authorAnuj Mittal <anuj.mittal@intel.com>2019-04-29 14:26:36 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-04-30 12:05:23 +0100
commite0a6bdaa64ab8c8dd7ba583d1f9c7f73396f2331 (patch)
treee7242cc889c8a6e29fd701ff4eafff31c0d712c9 /meta/recipes-connectivity/openssh
parent71a546aaf3a7da8487a90f20ac211dd31d852d85 (diff)
downloadpoky-e0a6bdaa64ab8c8dd7ba583d1f9c7f73396f2331.tar.gz
openssh: fix CVE-2018-20685, CVE-2019-6109, CVE-2019-6111
Also backport a patch to fix issues introduced by the fix for CVE-2019-6109. (From OE-Core rev: 31b7485d8377c1c535d1878220bbc1d49dc5f13e) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssh')
-rw-r--r--meta/recipes-connectivity/openssh/openssh/0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch121
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2018-20685.patch40
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2019-6109.patch275
-rw-r--r--meta/recipes-connectivity/openssh/openssh/CVE-2019-6111.patch187
-rw-r--r--meta/recipes-connectivity/openssh/openssh_7.9p1.bb4
5 files changed, 627 insertions, 0 deletions
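--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch
@@ -0,0 +1,121 @@
+From 5df934e2279e8ed1f07b990f4b2b3baf6470f7e5 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 24 Jan 2019 16:52:17 +0000
+Subject: [PATCH] upstream: Have progressmeter force an update at the beginning
+ and
+
+end of each transfer. Fixes the problem recently introduces where very quick
+transfers do not display the progressmeter at all. Spotted by naddy@
+
+OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
+Ustream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ progressmeter.c | 13 +++++--------
+ progressmeter.h | 4 ++--
+ scp.c | 2 +-
+ sftp-client.c | 2 +-
+ 4 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/progressmeter.c b/progressmeter.c
+index add462d..e385c12 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
++/* $OpenBSD: progressmeter.c,v 1.47 2019/01/24 16:52:17 dtucker Exp $ */
+ /*
+ * Copyright (c) 2003 Nils Nordman. All rights reserved.
+ *
+@@ -59,9 +59,6 @@ static void format_rate(char *, int, off_t);
+ static void sig_winch(int);
+ static void setscreensize(void);
+
+-/* updates the progressmeter to reflect the current state of the transfer */
+-void refresh_progress_meter(void);
+-
+ /* signal handler for updating the progress meter */
+ static void sig_alarm(int);
+
+@@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t bytes)
+ }
+
+ void
+-refresh_progress_meter(void)
++refresh_progress_meter(int force_update)
+ {
+ char buf[MAX_WINSIZE + 1];
+ off_t transferred;
+@@ -131,7 +128,7 @@ refresh_progress_meter(void)
+ int hours, minutes, seconds;
+ int file_len;
+
+- if ((!alarm_fired && !win_resized) || !can_output())
++ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+ return;
+ alarm_fired = 0;
+
+@@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+ bytes_per_second = 0;
+
+ setscreensize();
+- refresh_progress_meter();
++ refresh_progress_meter(1);
+
+ signal(SIGALRM, sig_alarm);
+ signal(SIGWINCH, sig_winch);
+@@ -271,7 +268,7 @@ stop_progress_meter(void)
+
+ /* Ensure we complete the progress */
+ if (cur_pos != end_pos)
+- refresh_progress_meter();
++ refresh_progress_meter(1);
+
+ atomicio(vwrite, STDOUT_FILENO, "\n", 1);
+ }
+diff --git a/progressmeter.h b/progressmeter.h
+index 8f66780..1703ea7 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
++/* $OpenBSD: progressmeter.h,v 1.5 2019/01/24 16:52:17 dtucker Exp $ */
+ /*
+ * Copyright (c) 2002 Nils Nordman. All rights reserved.
+ *
+@@ -24,5 +24,5 @@
+ */
+
+ void start_progress_meter(const char *, off_t, off_t *);
+-void refresh_progress_meter(void);
++void refresh_progress_meter(int);
+ void stop_progress_meter(void);
+diff --git a/scp.c b/scp.c
+index 4a342a6..0587cec 100644
+--- a/scp.c
++++ b/scp.c
+@@ -585,7 +585,7 @@ scpio(void *_cnt, size_t s)
+ off_t *cnt = (off_t *)_cnt;
+
+ *cnt += s;
+- refresh_progress_meter();
++ refresh_progress_meter(0);
+ if (limit_kbps > 0)
+ bandwidth_limit(&bwlimit, s);
+ return 0;
+diff --git a/sftp-client.c b/sftp-client.c
+index 2bc698f..cf2887a 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -101,7 +101,7 @@ sftpio(void *_bwlimit, size_t amount)
+ {
+ struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
+
+- refresh_progress_meter();
++ refresh_progress_meter(0);
+ if (bwlimit != NULL)
+ bandwidth_limit(bwlimit, amount);
+ return 0;
+--
+2.7.4
+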
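Review bot: The patch header at line 11 of this file spells the metadata tag `Ustream-Status: Backport`, so tooling that keys on the `Upstream-Status:` tag will not find it; it should read `Upstream-Status: Backport`. The same misspelling is in CVE-2018-20685.patch (line 12) and CVE-2019-6111.patch (line 21), while CVE-2019-6109.patch has it right, so the three headers should be brought in line with that one. The code hunks themselves are a verbatim upstream backport and raise nothing further.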
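--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2018-20685.patch
@@ -0,0 +1,40 @@
+From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Nov 2018 03:03:10 +0000
+Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
+ to the
+
+current directory; based on report/patch from Harry Sintonen
+
+OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
+
+CVE: CVE-2018-20685
+Ustream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ scp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/scp.c b/scp.c
+index 60682c6..4f3fdcd 100644
+--- a/scp.c
++++ b/scp.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
++/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
+ /*
+ * scp - secure remote copy. This is basically patched BSD rcp which
+ * uses ssh to do the data transfer (instead of using rcmd).
+@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
+ SCREWUP("size out of range");
+ size = (off_t)ull;
+
+- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ if (*cp == '\0' || strchr(cp, '/') != NULL ||
++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
+--
+2.7.4
+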
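--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2019-6109.patch
@@ -0,0 +1,275 @@
+From 15d47c3bd8551521240bc459fc004c280daef817 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Wed, 23 Jan 2019 08:01:46 +0000
+Subject: [PATCH] upstream: Sanitize scp filenames via snmprintf. To do this we
+ move
+
+the progressmeter formatting outside of signal handler context and have the
+atomicio callback called for EINTR too. bz#2434 with contributions from djm
+and jjelen at redhat.com, ok djm@
+
+OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
+CVE: CVE-2019-6109
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ atomicio.c | 20 +++++++++++++++-----
+ progressmeter.c | 53 ++++++++++++++++++++++++-----------------------------
+ progressmeter.h | 3 ++-
+ scp.c | 1 +
+ sftp-client.c | 16 +++++++++-------
+ 5 files changed, 51 insertions(+), 42 deletions(-)
+
+diff --git a/atomicio.c b/atomicio.c
+index f854a06..d91bd76 100644
+--- a/atomicio.c
++++ b/atomicio.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
++/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2006 Damien Miller. All rights reserved.
+ * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
+@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
+ res = (f) (fd, s + pos, n - pos);
+ switch (res) {
+ case -1:
+- if (errno == EINTR)
++ if (errno == EINTR) {
++ /* possible SIGALARM, update callback */
++ if (cb != NULL && cb(cb_arg, 0) == -1) {
++ errno = EINTR;
++ return pos;
++ }
+ continue;
+- if (errno == EAGAIN || errno == EWOULDBLOCK) {
++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READ_COMPARISON
+ (void)poll(&pfd, 1, -1);
+ #endif
+@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
+ res = (f) (fd, iov, iovcnt);
+ switch (res) {
+ case -1:
+- if (errno == EINTR)
++ if (errno == EINTR) {
++ /* possible SIGALARM, update callback */
++ if (cb != NULL && cb(cb_arg, 0) == -1) {
++ errno = EINTR;
++ return pos;
++ }
+ continue;
+- if (errno == EAGAIN || errno == EWOULDBLOCK) {
++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READV_COMPARISON
+ (void)poll(&pfd, 1, -1);
+ #endif
+diff --git a/progressmeter.c b/progressmeter.c
+index fe9bf52..add462d 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
++/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2003 Nils Nordman. All rights reserved.
+ *
+@@ -31,6 +31,7 @@
+
+ #include <errno.h>
+ #include <signal.h>
++#include <stdarg.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <time.h>
+@@ -39,6 +40,7 @@
+ #include "progressmeter.h"
+ #include "atomicio.h"
+ #include "misc.h"
++#include "utf8.h"
+
+ #define DEFAULT_WINSIZE 80
+ #define MAX_WINSIZE 512
+@@ -61,7 +63,7 @@ static void setscreensize(void);
+ void refresh_progress_meter(void);
+
+ /* signal handler for updating the progress meter */
+-static void update_progress_meter(int);
++static void sig_alarm(int);
+
+ static double start; /* start progress */
+ static double last_update; /* last progress update */
+@@ -74,6 +76,7 @@ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ static int win_size; /* terminal window size */
+ static volatile sig_atomic_t win_resized; /* for window resizing */
++static volatile sig_atomic_t alarm_fired;
+
+ /* units for format_size */
+ static const char unit[] = " KMGT";
+@@ -126,9 +129,17 @@ refresh_progress_meter(void)
+ off_t bytes_left;
+ int cur_speed;
+ int hours, minutes, seconds;
+- int i, len;
+ int file_len;
+
++ if ((!alarm_fired && !win_resized) || !can_output())
++ return;
++ alarm_fired = 0;
++
++ if (win_resized) {
++ setscreensize();
++ win_resized = 0;
++ }
++
+ transferred = *counter - (cur_pos ? cur_pos : start_pos);
+ cur_pos = *counter;
+ now = monotime_double();
+@@ -158,16 +169,11 @@ refresh_progress_meter(void)
+
+ /* filename */
+ buf[0] = '\0';
+- file_len = win_size - 35;
++ file_len = win_size - 36;
+ if (file_len > 0) {
+- len = snprintf(buf, file_len + 1, "\r%s", file);
+- if (len < 0)
+- len = 0;
+- if (len >= file_len + 1)
+- len = file_len;
+- for (i = len; i < file_len; i++)
+- buf[i] = ' ';
+- buf[file_len] = '\0';
++ buf[0] = '\r';
++ snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
++ file_len * -1, file);
+ }
+
+ /* percent of transfer done */
+@@ -228,22 +234,11 @@ refresh_progress_meter(void)
+
+ /*ARGSUSED*/
+ static void
+-update_progress_meter(int ignore)
++sig_alarm(int ignore)
+ {
+- int save_errno;
+-
+- save_errno = errno;
+-
+- if (win_resized) {
+- setscreensize();
+- win_resized = 0;
+- }
+- if (can_output())
+- refresh_progress_meter();
+-
+- signal(SIGALRM, update_progress_meter);
++ signal(SIGALRM, sig_alarm);
++ alarm_fired = 1;
+ alarm(UPDATE_INTERVAL);
+- errno = save_errno;
+ }
+
+ void
+@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+ bytes_per_second = 0;
+
+ setscreensize();
+- if (can_output())
+- refresh_progress_meter();
++ refresh_progress_meter();
+
+- signal(SIGALRM, update_progress_meter);
++ signal(SIGALRM, sig_alarm);
+ signal(SIGWINCH, sig_winch);
+ alarm(UPDATE_INTERVAL);
+ }
+@@ -286,6 +280,7 @@ stop_progress_meter(void)
+ static void
+ sig_winch(int sig)
+ {
++ signal(SIGWINCH, sig_winch);
+ win_resized = 1;
+ }
+
+diff --git a/progressmeter.h b/progressmeter.h
+index bf179dc..8f66780 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
++/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2002 Nils Nordman. All rights reserved.
+ *
+@@ -24,4 +24,5 @@
+ */
+
+ void start_progress_meter(const char *, off_t, off_t *);
++void refresh_progress_meter(void);
+ void stop_progress_meter(void);
+diff --git a/scp.c b/scp.c
+index 4f3fdcd..4a342a6 100644
+--- a/scp.c
++++ b/scp.c
+@@ -585,6 +585,7 @@ scpio(void *_cnt, size_t s)
+ off_t *cnt = (off_t *)_cnt;
+
+ *cnt += s;
++ refresh_progress_meter();
+ if (limit_kbps > 0)
+ bandwidth_limit(&bwlimit, s);
+ return 0;
+diff --git a/sftp-client.c b/sftp-client.c
+index 4986d6d..2bc698f 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
+ {
+ struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
+
+- bandwidth_limit(bwlimit, amount);
++ refresh_progress_meter();
++ if (bwlimit != NULL)
++ bandwidth_limit(bwlimit, amount);
+ return 0;
+ }
+
+@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m)
+ iov[1].iov_base = (u_char *)sshbuf_ptr(m);
+ iov[1].iov_len = sshbuf_len(m);
+
+- if (atomiciov6(writev, conn->fd_out, iov, 2,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
++ if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
+ sshbuf_len(m) + sizeof(mlen))
+ fatal("Couldn't send packet: %s", strerror(errno));
+
+@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
+
+ if ((r = sshbuf_reserve(m, 4, &p)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (atomicio6(read, conn->fd_in, p, 4,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
++ if (atomicio6(read, conn->fd_in, p, 4, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
+ if (errno == EPIPE || errno == ECONNRESET)
+ fatal("Connection closed");
+ else
+@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
+
+ if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (atomicio6(read, conn->fd_in, p, msg_len,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
++ if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
+ != msg_len) {
+ if (errno == EPIPE)
+ fatal("Connection closed");
+--
+2.7.4
+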
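--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2019-6111.patch
@@ -0,0 +1,187 @@
+From 15cc3497367d2e9729353b3df75518548e845c82 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 26 Jan 2019 22:41:28 +0000
+Subject: [PATCH] upstream: check in scp client that filenames sent during
+
+remote->local directory copies satisfy the wildcard specified by the user.
+
+This checking provides some protection against a malicious server
+sending unexpected filenames, but it comes at a risk of rejecting wanted
+files due to differences between client and server wildcard expansion rules.
+
+For this reason, this also adds a new -T flag to disable the check.
+
+reported by Harry Sintonen
+fix approach suggested by markus@;
+has been in snaps for ~1wk courtesy deraadt@
+
+OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
+
+CVE: CVE-2019-6111
+Ustream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ scp.1 | 12 +++++++++++-
+ scp.c | 37 +++++++++++++++++++++++++++++--------
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/scp.1 b/scp.1
+index 0e5cc1b..397e770 100644
+--- a/scp.1
++++ b/scp.1
+@@ -18,7 +18,7 @@
+ .Nd secure copy (remote file copy program)
+ .Sh SYNOPSIS
+ .Nm scp
+-.Op Fl 346BCpqrv
++.Op Fl 346BCpqrTv
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+@@ -208,6 +208,16 @@ to use for the encrypted connection.
+ The program must understand
+ .Xr ssh 1
+ options.
++.It Fl T
++Disable strict filename checking.
++By default when copying files from a remote host to a local directory
++.Nm
++checks that the received filenames match those requested on the command-line
++to prevent the remote end from sending unexpected or unwanted files.
++Because of differences in how various operating systems and shells interpret
++filename wildcards, these checks may cause wanted files to be rejected.
++This option disables these checks at the expense of fully trusting that
++the server will not send unexpected filenames.
+ .It Fl v
+ Verbose mode.
+ Causes
+diff --git a/scp.c b/scp.c
+index 0587cec..b2d331e 100644
+--- a/scp.c
++++ b/scp.c
+@@ -94,6 +94,7 @@
+ #include <dirent.h>
+ #include <errno.h>
+ #include <fcntl.h>
++#include <fnmatch.h>
+ #include <limits.h>
+ #include <locale.h>
+ #include <pwd.h>
+@@ -375,14 +376,14 @@ void verifydir(char *);
+ struct passwd *pwd;
+ uid_t userid;
+ int errs, remin, remout;
+-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
++int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
+
+ #define CMDNEEDS 64
+ char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */
+
+ int response(void);
+ void rsource(char *, struct stat *);
+-void sink(int, char *[]);
++void sink(int, char *[], const char *);
+ void source(int, char *[]);
+ void tolocal(int, char *[]);
+ void toremote(int, char *[]);
+@@ -421,8 +422,9 @@ main(int argc, char **argv)
+ addargs(&args, "-oRemoteCommand=none");
+ addargs(&args, "-oRequestTTY=no");
+
+- fflag = tflag = 0;
+- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
++ fflag = Tflag = tflag = 0;
++ while ((ch = getopt(argc, argv,
++ "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1) {
+ switch (ch) {
+ /* User-visible flags. */
+ case '1':
+@@ -501,9 +503,13 @@ main(int argc, char **argv)
+ setmode(0, O_BINARY);
+ #endif
+ break;
++ case 'T':
++ Tflag = 1;
++ break;
+ default:
+ usage();
+ }
++ }
+ argc -= optind;
+ argv += optind;
+
+@@ -534,7 +540,7 @@ main(int argc, char **argv)
+ }
+ if (tflag) {
+ /* Receive data. */
+- sink(argc, argv);
++ sink(argc, argv, NULL);
+ exit(errs != 0);
+ }
+ if (argc < 2)
+@@ -792,7 +798,7 @@ tolocal(int argc, char **argv)
+ continue;
+ }
+ free(bp);
+- sink(1, argv + argc - 1);
++ sink(1, argv + argc - 1, src);
+ (void) close(remin);
+ remin = remout = -1;
+ }
+@@ -968,7 +974,7 @@ rsource(char *name, struct stat *statp)
+ (sizeof(type) != 4 && sizeof(type) != 8))
+
+ void
+-sink(int argc, char **argv)
++sink(int argc, char **argv, const char *src)
+ {
+ static BUF buffer;
+ struct stat stb;
+@@ -984,6 +990,7 @@ sink(int argc, char **argv)
+ unsigned long long ull;
+ int setimes, targisdir, wrerrno = 0;
+ char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
++ char *src_copy = NULL, *restrict_pattern = NULL;
+ struct timeval tv[2];
+
+ #define atime tv[0]
+@@ -1008,6 +1015,17 @@ sink(int argc, char **argv)
+ (void) atomicio(vwrite, remout, "", 1);
+ if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+ targisdir = 1;
++ if (src != NULL && !iamrecursive && !Tflag) {
++ /*
++ * Prepare to try to restrict incoming filenames to match
++ * the requested destination file glob.
++ */
++ if ((src_copy = strdup(src)) == NULL)
++ fatal("strdup failed");
++ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
++ *restrict_pattern++ = '\0';
++ }
++ }
+ for (first = 1;; first = 0) {
+ cp = buf;
+ if (atomicio(read, remin, cp, 1) != 1)
+@@ -1112,6 +1130,9 @@ sink(int argc, char **argv)
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
++ if (restrict_pattern != NULL &&
++ fnmatch(restrict_pattern, cp, 0) != 0)
++ SCREWUP("filename does not match request");
+ if (targisdir) {
+ static char *namebuf;
+ static size_t cursize;
+@@ -1149,7 +1170,7 @@ sink(int argc, char **argv)
+ goto bad;
+ }
+ vect[0] = xstrdup(np);
+- sink(1, vect);
++ sink(1, vect, src);
+ if (setimes) {
+ setimes = 0;
+ if (utimes(vect[0], tv) < 0)
+--
+2.7.4
+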
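Review bot: In the `sink()` hunk at `@@ -1008,6 +1015,17 @@`, `restrict_pattern` is only set when `strrchr(src_copy, '/')` finds a slash, so a requested remote path with no directory component leaves it NULL and the new `fnmatch()` check at `@@ -1112,6 +1130,9 @@` is skipped for exactly that request; only the earlier empty/`.`/`..`/slash rejection still applies. Whether upstream intended the unqualified case to be unchecked is not visible here, but the obvious closure is to match against the whole path in that case, e.g. `else restrict_pattern = src_copy;` after the slash test, and the backport should be compared with the current upstream `sink()` before relying on it. `sink()` continues beyond this hunk, so whether `src_copy` is released on every exit path cannot be confirmed from this view.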
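--- a/meta/recipes-connectivity/openssh/openssh_7.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.9p1.bb
@@ -24,6 +24,10 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
  file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
  file://sshd_check_keys \
  file://add-test-support-for-busybox.patch \
+ file://CVE-2018-20685.patch \
+ file://CVE-2019-6109.patch \
+ file://0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch \
+ file://CVE-2019-6111.patch \
  "
 SRC_URI[md5sum] = "c6af50b7a474d04726a5aa747a5dce8f"
 SRC_URI[sha256sum] = "6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad"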
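Review bot: The four new `file://` entries are order-sensitive and nothing in the recipe says so: the scp.c blob ids in the patches chain 60682c6→4f3fdcd (CVE-2018-20685), 4f3fdcd→4a342a6 (CVE-2019-6109), 4a342a6→0587cec (the 0001 progressmeter patch) and 0587cec→b2d331e (CVE-2019-6111), and the commit message says the 0001 patch repairs a regression from the CVE-2019-6109 fix. A one-line comment above the group would stop a later alphabetical tidy-up from breaking the apply: `# Keep this order: 0001-...progressmeter... fixes a regression from CVE-2019-6109.patch and CVE-2019-6111.patch applies on top of it`.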