @@ -$NetBSD: patch-ap,v 1.8 2006/10/31 03:31:20 taca Exp $ +$NetBSD: patch-ap,v 1.9 2008/04/27 00:34:27 tnn Exp $ ---- ssh.c.orig 2006-10-29 12:02:30.000000000 +0900 +--- ssh.c.orig 2008-02-28 09:13:52.000000000 +0100 +++ ssh.c -@@ -684,7 +684,7 @@ main(int ac, char **av) - /* Open a connection to the remote host. */ +@@ -693,7 +693,7 @@ main(int ac, char **av) if (ssh_connect(host, &hostaddr, options.port, - options.address_family, options.connection_attempts, + options.address_family, options.connection_attempts, &timeout_ms, + options.tcp_keep_alive, -#ifdef HAVE_CYGWIN +#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX) options.use_privileged_port, diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax index 581b9f1afab..6965d5865b1 100644 --- a/security/openssh/patches/patch-ax +++ b/security/openssh/patches/patch-ax @@ -1,18 +1,10 @@ -$NetBSD: patch-ax,v 1.5 2008/04/03 07:59:08 tonnerre Exp $ +$NetBSD: patch-ax,v 1.6 2008/04/27 00:34:27 tnn Exp $ -Don't deadlock on exit with multiple X forwarded channels. -Don't use X11 port which can't be bound on all IP families. -Fixes CVE-2008-1483. - ---- channels.c.orig 2007-06-25 09:04:47.000000000 +0000 -+++ channels.c -@@ -2905,9 +2905,6 @@ x11_create_display_inet(int x11_display_ - debug2("bind port %d: %.100s", port, strerror(errno)); - close(sock); +--- sftp.h.orig 2008-02-10 12:40:12.000000000 +0100 ++++ sftp.h +@@ -94,4 +94,4 @@ + struct passwd; -- if (ai->ai_next) -- continue; -- - for (n = 0; n < num_socks; n++) { - close(socks[n]); - } + int sftp_server_main(int, char **, struct passwd *); +-void sftp_server_cleanup_exit(int) __dead; ++void sftp_server_cleanup_exit(int) __attribute__((noreturn)); -- cgit v1.2.3
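Review bot: The new patch-ax has no rationale line above `--- sftp.h.orig`, whereas the version it replaces explained what it fixed; a pkgsrc patch should say why it exists, for example `Replace the NetBSD-specific __dead annotation with the equivalent GCC attribute.` (the reason is inferred from the one-line change, so adjust if it is something else). This also drops the local channels.c backport whose header said "Fixes CVE-2008-1483", so the review should confirm that 5.0p1's channels.c contains that fix rather than rely on the commit message. `__attribute__((noreturn))` is GNU-specific syntax; unless the `__attribute__` compatibility macro from OpenSSH's defines.h is in scope wherever sftp.h is included, non-GNU compilers on other pkgsrc platforms will reject this declaration, so either keep `__dead` and define it when missing or guard the attribute with `#ifdef __GNUC__`.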