diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index b7b71af99747..59f6b06bd804 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -1,241 +1,241 @@ # Created by: dwcjr@inethouston.net PORTNAME= openssh DISTVERSION= 8.7p1 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH LICENSE= OPENSSH LICENSE_NAME= OpenSSH Licenses LICENSE_FILE= ${WRKSRC}/LICENCE LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-* USES= alias autoreconf compiler:c11 cpe localbase ncurses \ pkgconfig ssl GNU_CONFIGURE= yes CONFIGURE_ARGS= --prefix=${PREFIX} \ --with-ssl-engine \ --with-mantype=man \ --with-Werror ETCOLD= ${PREFIX}/etc CPE_VENDOR= openbsd FLAVORS= default hpn gssapi default_CONFLICTS_INSTALL= openssh-portable-hpn openssh-portable-gssapi \ openssh-portable-x509 hpn_CONFLICTS_INSTALL= openssh-portable openssh-portable-gssapi \ openssh-portable-x509 hpn_PKGNAMESUFFIX= -portable-hpn gssapi_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \ openssh-portable-x509 gssapi_PKGNAMESUFFIX= -portable-gssapi OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \ HPN KERB_GSSAPI \ LDNS NONECIPHER XMSS FIDO_U2F BLACKLISTD OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS FIDO_U2F .if ${FLAVOR:U} == hpn OPTIONS_DEFAULT+= HPN NONECIPHER .endif .if ${FLAVOR:U} == gssapi OPTIONS_DEFAULT+= KERB_GSSAPI MIT .endif OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support BSM_DESC= OpenBSM Auditing KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LDNS_DESC= SSHFP/LDNS support HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) NONECIPHER_DESC= NONE Cipher support XMSS_DESC= XMSS key support (experimental) FIDO_U2F_DESC= FIDO/U2F support (security/libfido2) BLACKLISTD_DESC= FreeBSD blacklistd(8) support OPTIONS_SUB= yes TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} LDNS_LIB_DEPENDS= libldns.so:dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal PAM_CONFIGURE_WITH= pam TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers LIBEDIT_CONFIGURE_WITH= libedit LIBEDIT_USES= libedit BSM_CONFIGURE_ON= --with-audit=bsm FIDO_U2F_LIB_DEPENDS= libfido2.so:security/libfido2 FIDO_U2F_CONFIGURE_ON= --with-security-key-builtin FIDO_U2F_CONFIGURE_OFF= --disable-security-key # Until https://reviews.freebsd.org/D27289 is committed FIDO_U2F_EXTRA_PATCHES= ${FILESDIR}/extra-patch-libfido2-configure.ac BLACKLISTD_EXTRA_PATCHES= ${FILESDIR}/extra-patch-blacklistd ETCDIR?= ${PREFIX}/etc/ssh .include PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to # pull from. GSSAPI_DEBIAN_SUBDIR= ${DISTVERSION}-2 # - Debian does not use a versioned filename so we trick fetch to make one for # us with the ?=/ trick. PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex # Bump this when updating the patch location GSSAPI_UPDATE_DATE= 20200607 PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c .endif .if ${PORT_OPTIONS:MBLACKLISTD} CONFIGURE_LIBS+= -lblacklist .endif # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} #BROKEN= HPN: Not yet updated for ${DISTVERSION} yet. PORTDOCS+= HPN-README HPN_VERSION= 14v15 HPN_DISTVERSION= 7.7p1 #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER} # Apply compatibility patch EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat .endif CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog # Keep this last EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base .endif .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} . if ${PORT_OPTIONS:MHEIMDAL_BASE} CONFIGURE_LIBS+= -lgssapi_krb5 CONFIGURE_ARGS+= --with-kerberos5=/usr . else CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} . endif . if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty . endif .else . if ${PORT_OPTIONS:MKERB_GSSAPI} IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE . endif .endif .if ${OPENSSLBASE} != "/usr" CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif EMPTYDIR= /var/empty USE_RC_SUBR= openssh # After all CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR} .if !empty(CONFIGURE_LIBS) CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' .endif CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} CFLAGS+= ${CFLAGS_${CHOSEN_COMPILER_TYPE}} CFLAGS_gcc= -Wno-stringop-truncation -Wno-stringop-overflow SSH_ASKPASS_PATH?