diff options
Diffstat (limited to 'pkgs/tools/networking/openssh')
| -rw-r--r-- | pkgs/tools/networking/openssh/default.nix | 6 | ||||
| -rw-r--r-- | pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch | 65 |
2 files changed, 68 insertions, 3 deletions
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 50d53bdff2cd6..2004e453a0d95 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -17,11 +17,11 @@ let in with stdenv.lib; stdenv.mkDerivation rec { - name = "openssh-7.1p1"; + name = "openssh-6.9p1"; src = fetchurl { url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz"; - sha256 = "0a44mnr8bvw41zg83xh4sb55d8nds29j95gxvxk5qg863lnns2pw"; + sha256 = "1zkci5nbpb4frmzj2vr3kv9j47x2h72kvybcpr0d8mzk73sls1vf"; }; prePatch = optionalString hpnSupport @@ -30,7 +30,7 @@ stdenv.mkDerivation rec { export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" ''; - patches = [ ./locale_archive.patch ]; + patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch]; buildInputs = [ zlib openssl libedit pkgconfig pam ] ++ optional withKerberos [ kerberos ]; diff --git a/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch b/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch new file mode 100644 index 0000000000000..02e9eb3a9739a --- /dev/null +++ b/pkgs/tools/networking/openssh/openssh-6.9p1-security-7.0.patch @@ -0,0 +1,65 @@ +http://pkgs.fedoraproject.org/cgit/openssh.git/commit/openssh-6.9p1-security-7.0.patch?h=f22&id=4776fad91e7e1f626f33e8c240d0ccecd663554d + +diff --git a/sshpty.c b/sshpty.c +index 7bb7641..15da8c6 100644 +--- a/sshpty.c ++++ b/sshpty.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */ ++/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty) + /* Determine the group to make the owner of the tty. */ + grp = getgrnam("tty"); + gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid; +- mode = (grp != NULL) ? 0622 : 0600; ++ mode = (grp != NULL) ? 0620 : 0600; + + /* + * Change owner and mode of the tty as required. +diff --git a/monitor.c b/monitor.c +index b410965..f1b873d 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device; + int + mm_answer_pam_init_ctx(int sock, Buffer *m) + { +- + debug3("%s", __func__); +- authctxt->user = buffer_get_string(m, NULL); + sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); + sshpam_authok = NULL; + buffer_clear(m); +@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m) + int + mm_answer_pam_free_ctx(int sock, Buffer *m) + { ++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; + + debug3("%s", __func__); + (sshpam_device.free_ctx)(sshpam_ctxt); ++ sshpam_ctxt = sshpam_authok = NULL; + buffer_clear(m); + mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); + auth_method = "keyboard-interactive"; + auth_submethod = "pam"; +- return (sshpam_authok == sshpam_ctxt); ++ return r; + } + #endif + +diff --git a/monitor_wrap.c b/monitor_wrap.c +index e6217b3..eac421b 100644 +--- a/monitor_wrap.c ++++ b/monitor_wrap.c +@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) + + debug3("%s", __func__); + buffer_init(&m); +- buffer_put_cstring(&m, authctxt->user); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); |