Package init

2019-12-25 16:00:14 +08:00 · 2019-12-25 16:00:14 +08:00 · 91beafa331
commit 91beafa331
parent 938630c472
8 changed files with 1150 additions and 3 deletions
--- a/CVE-2019-16905.patch
+++ b/CVE-2019-16905.patch
@ -0,0 +1,37 @@
 From a546b17bbaeb12beac4c9aeed56f74a42b18a93a Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Wed, 9 Oct 2019 00:02:57 +0000
 Subject: [PATCH] upstream: fix integer overflow in XMSS private key parsing.
 Reported by Adam Zabrocki via SecuriTeam's SSH program.
 Note that this code is experimental and not compiled by default.
 ok markus@
 OpenBSD-Commit-ID: cd0361896d15e8a1bac495ac583ff065ffca2be1
 ---
 sshkey-xmss.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/sshkey-xmss.c b/sshkey-xmss.c
 index a29e33f39..9e5f5e475 100644
 --- a/sshkey-xmss.c
 +++ b/sshkey-xmss.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: sshkey-xmss.c,v 1.3 2018/07/09 21:59:10 markus Exp $ */
 +/* $OpenBSD: sshkey-xmss.c,v 1.6 2019/10/09 00:02:57 djm Exp $ */
 /*
  * Copyright (c) 2017 Markus Friedl.  All rights reserved.
  *
@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
 		goto out;
 	}
 	/* check that an appropriate amount of auth data is present */
 -	if (sshbuf_len(encoded) < encrypted_len + authlen) {
 +	if (sshbuf_len(encoded) < authlen ||
 +	    sshbuf_len(encoded) - authlen < encrypted_len) {
 		r = SSH_ERR_INVALID_FORMAT;
 		goto out;
 	}
--- a/CVE-2019-6109-1.patch
+++ b/CVE-2019-6109-1.patch
@ -0,0 +1,270 @@
 From 8976f1c4b2721c26e878151f52bdf346dfe2d54c Mon Sep 17 00:00:00 2001
 From: "dtucker@openbsd.org" <dtucker@openbsd.org>
 Date: Wed, 23 Jan 2019 08:01:46 +0000
 Subject: [PATCH] upstream: Sanitize scp filenames via snmprintf. To do this we
 move
 the progressmeter formatting outside of signal handler context and have the
 atomicio callback called for EINTR too.  bz#2434 with contributions from djm
 and jjelen at redhat.com, ok djm@
 OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
 ---
 atomicio.c      | 20 ++++++++++++++-----
 progressmeter.c | 53 ++++++++++++++++++++++---------------------------
 progressmeter.h |  3 ++-
 scp.c           |  3 ++-
 sftp-client.c   | 18 +++++++++--------
 5 files changed, 53 insertions(+), 44 deletions(-)
 diff --git a/atomicio.c b/atomicio.c
 index cffa9fa7d..845b328ee 100644
 --- a/atomicio.c
 +++ b/atomicio.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
 +/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
 /*
  * Copyright (c) 2006 Damien Miller. All rights reserved.
  * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@@ -67,9 +67,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
 		res = (f) (fd, s + pos, n - pos);
 		switch (res) {
 		case -1:
 -			if (errno == EINTR)
 +			if (errno == EINTR) {
 +				/* possible SIGALARM, update callback */
 +				if (cb != NULL && cb(cb_arg, 0) == -1) {
 +					errno = EINTR;
 +					return pos;
 +				}
 				continue;
 -			if (errno == EAGAIN || errno == EWOULDBLOCK) {
 +			} else if (errno == EAGAIN || errno == EWOULDBLOCK) {
 #ifndef BROKEN_READ_COMPARISON
 				(void)poll(&pfd, 1, -1);
 #endif
@@ -124,9 +129,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
 		res = (f) (fd, iov, iovcnt);
 		switch (res) {
 		case -1:
 -			if (errno == EINTR)
 +			if (errno == EINTR) {
 +				/* possible SIGALARM, update callback */
 +				if (cb != NULL && cb(cb_arg, 0) == -1) {
 +					errno = EINTR;
 +					return pos;
 +				}
 				continue;
 -			if (errno == EAGAIN || errno == EWOULDBLOCK) {
 +			} else if (errno == EAGAIN || errno == EWOULDBLOCK) {
 #ifndef BROKEN_READV_COMPARISON
 				(void)poll(&pfd, 1, -1);
 #endif
 diff --git a/progressmeter.c b/progressmeter.c
 index fe9bf52e4..add462dde 100644
 --- a/progressmeter.c
 +++ b/progressmeter.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
 +/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
 /*
  * Copyright (c) 2003 Nils Nordman.  All rights reserved.
