author | Natanael Copa <ncopa@alpinelinux.org> | 2015-08-26 11:28:34 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-08-26 10:00:45 +0000 |
commit | d17bb4a5103becdf779de640c3274345395bb8b9 (patch) | |
tree | c75779628d8c08a5192d1f073ef256c77fffd9ef | |
parent | b307fc2c175d13762f3ad0f8bd1639b6e3a95cda (diff) | |
main/openssh: security fixes from upstream
fixes #4580
CVE-2015-6563:
sshd(8): Portable OpenSSH only: Fixed a privilege separation
weakness related to PAM support. Attackers who could successfully
compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could
impersonate other users. Reported by Moritz Jodeit.
CVE-2015-6564:
sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to
PAM support that was reachable by attackers who could compromise the
pre-authentication process for remote code execution. Also reported by
Moritz Jodeit.
CVE-2015-6565:
sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
writable. Local attackers may be able to write arbitrary messages
to logged-in users, including terminal escape sequences.
Reported by Nikolay Edigaryev.
(cherry picked from commit 26c30cf5be4151eee04678ad118d056de0601833)
Conflicts:
main/openssh/APKBUILD
Conflicts:
main/openssh/APKBUILD
-rw-r--r-- | main/openssh/APKBUILD | 14 | ||||
-rw-r--r-- | main/openssh/CVE-2015-6563.patch | 37 | ||||
-rw-r--r-- | main/openssh/CVE-2015-6564.patch | 33 | ||||
-rw-r--r-- | main/openssh/CVE-2015-6565.patch | 72 |
4 files changed, 155 insertions, 1 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index cfde9c941b..6c04cbce47 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openssh
 pkgver=6.6_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=5
+pkgrel=6
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -19,6 +19,9 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
 sshd.confd
 CVE-2014-2653.patch
 CVE-2015-5600.patch
+ CVE-2015-6563.patch
+ CVE-2015-6564.patch
+ CVE-2015-6565.patch
 openssh-curve25519pad.patch
 "
 # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
@@ -113,6 +116,9 @@ bcf990d4ef7ff446160cde7dbd32bf1f sshd.initd
 b35e9f3829f4cfca07168fcba98749c7 sshd.confd
 02a7de5652d9769576e3b252d768cd0f CVE-2014-2653.patch
 188d255048996a0f2dce35031a9fdb07 CVE-2015-5600.patch
+ae3ac6c890f3172327118f3b793e7f05 CVE-2015-6563.patch
+9e107e2636250f33199ba47550ceca1e CVE-2015-6564.patch
+48b16c12877d665d9701809fdc6f4bc6 CVE-2015-6565.patch
 da797337121f07bc3fac8a21afac20f8 openssh-curve25519pad.patch"
 sha256sums="48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb openssh-6.6p1.tar.gz
 83f2b2c07988c6321875240c02a161a83ec84661d592cbd2188ea8c962f9b1ad openssh6.6-dynwindows.diff
@@ -123,6 +129,9 @@ f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde openssh-fix-ut
 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 sshd.confd
 03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd CVE-2014-2653.patch
 d7bc0d62a9741775ab618725c63c9bdda915e5c6d2e8a4c6995ebe1fa8b3224f CVE-2015-5600.patch
+044c3ceeb69c4812414bc605d3fd1f49e48623fe75b958f130420c9a3a3d3914 CVE-2015-6563.patch
+0f4db4d65edbbef21862ac10714bdd4f8911cf9f9b6eb220f94663be0c4872c8 CVE-2015-6564.patch
+e42adee1f712850efcce272b556909fd3daf688c1f6059d86bfcc064cea09e87 CVE-2015-6565.patch
 8b0caf249298eec28aad3cb77256d31a90652c77bdc1a54a00f04e8c1446d5c4 openssh-curve25519pad.patch"
 sha512sums="3d3566ed87649882702cad52db1adefebfb3ef788c9f77a493f99db7e9ca2e8edcde793dd426df7df0aed72a42a31c20a63ef51506111369d3a7c49e0bf6c82b openssh-6.6p1.tar.gz
 3aab8b8e1f86ce04ebc69bbdbf3c70cefd510d7b4080b99067ec49957b5e421b49e3b8a0a62103d17cf644cd7c0b30e9283a62a24988b1bbb0fbdabbdc1202fd openssh6.6-dynwindows.diff
@@ -133,4 +142,7 @@ eeafefcb8a3357b498591480b39dc0116ab3440c88faeaeaddeac0b860f9e268abe6f603bc27893b
 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 sshd.confd
 be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40 CVE-2014-2653.patch
 c53410eb119fdba313661bdffbbbc0e19970c2321fdf24cb086d1946d0f99c8fb06c65b7edc52a746024caa1c6cf87dfc19758e28ff2935a555ac04c9437827a CVE-2015-5600.patch
+7ab16c39dc02d38c2b8498a187c43637f6e8a06dc9786d1746010d2d416d979c34103bd6f95365664a143641d85d6985f73bcf055f5eb481ec34ad2a7ee2e939 CVE-2015-6563.patch
+e5a7d536837aefb07260b01c2863f96d0db2521d7739ded69f92490fad4c8537c853320458cdbc3a86cd90805d54fc87e081ece1dd4cb19392599888f9078e26 CVE-2015-6564.patch
+2f74906d7bfc2ca48f001470606a055ade36b44c17d386ed89e44507c8821f1c7b48eed022be729459185d5b6f848fd5763f7b711e106fbc20fb18c10bb688bd CVE-2015-6565.patch
 5c946726e9fb472412972ca73c6e4565598b7729558843be2391e04d8935f0e35a992b4fa9f89c8a98917665c12219ea5ad58359269cbe2cf90907f7d1e2cec8 openssh-curve25519pad.patch"
diff --git a/main/openssh/CVE-2015-6563.patch b/main/openssh/CVE-2015-6563.patch
new file mode 100644
index 0000000000..d3bdcac132
--- /dev/null
+++ b/main/openssh/CVE-2015-6563.patch
@@ -0,0 +1,37 @@
+From d4697fe9a28dab7255c60433e4dd23cf7fce8a8b Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 11 Aug 2015 13:33:24 +1000
+Subject: [PATCH] Don't resend username to PAM; it already has it.
+
+Pointed out by Moritz Jodeit; ok dtucker@
+---
+ monitor.c | 2 --
+ monitor_wrap.c | 1 -
+ 2 files changed, 3 deletions(-)
+
+diff --git a/monitor.c b/monitor.c
+index b410965..f1b873d 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index e6217b3..eac421b 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/main/openssh/CVE-2015-6564.patch b/main/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000000..e278dd7414
--- /dev/null
+++ b/main/openssh/CVE-2015-6564.patch
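Review bot: In mm_answer_pam_init_ctx (the monitor.c hunk of CVE-2015-6563.patch) nothing records why the username is no longer read from the request, and the function now relies on authctxt->user having been set earlier by the monitor itself. A one-line comment above the init_ctx call would keep a later change from reintroducing the child-supplied value, for example `/* user comes from the monitor's own authctxt; never accept it from the privsep child */`. The hunk does not show whether this request can arrive before authctxt->user is populated, so that ordering is worth confirming against the monitor's request dispatch. Both patched functions continue outside their hunks.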
@@ -0,0 +1,33 @@
+From 5e75f5198769056089fb06c4d738ab0e5abc66f7 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Tue, 11 Aug 2015 13:34:12 +1000
+Subject: [PATCH] set sshpam_ctxt to NULL after free
+
+Avoids use-after-free in monitor when privsep child is compromised.
+Reported by Moritz Jodeit; ok dtucker@
+---
+ monitor.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/monitor.c b/monitor.c
+index f1b873d..a914209 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
diff --git a/main/openssh/CVE-2015-6565.patch b/main/openssh/CVE-2015-6565.patch
new file mode 100644
index 0000000000..40fe7779ac
--- /dev/null
+++ b/main/openssh/CVE-2015-6565.patch
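Review bot: After `sshpam_ctxt = sshpam_authok = NULL;` in mm_answer_pam_free_ctx, the other PAM handlers in monitor.c can be entered with a NULL sshpam_ctxt if the privsep child sends a further PAM request after the free. mm_answer_pam_respond is named in the hunk header but its body is not visible here, so whether it and the query handler tolerate NULL should be confirmed; if they do not, a guard such as `if (sshpam_ctxt == NULL) fatal("%s: no context", __func__);` at their top would fail closed. The same question applies to the `(sshpam_device.free_ctx)(sshpam_ctxt)` call on a repeated free request, depending on how free_ctx handles NULL.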
@@ -0,0 +1,72 @@
+From a5883d4eccb94b16c355987f58f86a7dee17a0c2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 3 Sep 2014 18:55:07 +0000
+Subject: [PATCH] upstream commit
+
+tighten permissions on pty when the "tty" group does
+ not exist; pointed out by Corinna Vinschen; ok markus
+---
+ sshpty.c | 11 +++-------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/sshpty.c b/sshpty.c
+index a2059b7..d2ff8c1 100644
+--- a/sshpty.c
++++ b/sshpty.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshpty.c,v 1.28 2007/09/11 23:49:09 stevesk Exp $ */
++/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const char *tty)
+
+ /* Determine the group to make the owner of the tty. */
+ grp = getgrnam("tty");
+- if (grp) {
+- gid = grp->gr_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP;
+- } else {
+- gid = pw->pw_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
+- }
++ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
++ mode = (grp != NULL) ? 0622 : 0600;
+
+ /*
+ * Change owner and mode of the tty as required.
+From 6f941396b6835ad18018845f515b0c4fe20be21a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 30 Jul 2015 23:09:15 +0000
+Subject: upstream commit
+
+fix pty permissions; patch from Nikolay Edigaryev; ok
+ deraadt
+
+Upstream-ID: 40ff076d2878b916fbfd8e4f45dbe5bec019e550
+---
+ sshpty.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sshpty.c b/sshpty.c
+index 7bb7641..15da8c6 100644
+--- a/sshpty.c
++++ b/sshpty.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
++/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
+ /* Determine the group to make the owner of the tty. */
+ grp = getgrnam("tty");
+ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
+- mode = (grp != NULL) ? 0622 : 0600;
++ mode = (grp != NULL) ? 0620 : 0600;
+
+ /*
+ * Change owner and mode of the tty as required.
+--
+cgit v0.11.2
+ |
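Review bot: CVE-2015-6565.patch concatenates two upstream commits whose sshpty.c blobs do not chain (the first leaves d2ff8c1, the second expects 7bb7641, and its pty_setowner hunk sits at line 197 rather than 196), so the second presumably applies only with an offset. The build output should be checked to confirm both hunks applied, because applying the first alone would leave `mode = (grp != NULL) ? 0622 : 0600;`, which makes the tty world-writable whenever the "tty" group exists. The removed lines show the 6.6p1 pre-image already used `S_IRUSR | S_IWUSR | S_IWGRP` for that case, so the net change on this version is only the fallback without a "tty" group going from 0622 to 0600. A short comment at the top of the patch file stating this, and why the 2014 commit is bundled, would help later maintainers. pty_setowner continues outside both hunks.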