From 403f796724c009dfce0bdd4ec22a47e9af7c3fe4 Mon Sep 17 00:00:00 2001
From: bsiegert
Date: Tue, 15 Mar 2016 20:54:07 +0000
Subject: Update openssh to 7.2.2 (7.2p2).
Changes since OpenSSH 7.2p1
===========================
This release fixes a security bug:
* sshd(8): sanitise X11 authentication credentials to avoid xauth command injection when X11Forwarding is enabled.
Full details of the vulnerability are available at: http://www.openssh.com/txt/x11fwd.adv
---
security/openssh/Makefile | 7 ++--
security/openssh/PLIST | 4 +--
security/openssh/distinfo | 21 +++++------
security/openssh/patches/patch-clientloop.c | 18 +++++-----
security/openssh/patches/patch-packet.c | 16 --------
security/openssh/patches/patch-readconf.c | 25 --------------
security/openssh/patches/patch-ssh.c | 23 ++++---------
security/openssh/patches/patch-sshd.c | 53 ++++++++++++++++-------------
8 files changed, 57 insertions(+), 110 deletions(-)
delete mode 100644 security/openssh/patches/patch-packet.c
delete mode 100644 security/openssh/patches/patch-readconf.c
(limited to 'security')
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 9a2378d521c..351d3932d73 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.242 2016/03/05 11:29:23 jperkin Exp $
+# $NetBSD: Makefile,v 1.243 2016/03/15 20:54:07 bsiegert Exp $
-DISTNAME= openssh-7.1p1
-PKGNAME= ${DISTNAME:S/p1/.1/}
-PKGREVISION= 4
+DISTNAME= openssh-7.2p2
+PKGNAME= ${DISTNAME:S/p2/.2/}
 CATEGORIES= security
 MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
diff --git a/security/openssh/PLIST b/security/openssh/PLIST
index ebe150ae24d..e18d93a97c3 100644
--- a/security/openssh/PLIST
+++ b/security/openssh/PLIST
@@ -1,7 +1,6 @@
-@comment $NetBSD: PLIST,v 1.17 2015/08/14 08:57:00 jperkin Exp $
+@comment $NetBSD: PLIST,v 1.18 2016/03/15 20:54:07 bsiegert Exp $
 bin/scp
 bin/sftp
-bin/slogin
 bin/ssh
 bin/ssh-add
 bin/ssh-agent
@@ -13,7 +12,6 @@ libexec/ssh-pkcs11-helper
 ${PLIST.prng}libexec/ssh-rand-helper
 man/man1/scp.1
 man/man1/sftp.1
-man/man1/slogin.1
 man/man1/ssh-add.1
 man/man1/ssh-agent.1
 man/man1/ssh-keygen.1
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 747daee1ff3..a8f162f80e1 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,12 +1,9 @@
-$NetBSD: distinfo,v 1.99 2016/02/26 21:06:38 tez Exp $
+$NetBSD: distinfo,v 1.100 2016/03/15 20:54:07 bsiegert Exp $
-SHA1 (openssh-7.1p1-hpn-20150822.diff.bz2) = 444a2fbd80d57ff93b53ade84ec162e2a2f3aa67
-RMD160 (openssh-7.1p1-hpn-20150822.diff.bz2) = 87fb6887d9ccb4b305ff3c25fd5f67847d9996d1
-Size (openssh-7.1p1-hpn-20150822.diff.bz2) = 12173 bytes
-SHA1 (openssh-7.1p1.tar.gz) = ed22af19f962262c493fcc6ed8c8826b2761d9b6
-RMD160 (openssh-7.1p1.tar.gz) = 2c97ea10099fa8658156c0351d60d715655b9b07
-SHA512 (openssh-7.1p1.tar.gz) = f1491ca5a0a733eb27ede966590642a412cb7be7178dcb7b9e5844bbdc8383032f4b00435192b95fc0365b6fe74d6c5ac8d6facbe9d51e1532d049e2f784e8f7
-Size (openssh-7.1p1.tar.gz) = 1493170 bytes
+SHA1 (openssh-7.2p2.tar.gz) = 70e35d7d6386fe08abbd823b3a12a3ca44ac6d38
+RMD160 (openssh-7.2p2.tar.gz) = d18d73719ceeefa5116b5b741124f3604d7ddb99
+SHA512 (openssh-7.2p2.tar.gz) = 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b
+Size (openssh-7.2p2.tar.gz) = 1499808 bytes
 SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
 SHA1 (patch-auth-passwd.c) = 92c487cc3c092efb56f8b4ac4ca08ccd67803a83
 SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
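Review bot: The three `openssh-7.1p1-hpn-20150822.diff.bz2` entries are removed at the top of the distinfo hunk with no 7.2p2 HPN diff recorded in their place, and the diffstat lists no change to options.mk; if the package still declares an hpn-patch option, selecting it will now fail at the checksum step (no distinfo record for the PATCHFILES entry) instead of building. Either record the 7.2 HPN diff here or disable the option in the same commit, and say so in the commit message, since a silently disappearing option is easy to miss. The new tarball keeps SHA512 next to SHA1/RMD160, which is what actually provides integrity for a fetch from MASTER_SITE_OPENBSD.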
@@ -14,7 +11,7 @@ SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
 SHA1 (patch-auth1.c) = cdac14ffa4008e62926526e66316b0a553435374
 SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
 SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c
-SHA1 (patch-clientloop.c) = a99fa9ff36e0068c059ee9daa392d06c01d1761c
+SHA1 (patch-clientloop.c) = 9b2db181d964b7720e1dc12724a9b9033f28d0e7
 SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
 SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2
 SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
@@ -23,15 +20,13 @@ SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
 SHA1 (patch-openbsd-compat_bsd-openpty.c) = eaac72830e36e307c19a7b679e6018ece9aebaac
 SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
 SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee
-SHA1 (patch-packet.c) = d302a0802861287e9a5230bbe2a1018c5dc17d28
 SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
-SHA1 (patch-readconf.c) = e1663d4d9a7ca8de8f87ba42d7b764923cdcc5db
 SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
 SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
 SHA1 (patch-session.c) = 2aa1d95a35b52519c4921494855f861dc1380f3b
 SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
-SHA1 (patch-ssh.c) = 00897c09b7d3037713c579cbc41301623d4c2ebf
+SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
 SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = 85a9f50c8b1bdcc44156e2b457a583ccdbc5821b
+SHA1 (patch-sshd.c) = cd23ce269bfb48b0caa901e62fc01d35ef0618ac
 SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
 SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e
diff --git a/security/openssh/patches/patch-clientloop.c b/security/openssh/patches/patch-clientloop.c
index a0937955e63..e615c28f34a 100644
--- a/security/openssh/patches/patch-clientloop.c
+++ b/security/openssh/patches/patch-clientloop.c
@@ -1,12 +1,12 @@
-$NetBSD: patch-clientloop.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-clientloop.c,v 1.4 2016/03/15 20:54:07 bsiegert Exp $
 Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
 https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
---- clientloop.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- clientloop.c.orig 2016-03-09 18:04:48.000000000 +0000
 +++ clientloop.c
-@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
+@@ -313,6 +313,10 @@ client_x11_get_proto(const char *display
  struct stat st;
  u_int now, x11_timeout_real;
@@ -14,13 +14,13 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
 + int is_path_to_socket = 0;
 +#endif /* __APPLE__ */
 +
- xauthdir = xauthfile = NULL;
  *_proto = proto;
  *_data = data;
-@@ -330,6 +334,33 @@ client_x11_get_proto(const char *display
- debug("x11_get_proto: DISPLAY not set");
- return;
- }
+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+@@ -329,6 +333,33 @@ client_x11_get_proto(const char *display
+ }
+
+ if (xauth_path != NULL) {
 +#if __APPLE__
 + {
 + /*
@@ -51,7 +51,7 @@ https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?r
  /*
  * Handle FamilyLocal case where $DISPLAY does
  * not match an authorization entry. For this we
-@@ -421,6 +452,9 @@ client_x11_get_proto(const char *display
+@@ -438,6 +469,9 @@ client_x11_get_proto(const char *display
  if (!got_data) {
  u_int32_t rnd = 0;
diff --git a/security/openssh/patches/patch-packet.c b/security/openssh/patches/patch-packet.c
deleted file mode 100644
index 2c5f1a455da..00000000000
--- a/security/openssh/patches/patch-packet.c
+++ /dev/null
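Review bot: The MacPorts block is spliced in directly after the new `+ if (xauth_path != NULL) {` context line, i.e. ahead of the FamilyLocal handling shown as context in the `@@ -51,7 +51,7 @@` hunk and of whatever display validation 7.2p2 performs later in this function, none of which is visible here; since the block presumably treats `display` as a launchd socket path (the `is_path_to_socket` flag), confirm that any value it substitutes still passes through that same validation before xauth is run rather than being handed over directly. The new `+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';` context, replacing the dropped `- xauthdir = xauthfile = NULL;`, shows that 7.2p2 turned these into fixed buffers, so any MacPorts lines beyond the hunk that assign or free `xauthdir`/`xauthfile` need the same conversion. That rebase deserves a line in the patch header, e.g. `Re-based on 7.2p2's rewritten client_x11_get_proto (see x11fwd.adv); xauthdir/xauthfile are now arrays.` client_x11_get_proto() begins and ends outside the hunks.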
@@ -1,16 +0,0 @@
-$NetBSD: patch-packet.c,v 1.1 2016/02/26 21:06:38 tez Exp $
-
-Fix for CVE-2016-1907
-from https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0
-
-
---- packet.c.orig 2016-02-26 18:42:38.037291000 +0000
-+++ packet.c
-@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u
- logit("Bad packet length %u.", state->packlen);
- if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
- return r;
-+ return SSH_ERR_CONN_CORRUPT;
- }
- sshbuf_reset(state->incoming_packet);
- } else if (state->packlen == 0) {
diff --git a/security/openssh/patches/patch-readconf.c b/security/openssh/patches/patch-readconf.c
deleted file mode 100644
index 79e5a01cbdf..00000000000
--- a/security/openssh/patches/patch-readconf.c
+++ /dev/null
@@ -1,25 +0,0 @@
-$NetBSD: patch-readconf.c,v 1.1 2016/01/18 12:53:26 jperkin Exp $
-
-Disable roaming.
-
---- readconf.c.orig 2015-08-21 04:49:03.000000000 +0000
-+++ readconf.c
-@@ -1660,7 +1660,7 @@ initialize_options(Options * options)
- options->tun_remote = -1;
- options->local_command = NULL;
- options->permit_local_command = -1;
-- options->use_roaming = -1;
-+ options->use_roaming = 0;
- options->visual_host_key = -1;
- options->ip_qos_interactive = -1;
- options->ip_qos_bulk = -1;
-@@ -1833,8 +1833,7 @@ fill_default_options(Options * options)
- options->tun_remote = SSH_TUNID_ANY;
- if (options->permit_local_command == -1)
- options->permit_local_command = 0;
-- if (options->use_roaming == -1)
-- options->use_roaming = 1;
-+ options->use_roaming = 0;
- if (options->visual_host_key == -1)
- options->visual_host_key = 0;
- if (options->ip_qos_interactive == -1)
diff --git a/security/openssh/patches/patch-ssh.c b/security/openssh/patches/patch-ssh.c
index 32c1235f15b..43e615ed32b 100644
--- a/security/openssh/patches/patch-ssh.c
+++ b/security/openssh/patches/patch-ssh.c
@@ -1,26 +1,15 @@
-$NetBSD: patch-ssh.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-ssh.c,v 1.6 2016/03/15 20:54:07 bsiegert Exp $
 Interix support
-Disable roaming
---- ssh.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- ssh.c.orig 2016-03-09 18:04:48.000000000 +0000
 +++ ssh.c
-@@ -1084,7 +1084,7 @@ main(int ac, char **av)
- "disabling");
- options.update_hostkeys = 0;
+@@ -1097,7 +1097,7 @@ main(int ac, char **av)
  }
+ if (options.connection_attempts <= 0)
+ fatal("Invalid number of ConnectionAttempts");
 -#ifndef HAVE_CYGWIN
-+#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
  if (original_effective_uid != 0)
  options.use_privileged_port = 0;
  #endif
-@@ -1932,9 +1932,6 @@ ssh_session2(void)
- fork_postauth();
- }
-
-- if (options.use_roaming)
-- request_roaming();
--
- return client_loop(tty_flag, tty_flag ?
- options.escape_char : SSH_ESCAPECHAR_NONE, id);
- }
diff --git a/security/openssh/patches/patch-sshd.c b/security/openssh/patches/patch-sshd.c
index 36b0419e342..d57b45a10c4 100644
--- a/security/openssh/patches/patch-sshd.c
+++ b/security/openssh/patches/patch-sshd.c
@@ -1,11 +1,11 @@
-$NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-sshd.c,v 1.7 2016/03/15 20:54:07 bsiegert Exp $
 * Interix support
 * Revive tcp_wrappers support.
---- sshd.c.orig 2015-08-21 04:49:03.000000000 +0000
+--- sshd.c.orig 2016-03-09 18:04:48.000000000 +0000
 +++ sshd.c
-@@ -126,6 +126,13 @@
+@@ -125,6 +125,13 @@
  #include "version.h"
  #include "ssherr.h"
@@ -19,7 +19,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
  #ifndef O_NOCTTY
  #define O_NOCTTY 0
  #endif
-@@ -237,7 +244,11 @@ int *startup_pipes = NULL;
+@@ -236,7 +243,11 @@ int *startup_pipes = NULL;
  int startup_pipe; /* in child */
  /* variables used for privilege separation */
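Review bot: The replacement line `++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)` corrects the previous revision's `-+#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)`, which had the sense of upstream's `#ifndef HAVE_CYGWIN` inverted: on every platform other than Cygwin the non-root clearing of `options.use_privileged_port` was compiled out, and on Cygwin it was compiled in. That is a behaviour change for existing non-Cygwin users (a non-root ssh with UsePrivilegedPort=yes presumably now falls back to an unprivileged port instead of failing to bind) and neither the patch header nor the commit message records it; suggest extending the header to `Interix support (keep upstream's non-root UsePrivilegedPort downgrade; earlier revision had the condition inverted).` Dropping the `Disable roaming` hunk alongside the deleted patch-readconf.c looks consistent with 7.2 removing the client roaming code, but the commit message only lists changes since 7.2p1, so the 7.1-to-7.2 removals that justify the deleted patches go unmentioned. main() and ssh_session2() begin outside the hunk.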
@@ -31,34 +31,41 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
  struct monitor *pmonitor = NULL;
  int privsep_is_preauth = 1;
-@@ -644,10 +655,15 @@ privsep_preauth_child(void)
- /* XXX not ready, too heavy after chroot */
- do_setusercontext(privsep_pw);
- #else
+@@ -632,7 +643,7 @@ privsep_preauth_child(void)
+ demote_sensitive_data();
+
+ /* Demote the child */
+- if (getuid() == 0 || geteuid() == 0) {
++ if (getuid() == ROOTUID || geteuid() == ROOTUID) {
+ /* Change our root directory */
+ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
+ fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
+@@ -643,10 +654,15 @@ privsep_preauth_child(void)
+ /* Drop our privileges */
+ debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+ (u_int)privsep_pw->pw_gid);
 +#ifdef HAVE_INTERIX
 + if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
 + fatal("setuser: %.100s", strerror(errno));
 +#else
- gidset[0] = privsep_pw->pw_gid;
- if (setgroups(1, gidset) < 0)
- fatal("setgroups: %.100s", strerror(errno));
- permanently_set_uid(privsep_pw);
+ gidset[0] = privsep_pw->pw_gid;
+ if (setgroups(1, gidset) < 0)
+ fatal("setgroups: %.100s", strerror(errno));
+ permanently_set_uid(privsep_pw);
 +#endif /* HAVE_INTERIX */
- #endif
+ }
  }
-@@ -715,11 +731,18 @@ privsep_preauth(Authctxt *authctxt)
+@@ -713,10 +729,17 @@ privsep_preauth(Authctxt *authctxt)
+ /* Arrange for logging to be sent to the monitor */
  set_log_handler(mm_log_handler, pmonitor);
- /* Demote the child */
-- if (getuid() == 0 || geteuid() == 0)
 +#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
 + /* We need to do this before we chroot() so we can read sshd.sb */
 + if (box != NULL)
 + ssh_sandbox_child(box);
 +#endif
-+ if (getuid() == ROOTUID || geteuid() == ROOTUID)
- privsep_preauth_child();
+ privsep_preauth_child();
  setproctitle("%s", "[net]");
 +#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
  if (box != NULL)
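Review bot: The Interix branch kept in the `@@ -643,10 +654,15 @@` part drops privileges with a single `setuser(privsep_pw->pw_name, NULL, SU_COMPLETE)` call and trusts only its return value, whereas the `#else` path beside it goes through `permanently_set_uid()`, which (in uidswap.c, outside this patch) also verifies that the original uid cannot be regained; the Interix path has no such post-condition, so a setuser() that returns 0 without fully switching credentials would leave the pre-auth [net] process privileged. Consider adding after the call `if (getuid() != privsep_pw->pw_uid || geteuid() != privsep_pw->pw_uid) fatal("setuser: privileges not dropped");`. The chroot-and-drop block is now keyed on `ROOTUID` rather than `0`, a macro defined outside this file (presumably in patch-defines.h); confirm it expands to 0 on every non-Interix platform, since otherwise the chroot into _PATH_PRIVSEP_CHROOT_DIR and the privilege drop are silently skipped. privsep_preauth_child() and privsep_preauth() both begin outside the hunk.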
@@ -67,7 +74,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
  return 0;
  }
-@@ -733,7 +756,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -730,7 +753,7 @@ privsep_postauth(Authctxt *authctxt)
  #ifdef DISABLE_FD_PASSING
  if (1) {
  #else
@@ -76,7 +83,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
  #endif
  /* File descriptor passing is broken or root login */
  use_privsep = 0;
-@@ -1489,8 +1512,10 @@ main(int ac, char **av)
+@@ -1497,8 +1520,10 @@ main(int ac, char **av)
  av = saved_argv;
  #endif
@@ -88,7 +95,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
  /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  sanitise_stdfd();
-@@ -1919,7 +1944,7 @@ main(int ac, char **av)
+@@ -1925,7 +1950,7 @@ main(int ac, char **av)
  (st.st_uid != getuid () ||
  (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
  #else
@@ -97,7 +104,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
  #endif
  fatal("%s must be owned by root and not group or "
  "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1942,8 +1967,10 @@ main(int ac, char **av)
+@@ -1948,8 +1973,10 @@ main(int ac, char **av)
  * to create a file, and we can't control the code in every
  * module which might be used). */
@@ -108,7 +115,7 @@ $NetBSD: patch-sshd.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $
  if (rexec_flag) {
  rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
-@@ -2139,6 +2166,25 @@ main(int ac, char **av)
+@@ -2145,6 +2172,25 @@ main(int ac, char **av)
  audit_connection_from(remote_ip, remote_port);
  #endif
-- cgit v1.2.3