[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/ - gentoo-commits

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
Date:	Tue, 14 Nov 2017 22:15:29
Message-Id:	`1510697711.713e5d3b63b36aa4cc6e47fb47214142dbc8d23c.whissi@gentoo`

1

commit:     713e5d3b63b36aa4cc6e47fb47214142dbc8d23c

2

Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

3

AuthorDate: Tue Nov 14 22:14:56 2017 +0000

4

Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

5

CommitDate: Tue Nov 14 22:15:11 2017 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=713e5d3b

7

8

net-misc/openssh: Rev bump to fix CVE-2017-15906

9

10

Bug: https://bugs.gentoo.org/633428

11

Package-Manager: Portage-2.3.13, Repoman-2.3.4

12

13

 .../files/openssh-7.5_p1-CVE-2017-15906.patch      |  31 ++

14

 net-misc/openssh/openssh-7.5_p1-r3.ebuild          | 332 +++++++++++++++++++++

15

 2 files changed, 363 insertions(+)

16

17

diff --git a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch

18

new file mode 100644

19

index 00000000000..b97ceb4b278

20

--- /dev/null

21

+++ b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch

22

@@ -0,0 +1,31 @@

23

+From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001

24

+From: djm <djm@×××××××.org>

25

+Date: Tue, 4 Apr 2017 00:24:56 +0000

26

+Subject: [PATCH] disallow creation (of empty files) in read-only mode;

27

+ reported by Michal Zalewski, feedback & ok deraadt@

28

+

29

+---

30

+ usr.bin/ssh/sftp-server.c | 6 +++---

31

+ 1 file changed, 3 insertions(+), 3 deletions(-)

32

+

33

+diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c

34

+index 2510d234a3a..42249ebd60d 100644

35

+--- a/usr.bin/ssh/sftp-server.c

36

++++ b/usr.bin/ssh/sftp-server.c

37

+@@ -1,4 +1,4 @@

38

+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */

39

++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */

40

+ /*

41

+  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.

42

+  *

43

+@@ -683,8 +683,8 @@ process_open(u_int32_t id)

44

+ 	logit("open \"%s\" flags %s mode 0%o",

45

+ 	    name, string_from_portable(pflags), mode);

46

+ 	if (readonly &&

47

+-	    ((flags & O_ACCMODE) == O_WRONLY ||

48

+-	    (flags & O_ACCMODE) == O_RDWR)) {

49

++	    ((flags & O_ACCMODE) != O_RDONLY ||

50

++	    (flags & (O_CREAT|O_TRUNC)) != 0)) {

51

+ 		verbose("Refusing open request in read-only mode");

52

+ 		status = SSH2_FX_PERMISSION_DENIED;

53

+ 	} else {

54

55

diff --git a/net-misc/openssh/openssh-7.5_p1-r3.ebuild b/net-misc/openssh/openssh-7.5_p1-r3.ebuild

56

new file mode 100644

57

index 00000000000..d9cb2ffe89b

58

--- /dev/null

59

+++ b/net-misc/openssh/openssh-7.5_p1-r3.ebuild

60

@@ -0,0 +1,332 @@

61

+# Copyright 1999-2017 Gentoo Foundation

62

+# Distributed under the terms of the GNU General Public License v2

63

+

64

+EAPI="5"

65

+

66

+inherit eutils user flag-o-matic multilib autotools pam systemd versionator

67

+

68

+# Make it more portable between straight releases

69

+# and _p? releases.

70

+PARCH=${P/_}

71

+

72

+HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"

73

+SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"

74

+LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"

75

+X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"

76

+

77

+DESCRIPTION="Port of OpenBSD's free SSH release"

78

+HOMEPAGE="http://www.openssh.org/"

79

+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz

80

+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}

81

+	${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}

82

+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}

83

+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}

84

+	"

85

+

86

+LICENSE="BSD GPL-2"

87

+SLOT="0"

88

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

89

+# Probably want to drop ssl defaulting to on in a future version.

