openssh: Disable roaming (security fix)

Fixes CVE-2016-0777 and CVE-0216-0778. Closes #12385.
2024-11-21 13:10:33 +00:00 · 2016-01-14 16:28:43 +01:00 · 2016-01-14 16:28:43 +01:00 · 2d65772950
parent 0fa58f4e01
commit 2d65772950
2 changed files with 52 additions and 1 deletions
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
      export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
    '';

-  patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch ]
+  patches = [ ./locale_archive.patch ./openssh-6.9p1-security-7.0.patch ./disable-roaming.patch ]
    ++ optional withGssapiPatches gssapiSrc;

  buildInputs = [ zlib openssl libedit pkgconfig pam ]
--- a/pkgs/tools/networking/openssh/disable-roaming.patch
+++ b/pkgs/tools/networking/openssh/disable-roaming.patch
@ -0,0 +1,51 @@
+From b842c1891b9979e30a6b53292a236ceb9231be79 Mon Sep 17 00:00:00 2001
+From: Franz Pletz <fpletz@fnordicwalking.de>
+Date: Thu, 14 Jan 2016 16:25:50 +0100
+Subject: [PATCH] Disable roaming, fixes CVE-2016-0777 and CVE-0216-0778
+
+Based on http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/010_ssh.patch.sig
+---
+ readconf.c | 5 ++---
+ ssh.c      | 3 ---
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index db7d0bb..5b03f97 100644
+--- a/readconf.c
+++ b/readconf.c
+@@ -1660,7 +1660,7 @@ initialize_options(Options * options)
+ 	options->tun_remote = -1;
+ 	options->local_command = NULL;
+ 	options->permit_local_command = -1;
+-	options->use_roaming = -1;
+	options->use_roaming = 0;
+ 	options->visual_host_key = -1;
+ 	options->ip_qos_interactive = -1;
+ 	options->ip_qos_bulk = -1;
+@@ -1835,8 +1835,7 @@ fill_default_options(Options * options)
+ 		options->tun_remote = SSH_TUNID_ANY;
+ 	if (options->permit_local_command == -1)
+ 		options->permit_local_command = 0;
+-	if (options->use_roaming == -1)
+-		options->use_roaming = 1;
+	options->use_roaming = 0;
+ 	if (options->visual_host_key == -1)
+ 		options->visual_host_key = 0;
+ 	if (options->ip_qos_interactive == -1)
+diff --git a/ssh.c b/ssh.c
+index 3fd5a94..e8428b5 100644
+--- a/ssh.c
+++ b/ssh.c
+@@ -1931,9 +1931,6 @@ ssh_session2(void)
+ 			fork_postauth();
+ 	}
+ 
+-	if (options.use_roaming)
+-		request_roaming();
+-
+ 	return client_loop(tty_flag, tty_flag ?
+ 	    options.escape_char : SSH_ESCAPECHAR_NONE, id);
+ }
+-- 
+2.7.0
+