Diffstat (limited to 'security/openssh-portable')
-rw-r--r-- | security/openssh-portable/Makefile | 9 | ||||
-rw-r--r-- | security/openssh-portable/distinfo | 6 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-uidswap.c | 57 |
3 files changed, 64 insertions, 8 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 7717b82b4f34..842355156ecd 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -1,6 +1,6 @@
 PORTNAME= openssh
 DISTVERSION= 10.0p1
-PORTREVISION= 0
+PORTREVISION= 2
 PORTEPOCH= 1
 CATEGORIES= security
 MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -101,20 +101,19 @@ PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,hpn,gsskex
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI} || ${FLAVOR:U} == gssapi
-BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet.
 . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue
 . endif
 # - See https://sources.debian.org/data/main/o/openssh/ for which subdir to
 # pull from.
-GSSAPI_DEBIAN_VERSION= 9.9p2
-GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-1
+GSSAPI_DEBIAN_VERSION= 10.0p1
+GSSAPI_DEBIAN_SUBDIR= ${GSSAPI_DEBIAN_VERSION:U${DISTVERSION}}-5
 # - Debian does not use a versioned filename so we trick fetch to make one for
 # us with the ?<anything>=/ trick.
 PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_SUBDIR}/debian/patches/gssapi.patch?dummy=/:gsskex
 # Bump this when updating the patch location
-GSSAPI_DISTVERSION= 9.9p1
+GSSAPI_DISTVERSION= 10.0p1
 PATCHFILES+= openssh-${GSSAPI_DISTVERSION:U${DISTVERSION}}-gsskex-all-debian-rh-${GSSAPI_DISTVERSION}.patch:-p1:gsskex
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgssc.c
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-kexgsss.c
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 613aa094758a..e011b5271ca0 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1744346816
+TIMESTAMP = 1747920014
 SHA256 (openssh-10.0p1.tar.gz) = 021a2e709a0edf4250b1256bd5a9e500411a90dddabea830ed59cef90eb9d85c
 SIZE (openssh-10.0p1.tar.gz) = 1972675
-SHA256 (openssh-9.9p1-gsskex-all-debian-rh-9.9p1.patch) = b8b590024137d54394fd46ebfe32f2b081d0744abdcdcacf6dd30d1c91339864
-SIZE (openssh-9.9p1-gsskex-all-debian-rh-9.9p1.patch) = 125233
+SHA256 (openssh-10.0p1-gsskex-all-debian-rh-10.0p1.patch) = 6749430c148dacf41b396c0f7a107526e6030379ccd4f57f407993748d4a5912
+SIZE (openssh-10.0p1-gsskex-all-debian-rh-10.0p1.patch) = 126360
diff --git a/security/openssh-portable/files/patch-uidswap.c b/security/openssh-portable/files/patch-uidswap.c
new file mode 100644
index 000000000000..b906d1d67480
--- /dev/null
+++ b/security/openssh-portable/files/patch-uidswap.c
@@ -0,0 +1,57 @@
+commit 239e8c98636a7578cc67a6f9d54d14c71b095e36
+Author: Kyle Evans <kevans@FreeBSD.org>
+Date: Sat Aug 9 11:01:57 2025 -0500
+
+ ssh: sshd-session: properly save off the privileged gid
+
+ Current and traditional FreeBSD behavior means that getegid() here is
+ the first element in the prior setgroups() call, if any, so we may
+ inadvertently wipe out our rgid with the unprivileged gid. This is
+ rendered somewhat harmless by the fact that we're losing the privileged
+ gid -- we'll still regain it as the egid in restore_uid() later by way
+ of restoring saved_egroups, rather than by intentionally restoring it
+ from getgid().
+
+ This will be promptly reverted if we can get setgroups(2)/getgroups(2)
+ changed in FreeBSD 15.0, but it seemed wise to get this technically
+ correct for previous branches.
+
+ Reviewed by: jlduran
+ Differential Revision: https://reviews.freebsd.org/D51753
+
+diff --git uidswap.c uidswap.c
+index 6ed3024d0180..0143f4994611 100644
+--- uidswap.c
++++ uidswap.c
+@@ -14,6 +14,10 @@
+ 
+ #include "includes.h"
+ 
++#ifdef __FreeBSD__
++#include <sys/param.h>
++#include <assert.h>
++#endif
+ #include <errno.h>
+ #include <pwd.h>
+ #include <string.h>
+@@ -121,8 +124,20 @@ temporarily_use_uid(struct passwd *pw)
+ fatal("setgroups: %.100s", strerror(errno));
+ #ifndef SAVED_IDS_WORK_WITH_SETEUID
+ /* Propagate the privileged gid to all of our gids. */
++#if defined(__FreeBSD__) && __FreeBSD_version < 1500061
++ /*
++ * FreeBSD traditionally includes the egid as the first element. If we
++ * use getegid() here then we effectively propagate user_groups[0],
++ * which is probably pw->pw_gid. Fix it to work as intended by using
++ * the egid we already have stashed off.
++ */
++ assert(saved_egroupslen > 0);
++ if (setgid(saved_egroups[0]) == -1)
++ debug("setgid %u: %.100s", (u_int) saved_egroups[0], strerror(errno));
++#else
+ if (setgid(getegid()) == -1)
+ debug("setgid %u: %.100s", (u_int) getegid(), strerror(errno));
++#endif
+ /* Propagate the privileged uid to all of our uids. */
+ if (setuid(geteuid()) == -1)
+ debug("setuid %u: %.100s", (u_int) geteuid(), strerror(errno));
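Review bot: The guard on `saved_egroups[0]` in the FreeBSD-specific branch of the second embedded hunk is an `assert()`, which is compiled out under `NDEBUG` and then leaves that index unchecked whenever `saved_egroupslen` is not positive; in a uid/gid-switching path of sshd the check should not depend on build flags. The file already reports such failures through `fatal()` (see the `setgroups` line in the same hunk), so the assert could become `if (saved_egroupslen <= 0) fatal("temporarily_use_uid: no saved egroups");` with the `setgid(saved_egroups[0])` call left as is, which would also remove the need for the conditional `#include <assert.h>` added in the first embedded hunk. Whether `saved_egroupslen` can actually be 0 here depends on the `getgroups()` handling earlier in `temporarily_use_uid`, whose body starts outside the hunk.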