openssh: 6.9p1 -> 7.1p2
parent
4d0e732168
commit
a7f09e9773
@ -23,11 +23,11 @@ let
in
with stdenv.lib;
stdenv.mkDerivation rec {
name = "openssh-6.9p1";
name = "openssh-7.1p2";
src = fetchurl {
url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
sha256 = "1zkci5nbpb4frmzj2vr3kv9j47x2h72kvybcpr0d8mzk73sls1vf";
sha256 = "1gbbvszz74lkc7b2mqr3ccgpm65zj0k5h7a2ssh0c7pjvhjg0xfx";
};
prePatch = optionalString hpnSupport
@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
'';
patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch ./disable-roaming.patch ]
patches = [ ./locale_archive.patch ]
++ optional withGssapiPatches gssapiSrc;
buildInputs = [ zlib openssl libedit pkgconfig pam ]
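Review bot: Dropping `./disable-roaming.patch` and `./openssh-6.9p1-security-7.0.patch` from `patches` is only sound because 7.1p2 carries those fixes upstream (the deleted patch further down covers CVE-2016-0777 and CVE-2016-0778), but neither the expression nor the commit message records that, so anyone auditing the roaming exposure has to go back to the release notes to confirm it. A one-line comment beside the list, `# roaming (CVE-2016-0777/0778) and the 7.0 security backports ship upstream since 7.1p2`, would make that auditable in place. The `optional withGssapiPatches gssapiSrc` and `optionalString hpnSupport` branches are kept as they were while the base version moves from 6.9 to 7.1; `gssapiSrc` is defined outside the hunk, and if it is pinned to a 6.9-era patch it may no longer apply, so a build with those flags enabled is worth checking before merging.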
@ -1,51 +0,0 @@
From b842c1891b9979e30a6b53292a236ceb9231be79 Mon Sep 17 00:00:00 2001
From: Franz Pletz <fpletz@fnordicwalking.de>
Date: Thu, 14 Jan 2016 16:25:50 +0100
Subject: [PATCH] Disable roaming, fixes CVE-2016-0777 and CVE-0216-0778
Based on http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/010_ssh.patch.sig
---
readconf.c | 5 ++---
ssh.c | 3 ---
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/readconf.c b/readconf.c
index db7d0bb..5b03f97 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1660,7 +1660,7 @@ initialize_options(Options * options)
options->tun_remote = -1;
options->local_command = NULL;
options->permit_local_command = -1;
- options->use_roaming = -1;
+ options->use_roaming = 0;
options->visual_host_key = -1;
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
@@ -1835,8 +1835,7 @@ fill_default_options(Options * options)
options->tun_remote = SSH_TUNID_ANY;
if (options->permit_local_command == -1)
options->permit_local_command = 0;
- if (options->use_roaming == -1)
- options->use_roaming = 1;
+ options->use_roaming = 0;
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
diff --git a/ssh.c b/ssh.c
index 3fd5a94..e8428b5 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1931,9 +1931,6 @@ ssh_session2(void)
fork_postauth();
}
- if (options.use_roaming)
- request_roaming();
-
return client_loop(tty_flag, tty_flag ?
options.escape_char : SSH_ESCAPECHAR_NONE, id);
}
--
2.7.0
@ -1,65 +0,0 @@
http://pkgs.fedoraproject.org/cgit/openssh.git/commit/openssh-6.9p1-security-7.0.patch?h=f22&id=4776fad91e7e1f626f33e8c240d0ccecd663554d
diff --git a/sshpty.c b/sshpty.c
index 7bb7641..15da8c6 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
/* Determine the group to make the owner of the tty. */
grp = getgrnam("tty");
gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
- mode = (grp != NULL) ? 0622 : 0600;
+ mode = (grp != NULL) ? 0620 : 0600;
/*
* Change owner and mode of the tty as required.
diff --git a/monitor.c b/monitor.c
index b410965..f1b873d 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{
-
debug3("%s", __func__);
- authctxt->user = buffer_get_string(m, NULL);
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
sshpam_authok = NULL;
buffer_clear(m);
@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
int
mm_answer_pam_free_ctx(int sock, Buffer *m)
{
+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
debug3("%s", __func__);
(sshpam_device.free_ctx)(sshpam_ctxt);
+ sshpam_ctxt = sshpam_authok = NULL;
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
auth_method = "keyboard-interactive";
auth_submethod = "pam";
- return (sshpam_authok == sshpam_ctxt);
+ return r;
}
#endif
diff --git a/monitor_wrap.c b/monitor_wrap.c
index e6217b3..eac421b 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
debug3("%s", __func__);
buffer_init(&m);
- buffer_put_cstring(&m, authctxt->user);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);