= ${LOCALBASE}/bin/ssh-askpass post-patch: @${REINPLACE_CMD} \ -e 's|install: \(.*\) host-key check-config|install: \1|g' \ ${WRKSRC}/Makefile.in @${REINPLACE_CMD} \ -e 's|$$[{(]libexecdir[})]/ssh-askpass|${SSH_ASKPASS_PATH}|' \ ${WRKSRC}/Makefile.in ${WRKSRC}/configure.ac @${REINPLACE_CMD} \ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config @${REINPLACE_CMD} \ -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config.5 @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ ${WRKSRC}/version.h post-configure-XMSS-on: @${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h post-configure-BLACKLISTD-on: @${ECHO_CMD} "#define USE_BLACKLIST 1" >> ${WRKSRC}/config.h post-install: ${MV} ${STAGEDIR}${ETCDIR}/moduli \ ${STAGEDIR}${ETCDIR}/moduli.sample ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ ${STAGEDIR}${ETCDIR}/ssh_config.sample ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ ${STAGEDIR}${ETCDIR}/sshd_config.sample .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} ${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} .endif test: build cd ${WRKSRC} && ${SETENV} -i \ OBJ=${WRKDIR} ${MAKE_ENV:NHOME=*} \ TEST_SHELL=${SH} \ SUDO="${SUDO}" \ LOGNAME="${LOGNAME}" \ HOME="${HOME}" \ TEST_SSH_TRACE=yes \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests .include diff --git a/security/openssh-portable/files/patch-CVE-2021-41617-bf944e3794eff5413f2df1ef37cddf96918c6bde b/security/openssh-portable/files/patch-CVE-2021-41617-bf944e3794eff5413f2df1ef37cddf96918c6bde new file mode 100644 index 000000000000..f8d2ccbc2605 --- /dev/null +++ b/security/openssh-portable/files/patch-CVE-2021-41617-bf944e3794eff5413f2df1ef37cddf96918c6bde @@ -0,0 +1,18 @@ +commit bf944e3794eff5413f2df1ef37cddf96918c6bde +Author: Damien Miller +Date: Mon Sep 27 00:03:19 2021 +1000 + + initgroups needs grp.h + +diff --git misc.c misc.c +index d94438da6..0134d6949 100644 +--- misc.c ++++ misc.c +@@ -56,6 +56,7 @@ + #ifdef HAVE_PATHS_H + # include + #include ++#include + #endif + #ifdef SSH_TUN_OPENBSD + #include diff --git a/security/openssh-portable/files/patch-CVE-2021-41617-f3cbe43e28fe71427d41cfe3a17125b972710455 b/security/openssh-portable/files/patch-CVE-2021-41617-f3cbe43e28fe71427d41cfe3a17125b972710455 new file mode 100644 index 000000000000..0662cee96811 --- /dev/null +++ b/security/openssh-portable/files/patch-CVE-2021-41617-f3cbe43e28fe71427d41cfe3a17125b972710455 @@ -0,0 +1,33 @@ +commit f3cbe43e28fe71427d41cfe3a17125b972710455 +Author: djm@openbsd.org +Date: Sun Sep 26 14:01:03 2021 +0000 + + upstream: need initgroups() before setresgid(); reported by anton@, + + ok deraadt@ + + OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce + +diff --git misc.c misc.c +index b8d1040d1..d94438da6 100644 +--- misc.c ++++ misc.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */ ++/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2005-2020 Damien Miller. All rights reserved. +@@ -2695,6 +2695,12 @@ subprocess(const char *tag, const char *command, + } + closefrom(STDERR_FILENO + 1); + ++ if (geteuid() == 0 && ++ initgroups(pw->pw_name, pw->pw_gid) == -1) { ++ error("%s: initgroups(%s, %u): %s", tag, ++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); ++ _exit(1); ++ } + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) { + error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, + strerror(errno));