  *
@@ -31,6 +31,7 @@
 #include <errno.h>
 #include <signal.h>
 +#include <stdarg.h>
 #include <stdio.h>
 #include <string.h>
 #include <time.h>
@@ -39,6 +40,7 @@
 #include "progressmeter.h"
 #include "atomicio.h"
 #include "misc.h"
 +#include "utf8.h"
 #define DEFAULT_WINSIZE 80
 #define MAX_WINSIZE 512
@@ -61,7 +63,7 @@ static void setscreensize(void);
 void refresh_progress_meter(void);
 /* signal handler for updating the progress meter */
 -static void update_progress_meter(int);
 +static void sig_alarm(int);
 static double start;		/* start progress */
 static double last_update;	/* last progress update */
@@ -74,6 +76,7 @@ static long stalled;		/* how long we have been stalled */
 static int bytes_per_second;	/* current speed in bytes per second */
 static int win_size;		/* terminal window size */
 static volatile sig_atomic_t win_resized; /* for window resizing */
 +static volatile sig_atomic_t alarm_fired;
 /* units for format_size */
 static const char unit[] = " KMGT";
@@ -126,9 +129,17 @@ refresh_progress_meter(void)
 	off_t bytes_left;
 	int cur_speed;
 	int hours, minutes, seconds;
 -	int i, len;
 	int file_len;
 +	if ((!alarm_fired && !win_resized) || !can_output())
 +		return;
 +	alarm_fired = 0;
 +
 +	if (win_resized) {
 +		setscreensize();
 +		win_resized = 0;
 +	}
 +
 	transferred = *counter - (cur_pos ? cur_pos : start_pos);
 	cur_pos = *counter;
 	now = monotime_double();
@@ -158,16 +169,11 @@ refresh_progress_meter(void)
 	/* filename */
 	buf[0] = '\0';
 -	file_len = win_size - 35;
 +	file_len = win_size - 36;
 	if (file_len > 0) {
 -		len = snprintf(buf, file_len + 1, "\r%s", file);
 -		if (len < 0)
 -			len = 0;
 -		if (len >= file_len + 1)
 -			len = file_len;
 -		for (i = len; i < file_len; i++)
 -			buf[i] = ' ';
 -		buf[file_len] = '\0';
 +		buf[0] = '\r';
 +		snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
 +		    file_len * -1, file);
 	}
 	/* percent of transfer done */
@@ -228,22 +234,11 @@ refresh_progress_meter(void)
 /*ARGSUSED*/
 static void
 -update_progress_meter(int ignore)
 +sig_alarm(int ignore)
 {
 -	int save_errno;
 -
 -	save_errno = errno;
 -
 -	if (win_resized) {
 -		setscreensize();
 -		win_resized = 0;
 -	}
 -	if (can_output())
 -		refresh_progress_meter();
 -
 -	signal(SIGALRM, update_progress_meter);
 +	signal(SIGALRM, sig_alarm);
 +	alarm_fired = 1;
 	alarm(UPDATE_INTERVAL);
 -	errno = save_errno;
 }
 void
@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
 	bytes_per_second = 0;
 	setscreensize();
 -	if (can_output())
 -		refresh_progress_meter();
 +	refresh_progress_meter();
 -	signal(SIGALRM, update_progress_meter);
 +	signal(SIGALRM, sig_alarm);
 	signal(SIGWINCH, sig_winch);
 	alarm(UPDATE_INTERVAL);
 }
@@ -286,6 +280,7 @@ stop_progress_meter(void)
 static void
 sig_winch(int sig)
 {
 +	signal(SIGWINCH, sig_winch);
 	win_resized = 1;
 }
 diff --git a/progressmeter.h b/progressmeter.h
 index bf179dca6..8f6678060 100644
 --- a/progressmeter.h
 +++ b/progressmeter.h
@@ -1,4 +1,4 @@
 -/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
 +/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
 /*
  * Copyright (c) 2002 Nils Nordman.  All rights reserved.
  *
@@ -24,4 +24,5 @@
  */
 void	start_progress_meter(const char *, off_t, off_t *);
 +void	refresh_progress_meter(void);
 void	stop_progress_meter(void);
 diff --git a/scp.c b/scp.c
 index ae51137ee..25595a299 100644
 --- a/scp.c
 +++ b/scp.c
@@ -588,6 +588,7 @@ scpio(void *_cnt, size_t s)
 	off_t *cnt = (off_t *)_cnt;
 	*cnt += s;
 +	refresh_progress_meter();
 	if (limit_kbps > 0)
 		bandwidth_limit(&bwlimit, s);
 	return 0;
 diff --git a/sftp-client.c b/sftp-client.c
 index d3f80e5a0..36c4b8a4a 100644
 --- a/sftp-client.c
 +++ b/sftp-client.c
@@ -102,7 +102,9 @@ sftpio(void *_bwlimit, size_t amount)
 {
 	struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
 -	bandwidth_limit(bwlimit, amount);
 +	refresh_progress_meter();
 +	if (bwlimit != NULL)
 +		bandwidth_limit(bwlimit, amount);
 	return 0;
 }
@@ -122,8 +124,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m)
 	iov[1].iov_base = (u_char *)sshbuf_ptr(m);
 	iov[1].iov_len = sshbuf_len(m);
 -	if (atomiciov6(writev, conn->fd_out, iov, 2,
 -	    conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
 +	if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
 +	    conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
 	    sshbuf_len(m) + sizeof(mlen))
 		fatal("Couldn't send packet: %s", strerror(errno));
@@ -139,8 +141,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
 	if ((r = sshbuf_reserve(m, 4, &p)) != 0)
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 -	if (atomicio6(read, conn->fd_in, p, 4,
