 @@ -1,39 +1,40 @@
-# $NetBSD: Makefile,v 1.187 2008/04/03 07:59:08 tonnerre Exp $
+# $NetBSD: Makefile,v 1.188 2008/04/27 00:34:27 tnn Exp $
-DISTNAME=		openssh-4.7p1
+DISTNAME=		openssh-5.0p1
-PKGNAME=		openssh-4.7.1
+PKGNAME=		openssh-5.0.1
 PKGREVISION=		3
 SVR4_PKGNAME=		ossh
 CATEGORIES=		security
 MASTER_SITES=		ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
 			ftp://ftp.stealth.net/pub/mirrors/ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/ \
 			http://public.planetmirror.com.au/pub/OpenBSD/OpenSSH/portable/ \
 			ftp://gd.tuwien.ac.at/opsys/OpenBSD/OpenSSH/portable/ \
 			ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/old/
 # Don't delete the last entry -- it's there if the pkgsrc version is not
 # up-to-date and the mirrors already removed the old distfile.
-DIST_SUBDIR=		${PKGBASE}-4.7.1-20070919
+DIST_SUBDIR=		${PKGBASE}-5.0.1-20080427
 MAINTAINER=		pkgsrc-users@NetBSD.org
 HOMEPAGE=		http://www.openssh.com/
 COMMENT=		Open Source Secure shell client and server (remote login program)
 CONFLICTS=		sftp-[0-9]*
 CONFLICTS+=		ssh-[0-9]* ssh6-[0-9]*
 CONFLICTS+=		ssh2-[0-9]* ssh2-nox11-[0-9]*
 CONFLICTS+=		openssh+gssapi-[0-9]*
 CONFLICTS+=		lsh>2.0
 PKG_DESTDIR_SUPPORT=	user-destdir
 USE_TOOLS+=		perl
 CRYPTO=			yes
 # retain the following line, for IPv6-ready pkgsrc webpage
 BUILD_DEFS+=		IPV6_READY
 PKG_GROUPS_VARS+=	OPENSSH_GROUP
 PKG_USERS_VARS+=	OPENSSH_USER
 BUILD_DEFS+=		OPENSSH_CHROOT
 BUILD_DEFS+=		VARBASE
 INSTALL_TARGET=		install-nokeys
 @@ -151,22 +152,23 @@ PLIST_SRC+=		${.CURDIR}/PLIST
 FILES_SUBST+=		SSH_PID_DIR=${SSH_PID_DIR:Q}
 SUBST_CLASSES+=		patch
 SUBST_STAGE.patch=	pre-configure
 SUBST_FILES.patch=	session.c
 SUBST_SED.patch=	-e '/channel_input_port_forward_request/s/0/ROOTUID/'
 SUBST_MESSAGE.patch=	More patch a file.
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../security/openssl/buildlink3.mk"
 .include "../../security/tcp_wrappers/buildlink3.mk"
 post-install:
-	${INSTALL_DATA_DIR} ${EGDIR}
+	${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
 	cd ${WRKSRC}; for file in ${CONFS}; do				\
-		${INSTALL_DATA} $${file}.out ${EGDIR}/$${file};		\
+		${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file};		\
 	done
 .if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
-	${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic ${EGDIR}/sshd.pam
+	${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
 	  ${DESTDIR}${EGDIR}/sshd.pam
 .endif
 .include "../../mk/bsd.pkg.mk"

