
[alpine-aports] [PATCH v3.4] main/openssh: security fixes #6584

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Thu, 29 Dec 2016 07:12:02 +0000

CVE-2016-10009: loading of untrusted PKCS#11 modules in ssh-agent
CVE-2016-10010: privilege escalation via Unix domain socket forwarding
CVE-2016-10011: Leak of host private key material to privilege-separated child process via realloc()
CVE-2016-10012: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support
---
 main/openssh/APKBUILD               |  38 +++++++++--
 main/openssh/CVE-2016-10009.patch   | 130 ++++++++++++++++++++++++++++++++++++
 main/openssh/CVE-2016-10010.patch   |  29 ++++++++
 main/openssh/CVE-2016-10011.patch   |  37 ++++++++++
 main/openssh/CVE-2016-10012-1.patch |  89 ++++++++++++++++++++++++
 main/openssh/CVE-2016-10012-2.patch |  33 +++++++++
 main/openssh/CVE-2016-10012-3.patch |  17 +++++
 7 files changed, 369 insertions(+), 4 deletions(-)
 create mode 100644 main/openssh/CVE-2016-10009.patch
 create mode 100644 main/openssh/CVE-2016-10010.patch
 create mode 100644 main/openssh/CVE-2016-10011.patch
 create mode 100644 main/openssh/CVE-2016-10012-1.patch
 create mode 100644 main/openssh/CVE-2016-10012-2.patch
 create mode 100644 main/openssh/CVE-2016-10012-3.patch
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 84924d7..aa421cb 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
_at_@ -1,9 +1,10 @@
+# Contributor: Sergei Lukin <sergej.lukin_at_gmail.com>
 # Conptributor: Valery Kartel <valery.kartel_at_gmail.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=openssh
 pkgver=7.2_p2
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=3
+pkgrel=4
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
_at_@ -23,6 +24,12 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
 	openssh-sftp-interactive.diff
 	CVE-2016-6210.patch
 	CVE-2016-6515.patch
+	CVE-2016-10009.patch
+	CVE-2016-10010.patch
+	CVE-2016-10011.patch
+	CVE-2016-10012-1.patch
+	CVE-2016-10012-2.patch
+	CVE-2016-10012-3.patch
 	"
 # HPN patches are from: http://www.psc.edu/index.php/hpn-ssh
 
_at_@ -31,6 +38,11 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
 #     - CVE-2016-6210
 #   7.2_p2-r2:
 #     - CVE-2016-6515
+#   7.2_p2-r4:
+#     - CVE-2016-10009
+#     - CVE-2016-10010
+#     - CVE-2016-10011
+#     - CVE-2016-10012
 
 _builddir="$srcdir"/$pkgname-$_myver
 prepare() {
_at_@ -134,7 +146,13 @@ cd52fe99cb4b7d0d847bf5d710d93564  openssh6.5-peaktput.diff
 ccff4ede2075bcdaa070940cb4eadba2  sshd.confd
 2dd7e366607e95f9762273067309fd6e  openssh-sftp-interactive.diff
 baccdaf19767102c91343742cc09ebc9  CVE-2016-6210.patch
-c70de89a56f365514ea7a877c8267715  CVE-2016-6515.patch"
+c70de89a56f365514ea7a877c8267715  CVE-2016-6515.patch
+c90d3f553ab3f7e18eef857160b4f3e4  CVE-2016-10009.patch
+ff2645ea513fd071553f657aabb49e2b  CVE-2016-10010.patch
+368a1f2e4d381157647671effbb2f48e  CVE-2016-10011.patch
+af9e3c0a4d90b72cc9532120dd50341c  CVE-2016-10012-1.patch
+7bc38d8b2ff07def069a063a4ba74311  CVE-2016-10012-2.patch
+75b99affc2a24f8187561e27a90cfbc8  CVE-2016-10012-3.patch"
 sha256sums="a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c  openssh-7.2p2.tar.gz
 bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249  openssh6.5-peaktput.diff
 861132af07c18f5e0ac7b64f389a929e61a051887bf44bda770a97e3afd9bfb6  openssh7.1-dynwindows.diff
_at_@ -144,7 +162,13 @@ bf49212e47a86d10650f739532cea514a310925e6445b4f8011031b6b55f3249  openssh6.5-pea
 3342d2fc9b174f898f887237002f04fa9bc01c31e9a851e063ca7de8825ad0eb  sshd.confd
 4ce1ad5f767c0f4e854a0cfeef0e2e400f333c649e552df1ecc317e6a6557376  openssh-sftp-interactive.diff
 53ee8c957e9dd3bb51fe629d04e6373c6e4b62026352463bad916a4e66c00f37  CVE-2016-6210.patch
-dae8c7167a614eae45e5efadd635791e1d7f47dadfa605819a29f7b8ecedf9aa  CVE-2016-6515.patch"
+dae8c7167a614eae45e5efadd635791e1d7f47dadfa605819a29f7b8ecedf9aa  CVE-2016-6515.patch
+21cc3551212d0e7468ea624fed9a77f75c26ee618d0c8f9db5ba371a6714c2c9  CVE-2016-10009.patch
+477fe3e0aa4e84ed456ed976070596047a587e0a743c2be8a69274869e904a01  CVE-2016-10010.patch
+2e281fe5fae68346097c83738516195733e3745cbf144404983116f90c9790ea  CVE-2016-10011.patch
+fedc1069bdbd7e95b8ba7f597fa0f07cae09714ba839b454596e5aa860698004  CVE-2016-10012-1.patch
+2be09b0a0aa4b3859fddd360a679b41c95f97a7e11df95aa1a1abe174f97bab7  CVE-2016-10012-2.patch
+bd6fa4cfd9cd7ebdfb4e9b8b6295b6b9579e48e90d46da1ec0a9d53aa1479369  CVE-2016-10012-3.patch"
 sha512sums="44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b  openssh-7.2p2.tar.gz
 e041398e177674f698480e23be037160bd07b751c754956a3ddf1b964da24c85e826fb75e7c23c9826d36761da73d08db9583c047d58a08dc7b2149a949075b1  openssh6.5-peaktput.diff
 72a7dc21d18388c635d14dda762ac50caeefd38f0153d8ea36d18e9d7c982e104f7b7a3af8c18fd479c31201fbdee1639f3a1ec60d035d4ca8721a8563fa11a0  openssh7.1-dynwindows.diff
_at_@ -154,4 +178,10 @@ f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b33894
 ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4  sshd.confd
 c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  openssh-sftp-interactive.diff
 202ae2ca83c0caeb0099ca22e7a248053d29cc7751c5b5865004108e4b998d7bf738df8cc0aa138a2b770748e5f90835e707434acd4719ce388181db1dc81ccd  CVE-2016-6210.patch
-23794c9035ac25851734f154fca25f10fdb4bb6fc02c4162e7593ee7f05dbbd7bc3d158fca640cc57819e8fb9d64053f188f7a2cbb204c7f37fe6a60115f2ac6  CVE-2016-6515.patch"
+23794c9035ac25851734f154fca25f10fdb4bb6fc02c4162e7593ee7f05dbbd7bc3d158fca640cc57819e8fb9d64053f188f7a2cbb204c7f37fe6a60115f2ac6  CVE-2016-6515.patch
+8fed8ced305b61428a83c074c4a4ea53c7ad5a59c68604398852a5e33b728c241ca12f89f15fb6d3df37e82854b574a117522e4c178e20ca466f3f725ad05be1  CVE-2016-10009.patch
+d6798d818ff7dfad0cd314c2f0e2d3d5477e4567f5422ff2409fdd56050d45e88073fb2b9008c3335cc3ac596b6c0ed13128fa5d588cbb56d4919ab62b218c26  CVE-2016-10010.patch
+3ab26c702f7a64225d11dd485b288ac81f96afa2a13ab0a8082245d80d31d7c9c335e49cb4cec1e0439c39cb32df5360afd6bf6363d4cbaa80cb3a991c636755  CVE-2016-10011.patch
+8d7601ecf86d5e4fcb7908690598d28af25a7e019d359b7b680a235844403414127262978e07679e36cef2293c114d417bd139c8791423febdb4ce2437d628b6  CVE-2016-10012-1.patch
+8f2e4b851d69ff1328452ed0b2f804cb55f1ba668a9a77cb1b14c8bbd573436d8f4daa163662ac40e15bebfedaba2a666519c9b9e6f53a769415cef343e61fd5  CVE-2016-10012-2.patch
+deef0aba42fa3d5c63807cfb106eaee25be2ab63a0f7cd80046ffd8e67bbc78ca19f1cdf433d522dbd09b088c4f0a165f3edcaba4c12d0200f8615da3c98f78a  CVE-2016-10012-3.patch"
diff --git a/main/openssh/CVE-2016-10009.patch b/main/openssh/CVE-2016-10009.patch
new file mode 100644
index 0000000..a7adc16
--- /dev/null
+++ b/main/openssh/CVE-2016-10009.patch
_at_@ -0,0 +1,130 @@
+patch was slightly modified to be applied to openssh-7.2_p2
+Original patch:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215&sortby=date&f=h&f=u
+
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/ssh-agent.c,v
+retrieving revision 1.214
+retrieving revision 1.215
+diff -u -r1.214 -r1.215
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+_at_@ -69,11 +69,16 @@
+ #include "misc.h"
+ #include "digest.h"
+ #include "ssherr.h"
++#include "match.h"
+ 
+ #ifdef ENABLE_PKCS11
+ #include "ssh-pkcs11.h"
+ #endif
+ 
++#ifndef DEFAULT_PKCS11_WHITELIST
++# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
++#endif
++
+ #if defined(HAVE_SYS_PRCTL_H)
+ #include <sys/prctl.h>  /* For prctl() and PR_SET_DUMPABLE */
+ #endif
+_at_@ -121,6 +126,9 @@
+ char socket_name[PATH_MAX];
+ char socket_dir[PATH_MAX];
+ 
++/* PKCS#11 path whitelist */
++static char *pkcs11_whitelist;
++
+ /* locking */
+ #define LOCK_SIZE	32
+ #define LOCK_SALT_SIZE	16
+_at_@ -724,7 +732,7 @@
+ static void
+ process_add_smartcard_key(SocketEntry *e)
+ {
+-	char *provider = NULL, *pin;
++	char *provider = NULL, *pin, canonical_provider[PATH_MAX];
+ 	int r, i, version, count = 0, success = 0, confirm = 0;
+ 	u_int seconds;
+ 	time_t death = 0;
+_at_@ -756,10 +764,21 @@
+ 			goto send;
+ 		}
+ 	}
++	if (realpath(provider, canonical_provider) == NULL) {
++		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
++		    provider, strerror(errno));
++		goto send;
++	}
++	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
++		verbose("refusing PKCS#11 add of \"%.100s\": "
++		    "provider not whitelisted", canonical_provider);
++		goto send;
++	}
++	debug("%s: add %.100s", __func__, canonical_provider);
+ 	if (lifetime && !death)
+ 		death = monotime() + lifetime;
+ 
+-	count = pkcs11_add_provider(provider, pin, &keys);
++	count = pkcs11_add_provider(canonical_provider, pin, &keys);
+ 	for (i = 0; i < count; i++) {
+ 		k = keys[i];
+ 		version = k->type == KEY_RSA1 ? 1 : 2;
+_at_@ -767,8 +786,8 @@
+ 		if (lookup_identity(k, version) == NULL) {
+ 			id = xcalloc(1, sizeof(Identity));
+ 			id->key = k;
+-			id->provider = xstrdup(provider);
+-			id->comment = xstrdup(provider); /* XXX */
++			id->provider = xstrdup(canonical_provider);
++			id->comment = xstrdup(canonical_provider); /* XXX */
+ 			id->death = death;
+ 			id->confirm = confirm;
+ 			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+_at_@ -1157,7 +1176,7 @@
+ {
+ 	fprintf(stderr,
+ 	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
+-	    "                 [-t life] [command [arg ...]]\n"
++	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
+ 	    "       ssh-agent [-c | -s] -k\n");
+ 	exit(1);
+ }
+_at_@ -1191,7 +1210,7 @@
+ 	OpenSSL_add_all_algorithms();
+ #endif
+ 
+-	while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
++	while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
+ 		switch (ch) {
+ 		case 'E':
+ 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
+_at_@ -1206,6 +1225,11 @@
+ 		case 'k':
+ 			k_flag++;
+ 			break;
++		case 'P':
++			if (pkcs11_whitelist != NULL)
++				fatal("-P option already specified");
++			pkcs11_whitelist = xstrdup(optarg);
++			break;
+ 		case 's':
+ 			if (c_flag)
+ 				usage();
+_at_@ -1240,6 +1264,9 @@
+ 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
+ 		usage();
+ 
++	if (pkcs11_whitelist == NULL)
++		pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
++
+ 	if (ac == 0 && !c_flag && !s_flag) {
+ 		shell = getenv("SHELL");
+ 		if (shell != NULL && (len = strlen(shell)) > 2 &&
+_at_@ -1385,7 +1412,7 @@
+ 	signal(SIGTERM, cleanup_handler);
+ 	nalloc = 0;
+ 
+-	if (pledge("stdio cpath unix id proc exec", NULL) == -1)
++	if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
+ 		fatal("%s: pledge: %s", __progname, strerror(errno));
+ 
+ 	while (1) {
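Review bot: `id->provider` now stores `canonical_provider` in process_add_smartcard_key, but nothing in this patch changes the code that later looks a provider up by name, so a removal request that passes the same non-canonical path used at add time (a symlink or relative path) would presumably no longer match. The removal function is outside the hunks shown, so confirm this against `process_remove_smartcard_key`; if it still compares the raw request string with `id->provider`, it needs the same `realpath()` step before the comparison. Separately, the patch adds `-P pkcs11_whitelist` to the usage text without touching ssh-agent.1, so the new option and its default of `/usr/lib/*,/usr/local/lib/*` stay undocumented for users of this package.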
diff --git a/main/openssh/CVE-2016-10010.patch b/main/openssh/CVE-2016-10010.patch
new file mode 100644
index 0000000..7d3f45e
--- /dev/null
+++ b/main/openssh/CVE-2016-10010.patch
_at_@ -0,0 +1,29 @@
+patch was slightly modified to be applied to openssh-7.2_p2
+Original patch:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/serverloop.c.diff?r1=1.188&r2=1.189&sortby=date&f=h&f=u
+
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v
+retrieving revision 1.188
+retrieving revision 1.189
+diff -u -r1.188 -r1.189
+--- a/serverloop.c
++++ b/serverloop.c
+_at_@ -472,7 +472,7 @@
+ 
+ 	/* XXX fine grained permissions */
+ 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+-	    !no_port_forwarding_flag) {
++	    !no_port_forwarding_flag && use_privsep) {
+ 		c = channel_connect_to_path(target,
+ 		    "direct-streamlocal_at_openssh.com", "direct-streamlocal");
+ 	} else {
+_at_@ -748,7 +749,7 @@
+ 
+ 		/* check permissions */
+ 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+-		    || no_port_forwarding_flag) {
++		    || no_port_forwarding_flag || !use_privsep) {
+ 			success = 0;
+ 			packet_send_debug("Server has disabled port forwarding.");
+ 		} else {
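Review bot: The two `use_privsep` tests in serverloop.c are added without a comment, so the reason streamlocal forwarding is refused when privilege separation is off is not recorded at either site. I would add above each condition something like `/* without privsep the forwarded Unix socket would be created with root privileges (CVE-2016-10010) */`. At the second site the client is still told `Server has disabled port forwarding.`, which will mislead an administrator who enabled forwarding but runs with `UsePrivilegeSeparation no`; a distinct log line for that case would make the refusal diagnosable. Both enclosing functions start and end outside the hunks.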
diff --git a/main/openssh/CVE-2016-10011.patch b/main/openssh/CVE-2016-10011.patch
new file mode 100644
index 0000000..aea75f3
--- /dev/null
+++ b/main/openssh/CVE-2016-10011.patch
_at_@ -0,0 +1,37 @@
+patch was slightly modified to be applied to openssh-7.2_p2
+Original patch:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122
+
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/authfile.c,v
+retrieving revision 1.121
+retrieving revision 1.122
+diff -u -r1.121 -r1.122
+--- a/authfile.c
++++ b/authfile.c
+_at_@ -98,13 +98,24 @@
+ 	u_char buf[1024];
+ 	size_t len;
+ 	struct stat st;
+-	int r;
++	int r, dontmax = 0;
+ 
+ 	if (fstat(fd, &st) < 0)
+ 		return SSH_ERR_SYSTEM_ERROR;
+ 	if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
+ 	    st.st_size > MAX_KEY_FILE_SIZE)
+ 		return SSH_ERR_INVALID_FORMAT;
++	/*
++	 * Pre-allocate the buffer used for the key contents and clamp its
++	 * maximum size. This ensures that key contents are never leaked via
++	 * implicit realloc() in the sshbuf code.
++	 */
++	if ((st.st_mode & S_IFREG) == 0 || st.st_size <= 0) {
++		st.st_size = 64*1024; /* 64k should be enough for anyone :) */
++		dontmax = 1;
++	}
++	if (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0)
++		return r;
+ 	for (;;) {
+ 		if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
+ 			if (errno == EPIPE)
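Review bot: The added comment says the buffer is pre-allocated, but the new code never allocates: the only call is `sshbuf_set_max_size()`, and it runs only when `dontmax` is set, i.e. for non-regular files or a non-positive `st_size`. For an ordinary key file with a positive size nothing changes, so the buffer can still grow by implicit realloc() while the key is read, which is the leak this patch is meant to close. The upstream revision referenced in the header appears to pair the clamp with an explicit allocation, `if ((r = sshbuf_allocate(blob, st.st_size)) != 0 || (dontmax && (r = sshbuf_set_max_size(blob, st.st_size)) != 0)) return r;`. If `sshbuf_allocate()` is missing from 7.2p2, it would need to be backported alongside. The enclosing function starts and ends outside the hunk.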
diff --git a/main/openssh/CVE-2016-10012-1.patch b/main/openssh/CVE-2016-10012-1.patch
new file mode 100644
index 0000000..4d228de
--- /dev/null
+++ b/main/openssh/CVE-2016-10012-1.patch
_at_@ -0,0 +1,89 @@
+patch was slightly modified to be applied to openssh-7.2_p2
+Original patch:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166
+
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/monitor.c,v
+retrieving revision 1.165
+retrieving revision 1.166
+diff -u -r1.165 -r1.166
+--- a/monitor.c
++++ b/monitor.c
+_at_@ -70,7 +70,6 @@
+ #include "misc.h"
+ #include "servconf.h"
+ #include "monitor.h"
+-#include "monitor_mm.h"
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+ #endif
+_at_@ -335,31 +334,6 @@
+ 		monitor_read(pmonitor, mon_dispatch, NULL);
+ }
+ 
+-void
+-monitor_sync(struct monitor *pmonitor)
+-{
+-	if (options.compression) {
+-		/* The member allocation is not visible, so sync it */
+-		mm_share_sync(&pmonitor->m_zlib, &pmonitor->m_zback);
+-	}
+-}
+-
+-/* Allocation functions for zlib */
+-static void *
+-mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
+-{
+-	if (size == 0 || ncount == 0 || ncount > SIZE_MAX / size)
+-		fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size);
+-
+-	return mm_malloc(mm, size * ncount);
+-}
+-
+-static void
+-mm_zfree(struct mm_master *mm, void *address)
+-{
+-	mm_free(mm, address);
+-}
+-
+ static int
+ monitor_read_log(struct monitor *pmonitor)
+ {
+_at_@ -1292,13 +1266,6 @@
+ 		kex->host_key_index=&get_hostkey_index;
+ 		kex->sign = sshd_hostkey_sign;
+ 	}
+-
+-	/* Update with new address */
+-	if (options.compression) {
+-		ssh_packet_set_compress_hooks(ssh, pmonitor->m_zlib,
+-		    (ssh_packet_comp_alloc_func *)mm_zalloc,
+-		    (ssh_packet_comp_free_func *)mm_zfree);
+-	}
+ }
+ 
+ /* This function requries careful sanity checking */
+_at_@ -1351,23 +1318,10 @@
+ struct monitor *
+ monitor_init(void)
+ {
+-	struct ssh *ssh = active_state;			/* XXX */
+ 	struct monitor *mon;
+ 
+ 	mon = xcalloc(1, sizeof(*mon));
+-
+ 	monitor_openfds(mon, 1);
+-
+-	/* Used to share zlib space across processes */
+-	if (options.compression) {
+-		mon->m_zback = mm_create(NULL, MM_MEMSIZE);
+-		mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE);
+-
+-		/* Compression needs to share state across borders */
+-		ssh_packet_set_compress_hooks(ssh, mon->m_zlib,
+-		    (ssh_packet_comp_alloc_func *)mm_zalloc,
+-		    (ssh_packet_comp_free_func *)mm_zfree);
+-	}
+ 
+ 	return mon;
+ }
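Review bot: This patch and the -2/-3 patches remove the shared-memory allocator hooks from monitor.c, monitor.h and sshd.c, but none of them touches the place where pre-authentication compression is negotiated or where compression state is handed over after authentication. If `Compression yes` can still select zlib before authentication in 7.2p2, the zlib state would now live in the unprivileged child's private heap, and any later transfer of that state to the post-auth process would carry pointers that are not valid there. That code is not visible here, so please confirm; the backport probably also needs to map pre-auth compression to delayed compression (or refuse it) in the server configuration handling. A line in the patch header stating that pre-auth compression is no longer supported would record the behaviour change.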
diff --git a/main/openssh/CVE-2016-10012-2.patch b/main/openssh/CVE-2016-10012-2.patch
new file mode 100644
index 0000000..4f462fb
--- /dev/null
+++ b/main/openssh/CVE-2016-10012-2.patch
_at_@ -0,0 +1,33 @@
+patch was slightly modified to be applied to openssh-7.2_p2
+Original patch:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20
+
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/monitor.h,v
+retrieving revision 1.19
+retrieving revision 1.20
+diff -u -r1.19 -r1.20
+--- a/monitor.h
++++ b/monitor.h
+_at_@ -58,21 +58,17 @@
+ 	MONITOR_REQ_TERM = 50,
+ };
+ 
+-struct mm_master;
+ struct monitor {
+ 	int			 m_recvfd;
+ 	int			 m_sendfd;
+ 	int			 m_log_recvfd;
+ 	int			 m_log_sendfd;
+-	struct mm_master	*m_zback;
+-	struct mm_master	*m_zlib;
+ 	struct kex		**m_pkex;
+ 	pid_t			 m_pid;
+ };
+ 
+ struct monitor *monitor_init(void);
+ void monitor_reinit(struct monitor *);
+-void monitor_sync(struct monitor *);
+ 
+ struct Authctxt;
+ void monitor_child_preauth(struct Authctxt *, struct monitor *);
diff --git a/main/openssh/CVE-2016-10012-3.patch b/main/openssh/CVE-2016-10012-3.patch
new file mode 100644
index 0000000..423b56a
--- /dev/null
+++ b/main/openssh/CVE-2016-10012-3.patch
_at_@ -0,0 +1,17 @@
+CVE-2016-10012 fix for openssh-7.2_p2
+Idea taken from patches:
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166
+http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20
+
+===================================================================
+--- a/sshd.c
++++ b/sshd.c
+_at_@ -683,8 +683,5 @@
+ 			ssh_sandbox_parent_preauth(box, pid);
+ 		monitor_child_preauth(authctxt, pmonitor);
+ 
+-		/* Sync memory */
+-		monitor_sync(pmonitor);
+-
+ 		/* Wait for the child's exit status */
+ 		while (waitpid(pid, &status, 0) < 0) { 
-- 
2.8.3
Received on Thu Dec 29 2016 - 07:12:02 GMT