Vendor import of OpenSSH 5.8p1

svn path=/vendor-crypto/openssh/dist/; revision=218769 svn path=/vendor-crypto/openssh/5.8p1/; revision=218770; tag=vendor/openssh/5.8p1
2011-02-17 11:49:48 +00:00 · 2011-02-17 11:49:48 +00:00 · adde052b01 · 2020-12-20 02:59:44 +00:00
commit adde052b01
parent 9f6de2d748
29 changed files with 101 additions and 49 deletions
--- a/28
+++ b/28
@ -1,3 +1,31 @@
+20110204
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2011/01/31 21:42:15
+     [PROTOCOL.mux]
+     cut'n'pasto; from bert.wesarg AT googlemail.com
+   - djm@cvs.openbsd.org 2011/02/04 00:44:21
+     [key.c]
+     fix uninitialised nonce variable; reported by Mateusz Kocielski
+   - djm@cvs.openbsd.org 2011/02/04 00:44:43
+     [version.h]
+     openssh-5.8
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] update versions in docs and spec files.
+ - Release OpenSSH 5.8p1
+
+20110128
+ - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled
+   before attempting setfscreatecon(). Check whether matchpathcon()
+   succeeded before using its result. Patch from cjwatson AT debian.org;
+   bz#1851
+
+20110125
+ - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
+   openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
+   port-linux.c to avoid compilation errors. Add -lselinux to ssh when
+   building with SELinux support to avoid linking failure; report from
+   amk AT spamfence.net; ok dtucker
+
 20110122
 - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add
   RSA_get_default_method() for the benefit of openssl versions that don't
--- a/Makefile.in
+++ b/Makefile.in
@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.320 2011/01/17 10:15:29 dtucker Exp $
+# $Id: Makefile.in,v 1.320.4.1 2011/02/04 00:42:13 djm Exp $

 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@ -46,6 +46,7 @@ LD=@LD@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
+SSHLIBS=@SSHLIBS@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 AR=@AR@
@ -142,7 +143,7 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@

 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
-	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)

 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
--- a/PROTOCOL.mux
+++ b/PROTOCOL.mux
@ -122,7 +122,7 @@ For dynamically allocated listen port the server replies with

 Note: currently unimplemented (server will always reply with MUX_S_FAILURE).

-A client may request the master to establish a port forward:
+A client may request the master to close a port forward:

 	uint32	MUX_C_CLOSE_FWD
 	uint32	request id
@ -200,4 +200,4 @@ XXX server->client error/warning notifications
 XXX port0 rfwd (need custom response message)
 XXX send signals via mux

-$OpenBSD: PROTOCOL.mux,v 1.3 2011/01/13 21:55:25 djm Exp $
+$OpenBSD: PROTOCOL.mux,v 1.4 2011/01/31 21:42:15 djm Exp $
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.7 for the release notes.
+See http://www.openssh.com/txt/release-5.8 for the release notes.

 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html

-$Id: README,v 1.75 2011/01/22 09:23:12 djm Exp $
+$Id: README,v 1.75.4.1 2011/02/04 00:57:50 djm Exp $
--- a/20
+++ b/20
@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 1.469 .
+# From configure.ac Revision: 1.469.4.1 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61 for OpenSSH Portable.
 #
@ -696,7 +696,6 @@ STARTUP_SCRIPT_SHELL
 LOGIN_PROGRAM_FALLBACK
 PATH_PASSWD_PROG
 LD
-SSHDLIBS
 PKGCONFIG
 LIBEDIT
 TEST_SSH_SHA256
@ -721,6 +720,8 @@ PROG_UPTIME
 PROG_IPCS
 PROG_TAIL
 INSTALL_SSH_PRNG_CMDS
+SSHLIBS
+SSHDLIBS
 KRB5CONF
 PRIVSEP_PATH
 xauth_path
@ -9047,7 +9048,6 @@ cat >>confdefs.h <<\_ACEOF
 _ACEOF