 -	    conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
 +	if (atomicio6(read, conn->fd_in, p, 4, sftpio,
 +	    conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
 		if (errno == EPIPE || errno == ECONNRESET)
 			fatal("Connection closed");
 		else
@@ -158,8 +160,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
 	if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 -	if (atomicio6(read, conn->fd_in, p, msg_len,
 -	    conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
 +	if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
 +	    conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
 	    != msg_len) {
 		if (errno == EPIPE)
 			fatal("Connection closed");
--- a/CVE-2019-6109-2.patch
+++ b/CVE-2019-6109-2.patch
@ -0,0 +1,117 @@
 From bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb Mon Sep 17 00:00:00 2001
 From: "dtucker@openbsd.org" <dtucker@openbsd.org>
 Date: Thu, 24 Jan 2019 16:52:17 +0000
 Subject: [PATCH] upstream: Have progressmeter force an update at the beginning
 and
 end of each transfer.  Fixes the problem recently introduces where very quick
 transfers do not display the progressmeter at all.  Spotted by naddy@
 OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
 ---
 progressmeter.c | 13 +++++--------
 progressmeter.h |  4 ++--
 scp.c           |  4 ++--
 sftp-client.c   |  4 ++--
 4 files changed, 11 insertions(+), 14 deletions(-)
 diff --git a/progressmeter.c b/progressmeter.c
 index add462dde..e385c1254 100644
 --- a/progressmeter.c
 +++ b/progressmeter.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
 +/* $OpenBSD: progressmeter.c,v 1.47 2019/01/24 16:52:17 dtucker Exp $ */
 /*
  * Copyright (c) 2003 Nils Nordman.  All rights reserved.
  *
@@ -59,9 +59,6 @@ static void format_rate(char *, int, off_t);
 static void sig_winch(int);
 static void setscreensize(void);
 -/* updates the progressmeter to reflect the current state of the transfer */
 -void refresh_progress_meter(void);
 -
 /* signal handler for updating the progress meter */
 static void sig_alarm(int);
@@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t bytes)
 }
 void
 -refresh_progress_meter(void)
 +refresh_progress_meter(int force_update)
 {
 	char buf[MAX_WINSIZE + 1];
 	off_t transferred;
@@ -131,7 +128,7 @@ refresh_progress_meter(void)
 	int hours, minutes, seconds;
 	int file_len;
 -	if ((!alarm_fired && !win_resized) || !can_output())
 +	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
 		return;
 	alarm_fired = 0;
@@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
 	bytes_per_second = 0;
 	setscreensize();
 -	refresh_progress_meter();
 +	refresh_progress_meter(1);
 	signal(SIGALRM, sig_alarm);
 	signal(SIGWINCH, sig_winch);
@@ -271,7 +268,7 @@ stop_progress_meter(void)
 	/* Ensure we complete the progress */
 	if (cur_pos != end_pos)
 -		refresh_progress_meter();
 +		refresh_progress_meter(1);
 	atomicio(vwrite, STDOUT_FILENO, "\n", 1);
 }
 diff --git a/progressmeter.h b/progressmeter.h
 index 8f6678060..1703ea75b 100644
 --- a/progressmeter.h
 +++ b/progressmeter.h
@@ -1,4 +1,4 @@
 -/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
 +/* $OpenBSD: progressmeter.h,v 1.5 2019/01/24 16:52:17 dtucker Exp $ */
 /*
  * Copyright (c) 2002 Nils Nordman.  All rights reserved.
  *
@@ -24,5 +24,5 @@
  */
 void	start_progress_meter(const char *, off_t, off_t *);
 -void	refresh_progress_meter(void);
 +void	refresh_progress_meter(int);
 void	stop_progress_meter(void);
 diff --git a/scp.c b/scp.c
 index 25595a299..74dfe521a 100644
 --- a/scp.c
 +++ b/scp.c
@@ -588,7 +588,7 @@ scpio(void *_cnt, size_t s)
 	off_t *cnt = (off_t *)_cnt;
 	*cnt += s;
 -	refresh_progress_meter();
 +	refresh_progress_meter(0);
 	if (limit_kbps > 0)
 		bandwidth_limit(&bwlimit, s);
 	return 0;
 diff --git a/sftp-client.c b/sftp-client.c
 index 36c4b8a4a..73e3c2f53 100644
 --- a/sftp-client.c
 +++ b/sftp-client.c
@@ -102,7 +102,7 @@ sftpio(void *_bwlimit, size_t amount)
 {
 	struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
 -	refresh_progress_meter();
 +	refresh_progress_meter(0);
 	if (bwlimit != NULL)
 		bandwidth_limit(bwlimit, amount);
 	return 0;
--- a/CVE-2019-6111-1.patch
+++ b/CVE-2019-6111-1.patch
@ -0,0 +1,181 @@
 From 391ffc4b9d31fa1f4ad566499fef9176ff8a07dc Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Sat, 26 Jan 2019 22:41:28 +0000
 Subject: [PATCH] upstream: check in scp client that filenames sent during
 remote->local directory copies satisfy the wildcard specified by the user.
 This checking provides some protection against a malicious server
 sending unexpected filenames, but it comes at a risk of rejecting wanted
 files due to differences between client and server wildcard expansion rules.