90

+IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"

91

+REQUIRED_USE="ldns? ( ssl )

92

+	pie? ( !static )

93

+	ssh1? ( ssl )

94

+	static? ( !kerberos !pam )

95

+	X509? ( !ldap !sctp ssl )

96

+	test? ( ssl )"

97

+

98

+LIB_DEPEND="

99

+	audit? ( sys-process/audit[static-libs(+)] )

100

+	ldns? (

101

+		net-libs/ldns[static-libs(+)]

102

+		!bindist? ( net-libs/ldns[ecdsa,ssl] )

103

+		bindist? ( net-libs/ldns[-ecdsa,ssl] )

104

+	)

105

+	libedit? ( dev-libs/libedit:=[static-libs(+)] )

106

+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )

107

+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )

108

+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )

109

+	ssl? (

110

+		!libressl? (

111

+			>=dev-libs/openssl-1.0.1:0=[bindist=]

112

+			dev-libs/openssl:0=[static-libs(+)]

113

+		)

114

+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )

115

+	)

116

+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"

117

+RDEPEND="

118

+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )

119

+	pam? ( virtual/pam )

120

+	kerberos? ( virtual/krb5 )

121

+	ldap? ( net-nds/openldap )"

122

+DEPEND="${RDEPEND}

123

+	static? ( ${LIB_DEPEND} )

124

+	virtual/pkgconfig

125

+	virtual/os-headers

126

+	sys-devel/autoconf"

127

+RDEPEND="${RDEPEND}

128

+	pam? ( >=sys-auth/pambase-20081028 )

129

+	userland_GNU? ( virtual/shadow )

130

+	X? ( x11-apps/xauth )"

131

+

132

+S=${WORKDIR}/${PARCH}

133

+

134

+pkg_pretend() {

135

+	# this sucks, but i'd rather have people unable to `emerge -u openssh`

136

+	# than not be able to log in to their server any more

137

+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }

138

+	local fail="

139

+		$(use X509 && maybe_fail X509 X509_PATCH)

140

+		$(use ldap && maybe_fail ldap LDAP_PATCH)

141

+		$(use hpn && maybe_fail hpn HPN_PATCH)

142

+	"

143

+	fail=$(echo ${fail})

144

+	if [[ -n ${fail} ]] ; then

145

+		eerror "Sorry, but this version does not yet support features"

146

+		eerror "that you requested:	 ${fail}"

147

+		eerror "Please mask ${PF} for now and check back later:"

148

+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"

149

+		die "booooo"

150

+	fi

151

+

152

+	# Make sure people who are using tcp wrappers are notified of its removal. #531156

153

+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

154

+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

155

+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

156

+	fi

157

+}

158

+

159

+save_version() {

160

+	# version.h patch conflict avoidence

161

+	mv version.h version.h.$1

162

+	cp -f version.h.pristine version.h

163

+}

164

+

165

+src_prepare() {

166

+	sed -i \

167

+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \

168

+		pathnames.h || die

169

+	# keep this as we need it to avoid the conflict between LPK and HPN changing

170

+	# this file.

171

+	cp version.h version.h.pristine

172

+

173

+	# don't break .ssh/authorized_keys2 for fun

174

+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

175

+

176

+	if use X509 ; then

177

+		if use hpn ; then

178

+			pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null

179

+			epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch

180

+			popd >/dev/null

181

+		fi

182

+		save_version X509

183

+		epatch "${WORKDIR}"/${X509_PATCH%.*}

184

+	fi

185

+

186

+	if use ldap ; then

187

+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}

188

+		save_version LPK

189

+	fi

190

+

191

+	epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex

192

+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch

193

+	epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch

194

+	epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch

195

+	use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}

196

+	use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch

197

+	use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch

198

+

199

+	if use hpn ; then

200

+		EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \

201

+			EPATCH_MULTI_MSG="Applying HPN patchset ..." \

202

+			epatch "${WORKDIR}"/${HPN_PATCH%.*.*}

203

+		save_version HPN

204

+	fi

205

+

206

+	tc-export PKG_CONFIG

207

+	local sed_args=(

208

+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"

