new file mode 100644

@@ -0,0 +1,143 @@

+From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001

+From: djm <djm@openbsd.org>

+Date: Tue, 31 Jul 2018 03:10:27 +0000

+Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=

+ =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=

+ =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=

+ =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+---

+ auth2-gss.c       | 11 +++++++----

+ auth2-hostbased.c | 11 ++++++-----

+ auth2-pubkey.c    | 25 +++++++++++++++----------

+ 3 files changed, 28 insertions(+), 19 deletions(-)

+

+diff --git a/auth2-gss.c b/auth2-gss.c

+index 1ca8357..eb9ee39 100644

+--- a/auth2-gss.c

+@@ -1,4 +1,4 @@

+-/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */

++/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */

+ 

+ /*

+  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.

+@@ -68,9 +68,6 @@ userauth_gssapi(Authctxt *authctxt)

+ 	u_int len;

+ 	u_char *doid = NULL;

+ 

+-	if (!authctxt->valid || authctxt->user == NULL)

+-		return (0);

+-

+ 	mechs = packet_get_int();

+ 	if (mechs == 0) {

+ 		debug("Mechanism negotiation is not supported");

+@@ -109,6 +106,12 @@ userauth_gssapi(Authctxt *authctxt)

+ 		return (0);

+ 	}

+ 

++       if (!authctxt->valid || authctxt->user == NULL) {

++               debug2("%s: disabled because of invalid user", __func__);

++               free(doid);

++               return (0);

++       }

++

+ 	authctxt->methoddata = (void *)ctxt;

+ 

+ 	packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);

+diff --git a/auth2-hostbased.c b/auth2-hostbased.c

+index 1b3c3b2..1ec2cce 100644

+--- a/auth2-hostbased.c

+@@ -1,4 +1,4 @@

+-/* $OpenBSD: auth2-hostbased.c,v 1.26 2016/03/07 19:02:43 djm Exp $ */

++/* $OpenBSD: auth2-hostbased.c,v 1.36 2018/07/31 03:10:27 djm Exp $ */

+ /*

+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.

+  *

+@@ -66,10 +66,6 @@ userauth_hostbased(Authctxt *authctxt)

+ 	int pktype;

+ 	int authenticated = 0;

+ 

+-	if (!authctxt->valid) {

+-		debug2("userauth_hostbased: disabled because of invalid user");

+-		return 0;

+-	}

+ 	pkalg = packet_get_string(&alen);

+ 	pkblob = packet_get_string(&blen);

+ 	chost = packet_get_string(NULL);

+@@ -115,6 +111,11 @@ userauth_hostbased(Authctxt *authctxt)

+ 		goto done;

+ 	}

+ 

++        if (!authctxt->valid || authctxt->user == NULL) {

++                debug2("%s: disabled because of invalid user", __func__);

++                goto done;

++        }

++

+ 	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :

+ 	    authctxt->service;

+ 	buffer_init(&b);

+diff --git a/auth2-pubkey.c b/auth2-pubkey.c

+index 20f3309..601a153 100644

+--- a/auth2-pubkey.c

+@@ -1,4 +1,4 @@

+-/* $OpenBSD: auth2-pubkey.c,v 1.60 2016/11/30 02:57:40 djm Exp $ */

++/* $OpenBSD: auth2-pubkey.c,v 1.83 2018/07/31 03:10:27 djm Exp $ */

+ /*

+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.

+  *

+@@ -79,16 +79,12 @@ userauth_pubkey(Authctxt *authctxt)

+ {

+ 	Buffer b;

+ 	Key *key = NULL;

+-	char *pkalg, *userstyle, *fp = NULL;

+-	u_char *pkblob, *sig;

++	char *pkalg = NULL, *userstyle = NULL, *fp = NULL;

++	u_char *pkblob = NULL, *sig = NULL;

+ 	u_int alen, blen, slen;

+ 	int have_sig, pktype;

+ 	int authenticated = 0;

+ 

+-	if (!authctxt->valid) {

+-		debug2("%s: disabled because of invalid user", __func__);

+-		return 0;

+-	}

+ 	have_sig = packet_get_char();

+ 	if (datafellows & SSH_BUG_PKAUTH) {

+ 		debug2("%s: SSH_BUG_PKAUTH", __func__);