 For this reason, this also adds a new -T flag to disable the check.
 reported by Harry Sintonen
 fix approach suggested by markus@;
 has been in snaps for ~1wk courtesy deraadt@
 OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
 ---
 scp.1 | 16 +++++++++++++---
 scp.c | 39 ++++++++++++++++++++++++++++++---------
 2 files changed, 43 insertions(+), 12 deletions(-)
 diff --git a/scp.1 b/scp.1
 index 8bb63edaa..a2833dab0 100644
 --- a/scp.1
 +++ b/scp.1
@@ -18,7 +18,7 @@
 .Nd secure copy (remote file copy program)
 .Sh SYNOPSIS
 .Nm scp
 -.Op Fl 346BCpqrv
 +.Op Fl 346BCpqrTv
 .Op Fl c Ar cipher
 .Op Fl F Ar ssh_config
 .Op Fl i Ar identity_file
@@ -222,6 +222,16 @@ to use for the encrypted connection.
 The program must understand
 .Xr ssh 1
 options.
 +.It Fl T
 +Disable strict filename checking.
 +By default when copying files from a remote host to a local directory
 +.Nm
 +checks that the received filenames match those requested on the command-line
 +to prevent the remote end from sending unexpected or unwanted files.
 +Because of differences in how various operating systems and shells interpret
 +filename wildcards, these checks may cause wanted files to be rejected.
 +This option disables these checks at the expense of fully trusting that
 +the server will not send unexpected filenames.
 .It Fl v
 Verbose mode.
 Causes
 diff --git a/scp.c b/scp.c
 index 74dfe521a..e669e815e 100644
 --- a/scp.c
 +++ b/scp.c
@@ -94,6 +94,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
 +#include <fnmatch.h>
 #include <limits.h>
 #include <locale.h>
 #include <pwd.h>
@@ -375,14 +376,14 @@ void verifydir(char *);
 struct passwd *pwd;
 uid_t userid;
 int errs, remin, remout;
 -int pflag, iamremote, iamrecursive, targetshouldbedirectory;
 +int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
 #define	CMDNEEDS	64
 char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
 int response(void);
 void rsource(char *, struct stat *);
 -void sink(int, char *[]);
 +void sink(int, char *[], const char *);
 void source(int, char *[]);
 void tolocal(int, char *[]);
 void toremote(int, char *[]);
@@ -423,8 +424,9 @@ main(int argc, char **argv)
 	addargs(&args, "-oRemoteCommand=none");
 	addargs(&args, "-oRequestTTY=no");
 -	fflag = tflag = 0;
 -	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
 +	fflag = Tflag = tflag = 0;
 +	while ((ch = getopt(argc, argv,
 +	    "dfl:prtTvBCc:i:P:q12346S:o:F:J:")) != -1) {
 		switch (ch) {
 		/* User-visible flags. */
 		case '1':
@@ -504,9 +506,13 @@ main(int argc, char **argv)
 			setmode(0, O_BINARY);
 #endif
 			break;
 +		case 'T':
 +			Tflag = 1;
 +			break;
 		default:
 			usage();
 		}
 +	}
 	argc -= optind;
 	argv += optind;
@@ -537,7 +543,7 @@ main(int argc, char **argv)
 	}
 	if (tflag) {
 		/* Receive data. */
 -		sink(argc, argv);
 +		sink(argc, argv, NULL);
 		exit(errs != 0);
 	}
 	if (argc < 2)
@@ -795,7 +801,7 @@ tolocal(int argc, char **argv)
 			continue;
 		}
 		free(bp);
 -		sink(1, argv + argc - 1);
 +		sink(1, argv + argc - 1, src);
 		(void) close(remin);
 		remin = remout = -1;
 	}
@@ -971,7 +977,7 @@ rsource(char *name, struct stat *statp)
 	 (sizeof(type) != 4 && sizeof(type) != 8))
 void
 -sink(int argc, char **argv)
 +sink(int argc, char **argv, const char *src)
 {
 	static BUF buffer;
 	struct stat stb;
@@ -987,6 +993,7 @@ sink(int argc, char **argv)
 	unsigned long long ull;
 	int setimes, targisdir, wrerrno = 0;
 	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
 +	char *src_copy = NULL, *restrict_pattern = NULL;
 	struct timeval tv[2];
 #define	atime	tv[0]
@@ -1011,6 +1018,17 @@ sink(int argc, char **argv)
 	(void) atomicio(vwrite, remout, "", 1);
 	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
 		targisdir = 1;
 +	if (src != NULL && !iamrecursive && !Tflag) {
 +		/*
 +		 * Prepare to try to restrict incoming filenames to match
 +		 * the requested destination file glob.
