nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-25 00:12:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

openssh_gssapi: 8.4p1 -> 9.0p1

Browse Source 
Fixes https://github.com/NixOS/nixpkgs/issues/142999, CVE-2021-28041, CVE-2021-41617, CVE-2016-20012

@moduon MT-904
This commit is contained in:
Jairo Llopis 2022-07-06 10:34:30 +01:00
parent 8ef7523c8e
commit da4c6be018
No known key found for this signature in database
GPG Key ID: E47E3BE44B940490
3 changed files with 5 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
pkgs/tools/networking/openssh/default.nix
View File

@ -47,32 +47,24 @@ in
openssh_gssapi = common rec {
pname = "openssh-with-gssapi";
version = "8.4p1";
version = "9.0p1";
extraDesc = " with GSSAPI support";
src = fetchurl {
url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
sha256 = "091b3pxdlj47scxx6kkf4agkx8c8sdacdxx8m1dw1cby80pd40as";
sha256 = "12m2f9czvgmi7akp7xah6y7mrrpi280a3ksk47iwr7hy2q1475q3";
};
extraPatches = [
./ssh-keysign-8.4.patch
# See https://github.com/openssh/openssh-portable/pull/206
./ssh-copy-id-fix-eof.patch
./ssh-keysign-8.5.patch
(fetchpatch {
name = "openssh-gssapi.patch";
url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-2/debian/patches/gssapi.patch";
sha256 = "1z1ckzimlkm1dmr9f5fqjnjg28gsqcwx6xka0klak857548d2lp2";
url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-1/debian/patches/gssapi.patch";
sha256 = "sha256-VG7+2dfu09nvHWuSAB6sLGMmjRCDCysl/9FR1WSF21k=";
})
];
extraNativeBuildInputs = [ autoreconfHook ];
extraMeta.knownVulnerabilities = [
"CVE-2021-28041"
"CVE-2021-41617"
];
};
}

21
pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch
View File

@ -1,21 +0,0 @@
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 392f64f..a769077 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -247,7 +247,7 @@ installkeys_sh() {
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
# the cat adds the keys we're getting via STDIN
# and if available restorecon is used to restore the SELinux context
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
cd;
umask 077;
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
@@ -258,6 +258,7 @@ installkeys_sh() {
restorecon -F .ssh ${AUTH_KEY_FILE};
fi
EOF
+ )
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"

29
pkgs/tools/networking/openssh/ssh-keysign-8.4.patch
View File

@ -1,29 +0,0 @@
diff --git a/pathnames.h b/pathnames.h
index cb44caa4..354fdf05 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -124,7 +124,7 @@
/* Location of ssh-keysign for hostbased authentication */
#ifndef _PATH_SSH_KEY_SIGN
-#define _PATH_SSH_KEY_SIGN "/usr/libexec/ssh-keysign"
+#define _PATH_SSH_KEY_SIGN "ssh-keysign"
#endif
/* Location of ssh-pkcs11-helper to support keys in tokens */
diff --git a/sshconnect2.c b/sshconnect2.c
index dffee90b..e9a86e59 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1879,7 +1879,7 @@ ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
closefrom(sock + 1);
debug3("%s: [child] pid=%ld, exec %s",
__func__, (long)getpid(), _PATH_SSH_KEY_SIGN);
- execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
+ execlp(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
fatal("%s: exec(%s): %s", __func__, _PATH_SSH_KEY_SIGN,
strerror(errno));
}
--
2.22.0