
Bug#882061: jessie-pu: package openssh/1:6.7p1-5+deb8u4



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

This is the jessie version of #865986.  The WinSCP change isn't
applicable to jessie, but the fixes for #865770 and #873201 are.

I had to do some minor git surgery to integrate the previous security
updates into git-dpm's view of the world (including changing one patch
to have a proper name rather than an automatically-generated one);
apologies for the resulting noise, but I think it's still short enough
to be reasonably reviewable.  I ran the "git-dpm update-patches" step in
a jessie chroot to avoid further noise from patches generated by
different git versions.

diff -Nru openssh-6.7p1/debian/.git-dpm openssh-6.7p1/debian/.git-dpm
--- openssh-6.7p1/debian/.git-dpm	2016-04-14 18:53:01.000000000 +0100
+++ openssh-6.7p1/debian/.git-dpm	2017-11-18 10:52:00.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-d6139ee6bbf3bda83ebefc73d8079d0897488d1d
-d6139ee6bbf3bda83ebefc73d8079d0897488d1d
+1ec1d66c12c333a99a10d399b5f47e5636d2bcff
+1ec1d66c12c333a99a10d399b5f47e5636d2bcff
 487bdb3a5ef6075887b830ccb8a0b14f6da78e93
 487bdb3a5ef6075887b830ccb8a0b14f6da78e93
 openssh_6.7p1.orig.tar.gz
diff -Nru openssh-6.7p1/debian/changelog openssh-6.7p1/debian/changelog
--- openssh-6.7p1/debian/changelog	2016-07-22 18:22:20.000000000 +0100
+++ openssh-6.7p1/debian/changelog	2017-11-18 10:56:29.000000000 +0000
@@ -1,3 +1,12 @@
+openssh (1:6.7p1-5+deb8u4) jessie; urgency=medium
+
+  * Test configuration before starting or reloading sshd under systemd
+    (closes: #865770).
+  * Make "--" before the hostname terminate argument processing after the
+    hostname too (closes: #873201).
+
+ -- Colin Watson <cjwatson@debian.org>  Sat, 18 Nov 2017 10:56:29 +0000
+
 openssh (1:6.7p1-5+deb8u3) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru openssh-6.7p1/debian/openssh-server.ssh.service openssh-6.7p1/debian/openssh-server.ssh.service
--- openssh-6.7p1/debian/openssh-server.ssh.service	2016-04-14 18:53:01.000000000 +0100
+++ openssh-6.7p1/debian/openssh-server.ssh.service	2017-11-18 10:52:00.000000000 +0000
@@ -5,7 +5,9 @@
 
 [Service]
 EnvironmentFile=-/etc/default/ssh
+ExecStartPre=/usr/sbin/sshd -t
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/usr/sbin/sshd -t
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
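Review bot: The added `ExecStartPre=/usr/sbin/sshd -t` and `ExecReload=/usr/sbin/sshd -t` lines run the configuration test without `$SSHD_OPTS`, while `ExecStart` passes it. If an administrator sets a different config file or option overrides in /etc/default/ssh, the test validates a different configuration from the one the daemon loads, so a broken effective configuration can pass the check, or a valid one can be blocked by an unused default file. Consider `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS` and `ExecReload=/usr/sbin/sshd -t $SSHD_OPTS`, after confirming that the options commonly placed in that variable are accepted in test mode. The same applies to the identical hunk in debian/systemd/ssh.service.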
diff -Nru openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch
--- openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch	2016-04-14 18:53:01.000000000 +0100
+++ openssh-6.7p1/debian/patches/0030-disable-roaming-in-ssh-client.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,36 +0,0 @@
-From d6139ee6bbf3bda83ebefc73d8079d0897488d1d Mon Sep 17 00:00:00 2001
-From: Yves-Alexis Perez <corsac@debian.org>
-Date: Tue, 12 Jan 2016 17:14:33 -0800
-Subject: disable roaming in ssh client
-
-SSH roaming implementation in openssh client is vulnerable to an
-information leak (CVE-2016-0777) and heap-based buffer overflow
-(CVE-2016-0778). The information leak is somehow attacker-controller,
-and it is for example possible to extract the ssh client private keys.
----
- readconf.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/readconf.c b/readconf.c
-index 29338b6..337d914 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -1640,7 +1640,7 @@ initialize_options(Options * options)
- 	options->tun_remote = -1;
- 	options->local_command = NULL;
- 	options->permit_local_command = -1;
--	options->use_roaming = -1;
-+	options->use_roaming = 0;
- 	options->visual_host_key = -1;
- 	options->ip_qos_interactive = -1;
- 	options->ip_qos_bulk = -1;
-@@ -1822,8 +1822,7 @@ fill_default_options(Options * options)
- 		options->tun_remote = SSH_TUNID_ANY;
- 	if (options->permit_local_command == -1)
- 		options->permit_local_command = 0;
--	if (options->use_roaming == -1)
--		options->use_roaming = 1;
-+	options->use_roaming = 0;
- 	if (options->visual_host_key == -1)
- 		options->visual_host_key = 0;
- 	if (options->ip_qos_interactive == -1)
diff -Nru openssh-6.7p1/debian/patches/CVE-2015-8325.patch openssh-6.7p1/debian/patches/CVE-2015-8325.patch
--- openssh-6.7p1/debian/patches/CVE-2015-8325.patch	2016-04-14 18:53:01.000000000 +0100
+++ openssh-6.7p1/debian/patches/CVE-2015-8325.patch	2017-11-18 10:52:00.000000000 +0000
@@ -1,7 +1,7 @@
-From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
+From df02ed53cf4f3df6ef0bba7fd271d72360b19b0a Mon Sep 17 00:00:00 2001
 From: Damien Miller <djm@mindrot.org>
 Date: Wed, 13 Apr 2016 10:39:57 +1000
-Subject: [PATCH] ignore PAM environment vars when UseLogin=yes
+Subject: ignore PAM environment vars when UseLogin=yes
 
 If PAM is configured to read user-specified environment variables
 and UseLogin=yes in sshd_config, then a hostile local user may
@@ -9,13 +9,17 @@
 set via PAM.
 
 CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
+
+Patch-Name: CVE-2015-8325.patch
 ---
  session.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
+diff --git a/session.c b/session.c
+index 6250c20..e341512 100644
 --- a/session.c
 +++ b/session.c
-@@ -1301,7 +1301,7 @@ do_setup_env(Session *s, const char *she
+@@ -1301,7 +1301,7 @@ do_setup_env(Session *s, const char *shell)
  	 * Pull in any environment variables that may have
  	 * been set by PAM.
  	 */
diff -Nru openssh-6.7p1/debian/patches/CVE-2016-6210-1.patch openssh-6.7p1/debian/patches/CVE-2016-6210-1.patch
--- openssh-6.7p1/debian/patches/CVE-2016-6210-1.patch	2016-07-22 18:20:48.000000000 +0100
+++ openssh-6.7p1/debian/patches/CVE-2016-6210-1.patch	2017-11-18 10:52:00.000000000 +0000
@@ -1,4 +1,4 @@
-From 9286875a73b2de7736b5e50692739d314cd8d9dc Mon Sep 17 00:00:00 2001
+From 3f40a5c09c405270a7f118855cc959dc8beac835 Mon Sep 17 00:00:00 2001
 From: Darren Tucker <dtucker@zip.com.au>
 Date: Fri, 15 Jul 2016 13:32:45 +1000
 Subject: Determine appropriate salt for invalid users.
@@ -14,6 +14,8 @@
 
 To mitigate, use the same hash algorithm that root uses for hashing
 passwords for users that do not exist on the system.  ok djm@
+
+Patch-Name: CVE-2016-6210-1.patch
 ---
  auth-passwd.c           | 12 ++++++++----
  openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++
@@ -50,7 +52,7 @@
  	/*
  	 * Authentication is accepted if the encrypted passwords
 diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
-index 8577cbd..8913bb8 100644
+index c8aea46..53cb9c8 100644
 --- a/openbsd-compat/xcrypt.c
 +++ b/openbsd-compat/xcrypt.c
 @@ -25,6 +25,7 @@
@@ -106,6 +108,3 @@
  # ifdef HAVE_MD5_PASSWORDS
          if (is_md5_salt(salt))
                  crypted = md5_crypt(password, salt);
--- 
-cgit v0.12
-
diff -Nru openssh-6.7p1/debian/patches/CVE-2016-6210-2.patch openssh-6.7p1/debian/patches/CVE-2016-6210-2.patch
--- openssh-6.7p1/debian/patches/CVE-2016-6210-2.patch	2016-07-22 18:20:48.000000000 +0100
+++ openssh-6.7p1/debian/patches/CVE-2016-6210-2.patch	2017-11-18 10:52:00.000000000 +0000
@@ -1,4 +1,4 @@
-From 283b97ff33ea2c641161950849931bd578de6946 Mon Sep 17 00:00:00 2001
+From 0be96ff6eb447fb8b249c54211fd2f637ba1a989 Mon Sep 17 00:00:00 2001
 From: Darren Tucker <dtucker@zip.com.au>
 Date: Fri, 15 Jul 2016 13:49:44 +1000
 Subject: Mitigate timing of disallowed users PAM logins.
@@ -12,12 +12,14 @@
 Mitigate by constructing an invalid password that is the same length
 as the one from the client and thus takes the same time to hash.
 Diff from djm@
+
+Patch-Name: CVE-2016-6210-2.patch
 ---
  auth-pam.c | 35 +++++++++++++++++++++++++++++++----
  1 file changed, 31 insertions(+), 4 deletions(-)
 
 diff --git a/auth-pam.c b/auth-pam.c
-index 451de78..465b5a7 100644
+index d789bad..55cd77a 100644
 --- a/auth-pam.c
 +++ b/auth-pam.c
 @@ -231,7 +231,6 @@ static int sshpam_account_status = -1;
@@ -103,6 +105,3 @@
  	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
  		debug("PAM: password authentication accepted for %.100s",
  		    authctxt->user);
--- 
-cgit v0.12
-
diff -Nru openssh-6.7p1/debian/patches/CVE-2016-6210-3.patch openssh-6.7p1/debian/patches/CVE-2016-6210-3.patch
--- openssh-6.7p1/debian/patches/CVE-2016-6210-3.patch	2016-07-22 18:20:48.000000000 +0100
+++ openssh-6.7p1/debian/patches/CVE-2016-6210-3.patch	2017-11-18 10:52:00.000000000 +0000
@@ -1,4 +1,4 @@
-From dbf788b4d9d9490a5fff08a7b09888272bb10fcc Mon Sep 17 00:00:00 2001
+From 625547cd45e339b60949dd79d4692ac76fc457a0 Mon Sep 17 00:00:00 2001
 From: Darren Tucker <dtucker@zip.com.au>
 Date: Thu, 21 Jul 2016 14:17:31 +1000
 Subject: Search users for one with a valid salt.
@@ -6,12 +6,14 @@
 If the root account is locked (eg password "!!" or "*LK*") keep looking
 until we find a user with a valid salt to use for crypting passwords of
 invalid users.  ok djm@
+
+Patch-Name: CVE-2016-6210-3.patch
 ---
  openbsd-compat/xcrypt.c | 24 +++++++++++++++---------
  1 file changed, 15 insertions(+), 9 deletions(-)
 
 diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
-index 8913bb8..cf6a9b9 100644
+index 53cb9c8..7a72345 100644
 --- a/openbsd-compat/xcrypt.c
 +++ b/openbsd-compat/xcrypt.c
 @@ -65,7 +65,9 @@
@@ -52,6 +54,3 @@
  	return salt;
  }
  
--- 
-cgit v0.12
-
diff -Nru openssh-6.7p1/debian/patches/dash-dash-before-hostname.patch openssh-6.7p1/debian/patches/dash-dash-before-hostname.patch
--- openssh-6.7p1/debian/patches/dash-dash-before-hostname.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-6.7p1/debian/patches/dash-dash-before-hostname.patch	2017-11-18 10:52:00.000000000 +0000
@@ -0,0 +1,63 @@
+From 1ec1d66c12c333a99a10d399b5f47e5636d2bcff Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 12 Aug 2017 06:46:01 +0000
+Subject: Make "--" before hostname end option processing
+
+make "--" before the hostname terminate command-line
+option processing completely; previous behaviour would not prevent further
+options appearing after the hostname (ssh has a supported options after the
+hostname for >20 years, so that's too late to change).
+
+ok deraadt@
+
+Upstream-ID: ef5ee50571b98ad94dcdf8282204e877ec88ad89
+
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=643c2ad82910691b2240551ea8b14472f60b5078
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2766
+Bug-Debian: https://bugs.debian.org/873201
+Last-Update: 2017-11-18
+
+Patch-Name: dash-dash-before-hostname.patch
+---
+ ssh.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 5bce695..9d70230 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -414,13 +414,13 @@ process_config_files(struct passwd *pw)
+ int
+ main(int ac, char **av)
+ {
+-	int i, r, opt, exit_status, use_syslog;
++	int i, r, opt, exit_status, use_syslog, timeout_ms;
++	int opt_terminated = 0;
+ 	char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile;
+ 	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
+ 	char cname[NI_MAXHOST];
+ 	struct stat st;
+ 	struct passwd *pw;
+-	int timeout_ms;
+ 	extern int optind, optreset;
+ 	extern char *optarg;
+ 	struct Forward fwd;
+@@ -813,6 +813,9 @@ main(int ac, char **av)
+ 		}
+ 	}
+ 
++	if (optind > 1 && strcmp(av[optind - 1], "--") == 0)
++		opt_terminated = 1;
++
+ 	ac -= optind;
+ 	av += optind;
+ 
+@@ -827,7 +830,7 @@ main(int ac, char **av)
+ 			host = xstrdup(++cp);
+ 		} else
+ 			host = xstrdup(*av);
+-		if (ac > 1) {
++		if (ac > 1 && !opt_terminated) {
+ 			optind = optreset = 1;
+ 			goto again;
+ 		}
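Review bot: The new check `strcmp(av[optind - 1], "--") == 0` in main() infers that option parsing was terminated from the text of the last consumed argument, and nothing in the patch documents that heuristic. As far as the visible lines show, it would also match when the final option's argument is itself the literal string `--`; that only errs towards parsing fewer options after the hostname, but it is worth recording. I would add a comment above the test such as `/* "--" right before the host ends option parsing for good; an option argument that is literally "--" also matches, which only disables the post-hostname pass */`. main() starts and continues outside these hunks, so the `again:` label and getopt loop that this flag guards are not visible here.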
diff -Nru openssh-6.7p1/debian/patches/disable-roaming.patch openssh-6.7p1/debian/patches/disable-roaming.patch
--- openssh-6.7p1/debian/patches/disable-roaming.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-6.7p1/debian/patches/disable-roaming.patch	2017-11-18 10:52:00.000000000 +0000
@@ -0,0 +1,38 @@
+From beb5d60922b914b095b75b1ce30196062e574d87 Mon Sep 17 00:00:00 2001
+From: Yves-Alexis Perez <corsac@debian.org>
+Date: Tue, 12 Jan 2016 17:14:33 -0800
+Subject: disable roaming in ssh client
+
+SSH roaming implementation in openssh client is vulnerable to an
+information leak (CVE-2016-0777) and heap-based buffer overflow
+(CVE-2016-0778). The information leak is somehow attacker-controller,
+and it is for example possible to extract the ssh client private keys.
+
+Patch-Name: disable-roaming.patch
+---
+ readconf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 29338b6..337d914 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1640,7 +1640,7 @@ initialize_options(Options * options)
+ 	options->tun_remote = -1;
+ 	options->local_command = NULL;
+ 	options->permit_local_command = -1;
+-	options->use_roaming = -1;
++	options->use_roaming = 0;
+ 	options->visual_host_key = -1;
+ 	options->ip_qos_interactive = -1;
+ 	options->ip_qos_bulk = -1;
+@@ -1822,8 +1822,7 @@ fill_default_options(Options * options)
+ 		options->tun_remote = SSH_TUNID_ANY;
+ 	if (options->permit_local_command == -1)
+ 		options->permit_local_command = 0;
+-	if (options->use_roaming == -1)
+-		options->use_roaming = 1;
++	options->use_roaming = 0;
+ 	if (options->visual_host_key == -1)
+ 		options->visual_host_key = 0;
+ 	if (options->ip_qos_interactive == -1)
diff -Nru openssh-6.7p1/debian/patches/series openssh-6.7p1/debian/patches/series
--- openssh-6.7p1/debian/patches/series	2016-07-22 18:20:48.000000000 +0100
+++ openssh-6.7p1/debian/patches/series	2017-11-18 10:52:00.000000000 +0000
@@ -27,8 +27,9 @@
 gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
-0030-disable-roaming-in-ssh-client.patch
+disable-roaming.patch
 CVE-2015-8325.patch
 CVE-2016-6210-1.patch
 CVE-2016-6210-2.patch
 CVE-2016-6210-3.patch
+dash-dash-before-hostname.patch
diff -Nru openssh-6.7p1/debian/systemd/ssh.service openssh-6.7p1/debian/systemd/ssh.service
--- openssh-6.7p1/debian/systemd/ssh.service	2016-04-14 18:53:01.000000000 +0100
+++ openssh-6.7p1/debian/systemd/ssh.service	2017-11-18 10:52:00.000000000 +0000
@@ -5,7 +5,9 @@
 
 [Service]
 EnvironmentFile=-/etc/default/ssh
+ExecStartPre=/usr/sbin/sshd -t
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/usr/sbin/sshd -t
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

