main/openssh: add mitigation for CVE-2021-41617

2 files changed, 35 insertions, 3 deletions

diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index bba95c9a60b..0e2ea029079 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
 pkgname=openssh
 pkgver=8.3_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=2
+pkgrel=3
 pkgdesc="Port of OpenBSD's free SSH release"
 url="https://www.openssh.com/portable.html"
 arch="all"
@@ -38,10 +38,14 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar
 	CVE-2020-14145.patch
 	CVE-2021-28041.patch
 
+	CVE-2021-41617.patch
+
 	sshd.initd
 	sshd.confd
 	"
 # secfixes:
+#   8.3_p1-r3:
+#     - CVE-2021-41617
 #   8.3_p1-r2:
 #     - CVE-2021-28041
 #   8.3_p1-r1:
@@ -209,12 +213,15 @@ _pkg_flavour() {
 	done
 }
 
-sha512sums="b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40  openssh-8.3p1.tar.gz
+sha512sums="
+b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40  openssh-8.3p1.tar.gz
 f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1  fix-utmp.patch
 c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  sftp-interactive.patch
 8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de  disable-forwarding-by-default.patch
 b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d  fix-verify-dns-segfault.patch
 367c4f4e2777cd4608a9a7455c1d9744683938fab9b07333af8bbe26aef30091040e69b6ee84dee82c09d50d93e15a9c005cc799b5d15d40d2fa31f879ba0850  CVE-2020-14145.patch
 927863c0778d4933d90d5cbd97ba2d6f6deb3c44def522bfb764103e72320512d91a4d4f21ae46b46e72c5fd379d523511f3827b7b0834862483eb3796916bf9  CVE-2021-28041.patch
+25f73470597d2281ab4f13e992b5d56630c12c6f0b65507ebfa60b31003c828e8098012d2561f23f99858e430af67b178df0e94e0116a02e559e427cc287899f  CVE-2021-41617.patch
 8122ac1838586a1487dad1f70ed2ec8161ae57b4a7ee8bfef9757b590aa76a887a6c5e5f2575728da4c6c2f00d2a924360e23d84a4df204d7021b44b690cb2f8  sshd.initd
-ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc  sshd.confd"
+ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc  sshd.confd
+"
diff --git a/main/openssh/CVE-2021-41617.patch b/main/openssh/CVE-2021-41617.patch
new file mode 100644
index 00000000000..ec9b8392b41
--- /dev/null
+++ b/main/openssh/CVE-2021-41617.patch
@@ -0,0 +1,25 @@
+diff --git a/auth.c b/auth.c
+index b8d1040d..0134d694 100644
+--- a/auth.c
++++ b/auth.c
+@@ -56,6 +56,7 @@
+ # include <paths.h>
+ #endif
+ #include <pwd.h>
++#include <grp.h>
+ #ifdef HAVE_LOGIN_H
+ #include <login.h>
+ #endif
+@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
+ 		}
+ 		closefrom(STDERR_FILENO + 1);
+ 
++		if (geteuid() == 0 &&
++		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
++			error("%s: initgroups(%s, %u): %s", tag,
++			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++			_exit(1);
++		}
+		/* Don't use permanently_set_uid() here to avoid fatal() */
+ 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,