aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2019-03-04 14:23:19 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-03-04 15:08:29 +0000
commitcfa04666c50b8dfbe34b6ac8e6b177add54ce649 (patch)
treedf5801b6b7f9e0fb32ec62e314a3a473ca641cd7
parente75dee2587e0366d31527c0c11983372be4f532b (diff)
downloadaports-cfa04666c50b8dfbe34b6ac8e6b177add54ce649.tar.gz
aports-cfa04666c50b8dfbe34b6ac8e6b177add54ce649.tar.bz2
aports-cfa04666c50b8dfbe34b6ac8e6b177add54ce649.tar.xz
main/openssh: security fixes
CVE-2018-20685, CVE-2019-6109, CVE-2019-6111 Rebased HPN patch, included upstream patch due regression bug due to CVE-2019-6109 fix Fixes #9999
-rw-r--r--main/openssh/APKBUILD33
-rw-r--r--main/openssh/CVE-2018-20685.patch36
-rw-r--r--main/openssh/CVE-2019-6109.patch278
-rw-r--r--main/openssh/CVE-2019-6111.patch197
-rw-r--r--main/openssh/have-progressmeter-force-update-at-beginning-and-end-transfer.patch124
-rw-r--r--main/openssh/openssh7.4-dynwindows.patch17
-rw-r--r--main/openssh/openssh7.4-peaktput.patch19
7 files changed, 677 insertions, 27 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 19508813a1..c7ae42f7a6 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
pkgname=openssh
pkgver=7.5_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=9
+pkgrel=10
pkgdesc="Port of OpenBSD's free SSH release"
url="http://www.openssh.org/portable.html"
arch="all"
@@ -30,18 +30,27 @@ for _flavour in $_pkgsupport; do
done
source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
- openssh7.4-peaktput.patch
- openssh7.4-dynwindows.patch
fix-utmp.patch
bsd-compatible-realpath.patch
- sshd.initd
- sshd.confd
sftp-interactive.patch
openssh-7.5p1-sandbox.patch
CVE-2017-15906.patch
CVE-2018-15473.patch
+ CVE-2018-20685.patch
+ CVE-2019-6109.patch
+ CVE-2019-6111.patch
+ have-progressmeter-force-update-at-beginning-and-end-transfer.patch
+ openssh7.4-peaktput.patch
+ openssh7.4-dynwindows.patch
+
+ sshd.initd
+ sshd.confd
"
# secfixes:
+# 7.5_p1-r10:
+# - CVE-2018-20685
+# - CVE-2019-6109
+# - CVE-2019-6111
# 7.5_p1-r9:
# - CVE-2018-15473
# 7.5_p1-r0:
@@ -201,13 +210,17 @@ _pkg_flavour() {
}
sha512sums="58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81 openssh-7.5p1.tar.gz
-398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6 openssh7.4-peaktput.patch
-b9d736eae9b43de91fa3eb277ba8abc6290a8436b0fb00ae3b0f1b2eabba9983e4d2a1e3c68f5514247d0a3f120037f0795fd88fbf302aabd2d1b54a325a04ee openssh7.4-dynwindows.patch
f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1 fix-utmp.patch
f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch
-394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f sshd.initd
-ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4 sshd.confd
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
15c5478bcae56c019a2fbd82ec04808537fd4ba1f1ba4a0a88c0343c16c698c45dbfac59eebc3fcfd3c15b302ebec43e60ffa02442a6c77673b14818ad3f7b60 openssh-7.5p1-sandbox.patch
e064acdb9b9990ac3e997b0110051150a0e0e86a128228d400707815957cb6414ae167c8992da049ee81f315ef19d0ba4d6f55aef197b1fa16fc7ebb8596d320 CVE-2017-15906.patch
-390b238ec6f037dcd684f3cbbfd9655aa264791a32d3cbd270773989cdda3896756ddd83e4088356a56e21c183b11052cc4cc7653506d4b46ba48f092f7c66ea CVE-2018-15473.patch"
+390b238ec6f037dcd684f3cbbfd9655aa264791a32d3cbd270773989cdda3896756ddd83e4088356a56e21c183b11052cc4cc7653506d4b46ba48f092f7c66ea CVE-2018-15473.patch
+aab79b8a5761d27096a40af32ea864aecdde16068b2fe9090b7a45463c30c308f5c20756baf11705249e66d52489ccf51c95bbd8ac13af915d8151184fbbe681 CVE-2018-20685.patch