 +		 */
 +		if ((src_copy = strdup(src)) == NULL)
 +			fatal("strdup failed");
 +		if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
 +			*restrict_pattern++ = '\0';
 +		}
 +	}
 	for (first = 1;; first = 0) {
 		cp = buf;
 		if (atomicio(read, remin, cp, 1) != 1)
@@ -1115,6 +1133,9 @@ sink(int argc, char **argv)
 			run_err("error: unexpected filename: %s", cp);
 			exit(1);
 		}
 +		if (restrict_pattern != NULL &&
 +		    fnmatch(restrict_pattern, cp, 0) != 0)
 +			SCREWUP("filename does not match request");
 		if (targisdir) {
 			static char *namebuf;
 			static size_t cursize;
@@ -1152,7 +1173,7 @@ sink(int argc, char **argv)
 					goto bad;
 			}
 			vect[0] = xstrdup(np);
 -			sink(1, vect);
 +			sink(1, vect, src);
 			if (setimes) {
 				setimes = 0;
 				if (utimes(vect[0], tv) < 0)
--- a/CVE-2019-6111-2.patch
+++ b/CVE-2019-6111-2.patch
@ -0,0 +1,348 @@
 From 3d896c157c722bc47adca51a58dca859225b5874 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Sun, 10 Feb 2019 11:15:52 +0000
 Subject: [PATCH] upstream: when checking that filenames sent by the server
 side
 match what the client requested, be prepared to handle shell-style brace
 alternations, e.g. "{foo,bar}".
 "looks good to me" millert@ + in snaps for the last week courtesy
 deraadt@
 OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
 ---
 scp.c | 282 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 270 insertions(+), 12 deletions(-)
 diff --git a/scp.c b/scp.c
 index 96fc246cd..80bc0e8b1 100644
 --- a/scp.c
 +++ b/scp.c
@@ -630,6 +630,253 @@ parse_scp_uri(const char *uri, char **userp, char **hostp, int *portp,
 	return r;
 }
 +/* Appends a string to an array; returns 0 on success, -1 on alloc failure */
 +static int
 +append(char *cp, char ***ap, size_t *np)
 +{
 +	char **tmp;
 +
 +	if ((tmp = reallocarray(*ap, *np + 1, sizeof(*tmp))) == NULL)
 +		return -1;
 +	tmp[(*np)] = cp;
 +	(*np)++;
 +	*ap = tmp;
 +	return 0;
 +}
 +
 +/*
 + * Finds the start and end of the first brace pair in the pattern.
 + * returns 0 on success or -1 for invalid patterns.
 + */
 +static int
 +find_brace(const char *pattern, int *startp, int *endp)
 +{
 +	int i;
 +	int in_bracket, brace_level;
 +
 +	*startp = *endp = -1;
 +	in_bracket = brace_level = 0;
 +	for (i = 0; i < INT_MAX && *endp < 0 && pattern[i] != '\0'; i++) {
 +		switch (pattern[i]) {
 +		case '\\':
 +			/* skip next character */
 +			if (pattern[i + 1] != '\0')
 +				i++;
 +			break;
 +		case '[':
 +			in_bracket = 1;
 +			break;
 +		case ']':
 +			in_bracket = 0;
 +			break;
 +		case '{':
 +			if (in_bracket)
 +				break;
 +			if (pattern[i + 1] == '}') {
 +				/* Protect a single {}, for find(1), like csh */
 +				i++; /* skip */
 +				break;
 +			}
 +			if (*startp == -1)
 +				*startp = i;
 +			brace_level++;
 +			break;
 +		case '}':
 +			if (in_bracket)
 +				break;
 +			if (*startp < 0) {
 +				/* Unbalanced brace */
 +				return -1;
 +			}
 +			if (--brace_level <= 0)
 +				*endp = i;
 +			break;
 +		}
 +	}
 +	/* unbalanced brackets/braces */
 +	if (*endp < 0 && (*startp >= 0 || in_bracket))
 +		return -1;
 +	return 0;
 +}
 +
 +/*
 + * Assembles and records a successfully-expanded pattern, returns -1 on
 + * alloc failure.
 + */
 +static int
 +emit_expansion(const char *pattern, int brace_start, int brace_end,
 +    int sel_start, int sel_end, char ***patternsp, size_t *npatternsp)
 +{
 +	char *cp;
 +	int o = 0, tail_len = strlen(pattern + brace_end + 1);
 +
 +	if ((cp = malloc(brace_start + (sel_end - sel_start) +
 +	    tail_len + 1)) == NULL)
 +		return -1;
 +
 +	/* Pattern before initial brace */
 +	if (brace_start > 0) {
 +		memcpy(cp, pattern, brace_start);
 +		o = brace_start;
 +	}
 +	/* Current braced selection */
 +	if (sel_end - sel_start > 0) {
 +		memcpy(cp + o, pattern + sel_start,
 +		    sel_end - sel_start);
 +		o += sel_end - sel_start;
 +	}
 +	/* Remainder of pattern after closing brace */
 +	if (tail_len > 0) {
 +		memcpy(cp + o, pattern + brace_end + 1, tail_len);
 +		o += tail_len;
 +	}
 +	cp[o] = '\0';
 +	if (append(cp, patternsp, npatternsp) != 0) {
 +		free(cp);
 +		return -1;
 +	}
 +	return 0;
 +}
 +
 +/*
 + * Expand the first encountered brace in pattern, appending the expanded
 + * patterns it yielded to the *patternsp array.
 + *
 + * Returns 0 on success or -1 on allocation failure.
 + *
 + * Signals whether expansion was performed via *expanded and whether
 + * pattern was invalid via *invalid.
