Fix two vulnerabilities in OpenSSH:
- X11 forwarding information disclosure (CVE-2008-1483)
- ForceCommand bypass vulnerability
diff -r1.186 -r1.187 pkgsrc/security/openssh/Makefile
(tonnerre)
@@ -1,18 +1,18 @@ | @@ -1,18 +1,18 @@ | |||
1 | # $NetBSD: Makefile,v 1.186 2008/01/18 05:09:39 tnn Exp $ | 1 | # $NetBSD: Makefile,v 1.187 2008/04/03 07:59:08 tonnerre Exp $ | |
2 | 2 | |||
3 | DISTNAME= openssh-4.7p1 | 3 | DISTNAME= openssh-4.7p1 | |
4 | PKGNAME= openssh-4.7.1 | 4 | PKGNAME= openssh-4.7.1 | |
5 | PKGREVISION= 2 | 5 | PKGREVISION= 3 | |
6 | SVR4_PKGNAME= ossh | 6 | SVR4_PKGNAME= ossh | |
7 | CATEGORIES= security | 7 | CATEGORIES= security | |
8 | MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ | 8 | MASTER_SITES= ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ | |
9 | ftp://ftp.stealth.net/pub/mirrors/ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ | 9 | ftp://ftp.stealth.net/pub/mirrors/ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \ | |
10 | http://public.planetmirror.com.au/pub/OpenBSD/OpenSSH/portable/ \ | 10 | http://public.planetmirror.com.au/pub/OpenBSD/OpenSSH/portable/ \ | |
11 | ftp://gd.tuwien.ac.at/opsys/OpenBSD/OpenSSH/portable/ \ | 11 | ftp://gd.tuwien.ac.at/opsys/OpenBSD/OpenSSH/portable/ \ | |
12 | ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/old/ | 12 | ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/old/ | |
13 | # Don't delete the last entry -- it's there if the pkgsrc version is not | 13 | # Don't delete the last entry -- it's there if the pkgsrc version is not | |
14 | # up-to-date and the mirrors already removed the old distfile. | 14 | # up-to-date and the mirrors already removed the old distfile. | |
15 | DIST_SUBDIR= ${PKGBASE}-4.7.1-20070919 | 15 | DIST_SUBDIR= ${PKGBASE}-4.7.1-20070919 | |
16 | 16 | |||
17 | MAINTAINER= pkgsrc-users@NetBSD.org | 17 | MAINTAINER= pkgsrc-users@NetBSD.org | |
18 | HOMEPAGE= http://www.openssh.com/ | 18 | HOMEPAGE= http://www.openssh.com/ |
@@ -1,30 +1,31 @@ | @@ -1,30 +1,31 @@ | |||
1 | $NetBSD: distinfo,v 1.66 2007/09/19 13:42:02 taca Exp $ | 1 | $NetBSD: distinfo,v 1.67 2008/04/03 07:59:08 tonnerre Exp $ | |
2 | 2 | |||
3 | SHA1 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 8ab61d12b5bcf70d0ffe9cb1d157136d20ebb22c | 3 | SHA1 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 8ab61d12b5bcf70d0ffe9cb1d157136d20ebb22c | |
4 | RMD160 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 7b35eb1a3f6f3b703ac7f155f620bff63a900a0e | 4 | RMD160 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 7b35eb1a3f6f3b703ac7f155f620bff63a900a0e | |
5 | Size (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 16094 bytes | 5 | Size (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 16094 bytes | |
6 | SHA1 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4 | 6 | SHA1 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4 | |
7 | RMD160 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = b828e79d3d1a931cb77651ec7d7276cf3ba22d90 | 7 | RMD160 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = b828e79d3d1a931cb77651ec7d7276cf3ba22d90 | |
8 | Size (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 991119 bytes | 8 | Size (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 991119 bytes | |
9 | SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0 | 9 | SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0 | |
10 | SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9 | 10 | SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9 | |
11 | SHA1 (patch-ac) = dfb054ef02fbb5d206f6adaf82944f16da20eaf9 | 11 | SHA1 (patch-ac) = dfb054ef02fbb5d206f6adaf82944f16da20eaf9 | |
12 | SHA1 (patch-ad) = 7921e029b56c0e4769a7ada03dff3eb2e275db7d | 12 | SHA1 (patch-ad) = 7921e029b56c0e4769a7ada03dff3eb2e275db7d | |
13 | SHA1 (patch-ae) = 9585221f9e49b4ebea31c374066d70e11aa804a1 | 13 | SHA1 (patch-ae) = 9585221f9e49b4ebea31c374066d70e11aa804a1 | |
14 | SHA1 (patch-af) = ca3224af0b648803404776a8c12ed678db4f8ff6 | 14 | SHA1 (patch-af) = ca3224af0b648803404776a8c12ed678db4f8ff6 | |
15 | SHA1 (patch-ag) = b6f92a5394a3442fcc0c2a2ee204c10df5a4aea5 | 15 | SHA1 (patch-ag) = b6f92a5394a3442fcc0c2a2ee204c10df5a4aea5 | |
16 | SHA1 (patch-ah) = bc0d7c2903ecf264e62b53f3864812af5f2f04ce | 16 | SHA1 (patch-ah) = bc0d7c2903ecf264e62b53f3864812af5f2f04ce | |
17 | SHA1 (patch-ai) = becad6262e5daeef2a6db14097a8971c40088403 | 17 | SHA1 (patch-ai) = becad6262e5daeef2a6db14097a8971c40088403 | |
18 | SHA1 (patch-aj) = 4f477f40d1d891dcda9083cec5521e80410ebd54 | 18 | SHA1 (patch-aj) = 4f477f40d1d891dcda9083cec5521e80410ebd54 | |
19 | SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc | 19 | SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc | |
20 | SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7 | 20 | SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7 | |
21 | SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38 | 21 | SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38 | |
22 | SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250 | 22 | SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250 | |
23 | SHA1 (patch-ao) = a70da4f5942553a42fa935b82172e601b29951df | 23 | SHA1 (patch-ao) = 1061066758f7fe2fca630b15a55cbdc1ab041758 | |
24 | SHA1 (patch-ap) = 2c0c092637661328046b71292a7412d09e92bb2a | 24 | SHA1 (patch-ap) = 2c0c092637661328046b71292a7412d09e92bb2a | |
25 | SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34 | 25 | SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34 | |
26 | SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d | 26 | SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d | |
27 | SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3 | 27 | SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3 | |
28 | SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f | 28 | SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f | |
29 | SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365 | 29 | SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365 | |
30 | SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30 | 30 | SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30 | |
31 | SHA1 (patch-ax) = 1ddf59636b6f3b544850f787ca63287fd93cae88 |
@@ -1,76 +1,97 @@ | @@ -1,76 +1,97 @@ | |||
1 | $NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $ | 1 | $NetBSD: patch-ao,v 1.10 2008/04/03 07:59:08 tonnerre Exp $ | |
2 | 2 | |||
3 | --- session.c.orig 2006-10-29 17:01:29.000000000 +0900 | 3 | --- session.c.orig 2007-08-16 13:28:04.000000000 +0000 | |
4 | +++ session.c | 4 | +++ session.c | |
5 | @@ -956,7 +956,7 @@ read_etc_default_login(char ***env, u_in | 5 | @@ -347,7 +347,7 @@ do_authenticated1(Authctxt *authctxt) | |
6 | break; | |||
7 | } | |||
8 | debug("Received TCP/IP port forwarding request."); | |||
9 | - if (channel_input_port_forward_request(s->pw->pw_uid == 0, | |||
10 | + if (channel_input_port_forward_request(s->pw->pw_uid == ROOTUID, | |||
11 | options.gateway_ports) < 0) { | |||
12 | debug("Port forwarding failed."); | |||
13 | break; | |||
14 | @@ -954,7 +954,7 @@ read_etc_default_login(char ***env, u_in | |||
6 | if (tmpenv == NULL) | 15 | if (tmpenv == NULL) | |
7 | return; | 16 | return; | |
8 | 17 | |||
9 | - if (uid == 0) | 18 | - if (uid == 0) | |
10 | + if (uid == ROOTUID) | 19 | + if (uid == ROOTUID) | |
11 | var = child_get_env(tmpenv, "SUPATH"); | 20 | var = child_get_env(tmpenv, "SUPATH"); | |
12 | else | 21 | else | |
13 | var = child_get_env(tmpenv, "PATH"); | 22 | var = child_get_env(tmpenv, "PATH"); | |
14 | @@ -1065,7 +1065,7 @@ do_setup_env(Session *s, const char *she | 23 | @@ -1063,7 +1063,7 @@ do_setup_env(Session *s, const char *she | |
15 | # endif /* HAVE_ETC_DEFAULT_LOGIN */ | 24 | # endif /* HAVE_ETC_DEFAULT_LOGIN */ | |
16 | if (path == NULL || *path == '\0') { | 25 | if (path == NULL || *path == '\0') { | |
17 | child_set_env(&env, &envsize, "PATH", | 26 | child_set_env(&env, &envsize, "PATH", | |
18 | - s->pw->pw_uid == 0 ? | 27 | - s->pw->pw_uid == 0 ? | |
19 | + s->pw->pw_uid == ROOTUID ? | 28 | + s->pw->pw_uid == ROOTUID ? | |
20 | SUPERUSER_PATH : _PATH_STDPATH); | 29 | SUPERUSER_PATH : _PATH_STDPATH); | |
21 | } | 30 | } | |
22 | # endif /* HAVE_CYGWIN */ | 31 | # endif /* HAVE_CYGWIN */ | |
23 | @@ -1179,6 +1179,18 @@ do_setup_env(Session *s, const char *she | 32 | @@ -1177,6 +1177,18 @@ do_setup_env(Session *s, const char *she | |
24 | strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); | 33 | strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); | |
25 | read_environment_file(&env, &envsize, buf); | 34 | read_environment_file(&env, &envsize, buf); | |
26 | } | 35 | } | |
27 | + | 36 | + | |
28 | +#ifdef HAVE_INTERIX | 37 | +#ifdef HAVE_INTERIX | |
29 | + { | 38 | + { | |
30 | + /* copy standard Windows environment, then apply changes */ | 39 | + /* copy standard Windows environment, then apply changes */ | |
31 | + env_t *winenv = env_login(pw); | 40 | + env_t *winenv = env_login(pw); | |
32 | + env_putarray(winenv, env, ENV_OVERRIDE); | 41 | + env_putarray(winenv, env, ENV_OVERRIDE); | |
33 | + | 42 | + | |
34 | + /* swap over to altered environment as a traditional array */ | 43 | + /* swap over to altered environment as a traditional array */ | |
35 | + env = env_array(winenv); | 44 | + env = env_array(winenv); | |
36 | + } | 45 | + } | |
37 | +#endif | 46 | +#endif | |
38 | + | 47 | + | |
39 | if (debug_flag) { | 48 | if (debug_flag) { | |
40 | /* dump the environment */ | 49 | /* dump the environment */ | |
41 | fprintf(stderr, "Environment:\n"); | 50 | fprintf(stderr, "Environment:\n"); | |
42 | @@ -1289,9 +1301,9 @@ do_nologin(struct passwd *pw) | 51 | @@ -1201,8 +1213,9 @@ do_rc_files(Session *s, const char *shel | |
52 | do_xauth = | |||
53 | s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; | |||
54 | ||||
55 | - /* ignore _PATH_SSH_USER_RC for subsystems */ | |||
56 | - if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { | |||
57 | + /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ | |||
58 | + if (!s->is_subsystem && options.adm_forced_command == NULL && | |||
59 | + (stat(_PATH_SSH_USER_RC, &st) >= 0)) { | |||
60 | snprintf(cmd, sizeof cmd, "%s -c '%s %s'", | |||
61 | shell, _PATH_BSHELL, _PATH_SSH_USER_RC); | |||
62 | if (debug_flag) | |||
63 | @@ -1287,9 +1300,9 @@ do_nologin(struct passwd *pw) | |||
43 | void | 64 | void | |
44 | do_setusercontext(struct passwd *pw) | 65 | do_setusercontext(struct passwd *pw) | |
45 | { | 66 | { | |
46 | -#ifndef HAVE_CYGWIN | 67 | -#ifndef HAVE_CYGWIN | |
47 | +#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX) | 68 | +#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX) | |
48 | if (getuid() == 0 || geteuid() == 0) | 69 | if (getuid() == 0 || geteuid() == 0) | |
49 | -#endif /* HAVE_CYGWIN */ | 70 | -#endif /* HAVE_CYGWIN */ | |
50 | +#endif /* !HAVE_CYGWIN && !HAVE_INTERIX */ | 71 | +#endif /* !HAVE_CYGWIN && !HAVE_INTERIX */ | |
51 | { | 72 | { | |
52 | 73 | |||
53 | #ifdef HAVE_SETPCRED | 74 | #ifdef HAVE_SETPCRED | |
54 | @@ -1333,11 +1345,13 @@ do_setusercontext(struct passwd *pw) | 75 | @@ -1331,11 +1344,13 @@ do_setusercontext(struct passwd *pw) | |
55 | perror("setgid"); | 76 | perror("setgid"); | |
56 | exit(1); | 77 | exit(1); | |
57 | } | 78 | } | |
58 | +# if !defined(HAVE_INTERIX) | 79 | +# if !defined(HAVE_INTERIX) | |
59 | /* Initialize the group list. */ | 80 | /* Initialize the group list. */ | |
60 | if (initgroups(pw->pw_name, pw->pw_gid) < 0) { | 81 | if (initgroups(pw->pw_name, pw->pw_gid) < 0) { | |
61 | perror("initgroups"); | 82 | perror("initgroups"); | |
62 | exit(1); | 83 | exit(1); | |
63 | } | 84 | } | |
64 | +# endif /* !HAVE_INTERIX */ | 85 | +# endif /* !HAVE_INTERIX */ | |
65 | endgrent(); | 86 | endgrent(); | |
66 | #ifdef GSSAPI | 87 | #ifdef GSSAPI | |
67 | if (options.gss_authentication) { | 88 | if (options.gss_authentication) { | |
68 | @@ -2095,7 +2109,7 @@ session_pty_cleanup2(Session *s) | 89 | @@ -2086,7 +2101,7 @@ session_pty_cleanup2(Session *s) | |
69 | record_logout(s->pid, s->tty, s->pw->pw_name); | 90 | record_logout(s->pid, s->tty, s->pw->pw_name); | |
70 | 91 | |||
71 | /* Release the pseudo-tty. */ | 92 | /* Release the pseudo-tty. */ | |
72 | - if (getuid() == 0) | 93 | - if (getuid() == 0) | |
73 | + if (getuid() == ROOTUID) | 94 | + if (getuid() == ROOTUID) | |
74 | pty_release(s->tty); | 95 | pty_release(s->tty); | |
75 | 96 | |||
76 | /* | 97 | /* |
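Review bot: The new guard in the do_rc_files hunk tests only `options.adm_forced_command`, so as far as this hunk shows, `_PATH_SSH_USER_RC` is skipped for an administrator-set forced command but not for any other kind of command restriction (a per-key one, for instance, if that is tracked in a separate variable, which is not visible here). The comment should state that scope explicitly, e.g. `/* ignore _PATH_SSH_USER_RC for subsystems and for the sshd_config ForceCommand only */`. patch-ao also carries no description line, whereas patch-ax names the CVE it fixes; a short header such as `Do not run the user rc file when an admin forced command is set (ForceCommand bypass).` would let an auditor find the security fix among the ROOTUID and Interix portability hunks. do_rc_files starts and ends outside the hunk, so the rest of the rc handling cannot be checked from here.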
$NetBSD: patch-ax,v 1.5 2008/04/03 07:59:08 tonnerre Exp $
Don't deadlock on exit with multiple X forwarded channels.
Don't use X11 port which can't be bound on all IP families.
Fixes CVE-2008-1483.
--- channels.c.orig 2007-06-25 09:04:47.000000000 +0000
+++ channels.c
@@ -2905,9 +2905,6 @@ x11_create_display_inet(int x11_display_
debug2("bind port %d: %.100s", port, strerror(errno));
close(sock);
- if (ai->ai_next)
- continue;
-
for (n = 0; n < num_socks; n++) {
close(socks[n]);
}
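Review bot: The header line "Don't deadlock on exit with multiple X forwarded channels" matches nothing in the visible hunk, which only removes the `if (ai->ai_next) continue;` retry after a failed bind in x11_create_display_inet. If no other hunk of patch-ax implements it, that line should be dropped so the description reflects what is actually applied. The remaining fall-through closes every socket already collected for this display, and that intent deserves a comment in channels.c itself, e.g. `/* bind failed for one address family: abandon this display number rather than listen on a subset of families */`. The function begins and ends outside the hunk, so what follows the close loop (presumably a move to the next display number) cannot be confirmed from here.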