+1ca02180ac6514ee32e898b76e4c678acdef75099bd7d3a75c485fd69c2d123906eca4f930d29051407d52d4d259a6ba94c1147c47a1be012d041aa41a05702d CVE-2019-6109.patch
+73617926e4de73108f75c525b587ab643310417dbe43eb855748601cf6e91e646f3600a43a0d8a16a9ab88da770c6595a13c7acfa911e4da23c31a29d6968c78 CVE-2019-6111.patch
+da016f2e76cc663ca14a354abcbb5e8a0139735e6b3833fc7345ca6207dc02d4f093ffc64527a129f6cfdd1275cedca79fadf2d839fbd4d01517459b3f8a1d82 have-progressmeter-force-update-at-beginning-and-end-transfer.patch
+a69c79ca4bc76fbc8d16d20d508f307874e518e9ba3816db689cc94ee649f266286e74c1b03c25fd529c85332b85017a10614b381e3e9270be3de84d19633cc8 openssh7.4-peaktput.patch
+d98825a40bccbf6b46336fdbe7ac4a91cfd94939236f0ac03b48f09a29cf0df437e1ccf9eea7a8b3f1cd06e1e031aa023d99e68b97c0f3996b6642c94571f492 openssh7.4-dynwindows.patch
+394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f sshd.initd
+ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4 sshd.confd"
diff --git a/main/openssh/CVE-2018-20685.patch b/main/openssh/CVE-2018-20685.patch
new file mode 100644
index 0000000000..c0bdd304a2
--- /dev/null
+++ b/main/openssh/CVE-2018-20685.patch
@@ -0,0 +1,36 @@
+From 951d1b405c221a98e30c8560e941c73ab8493f9d Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Nov 2018 03:03:10 +0000
+Subject: upstream: disallow empty incoming filename or ones that refer to the
+
+current directory; based on report/patch from Harry Sintonen
+
+OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2
+Bug-Debian: https://bugs.debian.org/919101
+Last-Update: 2019-02-08
+
+Patch-Name: scp-disallow-dot-or-empty-filename.patch
+
+Ported to stretch by Yves-Alexis Perez <corsac@debian.org>
+
+CVE-2018-20685
+---
+ scp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scp.c b/scp.c
+index 18c27720..26099529 100644
+--- a/scp.c
++++ b/scp.c
+@@ -1055,7 +1055,8 @@ sink(int argc, char **argv)
+ size = size * 10 + (*cp++ - '0');
+ if (*cp++ != ' ')
+ SCREWUP("size not delimited");
+- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ if (*cp == '\0' || strchr(cp, '/') != NULL ||
++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
diff --git a/main/openssh/CVE-2019-6109.patch b/main/openssh/CVE-2019-6109.patch
new file mode 100644
index 0000000000..e399aefb05
--- /dev/null
+++ b/main/openssh/CVE-2019-6109.patch
@@ -0,0 +1,278 @@
+From 86fe04b06ec887e09b1bae345baff95ff2d05f6a Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Wed, 23 Jan 2019 08:01:46 +0000
+Subject: upstream: Sanitize scp filenames via snmprintf. To do this we move
+
+the progressmeter formatting outside of signal handler context and have the
+atomicio callback called for EINTR too. bz#2434 with contributions from djm
+and jjelen at redhat.com, ok djm@
+
+OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c
+Bug-Debian: https://bugs.debian.org/793412
+Last-Update: 2019-02-08
+
+Patch-Name: sanitize-scp-filenames-via-snmprintf.patch
+
+Ported to Stretch (OpenSSH 7.4) by Yves-Alexis Perez <corsac@debian.org>
+
+CVE-2019-6109
+---
+ atomicio.c | 20 ++++++++++++++-----
+ progressmeter.c | 53 ++++++++++++++++++++++---------------------------
+ progressmeter.h | 3 ++-
+ scp.c | 1 +
+ sftp-client.c | 16 ++++++++-------
+ 5 files changed, 51 insertions(+), 42 deletions(-)
+
+diff --git a/atomicio.c b/atomicio.c
+index f854a06f..d91bd762 100644
+--- a/atomicio.c
++++ b/atomicio.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
++/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2006 Damien Miller. All rights reserved.
+ * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
+@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
+ res = (f) (fd, s + pos, n - pos);
+ switch (res) {
+ case -1:
+- if (errno == EINTR)
++ if (errno == EINTR) {
++ /* possible SIGALARM, update callback */
++ if (cb != NULL && cb(cb_arg, 0) == -1) {
++ errno = EINTR;
++ return pos;
++ }
+ continue;
+- if (errno == EAGAIN || errno == EWOULDBLOCK) {
++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READ_COMPARISON
+ (void)poll(&pfd, 1, -1);
+ #endif
+@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
+ res = (f) (fd, iov, iovcnt);
+ switch (res) {
+ case -1:
+- if (errno == EINTR)
++ if (errno == EINTR) {
++ /* possible SIGALARM, update callback */
++ if (cb != NULL && cb(cb_arg, 0) == -1) {
++ errno = EINTR;
++ return pos;
++ }
+ continue;
+- if (errno == EAGAIN || errno == EWOULDBLOCK) {
++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READV_COMPARISON
+ (void)poll(&pfd, 1, -1);
+ #endif
+diff --git a/progressmeter.c b/progressmeter.c
+index fe9bf52e..add462dd 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
++/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2003 Nils Nordman. All rights reserved.
+ *
+@@ -31,6 +31,7 @@
+
+ #include <errno.h>
+ #include <signal.h>
++#include <stdarg.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <time.h>
+@@ -39,6 +40,7 @@
+ #include "progressmeter.h"
+ #include "atomicio.h"
+ #include "misc.h"
++#include "utf8.h"
+
+ #define DEFAULT_WINSIZE 80
+ #define MAX_WINSIZE 512
+@@ -61,7 +63,7 @@ static void setscreensize(void);
+ void refresh_progress_meter(void);
+
+ /* signal handler for updating the progress meter */
+-static void update_progress_meter(int);
++static void sig_alarm(int);
+
+ static double start; /* start progress */
+ static double last_update; /* last progress update */
+@@ -74,6 +76,7 @@ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ static int win_size; /* terminal window size */
+ static volatile sig_atomic_t win_resized; /* for window resizing */
++static volatile sig_atomic_t alarm_fired;
+
+ /* units for format_size */
+ static const char unit[] = " KMGT";
+@@ -126,9 +129,17 @@ refresh_progress_meter(void)
+ off_t bytes_left;
+ int cur_speed;
+ int hours, minutes, seconds;
+- int i, len;
+ int file_len;
+
++ if ((!alarm_fired && !win_resized) || !can_output())
++ return;
++ alarm_fired = 0;
++
++ if (win_resized) {
++ setscreensize();
++ win_resized = 0;
++ }
++
+ transferred = *counter - (cur_pos ? cur_pos : start_pos);
+ cur_pos = *counter;
+ now = monotime_double();
+@@ -158,16 +169,11 @@ refresh_progress_meter(void)
+
+ /* filename */
+ buf[0] = '\0';
+- file_len = win_size - 35;
++ file_len = win_size - 36;
+ if (file_len > 0) {
+- len = snprintf(buf, file_len + 1, "\r%s", file);
+- if (len < 0)
+- len = 0;
+- if (len >= file_len + 1)
+- len = file_len;
+- for (i = len; i < file_len; i++)
+- buf[i] = ' ';
+- buf[file_len] = '\0';
++ buf[0] = '\r';
++ snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
++ file_len * -1, file);
+ }
+
+ /* percent of transfer done */
+@@ -228,22 +234,11 @@ refresh_progress_meter(void)
+
+ /*ARGSUSED*/
+ static void
+-update_progress_meter(int ignore)
++sig_alarm(int ignore)
+ {
+- int save_errno;
+-
+- save_errno = errno;
+-
+- if (win_resized) {
+- setscreensize();
+- win_resized = 0;
+- }
+- if (can_output())
+- refresh_progress_meter();
+-
+- signal(SIGALRM, update_progress_meter);
++ signal(SIGALRM, sig_alarm);
++ alarm_fired = 1;
+ alarm(UPDATE_INTERVAL);
+- errno = save_errno;
+ }
+
+ void
+@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+ bytes_per_second = 0;
+
+ setscreensize();
+- if (can_output())
+- refresh_progress_meter();
++ refresh_progress_meter();
+
+- signal(SIGALRM, update_progress_meter);
++ signal(SIGALRM, sig_alarm);
+ signal(SIGWINCH, sig_winch);
+ alarm(UPDATE_INTERVAL);
+ }
+@@ -286,6 +280,7 @@ stop_progress_meter(void)
+ static void
+ sig_winch(int sig)
+ {
++ signal(SIGWINCH, sig_winch);
+ win_resized = 1;
+ }
+
+diff --git a/progressmeter.h b/progressmeter.h
+index bf179dca..8f667806 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
++/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2002 Nils Nordman. All rights reserved.