+@@ -149,6 +145,11 @@ userauth_pubkey(Authctxt *authctxt)

+ 		} else {

+ 			buffer_put_string(&b, session_id2, session_id2_len);

+ 		}

++                if (!authctxt->valid || authctxt->user == NULL) {

++                        debug2("%s: disabled because of invalid user",

++                            __func__);

++                        goto done;

++                }

+ 		/* reconstruct packet */

+ 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);

+ 		xasprintf(&userstyle, "%s%s%s", authctxt->user,

+@@ -184,12 +185,17 @@ userauth_pubkey(Authctxt *authctxt)

+ 			key = NULL; /* Don't free below */

+ 		}

+ 		buffer_free(&b);

+-		free(sig);

+ 	} else {

+ 		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",

+ 		    __func__, sshkey_type(key), fp);

+ 		packet_check_eom();

+ 

++                if (!authctxt->valid || authctxt->user == NULL) {

++                        debug2("%s: disabled because of invalid user",

++                            __func__);

++                        goto done;

++                }

++

+ 		/* XXX fake reply and always send PK_OK ? */

+ 		/*

+ 		 * XXX this allows testing whether a user is allowed

new file mode 100644

@@ -0,0 +1,33 @@

+From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001

+From: "djm@openbsd.org" <djm@openbsd.org>

+Date: Fri, 16 Nov 2018 03:03:10 +0000

+Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer

+ to the

+

+current directory; based on report/patch from Harry Sintonen

+

+OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9

+---

+ scp.c | 5 +++--

+ 1 file changed, 3 insertions(+), 2 deletions(-)

+

+diff --git a/scp.c b/scp.c

+index b4db851..3faf2a5 100644

+--- a/scp.c

+@@ -1,4 +1,4 @@

+-/* $OpenBSD: scp.c,v 1.187 2016/09/12 01:22:38 deraadt Exp $ */

++/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */

+ /*

+  * scp - secure remote copy.  This is basically patched BSD rcp which

+  * uses ssh to do the data transfer (instead of using rcmd).

+@@ -1047,7 +1047,8 @@ sink(int argc, char **argv)

+ 			size = size * 10 + (*cp++ - '0');

+ 		if (*cp++ != ' ')

+ 			SCREWUP("size not delimited");

+-		if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {

++                if (*cp == '\0' || strchr(cp, '/') != NULL ||

++                    strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {

+ 			run_err("error: unexpected filename: %s", cp);

+ 			exit(1);

+ 		}

@@ -1,7 +1,7 @@

 Summary:        Free version of the SSH connectivity tools

 Name:           openssh

 Version:        7.4p1

-Release:        7%{?dist}

+Release:        8%{?dist}

 License:        BSD

 URL:            https://www.openssh.com/

 Group:          System Environment/Security

@@ -15,6 +15,8 @@ Patch0:         blfs_systemd_fixes.patch

 Patch1:         openssh-7.4p1-fips.patch

 Patch2:         openssh-7.4p1-configure-fips.patch

 Patch3:         openssh-CVE-2017-15906.patch

+Patch4:         openssh-CVE-2018-15473.patch

+Patch5:         openssh-CVE-2018-20685.patch

 BuildRequires:  openssl-devel

 BuildRequires:  Linux-PAM

 BuildRequires:  krb5

@@ -36,6 +38,8 @@ tar xf %{SOURCE1}

 %patch1 -p1

 %patch2 -p1

 %patch3 -p3

+%patch4 -p1

+%patch5 -p1

 %build

 ./configure \

     CFLAGS="%{optflags}" \

@@ -144,6 +148,8 @@ rm -rf %{buildroot}/*

 %{_mandir}/man8/*

 %attr(700,root,sys)/var/lib/sshd

 %changelog

+*   Wed Feb 13 2019 Ankit Jain <ankitja@vmware.comm> 7.4p1-8

+-   Fix CVE-2018-15473 and CVE-2018-20685

 *   Tue Nov 28 2017 Xiaolin Li <xiaolinl@vmware.comm> 7.4p1-7

 -   Fix CVE-2017-15906.

 *   Tue Nov 14 2017 Anish Swaminathan <anishs@vmware.com> 7.4p1-6