 			  SSHDLIBS="$SSHDLIBS -lcontract"
-
 			  SPC_MSG="yes"
 fi

@ -9126,7 +9126,6 @@ cat >>confdefs.h <<\_ACEOF
 _ACEOF

 			SSHDLIBS="$SSHDLIBS -lproject"
-
 			SP_MSG="yes"
 fi

@ -27806,6 +27805,7 @@ echo "$as_me: error: SELinux support requires libselinux library" >&2;}
   { (exit 1); exit 1; }; }
 fi

+		SSHLIBS="$SSHLIBS $LIBSELINUX"
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"


@ -27908,6 +27908,8 @@ done
 fi


+
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"

@ -31416,7 +31418,6 @@ STARTUP_SCRIPT_SHELL!$STARTUP_SCRIPT_SHELL$ac_delim
 LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
 PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
 LD!$LD$ac_delim
-SSHDLIBS!$SSHDLIBS$ac_delim
 PKGCONFIG!$PKGCONFIG$ac_delim
 LIBEDIT!$LIBEDIT$ac_delim
 TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim
@ -31433,6 +31434,7 @@ PROG_PS!$PROG_PS$ac_delim
 PROG_SAR!$PROG_SAR$ac_delim
 PROG_W!$PROG_W$ac_delim
 PROG_WHO!$PROG_WHO$ac_delim
+PROG_LAST!$PROG_LAST$ac_delim
 _ACEOF

  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@ -31474,7 +31476,6 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
  cat >conf$$subs.sed <<_ACEOF
-PROG_LAST!$PROG_LAST$ac_delim
 PROG_LASTLOG!$PROG_LASTLOG$ac_delim
 PROG_DF!$PROG_DF$ac_delim
 PROG_VMSTAT!$PROG_VMSTAT$ac_delim
@ -31482,6 +31483,8 @@ PROG_UPTIME!$PROG_UPTIME$ac_delim
 PROG_IPCS!$PROG_IPCS$ac_delim
 PROG_TAIL!$PROG_TAIL$ac_delim
 INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
+SSHLIBS!$SSHLIBS$ac_delim
+SSHDLIBS!$SSHDLIBS$ac_delim
 KRB5CONF!$KRB5CONF$ac_delim
 PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
 xauth_path!$xauth_path$ac_delim
@ -31496,7 +31499,7 @@ LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF

-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 20; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 21; then
    break
  elif $ac_last_try; then
    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@ -31993,6 +31996,9 @@ echo "         Libraries: ${LIBS}"
 if test ! -z "${SSHDLIBS}"; then
 echo "         +for sshd: ${SSHDLIBS}"
 fi
+if test ! -z "${SSHLIBS}"; then
+echo "          +for ssh: ${SSHLIBS}"
+fi

 echo ""

--- a/configure.ac
+++ b/configure.ac
@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.469 2011/01/21 22:37:05 dtucker Exp $
+# $Id: configure.ac,v 1.469.4.1 2011/02/04 00:42:14 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

 AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
-AC_REVISION($Revision: 1.469 $)
+AC_REVISION($Revision: 1.469.4.1 $)
 AC_CONFIG_SRCDIR([ssh.c])

 # local macros
@ -737,7 +737,6 @@ mips-sony-bsd|mips-sony-newsos4)
 			[ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
 				[Define if you have Solaris process contracts])
 			  SSHDLIBS="$SSHDLIBS -lcontract"
-			  AC_SUBST(SSHDLIBS)
 			  SPC_MSG="yes" ], )
 		],
 	)
@ -748,7 +747,6 @@ mips-sony-bsd|mips-sony-newsos4)
 			[ AC_DEFINE(USE_SOLARIS_PROJECTS, 1,
 				[Define if you have Solaris projects])
 			SSHDLIBS="$SSHDLIBS -lproject"
-			AC_SUBST(SSHDLIBS)
 			SP_MSG="yes" ], )
 		],
 	)
@ -3515,11 +3513,14 @@ AC_ARG_WITH(selinux,
 			  LIBS="$LIBS -lselinux"
 			],
 			AC_MSG_ERROR(SELinux support requires libselinux library))
+		SSHLIBS="$SSHLIBS $LIBSELINUX"
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
 		LIBS="$save_LIBS"
 	fi ]
 )
+AC_SUBST(SSHLIBS)
+AC_SUBST(SSHDLIBS)