+ *
+@@ -24,4 +24,5 @@
+ */
+
+ void start_progress_meter(const char *, off_t, off_t *);
++void refresh_progress_meter(void);
+ void stop_progress_meter(void);
+diff --git a/scp.c b/scp.c
+index 26099529..e2e16993 100644
+--- a/scp.c
++++ b/scp.c
+@@ -567,6 +567,7 @@ scpio(void *_cnt, size_t s)
+ off_t *cnt = (off_t *)_cnt;
+
+ *cnt += s;
++ refresh_progress_meter();
+ if (limit_kbps > 0)
+ bandwidth_limit(&bwlimit, s);
+ return 0;
+diff --git a/sftp-client.c b/sftp-client.c
+index e65c15c8..3cefbe26 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -94,7 +94,9 @@ sftpio(void *_bwlimit, size_t amount)
+ {
+ struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
+
+- bandwidth_limit(bwlimit, amount);
++ refresh_progress_meter();
++ if (bwlimit != NULL)
++ bandwidth_limit(bwlimit, amount);
+ return 0;
+ }
+
+@@ -114,8 +116,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m)
+ iov[1].iov_base = (u_char *)sshbuf_ptr(m);
+ iov[1].iov_len = sshbuf_len(m);
+
+- if (atomiciov6(writev, conn->fd_out, iov, 2,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
++ if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
+ sshbuf_len(m) + sizeof(mlen))
+ fatal("Couldn't send packet: %s", strerror(errno));
+
+@@ -131,8 +133,8 @@ get_msg(struct sftp_conn *conn, struct sshbuf *m)
+
+ if ((r = sshbuf_reserve(m, 4, &p)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (atomicio6(read, conn->fd_in, p, 4,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
++ if (atomicio6(read, conn->fd_in, p, 4, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
+ if (errno == EPIPE)
+ fatal("Connection closed");
+ else
+@@ -146,8 +148,8 @@ get_msg(struct sftp_conn *conn, struct sshbuf *m)
+
+ if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (atomicio6(read, conn->fd_in, p, msg_len,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
++ if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
+ != msg_len) {
+ if (errno == EPIPE)
+ fatal("Connection closed");
diff --git a/main/openssh/CVE-2019-6111.patch b/main/openssh/CVE-2019-6111.patch
new file mode 100644
index 0000000000..fd4bd054f1
--- /dev/null
+++ b/main/openssh/CVE-2019-6111.patch
@@ -0,0 +1,197 @@
+From e83897f1bff97275e02e9e452d8d5282131128f6 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 26 Jan 2019 22:41:28 +0000
+Subject: upstream: check in scp client that filenames sent during
+
+remote->local directory copies satisfy the wildcard specified by the user.
+
+This checking provides some protection against a malicious server
+sending unexpected filenames, but it comes at a risk of rejecting wanted
+files due to differences between client and server wildcard expansion rules.
+
+For this reason, this also adds a new -T flag to disable the check.
