diff options
| author | Ariadne Conill <ariadne@dereferenced.org> | 2021-10-05 11:47:38 -0600 |
|---|---|---|
| committer | Ariadne Conill <ariadne@dereferenced.org> | 2021-10-05 11:47:38 -0600 |
| commit | d10d87c0d9c31c3fe062e31ae65e3c05a8b6a060 (patch) | |
| tree | 560c1d70a3f818405caec8ba44945ab42b2addda | |
| parent | be1a3f9d79622d58bdea6fb00d37adb104b8003c (diff) | |
main/openssh: add mitigation for CVE-2021-41617
| -rw-r--r-- | main/openssh/APKBUILD | 7 | ||||
| -rw-r--r-- | main/openssh/CVE-2021-41617.patch | 25 |
2 files changed, 31 insertions, 1 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD index 50432c73aa5..ac9d668e552 100644 --- a/main/openssh/APKBUILD +++ b/main/openssh/APKBUILD @@ -4,7 +4,7 @@ pkgname=openssh pkgver=8.6_p1 _myver=${pkgver%_*}${pkgver#*_} -pkgrel=2 +pkgrel=3 pkgdesc="Port of OpenBSD's free SSH release" url="https://www.openssh.com/portable.html" arch="all" @@ -43,11 +43,15 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$_myver.tar disable-forwarding-by-default.patch fix-verify-dns-segfault.patch + CVE-2021-41617.patch + sshd.initd sshd.confd " # secfixes: +# 8.6_p1-r3: +# - CVE-2021-41617 # 8.5_p1-r0: # - CVE-2021-28041 # 8.4_p1-r0: @@ -249,6 +253,7 @@ f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b33894 c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch 8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d fix-verify-dns-segfault.patch +ee245ce6b6a41fbd135297edfbdf0f91997991f2f21410dce328dc1b8454f2759e2bd7fe57e86dfb452d642684938921e2262866c341641d670d2e4d1b3cabb2 CVE-2021-41617.patch 48f3f2deb2425d77ff60a54f584c19209d9f202efd664a151626f1af77709e85142f4cf2a76c686cf59344b6a7fe5d2b65713e267b083b4b1b7ef905a71fe846 sshd.initd be7dd5f6d319b2e03528525a66a58310d43444606713786b913a17a0fd9311869181d0fb7927a185d71d392674857dea3c97b6b8284886227d47b36193471a09 sshd.confd " diff --git a/main/openssh/CVE-2021-41617.patch b/main/openssh/CVE-2021-41617.patch new file mode 100644 index 00000000000..15d49f2ba04 --- /dev/null +++ b/main/openssh/CVE-2021-41617.patch @@ -0,0 +1,25 @@ +diff --git a/misc.c b/misc.c +index b8d1040d..0134d694 100644 +--- a/misc.c ++++ b/misc.c +@@ -56,6 +56,7 @@ + #ifdef HAVE_PATHS_H + # include <paths.h> + #include <pwd.h> ++#include <grp.h> + #endif + #ifdef SSH_TUN_OPENBSD + #include <net/if.h> +@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command, + } + closefrom(STDERR_FILENO + 1); + ++ if (geteuid() == 0 && ++ initgroups(pw->pw_name, pw->pw_gid) == -1) { ++ error("%s: initgroups(%s, %u): %s", tag, ++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); ++ _exit(1); ++ } + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) { + error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, + strerror(errno)); |