Backport latest openssh from trunk resolving CVE

security/openssh/Makefile

@@ -1,13 +1,14 @@
-# $NetBSD: Makefile,v 1.249.4.1 2017/01/08 11:05:07 bsiegert Exp $
+# $NetBSD: Makefile,v 1.254 2017/10/04 11:44:14 wiz Exp $
 
-DISTNAME=		openssh-7.4p1
+DISTNAME=		openssh-7.6p1
 PKGNAME=		${DISTNAME:S/p1/.1/}
 CATEGORIES=		security
 MASTER_SITES=		${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
 
 MAINTAINER=		pkgsrc-users@NetBSD.org
 HOMEPAGE=		http://www.openssh.com/
 COMMENT=		Open Source Secure shell client and server (remote login program)
+LICENSE=		modified-bsd
 
 CONFLICTS=		sftp-[0-9]*
 CONFLICTS+=		ssh-[0-9]* ssh6-[0-9]*
@@ -143,17 +144,7 @@ CONFIGURE_ARGS+=	--with-xauth=${PREFIX}/bin/xauth
 
 CONFS=			ssh_config sshd_config moduli
 
-PLIST_VARS+=		darwin prng
-
-.if exists(/dev/urandom)
-.  if ${OPSYS} == "NetBSD"
-MESSAGE_SRC+=		${.CURDIR}/MESSAGE.urandom
-.  endif
-.else
-CONFIGURE_ARGS+=	--without-random
-CONFS+=			ssh_prng_cmds
-PLIST.prng=		yes
-.endif
+PLIST_VARS+=		darwin
 
 EGDIR=			${PREFIX}/share/examples/${PKGBASE}
 

security/openssh/PLIST

@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.18 2016/03/15 20:54:07 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.19 2017/01/19 03:50:53 maya Exp $
 bin/scp
 bin/sftp
 bin/ssh
@@ -9,7 +9,6 @@ bin/ssh-keyscan
 libexec/sftp-server
 libexec/ssh-keysign
 libexec/ssh-pkcs11-helper
-${PLIST.prng}libexec/ssh-rand-helper
 man/man1/scp.1
 man/man1/sftp.1
 man/man1/ssh-add.1
@@ -28,6 +27,5 @@ sbin/sshd
 share/examples/openssh/moduli
 ${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
 share/examples/openssh/ssh_config
-${PLIST.prng}share/examples/openssh/ssh_prng_cmds
 ${PLIST.pam}share/examples/openssh/sshd.pam
 share/examples/openssh/sshd_config

security/openssh/distinfo

@@ -1,18 +1,17 @@
-$NetBSD: distinfo,v 1.102.4.1 2017/01/08 11:05:07 bsiegert Exp $
+$NetBSD: distinfo,v 1.105 2017/10/04 11:44:14 wiz Exp $
 
-SHA1 (openssh-7.4p1.tar.gz) = 2330bbf82ed08cf3ac70e0acf00186ef3eeb97e0
-RMD160 (openssh-7.4p1.tar.gz) = dff996c9f7ab697a04968fbd8924642253bc0e06
-SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
-Size (openssh-7.4p1.tar.gz) = 1511780 bytes
+SHA1 (openssh-7.6p1.tar.gz) = a6984bc2c72192bed015c8b879b35dd9f5350b3b
+RMD160 (openssh-7.6p1.tar.gz) = 486ae743f51ffbf8197d564aab9ae54f9e2ac9da
+SHA512 (openssh-7.6p1.tar.gz) = de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
+Size (openssh-7.6p1.tar.gz) = 1489788 bytes
 SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc
 SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7
 SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
 SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039
 SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa
-SHA1 (patch-channels.c) = edcce67664bbbc30a8d10ed2fe58dcece944726c
 SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
 SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59
-SHA1 (patch-configure.ac) = d7ba54f34e03fd204eb1a9804fcae7fd16e285e2
+SHA1 (patch-configure.ac) = 8ff27fcf7391722732386a574e3a4d41c4209222
 SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
 SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
 SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
@@ -26,6 +25,6 @@ SHA1 (patch-session.c) = c67d649dc66a65ff39d701135a2f2dab6ba2fb93
 SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778
 SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca
 SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
-SHA1 (patch-sshd.c) = a1ccf7e54275629965d80d9cf7cd8669d9f1f4cf
+SHA1 (patch-sshd.c) = 040ac961247fdd55bd09b85e65b905b63bc24f7d
 SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
 SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e

security/openssh/options.mk

@@ -1,11 +1,15 @@
-# $NetBSD: options.mk,v 1.33.4.1 2017/01/08 11:05:07 bsiegert Exp $
+# $NetBSD: options.mk,v 1.35 2017/07/24 16:33:22 he Exp $
 