 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
@ -4341,6 +4342,9 @@ echo "         Libraries: ${LIBS}"
 if test ! -z "${SSHDLIBS}"; then
 echo "         +for sshd: ${SSHDLIBS}"
 fi
+if test ! -z "${SSHLIBS}"; then
+echo "          +for ssh: ${SSHLIBS}"
+fi

 echo ""

--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@ -16,7 +16,7 @@

 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable	1
-%define version 	5.7p1
+%define version 	5.8p1
 %if %{use_stable}
  %define cvs		%{nil}
  %define release 	1
@ -363,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31

-$Id: openssh.spec,v 1.73 2011/01/22 09:23:33 djm Exp $
+$Id: openssh.spec,v 1.73.4.1 2011/02/04 00:57:54 djm Exp $
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@ -1,4 +1,4 @@
-%define ver 5.7p1
+%define ver 5.8p1
 %define rel 1

 # OpenSSH privilege separation requires a user & group ID
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@ -13,7 +13,7 @@

 Summary:	OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:		openssh
-Version:	5.7p1
+Version:	5.8p1
 URL:		http://www.openssh.com/
 Release:	1
 Source0:	openssh-%{version}.tar.gz
--- a/key.c
+++ b/key.c
@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.95 2010/11/10 01:33:07 djm Exp $ */
+/* $OpenBSD: key.c,v 1.96 2011/02/04 00:44:21 djm Exp $ */
 /*
 * read_bignum():
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1886,10 +1886,9 @@ key_certify(Key *k, Key *ca)
 	buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));

 	/* -v01 certs put nonce first */
-	if (!key_cert_is_legacy(k)) {
-		arc4random_buf(&nonce, sizeof(nonce));
+	arc4random_buf(&nonce, sizeof(nonce));
+	if (!key_cert_is_legacy(k))
 		buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
-	}

 	switch (k->type) {
 	case KEY_DSA_CERT_V00:
--- a/moduli.0
+++ b/moduli.0
@ -69,4 +69,4 @@ SEE ALSO
     Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer
     Protocol, RFC 4419, 2006.

-OpenBSD 4.8                      June 26, 2008                     OpenBSD 4.8
+OpenBSD 4.9                      June 26, 2008                     OpenBSD 4.9
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.11 2011/01/17 07:50:24 dtucker Exp $ */
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */

 /*
 * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@ -205,6 +205,22 @@ ssh_selinux_change_context(const char *newname)
 	xfree(oldctx);
 	xfree(newctx);
 }
+
+void
+ssh_selinux_setfscreatecon(const char *path)
+{
+	security_context_t context;
+
+	if (!ssh_selinux_enabled())
+		return;
+	if (path == NULL)
+		setfscreatecon(NULL);
+		return;
+	}
+	if (matchpathcon(path, 0700, &context) == 0)
+		setfscreatecon(context);
+}
+
 #endif /* WITH_SELINUX */

 #ifdef LINUX_OOM_ADJUST
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@ -1,4 +1,4 @@
-/* $Id: port-linux.h,v 1.4 2009/12/08 02:39:48 dtucker Exp $ */
+/* $Id: port-linux.h,v 1.4.10.1 2011/02/04 00:42:21 djm Exp $ */

 /*
 * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_setup_exec_context(char *);
 void ssh_selinux_change_context(const char *);
+void ssh_selinux_setfscreatecon(const char *);
 #endif

 #ifdef LINUX_OOM_ADJUST
--- a/scp.0
+++ b/scp.0
@ -153,4 +153,4 @@ AUTHORS
     Timo Rinne <tri@iki.fi>
     Tatu Ylonen <ylo@cs.hut.fi>

-OpenBSD 4.8                    December 9, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    December 9, 2010                    OpenBSD 4.9
--- a/sftp-server.0
+++ b/sftp-server.0
@ -61,4 +61,4 @@ HISTORY
 AUTHORS
     Markus Friedl <markus@openbsd.org>

-OpenBSD 4.8                     January 9, 2010                    OpenBSD 4.8
+OpenBSD 4.9                     January 9, 2010                    OpenBSD 4.9
--- a/sftp.0
+++ b/sftp.0
@ -328,4 +328,4 @@ SEE ALSO
     draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress
     material.

