From cd9e926efc77d1b155c76c221d3d06dace296953 Mon Sep 17 00:00:00 2001
From: Francesco Colista
Date: Fri, 15 Dec 2017 14:14:31 +0000
Subject: main/openssh: security fixes for CVE-2017-15906. Fixes #8280
---
 main/openssh/APKBUILD | 10 +++++++---
 main/openssh/CVE-2017-15906.patch | 31 +++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 main/openssh/CVE-2017-15906.patch
(limited to 'main/openssh')
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index f54bc3a375..bc49d77c77 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
 pkgname=openssh
 pkgver=7.5_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=7
+pkgrel=8
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -38,9 +38,12 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
 sshd.confd
 sftp-interactive.patch
 openssh-7.5p1-sandbox.patch
+ CVE-2017-15906.patch
 "
 # secfixes:
-# 7.4_p1:
+# 7.5_p1-r0:
+# - CVE-2017-15906
+# 7.4_p1-r8:
 # - CVE-2016-10009
 # - CVE-2016-10010
 # - CVE-2016-10011
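Review bot: The new secfixes key `7.5_p1-r0` in the second APKBUILD hunk does not match the release this commit builds: the first hunk sets `pkgrel=8` with `pkgver=7.5_p1`, so the CVE-2017-15906 fix first ships in `7.5_p1-r8`. The same hunk relabels the 2016 entries from `7.4_p1` to `7.4_p1-r8`, which suggests the two `-rN` suffixes were swapped. The secfixes block records the fixed-in version for each CVE, so the keys should presumably read `# 7.5_p1-r8:` and `# 7.4_p1-r0:`. As written, anything that reads this block would treat 7.5_p1 builds r0 through r7 as already patched.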
@@ -202,4 +205,5 @@ f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1
 394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f sshd.initd
 ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4 sshd.confd
 c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
-15c5478bcae56c019a2fbd82ec04808537fd4ba1f1ba4a0a88c0343c16c698c45dbfac59eebc3fcfd3c15b302ebec43e60ffa02442a6c77673b14818ad3f7b60 openssh-7.5p1-sandbox.patch"
+15c5478bcae56c019a2fbd82ec04808537fd4ba1f1ba4a0a88c0343c16c698c45dbfac59eebc3fcfd3c15b302ebec43e60ffa02442a6c77673b14818ad3f7b60 openssh-7.5p1-sandbox.patch
+e064acdb9b9990ac3e997b0110051150a0e0e86a128228d400707815957cb6414ae167c8992da049ee81f315ef19d0ba4d6f55aef197b1fa16fc7ebb8596d320 CVE-2017-15906.patch"
diff --git a/main/openssh/CVE-2017-15906.patch b/main/openssh/CVE-2017-15906.patch
new file mode 100644
index 0000000000..a80047d49d
--- /dev/null
+++ b/main/openssh/CVE-2017-15906.patch
@@ -0,0 +1,31 @@
+From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
+From: djm
+Date: Tue, 4 Apr 2017 00:24:56 +0000
+Subject: [PATCH] disallow creation (of empty files) in read-only mode;
+ reported by Michal Zalewski, feedback & ok deraadt@
+
+---
+ usr.bin/ssh/sftp-server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sftp-server.c b/sftp-server.c
+index 2510d234a3a..42249ebd60d 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
+ /*
+ * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
+ *
+@@ -683,8 +683,8 @@ process_open(u_int32_t id)
+ logit("open \"%s\" flags %s mode 0%o",
+ name, string_from_portable(pflags), mode);
+ if (readonly &&
+- ((flags & O_ACCMODE) == O_WRONLY ||
+- (flags & O_ACCMODE) == O_RDWR)) {
++ ((flags & O_ACCMODE) != O_RDONLY ||
++ (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ verbose("Refusing open request in read-only mode");
+ status = SSH2_FX_PERMISSION_DENIED;
+ } else {
-- cgit v1.2.3
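Review bot: The first inner hunk of the vendored patch (`@@ -1,4 +1,4 @@`) only rewrites the `$OpenBSD$` ident comment and adds nothing to the fix. If the ident line in the packaged tarball ever differs from `v 1.110`, that hunk would presumably be rejected and the build's patch step would fail. Dropping it and carrying only the `process_open` hunk would keep the security fix independent of the ident line. The body of `process_open` starts before and continues past the lines shown, so how `flags` is derived from `pflags` cannot be checked from this hunk.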