+
+reported by Harry Sintonen
+fix approach suggested by markus@;
+has been in snaps for ~1wk courtesy deraadt@
+
+OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
+Last-Update: 2019-02-08
+
+Patch-Name: check-filenames-in-scp-client.patch
+
+Ported to Stretch (OpenSSH 7.4) by Yves-Alexis Perez <corsac@debian.org>
+
+CVE-2019-6111
+---
+ scp.1 | 17 +++++++++++++----
+ scp.c | 35 +++++++++++++++++++++++++++--------
+ 2 files changed, 40 insertions(+), 12 deletions(-)
+
+diff --git a/scp.1 b/scp.1
+index 4ae87775..695a9cb2 100644
+--- a/scp.1
++++ b/scp.1
+@@ -8,9 +8,9 @@
+ .\"
+ .\" Created: Sun May 7 00:14:37 1995 ylo
+ .\"
+-.\" $OpenBSD: scp.1,v 1.71 2016/07/16 06:57:55 jmc Exp $
++.\" $OpenBSD: scp.1,v 1.85 2019/01/26 22:41:28 djm Exp $
+ .\"
+-.Dd $Mdocdate: July 16 2016 $
++.Dd $Mdocdate: January 26 2019 $
+ .Dt SCP 1
+ .Os
+ .Sh NAME
+@@ -18,8 +18,7 @@
+ .Nd secure copy (remote file copy program)
+ .Sh SYNOPSIS
+ .Nm scp
+-.Bk -words
+-.Op Fl 12346BCpqrv
++.Op Fl 12346BCpqrTv
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+@@ -215,6 +214,16 @@ to use for the encrypted connection.
+ The program must understand
+ .Xr ssh 1
+ options.
++.It Fl T
++Disable strict filename checking.
++By default when copying files from a remote host to a local directory
++.Nm
++checks that the received filenames match those requested on the command-line
++to prevent the remote end from sending unexpected or unwanted files.
++Because of differences in how various operating systems and shells interpret
++filename wildcards, these checks may cause wanted files to be rejected.
++This option disables these checks at the expense of fully trusting that
++the server will not send unexpected filenames.
+ .It Fl v
+ Verbose mode.
+ Causes
+diff --git a/scp.c b/scp.c
+index 2f5a4d46..44b74fa4 100644
+--- a/scp.c
++++ b/scp.c
+@@ -94,6 +94,7 @@
+ #include <dirent.h>
+ #include <errno.h>
+ #include <fcntl.h>
++#include <fnmatch.h>
+ #include <limits.h>
+ #include <locale.h>
+ #include <pwd.h>
+@@ -362,14 +363,14 @@ void verifydir(char *);
+ struct passwd *pwd;
+ uid_t userid;
+ int errs, remin, remout;
+-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
++int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
+
+ #define CMDNEEDS 64
+ char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */
+
+ int response(void);
+ void rsource(char *, struct stat *);
+-void sink(int, char *[]);
++void sink(int, char *[], const char *);
+ void source(int, char *[]);
+ void tolocal(int, char *[]);
+ void toremote(char *, int, char *[]);
+@@ -406,8 +407,8 @@ main(int argc, char **argv)
+ addargs(&args, "-oPermitLocalCommand=no");
+ addargs(&args, "-oClearAllForwardings=yes");
+
+- fflag = tflag = 0;
+- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
++ fflag = Tflag = tflag = 0;
++ while ((ch = getopt(argc, argv, "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1)
+ switch (ch) {
+ /* User-visible flags. */
+ case '1':
+@@ -483,6 +484,9 @@ main(int argc, char **argv)
+ setmode(0, O_BINARY);
+ #endif
+ break;
++ case 'T':
++ Tflag = 1;
++ break;
+ default:
+ usage();
+ }
+@@ -516,7 +520,7 @@ main(int argc, char **argv)
+ }
+ if (tflag) {
+ /* Receive data. */
+- sink(argc, argv);
++ sink(argc, argv, NULL);
+ exit(errs != 0);
+ }
+ if (argc < 2)
+@@ -757,7 +761,7 @@ tolocal(int argc, char **argv)
+ continue;
+ }
+ free(bp);
+- sink(1, argv + argc - 1);
++ sink(1, argv + argc - 1, src);
+ (void) close(remin);
+ remin = remout = -1;
+ }
+@@ -925,7 +929,7 @@ rsource(char *name, struct stat *statp)
+ }
+
+ void
+-sink(int argc, char **argv)
++sink(int argc, char **argv, const char *src)
+ {
+ static BUF buffer;
+ struct stat stb;
+@@ -941,6 +945,7 @@ sink(int argc, char **argv)
+ unsigned long long ull;
+ int setimes, targisdir, wrerrno = 0;
+ char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
++ char *src_copy = NULL, *restrict_pattern = NULL;
+ struct timeval tv[2];
+
+ #define atime tv[0]
+@@ -962,6 +967,17 @@ sink(int argc, char **argv)
+ (void) atomicio(vwrite, remout, "", 1);
+ if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+ targisdir = 1;
++ if (src != NULL && !iamrecursive && !Tflag) {
++ /*
++ * Prepare to try to restrict incoming filenames to match
++ * the requested destination file glob.