209

+		# Disable PATH reset, trust what portage gives us #254615

210

+		-e 's:^PATH=/:#PATH=/:'

211

+		# Disable fortify flags ... our gcc does this for us

212

+		-e 's:-D_FORTIFY_SOURCE=2::'

213

+	)

214

+	# The -ftrapv flag ICEs on hppa #505182

215

+	use hppa && sed_args+=(

216

+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'

217

+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'

218

+	)

219

+	# _XOPEN_SOURCE causes header conflicts on Solaris

220

+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(

221

+		-e 's/-D_XOPEN_SOURCE//'

222

+	)

223

+	sed -i "${sed_args[@]}" configure{.ac,} || die

224

+

225

+	epatch_user #473004

226

+

227

+	# Now we can build a sane merged version.h

228

+	(

229

+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u

230

+		macros=()

231

+		for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done

232

+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"

233

+	) > version.h

234

+

235

+	eautoreconf

236

+}

237

+

238

+src_configure() {

239

+	addwrite /dev/ptmx

240

+

241

+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG

242

+	use static && append-ldflags -static

243

+

244

+	local myconf=(

245

+		--with-ldflags="${LDFLAGS}"

246

+		--disable-strip

247

+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run

248

+		--sysconfdir="${EPREFIX}"/etc/ssh

249

+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc

250

+		--datadir="${EPREFIX}"/usr/share/openssh

251

+		--with-privsep-path="${EPREFIX}"/var/empty

252

+		--with-privsep-user=sshd

253

+		$(use_with audit audit linux)

254

+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)

255

+		# We apply the ldap patch conditionally, so can't pass --without-ldap

256

+		# unconditionally else we get unknown flag warnings.

257

+		$(use ldap && use_with ldap)

258

+		$(use_with ldns)

259

+		$(use_with libedit)

260

+		$(use_with pam)

261

+		$(use_with pie)

262

+		$(use X509 || use_with sctp)

263

+		$(use_with selinux)

264

+		$(use_with skey)

265

+		$(use_with ssh1)

266

+		$(use_with ssl openssl)

267

+		$(use_with ssl md5-passwords)

268

+		$(use_with ssl ssl-engine)

269

+	)

270

+

271

+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748

272

+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )

273

+

274

+	econf "${myconf[@]}"

275

+}

276

+

277

+src_install() {

278

+	emake install-nokeys DESTDIR="${D}"

279

+	fperms 600 /etc/ssh/sshd_config

280

+	dobin contrib/ssh-copy-id

281

+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd

282

+	newconfd "${FILESDIR}"/sshd.confd sshd

283

+

284

+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd

285

+	if use pam ; then

286

+		sed -i \

287

+			-e "/^#UsePAM /s:.*:UsePAM yes:" \

288

+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \

289

+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \

290

+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \

291

+			"${ED}"/etc/ssh/sshd_config || die

292

+	fi

293

+

294

+	# Gentoo tweaks to default config files

295

+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config

296

+

297

+	# Allow client to pass locale environment variables #367017

298

+	AcceptEnv LANG LC_*

299

+	EOF

300

+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config

301

+

302

+	# Send locale environment variables #367017

303

+	SendEnv LANG LC_*

304

+	EOF

305

+

306

+	if use livecd ; then

307

+		sed -i \

308

+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \

309

+			"${ED}"/etc/ssh/sshd_config || die

310

+	fi

311

+

312

+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then

313

+		insinto /etc/openldap/schema/

314

+		newins openssh-lpk_openldap.schema openssh-lpk.schema

315

+	fi

316

+

317

+	doman contrib/ssh-copy-id.1

318

+	dodoc CREDITS OVERVIEW README* TODO sshd_config

319

+	use X509 || dodoc ChangeLog

320

+

321

+	diropts -m 0700

322

+	dodir /etc/skel/.ssh

323

+

324

+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}

325

+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'

326

+}

327

+

328

+src_test() {

329

+	local t skipped=() failed=() passed=()

330

+	local tests=( interop-tests compat-tests )

331

+

332

+	local shell=$(egetshell "${UID}")

333

+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then

334

+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"

335

+		elog "user, so we will run a subset only."

