aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAriadne Conill <ariadne@dereferenced.org>2021-10-05 11:47:38 -0600
committerAriadne Conill <ariadne@dereferenced.org>2021-10-05 11:47:38 -0600
commitd10d87c0d9c31c3fe062e31ae65e3c05a8b6a060 (patch)
tree560c1d70a3f818405caec8ba44945ab42b2addda
parentbe1a3f9d79622d58bdea6fb00d37adb104b8003c (diff)
downloadaports-d10d87c0d9c31c3fe062e31ae65e3c05a8b6a060.tar.gz
aports-d10d87c0d9c31c3fe062e31ae65e3c05a8b6a060.tar.bz2
aports-d10d87c0d9c31c3fe062e31ae65e3c05a8b6a060.tar.xz
main/openssh: add mitigation for CVE-2021-41617
-rw-r--r--main/openssh/APKBUILD7
-rw-r--r--main/openssh/CVE-2021-41617.patch25
2 files changed, 31 insertions, 1 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 50432c73aa..ac9d668e55 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
pkgname=openssh
pkgver=8.6_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=2
+pkgrel=3
pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.com/portable.html"
arch="all"
@@ -43,11 +43,15 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar
disable-forwarding-by-default.patch
fix-verify-dns-segfault.patch
+ CVE-2021-41617.patch
+
sshd.initd
sshd.confd
"
# secfixes:
+# 8.6_p1-r3:
+# - CVE-2021-41617
# 8.5_p1-r0:
# - CVE-2021-28041
# 8.4_p1-r0:
@@ -249,6 +253,7 @@ f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b33894
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch
b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d fix-verify-dns-segfault.patch
+ee245ce6b6a41fbd135297edfbdf0f91997991f2f21410dce328dc1b8454f2759e2bd7fe57e86dfb452d642684938921e2262866c341641d670d2e4d1b3cabb2 CVE-2021-41617.patch
48f3f2deb2425d77ff60a54f584c19209d9f202efd664a151626f1af77709e85142f4cf2a76c686cf59344b6a7fe5d2b65713e267b083b4b1b7ef905a71fe846 sshd.initd
be7dd5f6d319b2e03528525a66a58310d43444606713786b913a17a0fd9311869181d0fb7927a185d71d392674857dea3c97b6b8284886227d47b36193471a09 sshd.confd
"
diff --git a/main/openssh/CVE-2021-41617.patch b/main/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..15d49f2ba0
--- /dev/null
+++ b/main/openssh/CVE-2021-41617.patch
@@ -0,0 +1,25 @@
+diff --git a/misc.c b/misc.c
+index b8d1040d..0134d694 100644
+--- a/misc.c
++++ b/misc.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #include <pwd.h>
++#include <grp.h>
+ #endif
+ #ifdef SSH_TUN_OPENBSD
+ #include <net/if.h>
+@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
+ }
+ closefrom(STDERR_FILENO + 1);
+
++ if (geteuid() == 0 &&
++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
++ error("%s: initgroups(%s, %u): %s", tag,
++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++ _exit(1);
++ }
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+ strerror(errno));