++ */
++ if ((src_copy = strdup(src)) == NULL)
++ fatal("strdup failed");
++ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
++ *restrict_pattern++ = '\0';
++ }
++ }
+ for (first = 1;; first = 0) {
+ cp = buf;
+ if (atomicio(read, remin, cp, 1) != 1)
+@@ -1061,6 +1077,9 @@ sink(int argc, char **argv)
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
++ if (restrict_pattern != NULL &&
++ fnmatch(restrict_pattern, cp, 0) != 0)
++ SCREWUP("filename does not match request");
+ if (targisdir) {
+ static char *namebuf;
+ static size_t cursize;
+@@ -1098,7 +1117,7 @@ sink(int argc, char **argv)
+ goto bad;
+ }
+ vect[0] = xstrdup(np);
+- sink(1, vect);
++ sink(1, vect, src);
+ if (setimes) {
+ setimes = 0;
+ if (utimes(vect[0], tv) < 0)
diff --git a/main/openssh/have-progressmeter-force-update-at-beginning-and-end-transfer.patch b/main/openssh/have-progressmeter-force-update-at-beginning-and-end-transfer.patch
new file mode 100644
index 0000000000..2b5d4ee8b2
--- /dev/null
+++ b/main/openssh/have-progressmeter-force-update-at-beginning-and-end-transfer.patch
@@ -0,0 +1,124 @@
+From 177357c62172385f9ccee7fb37b456de22268028 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 24 Jan 2019 16:52:17 +0000
+Subject: upstream: Have progressmeter force an update at the beginning and
+
+end of each transfer. Fixes the problem recently introduces where very quick
+transfers do not display the progressmeter at all. Spotted by naddy@
+
+OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
+Last-Update: 2019-02-08
+
+Patch-Name: have-progressmeter-force-update-at-beginning-and-end-transfer.patch
+
+Ported to Stretch (OpenSSH 7.5) by Yves-Alexis Perez <corsac@debian.org>
+
+Fix a regression introduced by the patch for CVE-2019-6109
+---
+ progressmeter.c | 13 +++++--------
+ progressmeter.h | 4 ++--
+ scp.c | 2 +-
+ sftp-client.c | 2 +-
+ 4 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/progressmeter.c b/progressmeter.c
+index add462dd..e385c125 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
++/* $OpenBSD: progressmeter.c,v 1.47 2019/01/24 16:52:17 dtucker Exp $ */
+ /*
+ * Copyright (c) 2003 Nils Nordman. All rights reserved.
+ *
+@@ -59,9 +59,6 @@ static void format_rate(char *, int, off_t);
+ static void sig_winch(int);
+ static void setscreensize(void);
+
+-/* updates the progressmeter to reflect the current state of the transfer */
+-void refresh_progress_meter(void);
+-
+ /* signal handler for updating the progress meter */
+ static void sig_alarm(int);
+
+@@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t bytes)
+ }
+
+ void
+-refresh_progress_meter(void)
++refresh_progress_meter(int force_update)
+ {
+ char buf[MAX_WINSIZE + 1];
+ off_t transferred;
+@@ -131,7 +128,7 @@ refresh_progress_meter(void)
+ int hours, minutes, seconds;
+ int file_len;
+
+- if ((!alarm_fired && !win_resized) || !can_output())
++ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+ return;
+ alarm_fired = 0;
+
+@@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+ bytes_per_second = 0;
+
+ setscreensize();
+- refresh_progress_meter();
++ refresh_progress_meter(1);
+
+ signal(SIGALRM, sig_alarm);
+ signal(SIGWINCH, sig_winch);
+@@ -271,7 +268,7 @@ stop_progress_meter(void)
+
+ /* Ensure we complete the progress */
+ if (cur_pos != end_pos)
+- refresh_progress_meter();
++ refresh_progress_meter(1);
+
+ atomicio(vwrite, STDOUT_FILENO, "\n", 1);
+ }
+diff --git a/progressmeter.h b/progressmeter.h
+index 8f667806..1703ea75 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
++/* $OpenBSD: progressmeter.h,v 1.5 2019/01/24 16:52:17 dtucker Exp $ */
+ /*
+ * Copyright (c) 2002 Nils Nordman. All rights reserved.