336

+		skipped+=( tests )

337

+	else

338

+		tests+=( tests )

339

+	fi

340

+

341

+	# It will also attempt to write to the homedir .ssh.

342

+	local sshhome=${T}/homedir

343

+	mkdir -p "${sshhome}"/.ssh

344

+	for t in "${tests[@]}" ; do

345

+		# Some tests read from stdin ...

346

+		HOMEDIR="${sshhome}" HOME="${sshhome}" \

347

+		emake -k -j1 ${t} </dev/null \

348

+			&& passed+=( "${t}" ) \

349

+			|| failed+=( "${t}" )

350

+	done

351

+

352

+	einfo "Passed tests: ${passed[*]}"

353

+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"

354

+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"

355

+}

356

+

357

+pkg_preinst() {

358

+	enewgroup sshd 22

359

+	enewuser sshd 22 -1 /var/empty sshd

360

+}

361

+

362

+pkg_postinst() {

363

+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then

364

+		elog "Starting with openssh-5.8p1, the server will default to a newer key"

365

+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"

366

+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."

367

+	fi

368

+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then

369

+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."

370

+	fi

371

+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then

372

+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."

373

+		elog "Make sure to update any configs that you might have.  Note that xinetd might"

374

+		elog "be an alternative for you as it supports USE=tcpd."

375

+	fi

376

+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518

377

+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"

378

+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"

379

+		elog "adding to your sshd_config or ~/.ssh/config files:"

380

+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"

381

+		elog "You should however generate new keys using rsa or ed25519."

382

+

383

+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"

384

+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"

385

+		elog "out of the box.  If you need this, please update your sshd_config explicitly."

386

+	fi

387

+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then

388

+		elog "Be aware that by disabling openssl support in openssh, the server and clients"

389

+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"

390

+		elog "and update all clients/servers that utilize them."

391

+	fi

392

+}

1	commit: 713e5d3b63b36aa4cc6e47fb47214142dbc8d23c
2	Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3	AuthorDate: Tue Nov 14 22:14:56 2017 +0000
4	Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5	CommitDate: Tue Nov 14 22:15:11 2017 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=713e5d3b
7
8	net-misc/openssh: Rev bump to fix CVE-2017-15906
9
10	Bug: https://bugs.gentoo.org/633428
11	Package-Manager: Portage-2.3.13, Repoman-2.3.4
12
13	.../files/openssh-7.5_p1-CVE-2017-15906.patch \| 31 ++
14	net-misc/openssh/openssh-7.5_p1-r3.ebuild \| 332 +++++++++++++++++++++
15	2 files changed, 363 insertions(+)
16
17	diff --git a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
18	new file mode 100644
19	index 00000000000..b97ceb4b278
20	--- /dev/null
21	+++ b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch
22	@@ -0,0 +1,31 @@
23	+From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
24	+From: djm <djm@×××××××.org>
25	+Date: Tue, 4 Apr 2017 00:24:56 +0000
26	+Subject: [PATCH] disallow creation (of empty files) in read-only mode;
27	+ reported by Michal Zalewski, feedback & ok deraadt@
28	+
29	+---
30	+ usr.bin/ssh/sftp-server.c \| 6 +++---
31	+ 1 file changed, 3 insertions(+), 3 deletions(-)
32	+
33	+diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
34	+index 2510d234a3a..42249ebd60d 100644
35	+--- a/usr.bin/ssh/sftp-server.c
36	++++ b/usr.bin/ssh/sftp-server.c
37	+@@ -1,4 +1,4 @@
38	+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
39	++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
40	+ /*
41	+ * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
42	+ *
43	+@@ -683,8 +683,8 @@ process_open(u_int32_t id)
44	+ logit("open \"%s\" flags %s mode 0%o",
45	+ name, string_from_portable(pflags), mode);
46	+ if (readonly &&
47	+- ((flags & O_ACCMODE) == O_WRONLY \|\|
48	+- (flags & O_ACCMODE) == O_RDWR)) {
49	++ ((flags & O_ACCMODE) != O_RDONLY \|\|
50	++ (flags & (O_CREAT\|O_TRUNC)) != 0)) {
51	+ verbose("Refusing open request in read-only mode");
52	+ status = SSH2_FX_PERMISSION_DENIED;
53	+ } else {
54
55	diff --git a/net-misc/openssh/openssh-7.5_p1-r3.ebuild b/net-misc/openssh/openssh-7.5_p1-r3.ebuild
56	new file mode 100644
57	index 00000000000..d9cb2ffe89b
58	--- /dev/null
59	+++ b/net-misc/openssh/openssh-7.5_p1-r3.ebuild
60	@@ -0,0 +1,332 @@
61	+# Copyright 1999-2017 Gentoo Foundation
62	+# Distributed under the terms of the GNU General Public License v2
63	+
64	+EAPI="5"
65	+
66	+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
67	+
68	+# Make it more portable between straight releases
69	+# and _p? releases.
70	+PARCH=${P/_}
71	+
72	+HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
73	+SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
74	+LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz"
75	+X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
76	+
77	+DESCRIPTION="Port of OpenBSD's free SSH release"
78	+HOMEPAGE="http://www.openssh.org/"
79	+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
80	+ ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
81	+ ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
82	+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
83	+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
84	+ "
85	+
86	+LICENSE="BSD GPL-2"
87	+SLOT="0"
88	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
89	+# Probably want to drop ssl defaulting to on in a future version.
90	+IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
91	+REQUIRED_USE="ldns? ( ssl )
92	+ pie? ( !static )
93	+ ssh1? ( ssl )
94	+ static? ( !kerberos !pam )
95	+ X509? ( !ldap !sctp ssl )
96	+ test? ( ssl )"
97	+
98	+LIB_DEPEND="
99	+ audit? ( sys-process/audit[static-libs(+)] )
100	+ ldns? (
101	+ net-libs/ldns[static-libs(+)]
102	+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
103	+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
104	+ )
105	+ libedit? ( dev-libs/libedit:=[static-libs(+)] )
106	+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
107	+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
108	+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
109	+ ssl? (
110	+ !libressl? (
111	+ >=dev-libs/openssl-1.0.1:0=[bindist=]
112	+ dev-libs/openssl:0=[static-libs(+)]
113	+ )
114	+ libressl? ( dev-libs/libressl:0=[static-libs(+)] )
115	+ )
116	+ >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
117	+RDEPEND="
118	+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
119	+ pam? ( virtual/pam )
120	+ kerberos? ( virtual/krb5 )
121	+ ldap? ( net-nds/openldap )"
122	+DEPEND="${RDEPEND}
123	+ static? ( ${LIB_DEPEND} )
124	+ virtual/pkgconfig
125	+ virtual/os-headers
126	+ sys-devel/autoconf"
127	+RDEPEND="${RDEPEND}
128	+ pam? ( >=sys-auth/pambase-20081028 )
129	+ userland_GNU? ( virtual/shadow )
130	+ X? ( x11-apps/xauth )"
131	+
132	+S=${WORKDIR}/${PARCH}
133	+
134	+pkg_pretend() {
135	+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
136	+ # than not be able to log in to their server any more
137	+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
138	+ local fail="
139	+ $(use X509 && maybe_fail X509 X509_PATCH)
140	+ $(use ldap && maybe_fail ldap LDAP_PATCH)
141	+ $(use hpn && maybe_fail hpn HPN_PATCH)
142	+ "
143	+ fail=$(echo ${fail})
144	+ if [[ -n ${fail} ]] ; then
145	+ eerror "Sorry, but this version does not yet support features"
146	+ eerror "that you requested: ${fail}"
147	+ eerror "Please mask ${PF} for now and check back later:"
148	+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
149	+ die "booooo"
150	+ fi
151	+
152	+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
153	+ if grep -qs '^ sshd :' "${EROOT}"/etc/hosts.{allow,deny} ; then
154	+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
155	+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
156	+ fi
157	+}
158	+
159	+save_version() {
160	+ # version.h patch conflict avoidence
161	+ mv version.h version.h.$1
162	+ cp -f version.h.pristine version.h
163	+}
164	+
165	+src_prepare() {
166	+ sed -i \
167	+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
168	+ pathnames.h \|\| die
169	+ # keep this as we need it to avoid the conflict between LPK and HPN changing
170	+ # this file.
171	+ cp version.h version.h.pristine
172	+
173	+ # don't break .ssh/authorized_keys2 for fun
174	+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config \|\| die
175	+
176	+ if use X509 ; then
177	+ if use hpn ; then
178	+ pushd "${WORKDIR}"/${HPN_PATCH%..} >/dev/null
179	+ epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
180	+ popd >/dev/null
181	+ fi
182	+ save_version X509
183	+ epatch "${WORKDIR}"/${X509_PATCH%.*}
184	+ fi
185	+
186	+ if use ldap ; then
187	+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
188	+ save_version LPK
189	+ fi
190	+
191	+ epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
192	+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
193	+ epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch
194	+ epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch
195	+ use X509 \|\| epatch "${WORKDIR}"/${SCTP_PATCH%.*}
196	+ use X509 \|\| epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch
197	+ use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
198	+
199	+ if use hpn ; then
200	+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
201	+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
202	+ epatch "${WORKDIR}"/${HPN_PATCH%..}
203	+ save_version HPN
204	+ fi
205	+
206	+ tc-export PKG_CONFIG
207	+ local sed_args=(
208	+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
209	+ # Disable PATH reset, trust what portage gives us #254615
210	+ -e 's:^PATH=/:#PATH=/:'
211	+ # Disable fortify flags ... our gcc does this for us
212	+ -e 's:-D_FORTIFY_SOURCE=2::'
213	+ )
214	+ # The -ftrapv flag ICEs on hppa #505182
215	+ use hppa && sed_args+=(
216	+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
217	+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
218	+ )
219	+ # _XOPEN_SOURCE causes header conflicts on Solaris
220	+ [[ ${CHOST} == -solaris ]] && sed_args+=(
221	+ -e 's/-D_XOPEN_SOURCE//'
222	+ )
223	+ sed -i "${sed_args[@]}" configure{.ac,} \|\| die
224	+
225	+ epatch_user #473004
226	+
227	+ # Now we can build a sane merged version.h
228	+ (
229	+ sed '/^#define SSH_RELEASE/d' version.h.* \| sort -u
230	+ macros=()
231	+ for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
232	+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
233	+ ) > version.h
234	+
235	+ eautoreconf
236	+}
237	+
238	+src_configure() {
239	+ addwrite /dev/ptmx
240	+
241	+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
242	+ use static && append-ldflags -static
243	+
244	+ local myconf=(
245	+ --with-ldflags="${LDFLAGS}"
246	+ --disable-strip
247	+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
248	+ --sysconfdir="${EPREFIX}"/etc/ssh
249	+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
250	+ --datadir="${EPREFIX}"/usr/share/openssh
251	+ --with-privsep-path="${EPREFIX}"/var/empty
252	+ --with-privsep-user=sshd
253	+ $(use_with audit audit linux)
254	+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
255	+ # We apply the ldap patch conditionally, so can't pass --without-ldap
256	+ # unconditionally else we get unknown flag warnings.
257	+ $(use ldap && use_with ldap)
258	+ $(use_with ldns)
259	+ $(use_with libedit)
260	+ $(use_with pam)
261	+ $(use_with pie)
262	+ $(use X509 \|\| use_with sctp)
263	+ $(use_with selinux)
264	+ $(use_with skey)
265	+ $(use_with ssh1)
266	+ $(use_with ssl openssl)
267	+ $(use_with ssl md5-passwords)
268	+ $(use_with ssl ssl-engine)
269	+ )
270	+
271	+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
272	+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
273	+
274	+ econf "${myconf[@]}"
275	+}
276	+
277	+src_install() {
278	+ emake install-nokeys DESTDIR="${D}"
279	+ fperms 600 /etc/ssh/sshd_config
280	+ dobin contrib/ssh-copy-id
281	+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
282	+ newconfd "${FILESDIR}"/sshd.confd sshd
283	+
284	+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
285	+ if use pam ; then
286	+ sed -i \
287	+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
288	+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
289	+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
290	+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
291	+ "${ED}"/etc/ssh/sshd_config \|\| die
292	+ fi
293	+
294	+ # Gentoo tweaks to default config files
295	+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
296	+
297	+ # Allow client to pass locale environment variables #367017
298	+ AcceptEnv LANG LC_*
299	+ EOF
300	+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
301	+
302	+ # Send locale environment variables #367017
303	+ SendEnv LANG LC_*
304	+ EOF
305	+
306	+ if use livecd ; then
307	+ sed -i \
308	+ -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
309	+ "${ED}"/etc/ssh/sshd_config \|\| die
310	+ fi
311	+
312	+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
313	+ insinto /etc/openldap/schema/
314	+ newins openssh-lpk_openldap.schema openssh-lpk.schema
315	+ fi
316	+
317	+ doman contrib/ssh-copy-id.1
318	+ dodoc CREDITS OVERVIEW README* TODO sshd_config
319	+ use X509 \|\| dodoc ChangeLog
320	+
321	+ diropts -m 0700
322	+ dodir /etc/skel/.ssh
323	+
324	+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
325	+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
326	+}
327	+
328	+src_test() {
329	+ local t skipped=() failed=() passed=()
330	+ local tests=( interop-tests compat-tests )
331	+
332	+ local shell=$(egetshell "${UID}")
333	+ if [[ ${shell} == /nologin ]] \|\| [[ ${shell} == /false ]] ; then
334	+ elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
335	+ elog "user, so we will run a subset only."
336	+ skipped+=( tests )
337	+ else
338	+ tests+=( tests )
339	+ fi
340	+
341	+ # It will also attempt to write to the homedir .ssh.
342	+ local sshhome=${T}/homedir
343	+ mkdir -p "${sshhome}"/.ssh
344	+ for t in "${tests[@]}" ; do
345	+ # Some tests read from stdin ...
346	+ HOMEDIR="${sshhome}" HOME="${sshhome}" \
347	+ emake -k -j1 ${t} </dev/null \
348	+ && passed+=( "${t}" ) \
349	+ \|\| failed+=( "${t}" )
350	+ done
351	+
352	+ einfo "Passed tests: ${passed[*]}"
353	+ [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
354	+ [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
355	+}
356	+
357	+pkg_preinst() {
358	+ enewgroup sshd 22
359	+ enewuser sshd 22 -1 /var/empty sshd
360	+}
361	+
362	+pkg_postinst() {
363	+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
364	+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
365	+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
366	+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
367	+ fi
368	+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
369	+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
370	+ fi
371	+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
372	+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
373	+ elog "Make sure to update any configs that you might have. Note that xinetd might"
374	+ elog "be an alternative for you as it supports USE=tcpd."
375	+ fi
376	+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
377	+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
378	+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
379	+ elog "adding to your sshd_config or ~/.ssh/config files:"
380	+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
381	+ elog "You should however generate new keys using rsa or ed25519."
382	+
383	+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
384	+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
385	+ elog "out of the box. If you need this, please update your sshd_config explicitly."
386	+ fi
387	+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
388	+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
389	+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
390	+ elog "and update all clients/servers that utilize them."
391	+ fi
392	+}

Gentoo Archives: gentoo-commits