diff --git a/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch b/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch
new file mode 100644
index 000000000000..665eff864530
--- /dev/null
+++ b/pkgs/tools/networking/openssh/RH-1380296-NEWKEYS-null-pointer-deref.patch
@@ -0,0 +1,37 @@
+diff --git a/kex.c b/kex.c
+index 50c7a0f..823668b 100644
+--- a/kex.c
++++ b/kex.c
+@@ -419,6 +419,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
+ ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ return r;
++ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
++ return r;
+ kex->done = 1;
+ sshbuf_reset(kex->peer);
+ /* sshbuf_reset(kex->my); */
+diff --git a/packet.c b/packet.c
+index d6dad2d..f96566b 100644
+--- a/packet.c
++++ b/packet.c
+@@ -38,7 +38,7 @@
+ */
+
+ #include "includes.h"
+-
++
+ #include /* MIN roundup */
+ #include
+ #include "openbsd-compat/sys-queue.h"
+@@ -1907,9 +1907,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ return r;
+ return SSH_ERR_PROTOCOL_ERROR;
+ }
+- if (*typep == SSH2_MSG_NEWKEYS)
+- r = ssh_set_newkeys(ssh, MODE_IN);
+- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
++ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ r = ssh_packet_enable_delayed_compress(ssh);
+ else
+ r = 0;
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index ce323bae4e78..064f68947b80 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
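Review bot: The `@@ -38,7 +38,7 @@` hunk for packet.c is a whitespace-only change (a blank line replaced by one containing only whitespace) that has nothing to do with the NEWKEYS fix; dropping it from the backport keeps the patch minimal and avoids a spurious conflict on the next version bump. The functional part — calling `ssh_set_newkeys(ssh, MODE_IN)` from kex_input_newkeys after `sshpkt_get_end` instead of from ssh_packet_read_poll2 — means the key switch only happens while kex_input_newkeys is the registered handler, so a NEWKEYS arriving outside a key exchange presumably no longer reaches ssh_set_newkeys with an unset kex; both enclosing functions start outside their hunks, so the early-return path on failure should be confirmed against the full bodies. The patch file also carries no description; a leading line such as `Backport of the upstream NEWKEYS null-dereference fix (RH bug 1380296); drop once openssh is at 7.4p1 or later.` would tell the next maintainer when it can be removed.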
@@ -29,11 +29,11 @@ stdenv.mkDerivation rec {
 # Please ensure that openssh_with_kerberos still builds when
 # bumping the version here!
 name = "openssh-${version}";
- version = "7.4p1";
+ version = "7.3p1";
 src = fetchurl {
 url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
- sha256 = "1l8r3x4fr2kb6xm95s7kjdif1wp6f94d4kljh4qjj9109shw87qv";
+ sha256 = "1k5y1wi29d47cgizbryxrhc1fbjsba2x8l5mqfa9b9nadnd9iyrz";
 };
 prePatch = optionalString hpnSupport
@@ -44,11 +44,13 @@ stdenv.mkDerivation rec {
 patches =
 [
+ ./RH-1380296-NEWKEYS-null-pointer-deref.patch
 ./locale_archive.patch
 ./fix-host-key-algorithms-plus.patch
 # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
 ./dont_create_privsep_path.patch
+ ./fix-CVE-2016-8858.patch
 ]
 ++ optional withGssapiPatches gssapiSrc;
diff --git a/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch b/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch
new file mode 100644
index 000000000000..e526161083c0
--- /dev/null
+++ b/pkgs/tools/networking/openssh/fix-CVE-2016-8858.patch
@@ -0,0 +1,11 @@
+diff -u -r1.126 -r1.127
+--- ssh/kex.c 2016/09/28 21:44:52 1.126
++++ ssh/kex.c 2016/10/10 19:28:48 1.127
+@@ -461,6 +461,7 @@
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
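Review bot: The `version` line moves from 7.4p1 back to 7.3p1 with no comment explaining the downgrade, and the existing comment above it only talks about openssh_with_kerberos. Going back a release discards any other fix that landed in 7.4p1 unless it is backported as well, so the reason for the pin and the fact that fixes are carried as patches should be recorded next to it, e.g. `# Pinned to 7.3p1 (reverted from 7.4p1); security fixes are backported via the patches below — re-check on the next bump.` The sha256 change is consistent with the new tarball name derived from the version line.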
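Review bot: The added `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);` relies on the KEXINIT handler being registered again once the exchange completes (presumably in kex_reset_dispatch, which is outside this hunk); if the 7.3p1 tree does not do that, a legitimate rekey would be rejected as a protocol error, so a rekeying session (for example with a small `RekeyLimit`) is worth exercising after the patch is applied. The hunk header carries no function name and the enclosing function starts outside the hunk, so the `kex == NULL` early return that precedes the new line is the only context visible here. The patch file itself records only the CVS revisions; a one-line description above the `diff -u` header, such as `Unregister the KEXINIT handler once the peer's KEXINIT has been stored: the sshbuf_put below appends each received KEXINIT to kex->peer, so a repeated KEXINIT could otherwise grow it without bound (CVE-2016-8858).` keeps the intent with the patch.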