 + */
 +static int
 +brace_expand_one(const char *pattern, char ***patternsp, size_t *npatternsp,
 +    int *expanded, int *invalid)
 +{
 +	int i;
 +	int in_bracket, brace_start, brace_end, brace_level;
 +	int sel_start, sel_end;
 +
 +	*invalid = *expanded = 0;
 +
 +	if (find_brace(pattern, &brace_start, &brace_end) != 0) {
 +		*invalid = 1;
 +		return 0;
 +	} else if (brace_start == -1)
 +		return 0;
 +
 +	in_bracket = brace_level = 0;
 +	for (i = sel_start = brace_start + 1; i < brace_end; i++) {
 +		switch (pattern[i]) {
 +		case '{':
 +			if (in_bracket)
 +				break;
 +			brace_level++;
 +			break;
 +		case '}':
 +			if (in_bracket)
 +				break;
 +			brace_level--;
 +			break;
 +		case '[':
 +			in_bracket = 1;
 +			break;
 +		case ']':
 +			in_bracket = 0;
 +			break;
 +		case '\\':
 +			if (i < brace_end - 1)
 +				i++; /* skip */
 +			break;
 +		}
 +		if (pattern[i] == ',' || i == brace_end - 1) {
 +			if (in_bracket || brace_level > 0)
 +				continue;
 +			/* End of a selection, emit an expanded pattern */
 +
 +			/* Adjust end index for last selection */
 +			sel_end = (i == brace_end - 1) ? brace_end : i;
 +			if (emit_expansion(pattern, brace_start, brace_end,
 +			    sel_start, sel_end, patternsp, npatternsp) != 0)
 +				return -1;
 +			/* move on to the next selection */
 +			sel_start = i + 1;
 +			continue;
 +		}
 +	}
 +	if (in_bracket || brace_level > 0) {
 +		*invalid = 1;
 +		return 0;
 +	}
 +	/* success */
 +	*expanded = 1;
 +	return 0;
 +}
 +
 +/* Expand braces from pattern. Returns 0 on success, -1 on failure */
 +static int
 +brace_expand(const char *pattern, char ***patternsp, size_t *npatternsp)
 +{
 +	char *cp, *cp2, **active = NULL, **done = NULL;
 +	size_t i, nactive = 0, ndone = 0;
 +	int ret = -1, invalid = 0, expanded = 0;
 +
 +	*patternsp = NULL;
 +	*npatternsp = 0;
 +
 +	/* Start the worklist with the original pattern */
 +	if ((cp = strdup(pattern)) == NULL)
 +		return -1;
 +	if (append(cp, &active, &nactive) != 0) {
 +		free(cp);
 +		return -1;
 +	}
 +	while (nactive > 0) {
 +		cp = active[nactive - 1];
 +		nactive--;
 +		if (brace_expand_one(cp, &active, &nactive,
 +		    &expanded, &invalid) == -1) {
 +			free(cp);
 +			goto fail;
 +		}
 +		if (invalid)
 +			fatal("%s: invalid brace pattern \"%s\"", __func__, cp);
 +		if (expanded) {
 +			/*
 +			 * Current entry expanded to new entries on the
 +			 * active list; discard the progenitor pattern.
 +			 */
 +			free(cp);
 +			continue;
 +		}
 +		/*
 +		 * Pattern did not expand; append the finename component to
 +		 * the completed list
 +		 */
 +		if ((cp2 = strrchr(cp, '/')) != NULL)
 +			*cp2++ = '\0';
 +		else
 +			cp2 = cp;
 +		if (append(xstrdup(cp2), &done, &ndone) != 0) {
 +			free(cp);
 +			goto fail;
 +		}
 +		free(cp);
 +	}
 +	/* success */
 +	*patternsp = done;
 +	*npatternsp = ndone;
 +	done = NULL;
 +	ndone = 0;
 +	ret = 0;
 + fail:
 +	for (i = 0; i < nactive; i++)
 +		free(active[i]);
 +	free(active);
 +	for (i = 0; i < ndone; i++)
 +		free(done[i]);
 +	free(done);
 +	return ret;
 +}
 +
 void
 toremote(int argc, char **argv)
 {
@@ -993,7 +1240,8 @@ sink(int argc, char **argv, const char *src)
 	unsigned long long ull;
 	int setimes, targisdir, wrerrno = 0;
 	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
 -	char *src_copy = NULL, *restrict_pattern = NULL;
 +	char **patterns = NULL;
 +	size_t n, npatterns = 0;
 	struct timeval tv[2];
 #define	atime	tv[0]
@@ -1023,16 +1271,13 @@ sink(int argc, char **argv, const char *src)
 		 * Prepare to try to restrict incoming filenames to match
 		 * the requested destination file glob.