 @@ -1,31 +1,31 @@
-$NetBSD: distinfo,v 1.68 2008/04/08 06:36:47 taca Exp $
+$NetBSD: distinfo,v 1.69 2008/04/27 00:34:27 tnn Exp $
-SHA1 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 8ab61d12b5bcf70d0ffe9cb1d157136d20ebb22c
+SHA1 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 688265249dfaa449283ddfae2f81a9b6e3507f86
-RMD160 (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 7b35eb1a3f6f3b703ac7f155f620bff63a900a0e
+RMD160 (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = d4baca41f6212036b513173835de6e1081d49ac8
-Size (openssh-4.7.1-20070919/openssh-4.7p1-hpn12v18.diff.gz) = 16094 bytes
+Size (openssh-5.0.1-20080427/openssh-5.0p1-hpn13v3.diff.gz) = 24060 bytes
-SHA1 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4
+SHA1 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 121cea3a730c0b0353334b6f46f438de30ab4928
-RMD160 (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = b828e79d3d1a931cb77651ec7d7276cf3ba22d90
+RMD160 (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = b813234014e339fe2d9d10a5adad9f8e065918fc
-Size (openssh-4.7.1-20070919/openssh-4.7p1.tar.gz) = 991119 bytes
+Size (openssh-5.0.1-20080427/openssh-5.0p1.tar.gz) = 1011556 bytes
 SHA1 (patch-aa) = 8b7a16e9a63cfff3b73d70b9cebb6627b96396e0
 SHA1 (patch-ab) = a105c238c8dc774ed6992791b131da56824869e9
 SHA1 (patch-ac) = dfb054ef02fbb5d206f6adaf82944f16da20eaf9
 SHA1 (patch-ad) = 7921e029b56c0e4769a7ada03dff3eb2e275db7d
 SHA1 (patch-ae) = 9585221f9e49b4ebea31c374066d70e11aa804a1
 SHA1 (patch-af) = ca3224af0b648803404776a8c12ed678db4f8ff6
 SHA1 (patch-ag) = b6f92a5394a3442fcc0c2a2ee204c10df5a4aea5
 SHA1 (patch-ah) = bc0d7c2903ecf264e62b53f3864812af5f2f04ce
 SHA1 (patch-ai) = becad6262e5daeef2a6db14097a8971c40088403
 SHA1 (patch-aj) = 4f477f40d1d891dcda9083cec5521e80410ebd54
 SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc
 SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7
 SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38
 SHA1 (patch-an) = 2f955b8891bedd79986490d282eb09acd4910250
-SHA1 (patch-ao) = f2188b57baff4c88a793eee37dad69ffc523f7e5
+SHA1 (patch-ao) = a7c5a1832cb2a4584c77577fb125f84a1e9a9deb
-SHA1 (patch-ap) = 2c0c092637661328046b71292a7412d09e92bb2a
+SHA1 (patch-ap) = 3029b847ce83305e8103276e27c75e0338e1fc08
 SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34
 SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d
 SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3
 SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f
 SHA1 (patch-av) = 00f54c3fae7318b278b16bd0b01881a90bd31365
 SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30
-SHA1 (patch-ax) = 1ddf59636b6f3b544850f787ca63287fd93cae88
+SHA1 (patch-ax) = 8b876f4ba5b020dbd41f1166fc0b169444874d5a

 @@ -1,33 +1,33 @@
-# $NetBSD: options.mk,v 1.14 2007/09/07 10:41:12 taca Exp $
+# $NetBSD: options.mk,v 1.15 2008/04/27 00:34:27 tnn Exp $
 .include "../../mk/bsd.prefs.mk"
 PKG_OPTIONS_VAR=	PKG_OPTIONS.openssh
 PKG_SUPPORTED_OPTIONS=	kerberos hpn-patch
 .if !empty(OPSYS:MLinux)
 PKG_SUPPORTED_OPTIONS+= pam
 .endif
 .include "../../mk/bsd.options.mk"
 .if !empty(PKG_OPTIONS:Mkerberos)
 .  include "../../mk/krb5.buildlink3.mk"
 CONFIGURE_ARGS+=	--with-kerberos5=${KRB5BASE:Q}
 .endif
 .if !empty(PKG_OPTIONS:Mhpn-patch)
-PATCHFILES=		openssh-4.7p1-hpn12v18.diff.gz
+PATCHFILES=		openssh-5.0p1-hpn13v3.diff.gz
 PATCH_SITES=		http://www.psc.edu/networking/projects/hpn-ssh/
 PATCH_DIST_STRIP=	-p1
 .endif
 .if !empty(PKG_OPTIONS:Mpam)
 # XXX: PAM authentication causes memory faults, and haven't tracked down
 # XXX: why yet.  For the moment, disable PAM authentication for non-Linux.
 .include "../../mk/pam.buildlink3.mk"
 CONFIGURE_ARGS+=	--with-pam
 PLIST_SRC+=		${.CURDIR}/PLIST.pam
 MESSAGE_SRC+=		${.CURDIR}/MESSAGE.pam
 MESSAGE_SUBST+=		EGDIR=${EGDIR}
 .endif

