main/openssh: security fix for CVE-2014-2653

patch cherry-picked from debian
also delete the obsolete old CVE patch (6.6 has the fix builtin)

3 files changed, 89 insertions, 36 deletions

diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index e58053d3bf..b5d9237560 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openssh
 pkgver=6.6_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=1
+pkgrel=2
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -17,7 +17,7 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
 	openssh-fix-utmp.diff
 	sshd.initd
 	sshd.confd
-	CVE-2014-2532.patch
+	CVE-2014-2653.patch
 	"
 # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
 
@@ -30,7 +30,7 @@ prepare() {
 			msg "Applying $i"
 			gunzip -c "$srcdir"/"${i##*/}" | patch -p1 -N || return 1
 			;;
-		*.diff)
+		*.diff|*.patch)
 			msg "Applying $i"
 			patch -p1 -N -i "$srcdir"/${i##*/} || return 1
 			;;
@@ -108,7 +108,7 @@ cd52fe99cb4b7d0d847bf5d710d93564  openssh6.5-peaktput.diff
 f7d9d6f96940ef66bd3c3a0aa27e57a7  openssh-fix-utmp.diff
 bcf990d4ef7ff446160cde7dbd32bf1f  sshd.initd
 b35e9f3829f4cfca07168fcba98749c7  sshd.confd
-e4cf579145106ce3d4465453b70ea50d  CVE-2014-2532.patch"
+02a7de5652d9769576e3b252d768cd0f  CVE-2014-2653.patch"
 sha256sums="48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb  openssh-6.6p1.tar.gz
 83f2b2c07988c6321875240c02a161a83ec84661d592cbd2188ea8c962f9b1ad  openssh6.6-dynwindows.diff
 bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249  openssh6.5-peaktput.diff
@@ -116,7 +116,7 @@ c3189ba0e17e60e83851ac2d6f18ad5b08cb90cccfce31d61cccb9fd76d44d59  openssh-fix-in
 f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde  openssh-fix-utmp.diff
 2a9889ab224be7202ece80a7085aa3e85bbba9432467031b436dcd77cb92a2ac  sshd.initd
 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41  sshd.confd
-323d1a7a0ff72143580ac1b0ce2a28b9640f956368bc6629890c22c79af28aaa  CVE-2014-2532.patch"
+03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd  CVE-2014-2653.patch"
 sha512sums="3d3566ed87649882702cad52db1adefebfb3ef788c9f77a493f99db7e9ca2e8edcde793dd426df7df0aed72a42a31c20a63ef51506111369d3a7c49e0bf6c82b  openssh-6.6p1.tar.gz
 3aab8b8e1f86ce04ebc69bbdbf3c70cefd510d7b4080b99067ec49957b5e421b49e3b8a0a62103d17cf644cd7c0b30e9283a62a24988b1bbb0fbdabbdc1202fd  openssh6.6-dynwindows.diff
 e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1  openssh6.5-peaktput.diff
@@ -124,4 +124,4 @@ e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c98
 cc909f68d9da1b264926973b96d36162b5c588299c98d62f526faf2ef1273d98bb8d8dea4d482770a2aef88bcbf15fa61144401aef9ab916c15e1623bcf449b5  openssh-fix-utmp.diff
 eeafefcb8a3357b498591480b39dc0116ab3440c88faeaeaddeac0b860f9e268abe6f603bc27893b79945acde06a45a7616d1bdc6ca27201cd8dc522f49b207e  sshd.initd
 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81  sshd.confd
-4521052ef55b77a2932484fa52f4a7688e8dbd4e6aa1e210ce24a59b8501775ca7e844108e36c06a9e3a47b70cd8d59007c12ca7a7bb8af27ae1e31e7b0de34d  CVE-2014-2532.patch"
+be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40  CVE-2014-2653.patch"
diff --git a/main/openssh/CVE-2014-2532.patch b/main/openssh/CVE-2014-2532.patch
deleted file mode 100644
index 49cccbd274..0000000000
--- a/main/openssh/CVE-2014-2532.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Description: fix AcceptEnv wildcard environment restrictions bypass
-Origin: upstream, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.270;r2=1.271
-
-Index: openssh-6.0p1/session.c
-===================================================================