 		 */
 -		if ((src_copy = strdup(src)) == NULL)
 -			fatal("strdup failed");
 -		if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
 -			*restrict_pattern++ = '\0';
 -		}
 +		if (brace_expand(src, &patterns, &npatterns) != 0)
 +			fatal("%s: could not expand pattern", __func__);
 	}
 	for (first = 1;; first = 0) {
 		cp = buf;
 		if (atomicio(read, remin, cp, 1) != 1)
 -			return;
 +			goto done;
 		if (*cp++ == '\n')
 			SCREWUP("unexpected <newline>");
 		do {
@@ -1058,7 +1303,7 @@ sink(int argc, char **argv, const char *src)
 		}
 		if (buf[0] == 'E') {
 			(void) atomicio(vwrite, remout, "", 1);
 -			return;
 +			goto done;
 		}
 		if (ch == '\n')
 			*--cp = 0;
@@ -1133,9 +1378,14 @@ sink(int argc, char **argv, const char *src)
 			run_err("error: unexpected filename: %s", cp);
 			exit(1);
 		}
 -		if (restrict_pattern != NULL &&
 -		    fnmatch(restrict_pattern, cp, 0) != 0)
 -			SCREWUP("filename does not match request");
 +		if (npatterns > 0) {
 +			for (n = 0; n < npatterns; n++) {
 +				if (fnmatch(patterns[n], cp, 0) == 0)
 +					break;
 +			}
 +			if (n >= npatterns)
 +				SCREWUP("filename does not match request");
 +		}
 		if (targisdir) {
 			static char *namebuf;
 			static size_t cursize;
@@ -1294,7 +1544,15 @@ bad:			run_err("%s: %s", np, strerror(errno));
 			break;
 		}
 	}
 +done:
 +	for (n = 0; n < npatterns; n++)
 +		free(patterns[n]);
 +	free(patterns);
 +	return;
 screwup:
 +	for (n = 0; n < npatterns; n++)
 +		free(patterns[n]);
 +	free(patterns);
 	run_err("protocol error: %s", why);
 	exit(1);
 }
--- a/openssh-7.7p1-redhat.patch
+++ b/openssh-7.7p1-redhat.patch
--- a/openssh.spec
+++ b/openssh.spec
@ -10,7 +10,7 @@
 Name:          openssh
 Version:       7.8p1
-Release:       4
+Release:       6
 URL:           https://www.openssh.com/portable.html
 License:       BSD
 Summary:       An open source implementation of SSH protocol version 2
@ -58,7 +58,7 @@ Patch702:      openssh-5.1p1-askpass-progress.patch
 #https://bugzilla.redhat.com/show_bug.cgi?id=198332
 Patch703:      openssh-4.3p2-askpass-grab-info.patch
 #patch from redhat 
-Patch707:      openssh-7.7p1-redhat.patch
+Patch707:      openssh-7.7p1.patch
 Patch709:      openssh-6.2p1-vendor.patch
 Patch711:      openssh-7.8p1-UsePAM-warning.patch
 Patch712:      openssh-6.3p1-ctr-evp-fast.patch
@ -118,6 +118,13 @@ Patch6022:     upstream-Always-initialize-2nd-arg-to-hpdelim2.-It-p.patch
 Patch6023:     Cygwin-Change-service-name-to-cygsshd.patch
 Patch6024:     openssh-fix-typo-that-prevented-detection-of-Linux-V.patch
 Patch6025:     CVE-2019-6109-1.patch
 Patch6026:     CVE-2019-6109-2.patch
 Patch6027:     CVE-2019-6111-1.patch
 Patch6028:     CVE-2019-6111-2.patch
 Patch6029:     CVE-2019-16905.patch
 Patch6030:     upstream-fix-sshd-T-without-C.patch
 Patch9004:     bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
 Patch9005:     bugfix-openssh-6.6p1-log-usepam-no.patch
 Patch9006:     bugfix-openssh-add-option-check-username-splash.patch
@ -190,7 +197,7 @@ popd
 %patch609 -p1 -b .x11
 %patch702 -p1 -b .progress
 %patch703 -p1 -b .grab-info
-%patch707 -p1 -b .redhat
+%patch707 -p1 
 %patch709 -p1 -b .vendor
 %patch711 -p1 -b .log-usepam-no
 %patch712 -p1 -b .evp-ctr
@ -253,11 +260,18 @@ popd
 %patch6022 -p1
 %patch6023 -p1
 %patch6024 -p1
 %patch6025 -p1
 %patch6026 -p1
 %patch6027 -p1
 %patch6028 -p1
 %patch6029 -p1
 %patch9004 -p1
 %patch9005 -p1
 %patch9006 -p1
 %patch6030 -p1
 autoreconf
 pushd pam_ssh_agent_auth-0.10.3
 autoreconf
@ -443,5 +457,17 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %changelog
 * Mon Dec 23 2019 openEuler Buildteam <buildteam@openeuler.org> - 7.8P1-6
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:delete the patch
 * Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 7.8P1-5
 - Type:cves
 - ID:NA
 - SUG:restart
 - DESC:fix cves
 * Fri Sep 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 7.8p1-4
 - Package init
--- a/upstream-fix-sshd-T-without-C.patch
+++ b/upstream-fix-sshd-T-without-C.patch
@ -0,0 +1,168 @@
 From: Darren Tucker
 Date: 2019-04-18 19:42:28 EST
 Subject: [PATCH] ssh-T
 ---
 regress/cfgmatch.sh | 47 +++++++++++++++++++++++++++++++++++++++++++--
 servconf.c          | 14 ++++++++------
 servconf.h          |  2 ++
 sshd.c              |  1 +
 4 files changed, 56 insertions(+), 8 deletions(-)
 diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
 index dd11e40..37fe6f8 100644
 --- a/regress/cfgmatch.sh
 +++ b/regress/cfgmatch.sh
@@ -51,9 +51,10 @@ echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
 echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
 -start_sshd
 +${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
 +    fail "config w/match fails config test"
 -#set -x
 +start_sshd
 # Test Match + PermitOpen in sshd_config.  This should be permitted
 trace "match permitopen localhost"
@@ -113,3 +114,45 @@ start_client -F $OBJ/ssh_proxy
 ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
     fail "nomatch override permitopen"
 stop_client
 +
 +
 +# Test parsing of available Match criteria (with the exception of Group which
 +# requires knowledge of actual group memberships user running the test).
