Commit a5504c22 authored by Francesco Colista

main/openssh: security fix for CVE-2016-1907 and CVE-2015-8325

parent e388cdee
......@@ -2,7 +2,7 @@
pkgname=openssh
pkgver=6.8_p1
_myver=${pkgver%_*}${pkgver#*_}
pkgrel=9
pkgrel=10
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
......@@ -23,6 +23,8 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
CVE-2016-6515.patch
CVE-2016-10010.patch
CVE-2016-10011.patch
CVE-2016-1907.patch
CVE-2015-8325.patch
openssh6.5-peaktput.diff
openssh6.8-dynwindows.diff
openssh-fix-utmp.diff
......@@ -33,6 +35,9 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
# HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
# secfixes:
# 6.8_p1-r10:
# - CVE-2016-1907
# - CVE-2015-8325
# 6.8_p1-r7:
# - CVE-2016-6210
# 6.8_p1-r8:
......@@ -138,6 +143,8 @@ ae3ac6c890f3172327118f3b793e7f05 CVE-2015-6563.patch
c70de89a56f365514ea7a877c8267715 CVE-2016-6515.patch
ff2645ea513fd071553f657aabb49e2b CVE-2016-10010.patch
368a1f2e4d381157647671effbb2f48e CVE-2016-10011.patch
2ee78452e5f1908d2dbd19af03b4aa0a CVE-2016-1907.patch
1788e9e34e2a17ceb16fa416b9bd69d2 CVE-2015-8325.patch
cd52fe99cb4b7d0d847bf5d710d93564 openssh6.5-peaktput.diff
c6e29d7d88529a66d857657753f39694 openssh6.8-dynwindows.diff
37fbfe9cfb9a5e2454382ea8c79ed2e1 openssh-fix-utmp.diff
......@@ -156,6 +163,8 @@ cd30c1f083f810d71d91eb03ad08e2cb46652cb80dc40560729e308d4fab8a81 CVE-2015-6565.
dae8c7167a614eae45e5efadd635791e1d7f47dadfa605819a29f7b8ecedf9aa CVE-2016-6515.patch
477fe3e0aa4e84ed456ed976070596047a587e0a743c2be8a69274869e904a01 CVE-2016-10010.patch
2e281fe5fae68346097c83738516195733e3745cbf144404983116f90c9790ea CVE-2016-10011.patch
352661b549dcf8835aaf4cc67c30f64b3a9bc3a21dd9343ae8d7d8b818696ff2 CVE-2016-1907.patch
e999f5e80b67d9f72540387056994873d219d7062ba9225f0407a6cc764a531b CVE-2015-8325.patch
bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249 openssh6.5-peaktput.diff
bf0f00bd88a7224ea0618f6e347a6a805c4e5acd869196725a3923d711ff1246 openssh6.8-dynwindows.diff
1c85437fd94aa4fc269e6297e4eb790baa98c39949ec0410792c09ee31ba9782 openssh-fix-utmp.diff
......@@ -174,6 +183,8 @@ aad1fc45a8f83fc778105ea43b6406860155fc89545a058ff0359586cbb33a0d0ebff99dc70be64a
23794c9035ac25851734f154fca25f10fdb4bb6fc02c4162e7593ee7f05dbbd7bc3d158fca640cc57819e8fb9d64053f188f7a2cbb204c7f37fe6a60115f2ac6 CVE-2016-6515.patch
d6798d818ff7dfad0cd314c2f0e2d3d5477e4567f5422ff2409fdd56050d45e88073fb2b9008c3335cc3ac596b6c0ed13128fa5d588cbb56d4919ab62b218c26 CVE-2016-10010.patch
3ab26c702f7a64225d11dd485b288ac81f96afa2a13ab0a8082245d80d31d7c9c335e49cb4cec1e0439c39cb32df5360afd6bf6363d4cbaa80cb3a991c636755 CVE-2016-10011.patch
3806824e81c3b8b201e1bf4d90328e6a5597e89f4c1cfa5cd15aee9aabb4dbcffdb43d3f782acaa6a92dc114d661103c41583f9b424721b888e7c2aaf4d35954 CVE-2016-1907.patch
e451d57e0714528d2631890751af47a88a0e87f85c20965fc2179c58cdf88c3eb7a7f411248e74164034c04b860a9fdfe214c32616f5624e4f1ddd384755ee59 CVE-2015-8325.patch
e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1 openssh6.5-peaktput.diff
307ca56d2bae53f2f2852a695de440843a457c4000524d1b7dbcf2f46f70ae4f8ba7309273b62287ad5eef2005e2911dd737a0f55605352397b8f557d78e18df openssh6.8-dynwindows.diff
f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1 openssh-fix-utmp.diff
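Review bot: The new `# 6.8_p1-r10:` entry in the secfixes comment is placed above `# 6.8_p1-r7:` and `# 6.8_p1-r8:`, which are listed in ascending release order, so the block no longer reads in one direction. I would move the three added lines (`# 6.8_p1-r10:`, `# - CVE-2016-1907`, `# - CVE-2015-8325`) below the last existing entry. The list continues past the end of the hunk, so the exact position has to be checked in the full file. Tools that parse secfixes as a map are unlikely to care, but anyone auditing which release fixed which CVE reads this block top to bottom.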
......
From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 13 Apr 2016 10:39:57 +1000
Subject: ignore PAM environment vars when UseLogin=yes
If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
---
session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/session.c b/session.c
index 48592457..4653b09f 100644
--- a/session.c
+++ b/session.c
@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
* Pull in any environment variables that may have
* been set by PAM.
*/
- if (options.use_pam) {
+ if (options.use_pam && !options.use_login) {
char **p;
p = fetch_pam_child_environment();
--
cgit v1.2.3
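Review bot: The comment above the changed condition in do_setup_env() still says only that PAM variables are pulled in, so nothing at the guard explains why `!options.use_login` is there, and a later cleanup could drop it as redundant. I would extend that comment with something like `Skipped with UseLogin: user-controlled variables such as LD_PRELOAD must not reach /bin/login (CVE-2015-8325).` The reasoning currently lives only in the patch header, which is not carried into session.c. The block opened by the `if` continues past the end of the hunk, so whether every PAM environment copy sits inside the guard cannot be confirmed from the lines shown.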
From 2fecfd486bdba9f51b3a789277bb0733ca36e1c0 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 8 Nov 2015 21:59:11 +0000
Subject: upstream commit
fix OOB read in packet code caused by missing return
statement found by Ben Hawkes; ok markus@ deraadt@
Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
---
packet.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packet.c b/packet.c
index a0dbc239..4f6433b4 100644
--- a/packet.c
+++ b/packet.c
@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
logit("Bad packet length %u.", state->packlen);
if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
return r;
+ return SSH_ERR_CONN_CORRUPT;
}
sshbuf_reset(state->incoming_packet);
} else if (state->packlen == 0) {
--
cgit v1.2.3
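Review bot: The added `return SSH_ERR_CONN_CORRUPT;` in ssh_packet_read_poll2() carries no comment, although it is the entire fix: without it a rejected `state->packlen` falls through to the code after the closing brace. A one-line comment such as `/* packlen failed validation; never fall through with it */` would keep the line from being merged away in a later tidy-up. When sshpkt_disconnect() fails, its own error `r` is returned instead, so callers see two different codes for the same corrupt-length condition; that is probably intentional but worth stating in the same comment. The length check itself starts above the hunk, and any other length-rejection branch in this function should be checked for the same fall-through.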