diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-24 07:24:14 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-08-24 07:24:24 +0000 |
| commit | d81de099ec72c3de4831dda451d0450f0200c954 (patch) | |
| tree | 528cc94f39dec4ea5e5c240feed118b5b3d464a3 | |
| parent | 0027532cc128d287c275ec106cb492968d1c19c8 (diff) | |
| download | aports-d81de099ec72c3de4831dda451d0450f0200c954.tar.bz2 aports-d81de099ec72c3de4831dda451d0450f0200c954.tar.xz | |
main/openssh: upgrade to 7.8_p1
| -rw-r--r-- | main/openssh/APKBUILD | 8 | ||||
| -rw-r--r-- | main/openssh/CVE-2018-15473.patch | 146 |
2 files changed, 3 insertions, 151 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD index 4242bf210f..b413dae27d 100644 --- a/main/openssh/APKBUILD +++ b/main/openssh/APKBUILD @@ -2,9 +2,9 @@ # Contributor: Valery Kartel <valery.kartel@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=openssh -pkgver=7.7_p1 +pkgver=7.8_p1 _myver=${pkgver%_*}${pkgver#*_} -pkgrel=4 +pkgrel=0 pkgdesc="Port of OpenBSD's free SSH release" url="http://www.openssh.org/portable.html" arch="all" @@ -35,7 +35,6 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar bsd-compatible-realpath.patch sftp-interactive.patch disable-forwarding-by-default.patch - CVE-2018-15473.patch sshd.initd sshd.confd " @@ -196,12 +195,11 @@ _pkg_flavour() { done } -sha512sums="597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261 openssh-7.7p1.tar.gz +sha512sums="8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705 openssh-7.8p1.tar.gz 398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6 openssh7.4-peaktput.patch f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1 fix-utmp.patch f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch 8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch -3f8d0b8547965c47ac8980d45a55f48472a60a2cbba3d552cb3a8c383455830e309b2df4e0afd4b01a53b7e45197fc172760e41302c10fdd0b55dbb85a6d9d87 CVE-2018-15473.patch bcd56bebe37acb69986abd247d6b74daf7dde1712f30640244a1dd70c505a6a536c5536bef11345e128b6785e1c8ff9736627556e702218805fb14b23bd7047c sshd.initd ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc sshd.confd" diff --git a/main/openssh/CVE-2018-15473.patch b/main/openssh/CVE-2018-15473.patch deleted file mode 100644 index 77e71727aa..0000000000 --- a/main/openssh/CVE-2018-15473.patch +++ /dev/null @@ -1,146 +0,0 @@ -From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001 -From: djm <djm@openbsd.org> -Date: Tue, 31 Jul 2018 03:10:27 +0000 -Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?= - =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?= - =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?= - =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - ---- - usr.bin/ssh/auth2-gss.c | 11 +++++++---- - usr.bin/ssh/auth2-hostbased.c | 11 ++++++----- - usr.bin/ssh/auth2-pubkey.c | 25 +++++++++++++++---------- - 3 files changed, 28 insertions(+), 19 deletions(-) - -diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c -index 649c830916a..c919ef4c353 100644 ---- a/auth2-gss.c -+++ b/auth2-gss.c -@@ -69,9 +69,6 @@ userauth_gssapi(struct ssh *ssh) - u_int len; - u_char *doid = NULL; - -- if (!authctxt->valid || authctxt->user == NULL) -- return (0); -- - mechs = packet_get_int(); - if (mechs == 0) { - debug("Mechanism negotiation is not supported"); -@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh) - return (0); - } - -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", __func__); -+ free(doid); -+ return (0); -+ } -+ - if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { - if (ctxt != NULL) - ssh_gssapi_delete_ctx(&ctxt); -diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c -index ad335555934..fb5e5f42272 100644 ---- a/auth2-hostbased.c -+++ b/auth2-hostbased.c -@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh) - size_t alen, blen, slen; - int r, pktype, authenticated = 0; - -- if (!authctxt->valid) { -- debug2("%s: disabled because of invalid user", __func__); -- return 0; -- } - /* XXX use sshkey_froms() */ - if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 || - (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 || -@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh) - goto done; - } - -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", __func__); -+ goto done; -+ } -+ - if ((b = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); - /* reconstruct packet */ -diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c -index 195da5e2111..af9e5f04c45 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -86,19 +86,15 @@ userauth_pubkey(struct ssh *ssh) - { - Authctxt *authctxt = ssh->authctxt; - struct passwd *pw = authctxt->pw; -- struct sshbuf *b; -+ struct sshbuf *b = NULL; - struct sshkey *key = NULL; -- char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; -- u_char *pkblob, *sig, have_sig; -+ char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL; -+ u_char *pkblob = NULL, *sig = NULL, have_sig; - size_t blen, slen; - int r, pktype; - int authenticated = 0; - struct sshauthopt *authopts = NULL; - -- if (!authctxt->valid) { -- debug2("%s: disabled because of invalid user", __func__); -- return 0; -- } - if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 || - (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 || - (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0) -@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh) - fatal("%s: sshbuf_put_string session id: %s", - __func__, ssh_err(r)); - } -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", -+ __func__); -+ goto done; -+ } - /* reconstruct packet */ - xasprintf(&userstyle, "%s%s%s", authctxt->user, - authctxt->style ? ":" : "", -@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh) - #ifdef DEBUG_PK - sshbuf_dump(b, stderr); - #endif -- - /* test for correct signature */ - authenticated = 0; - if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && -@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh) - authenticated = 1; - } - sshbuf_free(b); -- free(sig); - auth2_record_key(authctxt, authenticated, key); - } else { - debug("%s: test pkalg %s pkblob %s%s%s", -@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh) - if ((r = sshpkt_get_end(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); - -+ if (!authctxt->valid || authctxt->user == NULL) { -+ debug2("%s: disabled because of invalid user", -+ __func__); -+ goto done; -+ } - /* XXX fake reply and always send PK_OK ? */ - /* - * XXX this allows testing whether a user is allowed -@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh) - free(pkblob); - free(key_s); - free(ca_s); -+ free(sig); - return authenticated; - } - |