+ *
+@@ -24,5 +24,5 @@
+ */
+
+ void start_progress_meter(const char *, off_t, off_t *);
+-void refresh_progress_meter(void);
++void refresh_progress_meter(int);
+ void stop_progress_meter(void);
+diff --git a/scp.c b/scp.c
+index e2e16993..2f5a4d46 100644
+--- a/scp.c
++++ b/scp.c
+@@ -567,7 +567,7 @@ scpio(void *_cnt, size_t s)
+ off_t *cnt = (off_t *)_cnt;
+
+ *cnt += s;
+- refresh_progress_meter();
++ refresh_progress_meter(0);
+ if (limit_kbps > 0)
+ bandwidth_limit(&bwlimit, s);
+ return 0;
+diff --git a/sftp-client.c b/sftp-client.c
+index 3cefbe26..b4be8cd6 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -94,7 +94,7 @@ sftpio(void *_bwlimit, size_t amount)
+ {
+ struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
+
+- refresh_progress_meter();
++ refresh_progress_meter(0);
+ if (bwlimit != NULL)
+ bandwidth_limit(bwlimit, amount);
+ return 0;
diff --git a/main/openssh/openssh7.4-dynwindows.patch b/main/openssh/openssh7.4-dynwindows.patch
index 45c42159ea..0b5bdb43b5 100644
--- a/main/openssh/openssh7.4-dynwindows.patch
+++ b/main/openssh/openssh7.4-dynwindows.patch
@@ -401,14 +401,15 @@ index 2be290a..453c85e 100644
int len;
for (indx = 0; indx < argc; ++indx) {
-@@ -931,7 +931,7 @@
- off_t size, statbytes;
- unsigned long long ull;
- int setimes, targisdir, wrerrno = 0;
-- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
-+ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
- struct timeval tv[2];
-
+@ -936,7 +936,7 @@ sink(int argc, char **argv, const char *src)
+ off_t size, statbytes;
+ unsigned long long ull;
+ int setimes, targisdir, wrerrno = 0;
+- char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
++ char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
+ char *src_copy = NULL, *restrict_pattern = NULL;
+ struct timeval tv[2];
+
#define atime tv[0]
--- a/servconf.c
+++ b/servconf.c
diff --git a/main/openssh/openssh7.4-peaktput.patch b/main/openssh/openssh7.4-peaktput.patch
index 6fc6140a6e..6483e336d7 100644
--- a/main/openssh/openssh7.4-peaktput.patch
+++ b/main/openssh/openssh7.4-peaktput.patch
@@ -9,14 +9,15 @@
static volatile off_t *counter; /* progress counter */
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
-@@ -128,12 +130,17 @@
+@@ -129,6 +129,7 @@ refresh_progress_meter(int force_update)
+ int cur_speed;
int hours, minutes, seconds;
- int i, len;
int file_len;
+ off_t delta_pos;
- transferred = *counter - (cur_pos ? cur_pos : start_pos);
- cur_pos = *counter;
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+ return;
+@ -144,6 +145,10 @@ refresh_progress_meter(int force_update)
now = monotime_double();
bytes_left = end_pos - cur_pos;
@@ -27,15 +28,15 @@
if (bytes_left > 0)
elapsed = now - last_update;
else {
-@@ -158,7 +165,7 @@
+@@ -168,7 +173,7 @@ refresh_progress_meter(int force_update)
/* filename */
buf[0] = '\0';
-- file_len = win_size - 35;
-+ file_len = win_size - 45;
+- file_len = win_size - 36;
++ file_len = win_size - 46;
if (file_len > 0) {
- len = snprintf(buf, file_len + 1, "\r%s", file);
- if (len < 0)
+ buf[0] = '\r';
+ snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
@@ -188,6 +195,15 @@
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);