pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/openssh Fix two vulnerabilities in OpenSSH:



details:   https://anonhg.NetBSD.org/pkgsrc/rev/19472a237412
branches:  trunk
changeset: 540220:19472a237412
user:      tonnerre <tonnerre%pkgsrc.org@localhost>
date:      Thu Apr 03 07:59:08 2008 +0000

description:
Fix two vulnerabilities in OpenSSH:
 - X11 forwarding information disclosure (CVE-2008-1483)
 - ForceCommand bypass vulnerability

diffstat:

 security/openssh/Makefile         |   4 ++--
 security/openssh/distinfo         |   5 +++--
 security/openssh/patches/patch-ao |  37 +++++++++++++++++++++++++++++--------
 security/openssh/patches/patch-ax |  18 ++++++++++++++++++
 4 files changed, 52 insertions(+), 12 deletions(-)

diffs (140 lines):

diff -r 18d187e4c2c1 -r 19472a237412 security/openssh/Makefile
--- a/security/openssh/Makefile Thu Apr 03 04:08:22 2008 +0000
+++ b/security/openssh/Makefile Thu Apr 03 07:59:08 2008 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.186 2008/01/18 05:09:39 tnn Exp $
+# $NetBSD: Makefile,v 1.187 2008/04/03 07:59:08 tonnerre Exp $
 
 DISTNAME=              openssh-4.7p1
 PKGNAME=               openssh-4.7.1
-PKGREVISION=           2
+PKGREVISION=           3
 SVR4_PKGNAME=          ossh
 CATEGORIES=            security
 MASTER_SITES=          ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
diff -r 18d187e4c2c1 -r 19472a237412 security/openssh/distinfo
--- a/security/openssh/distinfo Thu Apr 03 04:08:22 2008 +0000
+++ b/security/openssh/distinfo Thu Apr 03 07:59:08 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.66 2007/09/19 13:42:02 taca Exp $
+$NetBSD: distinfo,v 1.67 2008/04/03 07:59:08 tonnerre Exp $
 
 SHA1 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 8ab61d12b5bcf70d0ffe9cb1d157136d20ebb22c
 RMD160 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 7b35eb1a3f6f3b703ac7f155f620bff63a900a0e
@@ -20,7 +20,7 @@
 SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7
 SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38
 SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250
-SHA1 (patch-ao) = a70da4f5942553a42fa935b82172e601b29951df
+SHA1 (patch-ao) = 1061066758f7fe2fca630b15a55cbdc1ab041758
 SHA1 (patch-ap) = 2c0c092637661328046b71292a7412d09e92bb2a
 SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34
 SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d
@@ -28,3 +28,4 @@
 SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f
 SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365
 SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30
+SHA1 (patch-ax) = 1ddf59636b6f3b544850f787ca63287fd93cae88
diff -r 18d187e4c2c1 -r 19472a237412 security/openssh/patches/patch-ao
--- a/security/openssh/patches/patch-ao Thu Apr 03 04:08:22 2008 +0000
+++ b/security/openssh/patches/patch-ao Thu Apr 03 07:59:08 2008 +0000
@@ -1,8 +1,17 @@
-$NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ao,v 1.10 2008/04/03 07:59:08 tonnerre Exp $
 
---- session.c.orig     2006-10-29 17:01:29.000000000 +0900
+--- session.c.orig     2007-08-16 13:28:04.000000000 +0000
 +++ session.c
-@@ -956,7 +956,7 @@ read_etc_default_login(char ***env, u_in
+@@ -347,7 +347,7 @@ do_authenticated1(Authctxt *authctxt)
+                               break;
+                       }
+                       debug("Received TCP/IP port forwarding request.");
+-                      if (channel_input_port_forward_request(s->pw->pw_uid == 0,
++                      if (channel_input_port_forward_request(s->pw->pw_uid == ROOTUID,
+                           options.gateway_ports) < 0) {
+                               debug("Port forwarding failed.");
+                               break;
+@@ -954,7 +954,7 @@ read_etc_default_login(char ***env, u_in
        if (tmpenv == NULL)
                return;
  
@@ -11,7 +20,7 @@
                var = child_get_env(tmpenv, "SUPATH");
        else
                var = child_get_env(tmpenv, "PATH");
-@@ -1065,7 +1065,7 @@ do_setup_env(Session *s, const char *she
+@@ -1063,7 +1063,7 @@ do_setup_env(Session *s, const char *she
  #  endif /* HAVE_ETC_DEFAULT_LOGIN */
                if (path == NULL || *path == '\0') {
                        child_set_env(&env, &envsize, "PATH",
@@ -20,7 +29,7 @@
                                SUPERUSER_PATH : _PATH_STDPATH);
                }
  # endif /* HAVE_CYGWIN */
-@@ -1179,6 +1179,18 @@ do_setup_env(Session *s, const char *she
+@@ -1177,6 +1177,18 @@ do_setup_env(Session *s, const char *she
                    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
                read_environment_file(&env, &envsize, buf);
        }
@@ -39,7 +48,19 @@
        if (debug_flag) {
                /* dump the environment */
                fprintf(stderr, "Environment:\n");
-@@ -1289,9 +1301,9 @@ do_nologin(struct passwd *pw)
+@@ -1201,8 +1213,9 @@ do_rc_files(Session *s, const char *shel
+       do_xauth =
+           s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
+ 
+-      /* ignore _PATH_SSH_USER_RC for subsystems */
+-      if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
++      /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
++      if (!s->is_subsystem && options.adm_forced_command == NULL &&
++          (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+               snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
+                   shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
+               if (debug_flag)
+@@ -1287,9 +1300,9 @@ do_nologin(struct passwd *pw)
  void
  do_setusercontext(struct passwd *pw)
  {
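Review bot: Nothing in patch-ao identifies the added do_rc_files hunk as the ForceCommand bypass fix named in the commit message. Unlike patch-ax, the file has no description under its `$NetBSD$` line, and this revision also adds a `ROOTUID` hunk in do_authenticated1 that is not one of the two listed fixes. A header line such as `Do not run _PATH_SSH_USER_RC when an admin forced command is set (ForceCommand bypass fix).` would let an auditor tell the security change apart from the portability hunks. The new guard tests only `options.adm_forced_command` on the per-user rc branch. The rest of do_rc_files is outside the hunk, so whether the remaining rc handling should still run under a forced command cannot be confirmed from here.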
@@ -51,7 +72,7 @@
        {
  
  #ifdef HAVE_SETPCRED
-@@ -1333,11 +1345,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1331,11 +1344,13 @@ do_setusercontext(struct passwd *pw)
                        perror("setgid");
                        exit(1);
                }
@@ -65,7 +86,7 @@
                endgrent();
  #ifdef GSSAPI
                if (options.gss_authentication) {
-@@ -2095,7 +2109,7 @@ session_pty_cleanup2(Session *s)
+@@ -2086,7 +2101,7 @@ session_pty_cleanup2(Session *s)
                record_logout(s->pid, s->tty, s->pw->pw_name);
  
        /* Release the pseudo-tty. */
diff -r 18d187e4c2c1 -r 19472a237412 security/openssh/patches/patch-ax
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/openssh/patches/patch-ax Thu Apr 03 07:59:08 2008 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-ax,v 1.5 2008/04/03 07:59:08 tonnerre Exp $
+
+Don't deadlock on exit with multiple X forwarded channels.
+Don't use X11 port which can't be bound on all IP families.
+Fixes CVE-2008-1483.
+
+--- channels.c.orig    2007-06-25 09:04:47.000000000 +0000
++++ channels.c
+@@ -2905,9 +2905,6 @@ x11_create_display_inet(int x11_display_
+                               debug2("bind port %d: %.100s", port, strerror(errno));
+                               close(sock);
+ 
+-                              if (ai->ai_next)
+-                                      continue;
+-
+                               for (n = 0; n < num_socks; n++) {
+                                       close(socks[n]);
+                               }
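Review bot: The patch header lists "Don't deadlock on exit with multiple X forwarded channels", but the only hunk in this file changes bind-failure handling in x11_create_display_inet, so that line appears to describe a change that is not here. It should be dropped, or point to where that change lives. The second line could state the effect more directly, e.g. `If bind() fails for any address family, close every socket opened for this display number and try the next one.` With the `if (ai->ai_next) continue;` removed, a family that the host can never bind would presumably reject each display number in turn. The surrounding loops are outside the hunk, so this should be checked against the full function on hosts with only one usable address family.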