-OpenBSD 4.8                    December 4, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    December 4, 2010                    OpenBSD 4.9
--- a/ssh-add.0
+++ b/ssh-add.0
@ -112,4 +112,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

-OpenBSD 4.8                    October 28, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    October 28, 2010                    OpenBSD 4.9
--- a/ssh-agent.0
+++ b/ssh-agent.0
@ -120,4 +120,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

-OpenBSD 4.8                    November 21, 2010                   OpenBSD 4.8
+OpenBSD 4.9                    November 21, 2010                   OpenBSD 4.9
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@ -440,4 +440,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

-OpenBSD 4.8                    October 28, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    October 28, 2010                    OpenBSD 4.9
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@ -106,4 +106,4 @@ BUGS
     This is because it opens a connection to the ssh port, reads the public
     key, and drops the connection as soon as it gets the key.

-OpenBSD 4.8                     August 31, 2010                    OpenBSD 4.8
+OpenBSD 4.9                     August 31, 2010                    OpenBSD 4.9
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@ -48,4 +48,4 @@ HISTORY
 AUTHORS
     Markus Friedl <markus@openbsd.org>

-OpenBSD 4.8                     August 31, 2010                    OpenBSD 4.8
+OpenBSD 4.9                     August 31, 2010                    OpenBSD 4.9
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@ -22,4 +22,4 @@ HISTORY
 AUTHORS
     Markus Friedl <markus@openbsd.org>

-OpenBSD 4.8                    February 10, 2010                   OpenBSD 4.8
+OpenBSD 4.9                    February 10, 2010                   OpenBSD 4.9
--- a/ssh-rand-helper.0
+++ b/ssh-rand-helper.0
@ -48,4 +48,4 @@ AUTHORS
 SEE ALSO
     ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)

-OpenBSD 4.8                     April 14, 2002                     OpenBSD 4.8
+OpenBSD 4.9                     April 14, 2002                     OpenBSD 4.9
--- a/ssh.0
+++ b/ssh.0
@ -895,4 +895,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

-OpenBSD 4.8                    November 18, 2010                   OpenBSD 4.8
+OpenBSD 4.9                    November 18, 2010                   OpenBSD 4.9
--- a/ssh.c
+++ b/ssh.c
@ -852,15 +852,12 @@ main(int ac, char **av)
 	    strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
 	if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
 #ifdef WITH_SELINUX
-		char *scon;
-
-		matchpathcon(buf, 0700, &scon);
-		setfscreatecon(scon);
+		ssh_selinux_setfscreatecon(buf);
 #endif
 		if (mkdir(buf, 0700) < 0)
 			error("Could not create directory '%.200s'.", buf);
 #ifdef WITH_SELINUX
-		setfscreatecon(NULL);
+		ssh_selinux_setfscreatecon(NULL);
 #endif
 	}
 	/* load options.identity_files */
--- a/ssh_config.0
+++ b/ssh_config.0
@ -741,4 +741,4 @@ AUTHORS
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

-OpenBSD 4.8                    December 8, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    December 8, 2010                    OpenBSD 4.9
--- a/sshd.0
+++ b/sshd.0
@ -631,4 +631,4 @@ CAVEATS
     System security is not improved unless rshd, rlogind, and rexecd are
     disabled (thus completely disabling rlogin and rsh into the machine).

-OpenBSD 4.8                    October 28, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    October 28, 2010                    OpenBSD 4.9
--- a/sshd_config.0
+++ b/sshd_config.0
@ -710,4 +710,4 @@ AUTHORS
     versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
     for privilege separation.

-OpenBSD 4.8                    December 8, 2010                    OpenBSD 4.8
+OpenBSD 4.9                    December 8, 2010                    OpenBSD 4.9
--- a/version.h
+++ b/version.h
@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.60 2011/01/22 09:18:53 djm Exp $ */
+/* $OpenBSD: version.h,v 1.61 2011/02/04 00:44:43 djm Exp $ */

-#define SSH_VERSION	"OpenSSH_5.7"
+#define SSH_VERSION	"OpenSSH_5.8"

 #define SSH_PORTABLE	"p1"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE