aboutsummaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2019-01-15 08:52:52 -0500
committerLeo Famulari <leo@famulari.name>2019-01-17 14:02:04 -0500
commit2b65a9e6d18c661f5bb6b3e557973c52b3294e87 (patch)
tree2a9105013dd1ba11da22dec4e5db1b8cd4af0a9c /gnu
parent65cd70ce42d4a46a65f284cbd1386e3e169383e4 (diff)
downloadguix-2b65a9e6d18c661f5bb6b3e557973c52b3294e87.tar.gz
guix-2b65a9e6d18c661f5bb6b3e557973c52b3294e87.zip
gnu: OpenSSH: Fix CVE-2018-20685.
* gnu/packages/patches/openssh-CVE-2018-20685.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/ssh.scm (openssh)[source]: Use it.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/openssh-CVE-2018-20685.patch44
-rw-r--r--gnu/packages/ssh.scm1
3 files changed, 46 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 1619e34404..99ebdaad4a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1088,6 +1088,7 @@ dist_patch_DATA = \
%D%/packages/patches/openldap-CVE-2017-9287.patch \
%D%/packages/patches/openocd-nrf52.patch \
%D%/packages/patches/opensmtpd-fix-crash.patch \
+ %D%/packages/patches/openssh-CVE-2018-20685.patch \
%D%/packages/patches/openssl-runpath.patch \
%D%/packages/patches/openssl-1.1-c-rehash-in.patch \
%D%/packages/patches/openssl-c-rehash-in.patch \
diff --git a/gnu/packages/patches/openssh-CVE-2018-20685.patch b/gnu/packages/patches/openssh-CVE-2018-20685.patch
new file mode 100644
index 0000000000..463c08a9d4
--- /dev/null
+++ b/gnu/packages/patches/openssh-CVE-2018-20685.patch
@@ -0,0 +1,44 @@
+Fix CVE-2018-20685:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685
+
+Patch copied from upstream source repository:
+
+https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2
+
+From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Nov 2018 03:03:10 +0000
+Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
+ to the
+
+current directory; based on report/patch from Harry Sintonen
+
+OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
+---
+ scp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/scp.c b/scp.c
+index 60682c68..4f3fdcd3 100644
+--- a/scp.c
++++ b/scp.c
+#@@ -1,4 +1,4 @@
+#-/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
+#+/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
+# /*
+# * scp - secure remote copy. This is basically patched BSD rcp which
+# * uses ssh to do the data transfer (instead of using rcmd).
+@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
+ SCREWUP("size out of range");
+ size = (off_t)ull;
+
+- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ if (*cp == '\0' || strchr(cp, '/') != NULL ||
++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
+--
+2.20.1
+
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 88230c5054..78659fbbf4 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -149,6 +149,7 @@ a server that supports the SSH-2 protocol.")
(method url-fetch)
(uri (string-append "mirror://openbsd/OpenSSH/portable/"
name "-" version ".tar.gz"))
+ (patches (search-patches "openssh-CVE-2018-20685.patch"))
(sha256
(base32
"1b8sy6v0b8v4ggmknwcqx3y1rjcpsll0f1f8f4vyv11x4ni3njvb"))))
generated by cgit
scripts/pack.scm (self-contained-tarball): Add #:entry-point and warn when it's true. (squashfs-image): Add #:entry-point and honor it. (docker-image): Add #:entry-point and honor it. (%options, show-help): Add '--entry-point'. (guix-pack): Honor '--entry-point' and pass #:entry-point to BUILD-IMAGE. * gnu/tests/docker.scm (run-docker-test): Test 'docker run' with the default entry point. (build-tarball&run-docker-test): Pass #:entry-point to 'docker-image'. * doc/guix.texi (Invoking guix pack): Document it. * gnu/tests/singularity.scm (run-singularity-test)["singularity run"]: New test. (build-tarball&run-singularity-test): Pass #:entry-point to 'squashfs-image'. Ludovic Courtès 2019-06-07services: Add Singularity....* gnu/packages/linux.scm (singularity)[source](snippet): Change file name of setuid helpers in libexec/cli/*.exec. [arguments]: Remove "--disable-suid". * gnu/services/docker.scm (%singularity-activation): New variable. (singularity-setuid-programs): New procedure. (singularity-service-type): New variable. * gnu/tests/singularity.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * doc/guix.texi (Miscellaneous Services): Document it. Ludovic Courtès 2019-05-31services: Add patchwork....* gnu/service/web.scm (<patchwork-database-configuration> <patchwork-settings-module>, <patchwork-configuration>): New record types. (patchwork-virtualhost): New procedure. (patchwork-service-type): New variable. * gnu/tests/web.scm (%test-patchwork): New variable. * doc/guix.text (Web Services): Document it. Christopher Baines 2019-05-31services: Add getmail....Getmail is a mail retriever written in Python, this commit adds a service-type to run getmail. I'm looking at this, as it's a convinient way of getting mailing list messages in to Patchwork. I initially tried putting this in the (gnu services mail) module, but due to also trying to use the define-configuration pattern, it conflicted with the dovecot service. * gnu/services/getmail.scm: New file. * gnu/local.mk: Add it. * gnu/tests/mail.scm (%getmail-os, %test-getmail): New variables. (run-getmail-test): New procedure. Christopher Baines 2019-05-15vm: 'system-docker-image' provides an entry point....This simplifies use of images created with 'guix system docker-image'. * gnu/system/vm.scm (system-docker-image)[boot-program]: New variable. [os]: Add it to the GC roots. [build]: Pass #:entry-point to 'build-docker-image'. * gnu/tests/docker.scm (run-docker-system-test): New procedure. (%test-docker-system): New variable. * doc/guix.texi (Invoking guix system): Remove GUIX_NEW_SYSTEM hack and '--entrypoint' from the example. Mention 'docker create', 'docker start', and 'docker exec'. Ludovic Courtès 2019-05-15system: Add 'operating-system-with-gc-roots'....* gnu/tests/install.scm (operating-system-with-gc-roots): Move to... * gnu/system.scm (operating-system-with-gc-roots): ... here. New procedure. Ludovic Courtès 2019-05-15tests: Skip unreliable "herd invalidate nscd" test....* gnu/tests/base.scm (run-basic-test)["nscd invalidate action, wrong table"]: Skip unconditionally. Ludovic Courtès 2019-05-15tests: 'getlogin' test creates its file atomically....Previously we could end up reading an empty /root/login-id file. * gnu/tests/base.scm (run-basic-test)["getlogin on tty1"]: Create /root/login-id atomically. Ludovic Courtès 2019-05-09services: Log-in services now require "pam_loginuid"....Fixes <https://bugs.gnu.org/35553>. Reported by Bruno Haible <bruno@clisp.org>. * gnu/services/base.scm (login-pam-service): Pass #:login-uid? #t to 'unix-pam-service'. * gnu/services/ssh.scm (lsh-pam-services, openssh-pam-services): Likewise. * gnu/services/xorg.scm (slim-pam-service): Likewise. (gdm-pam-service): Likewise for "gdm-autologin" and "gdm-password". * gnu/tests/base.scm (run-basic-test)["getlogin on tty1"]: New test. * gnu/tests/ssh.scm (run-ssh-test): Add #:test-getlogin? parameter. ["getlogin"]: New test. (%test-dropbear): Pass #:test-getlogin? #f. Ludovic Courtès 2019-04-14tests: separate-store-os: Increase root partition size....* gnu/tests/install.scm (%separate-store-installation-script): Increase size of the root partition so that it's big enough to contain downloaded nars and temporary files. Add 'df -h /mnt/gnu'. Ludovic Courtès 2019-03-31services: Open vSwitch: Provide a default configuration....* gnu/services/networking.scm (openvswitch-service-type): Provide OPENVSWITCH-CONFIGURATION as a default value. * gnu/tests/networking.scm (%openvswitch-os): Don't configure the service. Marius Bakke