 @@ -1,92 +1,80 @@
-$NetBSD: patch-ao,v 1.11 2008/04/08 06:36:47 taca Exp $
+$NetBSD: patch-ao,v 1.12 2008/04/27 00:34:27 tnn Exp $
 One more replacing 0 with ROOTUID is handled by using SUBST framework
 because patch can't handle it when hpn-patch option is enabled.
 So, don't simply update this file with mkpatch command.
---- session.c.orig	2007-08-16 13:28:04.000000000 +0000
+--- session.c.orig	2008-03-27 01:03:05.000000000 +0100
 +++ session.c
-@@ -954,7 +954,7 @@ read_etc_default_login(char ***env, u_in
+@@ -955,7 +955,7 @@ read_etc_default_login(char ***env, u_in
  	if (tmpenv == NULL)
  		return;
 -	if (uid == 0)
 +	if (uid == ROOTUID)
  		var = child_get_env(tmpenv, "SUPATH");
  	else
  		var = child_get_env(tmpenv, "PATH");
-@@ -1063,7 +1063,7 @@ do_setup_env(Session *s, const char *she
+@@ -1064,7 +1064,7 @@ do_setup_env(Session *s, const char *she
  #  endif /* HAVE_ETC_DEFAULT_LOGIN */
  		if (path == NULL || *path == '\0') {
  			child_set_env(&env, &envsize, "PATH",
 -			    s->pw->pw_uid == 0 ?
 +			    s->pw->pw_uid == ROOTUID ?
  				SUPERUSER_PATH : _PATH_STDPATH);
+ 		}
  # endif /* HAVE_CYGWIN */
-@@ -1177,6 +1177,18 @@ do_setup_env(Session *s, const char *she
+@@ -1178,6 +1178,18 @@ do_setup_env(Session *s, const char *she
  		    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
  		read_environment_file(&env, &envsize, buf);
+ 	}
++
 +#ifdef HAVE_INTERIX
 +	{
 +		/* copy standard Windows environment, then apply changes */
 +		env_t *winenv = env_login(pw);
 +		env_putarray(winenv, env, ENV_OVERRIDE);
++
 +		/* swap over to altered environment as a traditional array */
 +		env = env_array(winenv);
 +	}
 +#endif
++
  	if (debug_flag) {
  		/* dump the environment */
  		fprintf(stderr, "Environment:\n");
-@@ -1201,8 +1213,9 @@ do_rc_files(Session *s, const char *shel
+@@ -1351,9 +1363,9 @@ do_setusercontext(struct passwd *pw)
- 	do_xauth =
+ 	(void)ssh_selinux_enabled();
- 	    s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;
+ #endif
 -	/* ignore _PATH_SSH_USER_RC for subsystems */
 -	if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
 +	/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
 +	if (!s->is_subsystem && options.adm_forced_command == NULL &&
 +	    (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
  		snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
  		    shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
  		if (debug_flag)
@@ -1287,9 +1300,9 @@ do_nologin(struct passwd *pw)
  void
  do_setusercontext(struct passwd *pw)
 -#ifndef HAVE_CYGWIN
 +#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
  	if (getuid() == 0 || geteuid() == 0)
 -#endif /* HAVE_CYGWIN */
 +#endif /* !HAVE_CYGWIN && !HAVE_INTERIX */
+ 	{
  #ifdef HAVE_SETPCRED
-@@ -1331,11 +1344,13 @@ do_setusercontext(struct passwd *pw)
+@@ -1387,11 +1399,13 @@ do_setusercontext(struct passwd *pw)
  			perror("setgid");
  			exit(1);
+ 		}
 +# if !defined(HAVE_INTERIX)
  		/* Initialize the group list. */
  		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
  			perror("initgroups");
  			exit(1);
+ 		}
 +# endif /* !HAVE_INTERIX */
  		endgrent();
- #ifdef GSSAPI
+ # ifdef USE_PAM
- 		if (options.gss_authentication) {
+ 		/*
-@@ -2086,7 +2101,7 @@ session_pty_cleanup2(Session *s)
+@@ -2175,7 +2189,7 @@ session_pty_cleanup2(Session *s)
  		record_logout(s->pid, s->tty, s->pw->pw_name);
  	/* Release the pseudo-tty. */
 -	if (getuid() == 0)
 +	if (getuid() == ROOTUID)
  		pty_release(s->tty);
  	/*

 @@ -1,13 +1,13 @@
-$NetBSD: patch-ap,v 1.8 2006/10/31 03:31:20 taca Exp $
+$NetBSD: patch-ap,v 1.9 2008/04/27 00:34:27 tnn Exp $
---- ssh.c.orig	2006-10-29 12:02:30.000000000 +0900
+--- ssh.c.orig	2008-02-28 09:13:52.000000000 +0100
 +++ ssh.c
-@@ -684,7 +684,7 @@ main(int ac, char **av)
+@@ -693,7 +693,7 @@ main(int ac, char **av)
  	/* Open a connection to the remote host. */
  	if (ssh_connect(host, &hostaddr, options.port,
- 	    options.address_family, options.connection_attempts,
+ 	    options.address_family, options.connection_attempts, &timeout_ms,
  	    options.tcp_keep_alive,
 -#ifdef HAVE_CYGWIN
 +#if defined(HAVE_CYGWIN) || defined(HAVE_INTERIX)
  	    options.use_privileged_port,
  #else
  	    original_effective_uid == 0 && options.use_privileged_port,

 @@ -1,18 +1,10 @@
-$NetBSD: patch-ax,v 1.5 2008/04/03 07:59:08 tonnerre Exp $
+$NetBSD: patch-ax,v 1.6 2008/04/27 00:34:27 tnn Exp $
-Don't deadlock on exit with multiple X forwarded channels.
+--- sftp.h.orig	2008-02-10 12:40:12.000000000 +0100
-Don't use X11 port which can't be bound on all IP families.
++++ sftp.h
-Fixes CVE-2008-1483.
+@@ -94,4 +94,4 @@
  struct passwd;
 --- channels.c.orig	2007-06-25 09:04:47.000000000 +0000
 +++ channels.c
@@ -2905,9 +2905,6 @@ x11_create_display_inet(int x11_display_
  				debug2("bind port %d: %.100s", port, strerror(errno));
  				close(sock);
--				if (ai->ai_next)
+ int	sftp_server_main(int, char **, struct passwd *);
--					continue;
+-void	sftp_server_cleanup_exit(int) __dead;
 +void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
  				for (n = 0; n < num_socks; n++) {
  					close(socks[n]);