---- openssh-6.0p1.orig/session.c	2014-03-21 11:03:33.904069205 -0400
-+++ openssh-6.0p1/session.c	2014-03-21 11:03:33.900069205 -0400
-@@ -963,6 +963,11 @@
- 		*envsizep = 1;
- 	}
- 
-+	if (strchr(name, '=') != NULL) {
-+		error("Invalid environment variable \"%.100s\"", name);
-+		return;
-+	}
-+
- 	/*
- 	 * Find the slot where the value should be stored.  If the variable
- 	 * already exists, we reuse the slot; otherwise we append a new slot
-@@ -2186,8 +2191,8 @@
- 	char *name, *val;
- 	u_int name_len, val_len, i;
- 
--	name = packet_get_string(&name_len);
--	val = packet_get_string(&val_len);
-+	name = packet_get_cstring(&name_len);
-+	val = packet_get_cstring(&val_len);
- 	packet_check_eom();
- 
- 	/* Don't set too many environment variables */
diff --git a/main/openssh/CVE-2014-2653.patch b/main/openssh/CVE-2014-2653.patch
new file mode 100644
index 0000000000..b453081c5a
--- /dev/null
+++ b/main/openssh/CVE-2014-2653.patch
@@ -0,0 +1,83 @@
+From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001
+From: Matthew Vernon <mcv21@cam.ac.uk>
+Date: Wed, 26 Mar 2014 15:32:23 +0000
+Subject: Attempt SSHFP lookup even if server presents a certificate
+
+If an ssh server presents a certificate to the client, then the client
+does not check the DNS for SSHFP records. This means that a malicious
+server can essentially disable DNS-host-key-checking, which means the
+client will fall back to asking the user (who will just say "yes" to
+the fingerprint, sadly).
+
+This patch is by Damien Miller (of openssh upstream). It's simpler
+than the patch by Mark Wooding which I applied yesterday; a copy is
+taken of the proffered key/cert, the key extracted from the cert (if
+necessary), and then the DNS consulted.
+
+Signed-off-by: Matthew Vernon <matthew@debian.org>
+Bug-Debian: http://bugs.debian.org/742513
+Patch-Name: sshfp_with_server_cert_upstr
+---
+ sshconnect.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/sshconnect.c b/sshconnect.c
+index 87c3770..324f5e0 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+ 	int flags = 0;
+ 	char *fp;
++	Key *plain = NULL;
+ 
+ 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ 	debug("Server host key: %s %s", key_type(host_key), fp);
+ 	free(fp);
+ 
+-	/* XXX certs are not yet supported for DNS */
+-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+-		if (flags & DNS_VERIFY_FOUND) {
+-
+-			if (options.verify_host_key_dns == 1 &&
+-			    flags & DNS_VERIFY_MATCH &&
+-			    flags & DNS_VERIFY_SECURE)
+-				return 0;
+-
+-			if (flags & DNS_VERIFY_MATCH) {
+-				matching_host_key_dns = 1;
+-			} else {
+-				warn_changed_key(host_key);
+-				error("Update the SSHFP RR in DNS with the new "
+-				    "host key to get rid of this message.");
++	if (options.verify_host_key_dns) {
++		/*
++		 * XXX certs are not yet supported for DNS, so downgrade
++		 * them and try the plain key.
++		 */
++		plain = key_from_private(host_key);
++		if (key_is_cert(plain))
++			key_drop_cert(plain);
++		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++			if (flags & DNS_VERIFY_FOUND) {
++				if (options.verify_host_key_dns == 1 &&
++				    flags & DNS_VERIFY_MATCH &&
++				    flags & DNS_VERIFY_SECURE) {
++					key_free(plain);
++					return 0;
++				}
++				if (flags & DNS_VERIFY_MATCH) {
++					matching_host_key_dns = 1;
++				} else {
++					warn_changed_key(plain);
++					error("Update the SSHFP RR in DNS "
++					    "with the new host key to get rid "
++					    "of this message.");
++				}
+ 			}
+ 		}
++		key_free(plain);
+ 	}
+ 
+ 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,