From 504d9cc36b7cce12fe32cd729d4211c5c4fc3303 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bart=C5=82omiej=20Piotrowski?= <bpiotrowski@alpinelinux.org>
Date: Wed, 26 Mar 2014 10:12:26 +0100
Subject: main/openssh: security fix for CVE-2014-2532

---
 main/openssh/APKBUILD            | 12 ++++++++----
 main/openssh/CVE-2014-2532.patch | 30 ++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 main/openssh/CVE-2014-2532.patch

diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index dc178e7aa..70b5103e6 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openssh
 pkgver=6.4_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=0
+pkgrel=1
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -18,6 +18,7 @@ source="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.
 	openssh-fix-utmp.diff
 	sshd.initd
 	sshd.confd
+	CVE-2014-2532.patch
 	"
 # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
 
@@ -108,7 +109,8 @@ c65d454dc5b149647273485fc184636d  openssh-hmac-accel.diff
 7c86680602f7ad71b0773d9e98a30d73  openssh-fix-includes.diff
 f7d9d6f96940ef66bd3c3a0aa27e57a7  openssh-fix-utmp.diff
 cb0dd08c413fad346f0c594107b4a2e0  sshd.initd
-b35e9f3829f4cfca07168fcba98749c7  sshd.confd"
+b35e9f3829f4cfca07168fcba98749c7  sshd.confd
+e4cf579145106ce3d4465453b70ea50d  CVE-2014-2532.patch"
 sha256sums="5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2  openssh-6.4p1.tar.gz
 4f78f16807c6b6a3a3773c000b85df0c56ea8a93dc35eaa6bbdffe6e30328e58  openssh6.2-dynwindows.diff
 6e803be3b3569eedfe69d9e9aeabef2e3fec2ed28f75bc456dfd69c2ef2c8198  openssh-peaktput.diff
@@ -116,7 +118,8 @@ sha256sums="5530f616513b14aea3662c4c373bafd6a97a269938674c006377e381f68975d2  op
 c3189ba0e17e60e83851ac2d6f18ad5b08cb90cccfce31d61cccb9fd76d44d59  openssh-fix-includes.diff
 f2748da45d0bc31055727f8c80d93e1872cc043ced3202e2f6d150aca3c08dde  openssh-fix-utmp.diff
 3fa062fd4bfac64abf21f3c1d0548f1dfcf3c6e56e84ece14c848f53a293024e  sshd.initd
-29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41  sshd.confd"
+29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41  sshd.confd
+323d1a7a0ff72143580ac1b0ce2a28b9640f956368bc6629890c22c79af28aaa  CVE-2014-2532.patch"
 sha512sums="f87b3e1d3110b87c1dfff729459ff26024863480c8eb4449b9e3b0b750d187acdfedb199ca4ea133b5dfa436bed0e2eea7607392d451b18c626c4dc1d38bb52a  openssh-6.4p1.tar.gz
 773cc0629e17a8f78e82be56e579855ea9b3ca8fd26360964aee854d717a7cfc2c9d4d654cf0fda5723c3aabe96e48ee2cfe6d1fd64b5717f0ef5eb997d00293  openssh6.2-dynwindows.diff
 64f5aff3fc1a0d2f7c65ea875d1c2c4d98a3d305ff2677d9d4ca82f20778df9e317b1bfc428cee2b0df1bfa01a65dfcf83b68435a227a23a2cf3400fef35d656  openssh-peaktput.diff
@@ -124,4 +127,5 @@ aaa128126400171d0755038a846672aa7b1e87340edf73a672962d403abf404ef1821466b17da51d
 70e2c6613ab77ec379e03ddf029c1c38e5d852bb225db40ceaa63e642d58b0261fa7c954b288710736bb1dc71f8057f2598ea0d1f5b1214135fa5e9541d5f05a  openssh-fix-includes.diff
 cc909f68d9da1b264926973b96d36162b5c588299c98d62f526faf2ef1273d98bb8d8dea4d482770a2aef88bcbf15fa61144401aef9ab916c15e1623bcf449b5  openssh-fix-utmp.diff
 1483e2bcd700da9b02f04508d490b472c816344787bf1675fef2f7e27f72b91e4323e4e8c1db701e47d81d37d6d4b0623eaeac46b2cf589ae5ad69f363baa594  sshd.initd
-b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81  sshd.confd"
+b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81  sshd.confd
+4521052ef55b77a2932484fa52f4a7688e8dbd4e6aa1e210ce24a59b8501775ca7e844108e36c06a9e3a47b70cd8d59007c12ca7a7bb8af27ae1e31e7b0de34d  CVE-2014-2532.patch"
diff --git a/main/openssh/CVE-2014-2532.patch b/main/openssh/CVE-2014-2532.patch
new file mode 100644
index 000000000..49cccbd27
--- /dev/null
+++ b/main/openssh/CVE-2014-2532.patch
@@ -0,0 +1,30 @@
+Description: fix AcceptEnv wildcard environment restrictions bypass
+Origin: upstream, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.270;r2=1.271
+
+Index: openssh-6.0p1/session.c
+===================================================================
+--- openssh-6.0p1.orig/session.c	2014-03-21 11:03:33.904069205 -0400
++++ openssh-6.0p1/session.c	2014-03-21 11:03:33.900069205 -0400
+@@ -963,6 +963,11 @@
+ 		*envsizep = 1;
+ 	}
+ 
++	if (strchr(name, '=') != NULL) {
++		error("Invalid environment variable \"%.100s\"", name);
++		return;
++	}
++
+ 	/*
+ 	 * Find the slot where the value should be stored.  If the variable
+ 	 * already exists, we reuse the slot; otherwise we append a new slot
+@@ -2186,8 +2191,8 @@
+ 	char *name, *val;
+ 	u_int name_len, val_len, i;
+ 
+-	name = packet_get_string(&name_len);
+-	val = packet_get_string(&val_len);
++	name = packet_get_cstring(&name_len);
++	val = packet_get_cstring(&val_len);
+ 	packet_check_eom();
+ 
+ 	/* Don't set too many environment variables */
-- 
cgit v1.2.3