 .include "../../mk/bsd.prefs.mk"
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.openssh
 PKG_SUPPORTED_OPTIONS=	kerberos openssl pam
 PKG_SUGGESTED_OPTIONS=	openssl
 
+.if ${OPSYS} == "NetBSD"
+PKG_SUGGESTED_OPTIONS+=	pam
+.endif
+
 .include "../../mk/bsd.options.mk"
 
 .if !empty(PKG_OPTIONS:Mopenssl)

security/openssh/patches/patch-clientloop.c

@@ -1,4 +1,4 @@
-$NetBSD: patch-clientloop.c,v 1.4.8.1 2017/01/08 11:05:07 bsiegert Exp $
+$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
 
 Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
 

security/openssh/patches/patch-configure.ac

@@ -1,11 +1,11 @@
-$NetBSD: patch-configure.ac,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+$NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $
 
 * Various fixes regarding portability
 * Revive tcp_wrappers support.
 
---- configure.ac.orig	2015-08-21 04:49:03.000000000 +0000
+--- configure.ac.orig	2017-03-20 02:39:27.000000000 +0000
 +++ configure.ac
-@@ -316,6 +316,9 @@ AC_ARG_WITH([rpath],
+@@ -306,6 +306,9 @@ AC_ARG_WITH([rpath],
  	]
  )
 
@@ -15,15 +15,15 @@ $NetBSD: patch-configure.ac,v 1.5 2016/01/18 12:53:26 jperkin Exp $
  # Allow user to specify flags
  AC_ARG_WITH([cflags],
  	[  --with-cflags           Specify additional flags to pass to compiler],
-@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
+@@ -379,6 +382,7 @@ AC_CHECK_HEADERS([ \
  	maillock.h \
  	ndir.h \
  	net/if_tun.h \
 +	net/tun/if_tun.h \
  	netdb.h \
  	netgroup.h \
  	pam/pam_appl.h \
-@@ -696,6 +700,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+@@ -695,6 +699,15 @@ main() { if (NSVersionOfRunTimeLibrary("
  		;;
  	esac
  	;;
@@ -39,7 +39,7 @@ $NetBSD: patch-configure.ac,v 1.5 2016/01/18 12:53:26 jperkin Exp $
  *-*-irix5*)
  	PATH="$PATH:/usr/etc"
  	AC_DEFINE([BROKEN_INET_NTOA], [1],
-@@ -1424,6 +1437,62 @@ AC_ARG_WITH([skey],
+@@ -1470,6 +1483,62 @@ AC_ARG_WITH([skey],
  	]
  )
 
@@ -102,7 +102,7 @@ $NetBSD: patch-configure.ac,v 1.5 2016/01/18 12:53:26 jperkin Exp $
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -4816,9 +4885,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+@@ -4979,9 +5048,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
  ])
  if test -z "$conf_wtmpx_location"; then
  	if test x"$system_wtmpx_path" = x"no" ; then
@@ -122,7 +122,7 @@ $NetBSD: patch-configure.ac,v 1.5 2016/01/18 12:53:26 jperkin Exp $
  	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
  		[Define if you want to specify the path to your wtmpx file])
  fi
-@@ -4905,7 +4982,7 @@ echo "OpenSSH has been configured with t
+@@ -5069,7 +5146,7 @@ echo "OpenSSH has been configured with t
  echo "                     User binaries: $B"
  echo "                   System binaries: $C"
  echo "               Configuration files: $D"
@@ -131,11 +131,11 @@ $NetBSD: patch-configure.ac,v 1.5 2016/01/18 12:53:26 jperkin Exp $
  echo "                      Manual pages: $F"
  echo "                          PID file: $G"
  echo "  Privilege separation chroot path: $H"
-@@ -4929,6 +5006,7 @@ echo "                 KerberosV support
+@@ -5093,6 +5170,7 @@ echo "                 KerberosV support
  echo "                   SELinux support: $SELINUX_MSG"
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
- echo "  Solaris process contract support: $SPC_MSG"
+ echo "                   libldns support: $LDNS_MSG"

security/openssh/patches/patch-openbsd-compat_bsd-openpty.c

@@ -1,4 +1,4 @@
-$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.3.8.1 2017/01/08 11:05:07 bsiegert Exp $
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.4 2016/12/30 04:43:16 taca Exp $
 
