From 30eee7d1b2fec33c14870cc11910610be5d2aa6f Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 20 Dec 2016 12:16:11 +1100 Subject: [PATCH 1/4] Re-add missing "Prerequisites" header and fix typo Patch from HARUYAMA Seigo . --- INSTALL | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/INSTALL b/INSTALL index 6bc80b68f..92106bf02 100644 --- a/INSTALL +++ b/INSTALL @@ -1,3 +1,4 @@ +1. Prerequisites ---------------- A C compiler. Any C89 or better compiler should work. Where supported, @@ -231,7 +232,7 @@ manually using the following commands: ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N "" -for each of the types you wish to generate (rsa, dsa or ecdsaa) or +for each of the types you wish to generate (rsa, dsa or ecdsa) or ssh-keygen -A From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 30 Dec 2016 22:08:02 +0000 Subject: [PATCH 2/4] upstream commit fix deadlock when keys/principals command produces a lot of output and a key is matched early; bz#2655, patch from jboning AT gmail.com Upstream-ID: e19456429bf99087ea994432c16d00a642060afe --- auth2-pubkey.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 20f3309e1..70c021589 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.60 2016/11/30 02:57:40 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.61 2016/12/30 22:08:02 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key) ok = process_principals(f, NULL, pw, cert); + fclose(f); + f = NULL; + if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0) goto out; @@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) ok = check_authkeys_file(f, options.authorized_keys_command, key, pw); + fclose(f); + f = NULL; + if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0) goto out; From c7995f296b9222df2846f56ecf61e5ae13d7a53d Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 3 Jan 2017 05:46:51 +0000 Subject: [PATCH 3/4] upstream commit check number of entries in SSH2_FXP_NAME response; avoids unreachable overflow later. Reported by Jann Horn Upstream-ID: b6b2b434a6d6035b1644ca44f24cd8104057420f --- sftp-client.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sftp-client.c b/sftp-client.c index e65c15c8f..d47be0ea5 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-client.c,v 1.125 2016/09/12 01:22:38 deraadt Exp $ */ +/* $OpenBSD: sftp-client.c,v 1.126 2017/01/03 05:46:51 djm Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -587,6 +587,8 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag, if ((r = sshbuf_get_u32(msg, &count)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (count > SSHBUF_SIZE_MAX) + fatal("%s: nonsensical number of entries", __func__); if (count == 0) break; debug3("Received %d SSH2_FXP_NAME responses", count); From b108ce92aae0ca0376dce9513d953be60e449ae1 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 4 Jan 2017 02:21:43 +0000 Subject: [PATCH 4/4] upstream commit relax PKCS#11 whitelist a bit to allow libexec as well as lib directories. Upstream-ID: cf5617958e2e2d39f8285fd3bc63b557da484702 --- ssh-agent.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssh-agent.c b/ssh-agent.c index 395213553..1320cdaa1 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.215 2016/11/30 03:07:37 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.216 2017/01/04 02:21:43 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -89,7 +89,7 @@ #endif #ifndef DEFAULT_PKCS11_WHITELIST -# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*" +# define DEFAULT_PKCS11_WHITELIST "/usr/lib*/*,/usr/local/lib*/*" #endif typedef enum {