 +params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \
 +    localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1"
 +cp $OBJ/sshd_proxy_bak $OBJ/sshd_config
 +echo 'Banner /nomatch' >>$OBJ/sshd_config
 +for i in $params; do
 +	config=`echo $i | cut -f1 -d:`
 +	criteria=`echo $i | cut -f2 -d:`
 +	value=`echo $i | cut -f3 -d:`
 +	cat >>$OBJ/sshd_config <<EOD
 +	    Match $config $value
 +	      Banner /$value
 +EOD
 +done
 +${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
 +    fail "validate config for w/out spec"
 +
 +# Test matching each criteria.
 +for i in $params; do
 +	testcriteria=`echo $i | cut -f2 -d:`
 +	expected=/`echo $i | cut -f3 -d:`
 +	spec=""
 +	for j in $params; do
 +		config=`echo $j | cut -f1 -d:`
 +		criteria=`echo $j | cut -f2 -d:`
 +		value=`echo $j | cut -f3 -d:`
 +		if [ "$criteria" = "$testcriteria" ]; then
 +			spec="$criteria=$value,$spec"
 +		else
 +			spec="$criteria=1$value,$spec"
 +		fi
 +	done
 +	trace "test spec $spec"
 +	result=`${SUDO} ${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \
 +	    awk '$1=="banner"{print $2}'`
 +	if [ "$result" != "$expected" ]; then
 +		fail "match $config expected $expected got $result"
 +	fi
 +done
 diff --git a/servconf.c b/servconf.c
 index 434f0bc..9f363c9 100644
 --- a/servconf.c
 +++ b/servconf.c
@@ -1075,7 +1075,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 			return -1;
 		}
 		if (strcasecmp(attrib, "user") == 0) {
 -			if (ci == NULL) {
 +			if (ci == NULL || (ci->test && ci->user == NULL)) {
 				result = 0;
 				continue;
 			}
@@ -1087,7 +1087,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 				debug("user %.100s matched 'User %.100s' at "
 				    "line %d", ci->user, arg, line);
 		} else if (strcasecmp(attrib, "group") == 0) {
 -			if (ci == NULL) {
 +			if (ci == NULL || (ci->test && ci->user == NULL)) {
 				result = 0;
 				continue;
 			}
@@ -1100,7 +1100,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 				result = 0;
 			}
 		} else if (strcasecmp(attrib, "host") == 0) {
 -			if (ci == NULL) {
 +			if (ci == NULL || (ci->test && ci->host == NULL)) {
 				result = 0;
 				continue;
 			}
@@ -1112,7 +1112,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 				debug("connection from %.100s matched 'Host "
 				    "%.100s' at line %d", ci->host, arg, line);
 		} else if (strcasecmp(attrib, "address") == 0) {
 -			if (ci == NULL) {
 +			if (ci == NULL || (ci->test && ci->address == NULL)) {
 				result = 0;
 				continue;
 			}
@@ -1131,7 +1131,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 				return -1;
 			}
 		} else if (strcasecmp(attrib, "localaddress") == 0){
 -			if (ci == NULL) {
 +			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
 				result = 0;
 				continue;
 			}
@@ -1157,7 +1157,7 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 				    arg);
 				return -1;
 			}
 -			if (ci == NULL) {
 +			if (ci == NULL || (ci->test && ci->lport == -1)) {
 				result = 0;
 				continue;
 			}
@@ -1175,6 +1175,8 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 				result = 0;
 				continue;
 			}
 +			if (ci->rdomain == NULL)
 +				match_test_missing_fatal("RDomain", "rdomain");
 			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
 				result = 0;
 			else
 diff --git a/servconf.h b/servconf.h
 index fdbae24..381ed25 100644
 --- a/servconf.h
 +++ b/servconf.h
@@ -231,6 +231,8 @@ struct connection_info {
 	const char *laddress;	/* local address */
 	int lport;		/* local port */
 	const char *rdomain;	/* routing domain if available */
 +	int test;		/* test mode, allow some attributes to be
 +				   * unspecified */
 };
 diff --git a/sshd.c b/sshd.c
 index 6d081e4..a00b1af 100644
 --- a/sshd.c
 +++ b/sshd.c
@@ -2001,6 +2001,7 @@ main(int ac, char **av)
 		 */
 		if (connection_info == NULL)
 			connection_info = get_connection_info(0, 0);
 +		connection_info->test = 1;
 		parse_server_match_config(&options, connection_info);
 		dump_config(&options);
 	}
 -- 
 2.19.1