From a518b8afc48b8fa81d565fff644af4c41adbbb99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Fri, 18 Apr 2014 16:58:43 +0300
Subject: main/openssh: security fix for CVE-2014-2653

Patch cherry-picked from Debian.
Also delete the obsolete CVE-2014-2532 patch (OpenSSH 6.6 already includes that fix upstream).
---
 main/openssh/APKBUILD            | 12 +++---
 main/openssh/CVE-2014-2532.patch | 30 ---------------
 main/openssh/CVE-2014-2653.patch | 83 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 89 insertions(+), 36 deletions(-)
 delete mode 100644 main/openssh/CVE-2014-2532.patch
 create mode 100644 main/openssh/CVE-2014-2653.patch


diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index e58053d3bf..b5d9237560 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openssh
 pkgver=6.6_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=1
+pkgrel=2
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -17,7 +17,7 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
 	openssh-fix-utmp.diff
 	sshd.initd
 	sshd.confd
-	CVE-2014-2532.patch
+	CVE-2014-2653.patch
 	"
 # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
 
@@ -30,7 +30,7 @@ prepare() {
 			msg "Applying $i"
 			gunzip -c "$srcdir"/"${i##*/}" | patch -p1 -N || return 1
 			;;
-		*.diff)
+		*.diff|*.patch)
 			msg "Applying $i"
 			patch -p1 -N -i "$srcdir"/${i##*/} || return 1
 			;;
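Review bot: `*.patch` files now flow through the same `patch -p1 -N -i "$srcdir"/${i##*/} || return 1` line as `*.diff`, where `${i##*/}` is left unquoted although the gunzip branch two lines above quotes the same expansion; for consistency and to survive a source directory or file name containing whitespace, change it to `patch -p1 -N -i "$srcdir"/"${i##*/}" || return 1`. The unquoted form predates this commit, but widening the pattern to a second file class is the natural point to align the two branches. prepare() starts and ends outside the hunk.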
@@ -108,7 +108,7 @@ cd52fe99cb4b7d0d847bf5d710d93564  openssh6.5-peaktput.diff
 f7d9d6f96940ef66bd3c3a0aa27e57a7  openssh-fix-utmp.diff
 bcf990d4ef7ff446160cde7dbd32bf1f  sshd.initd
 b35e9f3829f4cfca07168fcba98749c7  sshd.confd
-e4cf579145106ce3d4465453b70ea50d  CVE-2014-2532.patch"
+02a7de5652d9769576e3b252d768cd0f  CVE-2014-2653.patch"
 sha256sums="48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb  openssh-6.6p1.tar.gz
 83f2b2c07988c6321875240c02a161a83ec84661d592cbd2188ea8c962f9b1ad  openssh6.6-dynwindows.diff
 bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249  openssh6.5-peaktput.diff
@@ -116,7 +116,7 @@ c3189ba0e17e60e83851ac2d6f18ad5b08cb90cccfce31d61cccb9fd76d44d59  openssh-fix-in
 f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde  openssh-fix-utmp.diff
 2a9889ab224be7202ece80a7085aa3e85bbba9432467031b436dcd77cb92a2ac  sshd.initd
 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41  sshd.confd
-323d1a7a0ff72143580ac1b0ce2a28b9640f956368bc6629890c22c79af28aaa  CVE-2014-2532.patch"
+03826427d72f86c68f079acab6c9c86e8f27f7514b66428f404c2f235fd0c0bd  CVE-2014-2653.patch"
 sha512sums="3d3566ed87649882702cad52db1adefebfb3ef788c9f77a493f99db7e9ca2e8edcde793dd426df7df0aed72a42a31c20a63ef51506111369d3a7c49e0bf6c82b  openssh-6.6p1.tar.gz
 3aab8b8e1f86ce04ebc69bbdbf3c70cefd510d7b4080b99067ec49957b5e421b49e3b8a0a62103d17cf644cd7c0b30e9283a62a24988b1bbb0fbdabbdc1202fd  openssh6.6-dynwindows.diff
 e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1  openssh6.5-peaktput.diff
@@ -124,4 +124,4 @@ e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c98
 cc909f68d9da1b264926973b96d36162b5c588299c98d62f526faf2ef1273d98bb8d8dea4d482770a2aef88bcbf15fa61144401aef9ab916c15e1623bcf449b5  openssh-fix-utmp.diff
 eeafefcb8a3357b498591480b39dc0116ab3440c88faeaeaddeac0b860f9e268abe6f603bc27893b79945acde06a45a7616d1bdc6ca27201cd8dc522f49b207e  sshd.initd
 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81  sshd.confd
-4521052ef55b77a2932484fa52f4a7688e8dbd4e6aa1e210ce24a59b8501775ca7e844108e36c06a9e3a47b70cd8d59007c12ca7a7bb8af27ae1e31e7b0de34d  CVE-2014-2532.patch"
+be48059ae1715669f970a19acde14f262588172c5a8d8d1c84159bc69a60c5750b21c98f39f65df72ae071f7f918046000a2499b9ef16ba2cb4bcd8399bc8e40  CVE-2014-2653.patch"
diff --git a/main/openssh/CVE-2014-2532.patch b/main/openssh/CVE-2014-2532.patch
deleted file mode 100644
index 49cccbd274..0000000000
--- a/main/openssh/CVE-2014-2532.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Description: fix AcceptEnv wildcard environment restrictions bypass
-Origin: upstream, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.270;r2=1.271
-
-Index: openssh-6.0p1/session.c
-===================================================================
---- openssh-6.0p1.orig/session.c	2014-03-21 11:03:33.904069205 -0400
-+++ openssh-6.0p1/session.c	2014-03-21 11:03:33.900069205 -0400
-@@ -963,6 +963,11 @@
- 		*envsizep = 1;
- 	}
- 
-+	if (strchr(name, '=') != NULL) {
-+		error("Invalid environment variable \"%.100s\"", name);
-+		return;
-+	}
-+
- 	/*
- 	 * Find the slot where the value should be stored.  If the variable
- 	 * already exists, we reuse the slot; otherwise we append a new slot
-@@ -2186,8 +2191,8 @@
- 	char *name, *val;
- 	u_int name_len, val_len, i;
- 
--	name = packet_get_string(&name_len);
--	val = packet_get_string(&val_len);
-+	name = packet_get_cstring(&name_len);
-+	val = packet_get_cstring(&val_len);
- 	packet_check_eom();
- 
- 	/* Don't set too many environment variables */
diff --git a/main/openssh/CVE-2014-2653.patch b/main/openssh/CVE-2014-2653.patch
new file mode 100644
index 0000000000..b453081c5a
--- /dev/null
+++ b/main/openssh/CVE-2014-2653.patch
@@ -0,0 +1,83 @@
+From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001
+From: Matthew Vernon <mcv21@cam.ac.uk>
+Date: Wed, 26 Mar 2014 15:32:23 +0000
+Subject: Attempt SSHFP lookup even if server presents a certificate
+
+If an ssh server presents a certificate to the client, then the client
+does not check the DNS for SSHFP records. This means that a malicious
+server can essentially disable DNS-host-key-checking, which means the
+client will fall back to asking the user (who will just say "yes" to
+the fingerprint, sadly).
+
+This patch is by Damien Miller (of openssh upstream). It's simpler
+than the patch by Mark Wooding which I applied yesterday; a copy is
+taken of the proffered key/cert, the key extracted from the cert (if
+necessary), and then the DNS consulted.
+
+Signed-off-by: Matthew Vernon <matthew@debian.org>
+Bug-Debian: http://bugs.debian.org/742513
+Patch-Name: sshfp_with_server_cert_upstr
+---
+ sshconnect.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+diff --git a/sshconnect.c b/sshconnect.c
+index 87c3770..324f5e0 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+ 	int flags = 0;
+ 	char *fp;
++	Key *plain = NULL;
+ 
+ 	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ 	debug("Server host key: %s %s", key_type(host_key), fp);
+ 	free(fp);
+ 
+-	/* XXX certs are not yet supported for DNS */
+-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+-		if (flags & DNS_VERIFY_FOUND) {
+-
+-			if (options.verify_host_key_dns == 1 &&
+-			    flags & DNS_VERIFY_MATCH &&
+-			    flags & DNS_VERIFY_SECURE)
+-				return 0;
+-
+-			if (flags & DNS_VERIFY_MATCH) {
+-				matching_host_key_dns = 1;
+-			} else {
+-				warn_changed_key(host_key);
+-				error("Update the SSHFP RR in DNS with the new "
+-				    "host key to get rid of this message.");
++	if (options.verify_host_key_dns) {
++		/*
++		 * XXX certs are not yet supported for DNS, so downgrade
++		 * them and try the plain key.
++		 */
++		plain = key_from_private(host_key);
++		if (key_is_cert(plain))
++			key_drop_cert(plain);
++		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++			if (flags & DNS_VERIFY_FOUND) {
++				if (options.verify_host_key_dns == 1 &&
++				    flags & DNS_VERIFY_MATCH &&
++				    flags & DNS_VERIFY_SECURE) {
++					key_free(plain);
++					return 0;
++				}
++				if (flags & DNS_VERIFY_MATCH) {
++					matching_host_key_dns = 1;
++				} else {
++					warn_changed_key(plain);
++					error("Update the SSHFP RR in DNS "
++					    "with the new host key to get rid "
++					    "of this message.");
++				}
+ 			}
+ 		}
++		key_free(plain);
+ 	}
+ 
+ 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
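Review bot: With `VerifyHostKeyDNS yes` and a DNSSEC-secured SSHFP match, the `return 0` inside the `flags & DNS_VERIFY_SECURE` branch now fires for certificate host keys too, so the function returns before `check_host_key` runs and the certificate's CA signature, principals and validity period are never examined; before this change certs always reached `check_host_key` because the DNS path was skipped for them. That is presumably acceptable because the SSHFP record is compared against the cert's embedded key, the same key the server had to prove possession of, but the reasoning is not written down anywhere in the hunk. Suggest extending the downgrade comment: `/* A secure DNS match on the cert's plain key also short-circuits the certificate checks in check_host_key(); the plain key is what the server authenticated with. */`. If the resulting behaviour (a DNSSEC match accepting a cert that check_host_key would reject, e.g. expired or wrong principal) is intended, a line in the commit description would help downstream reviewers. verify_host_key continues past the end of the hunk, where check_host_key is called.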
-- 