 Interix support
 

security/openssh/patches/patch-session.c

@@ -1,4 +1,4 @@
-$NetBSD: patch-session.c,v 1.7.4.1 2017/01/08 11:05:07 bsiegert Exp $
+$NetBSD: patch-session.c,v 1.8 2016/12/30 04:43:16 taca Exp $
 
 * Interix support.
 

security/openssh/patches/patch-sshd.c

@@ -1,11 +1,11 @@
-$NetBSD: patch-sshd.c,v 1.7.8.1 2017/01/08 11:05:07 bsiegert Exp $
+$NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $
 
 * Interix support
 * Revive tcp_wrappers support.
 
---- sshd.c.orig	2016-12-19 04:59:41.000000000 +0000
+--- sshd.c.orig	2017-10-02 19:34:26.000000000 +0000
 +++ sshd.c
-@@ -123,6 +123,13 @@
+@@ -122,6 +122,13 @@
  #include "version.h"
  #include "ssherr.h"
 
@@ -19,7 +19,7 @@
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
-@@ -220,7 +227,11 @@ int *startup_pipes = NULL;
+@@ -219,7 +226,11 @@ int *startup_pipes = NULL;
  int startup_pipe;		/* in child */
 
  /* variables used for privilege separation */
@@ -30,17 +30,8 @@
 +#endif
  struct monitor *pmonitor = NULL;
  int privsep_is_preauth = 1;
-
-@@ -541,7 +552,7 @@ privsep_preauth_child(void)
- 	demote_sensitive_data();
-
- 	/* Demote the child */
--	if (getuid() == 0 || geteuid() == 0) {
-+	if (getuid() == ROOTUID || geteuid() == ROOTUID) {
- 		/* Change our root directory */
- 		if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
- 			fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-@@ -552,10 +563,15 @@ privsep_preauth_child(void)
+ static int privsep_chroot = 1;
+@@ -550,10 +561,15 @@ privsep_preauth_child(void)
  		/* Drop our privileges */
  		debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
  		    (u_int)privsep_pw->pw_gid);
@@ -56,7 +47,7 @@
  	}
  }
 
-@@ -619,10 +635,17 @@ privsep_preauth(Authctxt *authctxt)
+@@ -617,10 +633,17 @@ privsep_preauth(Authctxt *authctxt)
  		/* Arrange for logging to be sent to the monitor */
  		set_log_handler(mm_log_handler, pmonitor);
 
@@ -74,7 +65,7 @@
 
  		return 0;
  	}
-@@ -634,7 +657,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -632,7 +655,7 @@ privsep_postauth(Authctxt *authctxt)
  #ifdef DISABLE_FD_PASSING
  	if (1) {
  #else
@@ -83,7 +74,7 @@
  #endif
  		/* File descriptor passing is broken or root login */
  		use_privsep = 0;
-@@ -1389,8 +1412,10 @@ main(int ac, char **av)
+@@ -1393,8 +1416,10 @@ main(int ac, char **av)
  	av = saved_argv;
  #endif
 
@@ -95,7 +86,16 @@
 
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  	sanitise_stdfd();
-@@ -1766,7 +1791,7 @@ main(int ac, char **av)
+@@ -1636,7 +1661,7 @@ main(int ac, char **av)
+ 	);
+
+ 	/* Store privilege separation user for later use if required. */
+-	privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
++	privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID);
+ 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+ 		if (privsep_chroot || options.kerberos_authentication)
+ 			fatal("Privilege separation user %s does not exist",
+@@ -1769,7 +1794,7 @@ main(int ac, char **av)
  		    (st.st_uid != getuid () ||
  		    (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
  #else
@@ -104,7 +104,7 @@
  #endif
  			fatal("%s must be owned by root and not group or "
  			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
-@@ -1789,8 +1814,10 @@ main(int ac, char **av)
+@@ -1792,8 +1817,10 @@ main(int ac, char **av)
  	 * to create a file, and we can't control the code in every
  	 * module which might be used).
  	 */
@@ -115,7 +115,7 @@
 
  	if (rexec_flag) {
  		rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
-@@ -1972,6 +1999,25 @@ main(int ac, char **av)
+@@ -1981,6 +2008,25 @@ main(int ac, char **av)
  	audit_connection_from(remote_ip, remote_port);
  #endif