Fix kexgss_server to cope with DH_GRP_MIN/DH_GRP_MAX being stricter on the server end than the client (thanks, Damien Miller; closes: #817870, LP: #1558576).

30 files changed, 46 insertions, 40 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index a06ce86e7..56d701e88 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-27a3937bf51447024527168a510d7f9b21542b1c
-27a3937bf51447024527168a510d7f9b21542b1c
+d888c9637031a93c13c168a35e99e9aa76c14a9a
+d888c9637031a93c13c168a35e99e9aa76c14a9a
 f0329aac23c61e1a5197d6d57349a63f459bccb0
 f0329aac23c61e1a5197d6d57349a63f459bccb0
 openssh_7.2p2.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 2bcadbc1b..25e64486a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openssh (1:7.2p2-2) UNRELEASED; urgency=medium
+
+  * Fix kexgss_server to cope with DH_GRP_MIN/DH_GRP_MAX being stricter on
+    the server end than the client (thanks, Damien Miller; closes: #817870,
+    LP: #1558576).
+
+ -- Colin Watson <cjwatson@debian.org>  Mon, 21 Mar 2016 12:06:42 +0000
+
 openssh (1:7.2p2-1) unstable; urgency=high
 
   * New upstream release (http://www.openssh.com/txt/release-7.2p2):
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 482ca97bd..a08e710da 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From 33f7235ca187f62f44734c6caca95e54c3cf7232 Mon Sep 17 00:00:00 2001
+From 1dd7836b386be1816bc565aafb9875769430a02d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index a6e5019e4..16319024c 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 4f28c3fcf778105bbbb3a2144d1d46bee93b48b7 Mon Sep 17 00:00:00 2001
+From 37a9102e7075f34d57b02d1eac631efa73f120fd Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 64e7bcae9..4d60c3c01 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From ae6ba56387f97086bb50273e1c80ba5cbaba2adc Mon Sep 17 00:00:00 2001
+From 1b9f8f458824d7e46f9f749c77f26016f2ea9967 Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 3bc6c1303..bb1728107 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 27a3937bf51447024527168a510d7f9b21542b1c Mon Sep 17 00:00:00 2001
+From d888c9637031a93c13c168a35e99e9aa76c14a9a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index a6d108d64..a82a719b2 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 9c255ad5c677682eb99e1d45dbd5328cef732036 Mon Sep 17 00:00:00 2001
+From ca8dd1a2520b4230dd97d8e4774426b756f16c42 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 20d25b04e..b0b7e5602 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From e28df965f5f36a83bba58549a216fba78277585f Mon Sep 17 00:00:00 2001
+From 298a5e96571cbe9036a2445eecaca26d2aeade11 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 698236ca7..5d52dcde6 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From d0f5716ccb267efa3178ee03c2fc5a45d024c465 Mon Sep 17 00:00:00 2001
+From ceec3c2a41d87211d478fa6332137aad39dcd18a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 7d0c14d5b..36ed11962 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From bd1efc3a46d0253b5d3c44e7d881d7ac0af87549 Mon Sep 17 00:00:00 2001
+From 067b8148b52fcf5de6e3bfa3a90ed8a2fa05d8e6 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 6ce8a62bf..fd3b9b630 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 6dfd41bb6858c6446c1da47449e2108fbabf220e Mon Sep 17 00:00:00 2001
+From 8c27af53099b50387dda97c0aae36194197186f6 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
 security history.
 
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2016-01-04
+Last-Updated: 2016-03-21
 
 Patch-Name: gssapi.patch
 ---
@@ -36,7 +36,7 @@ Patch-Name: gssapi.patch
  kex.c            |  16 +++
  kex.h            |  14 +++
  kexgssc.c        | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- kexgsss.c        | 295 ++++++++++++++++++++++++++++++++++++++++++++++++
+ kexgsss.c        | 294 ++++++++++++++++++++++++++++++++++++++++++++++++
  monitor.c        | 108 +++++++++++++++++-
  monitor.h        |   3 +
  monitor_wrap.c   |  47 +++++++-
@@ -54,7 +54,7 @@ Patch-Name: gssapi.patch
  sshd_config.5    |  10 ++
  sshkey.c         |   3 +-
  sshkey.h         |   1 +
- 33 files changed, 1951 insertions(+), 46 deletions(-)
+ 33 files changed, 1950 insertions(+), 46 deletions(-)
  create mode 100644 ChangeLog.gssapi
  create mode 100644 kexgssc.c
  create mode 100644 kexgsss.c
@@ -1637,10 +1637,10 @@ index 0000000..a49bac2
 +#endif /* GSSAPI */
 diff --git a/kexgsss.c b/kexgsss.c
 new file mode 100644
-index 0000000..0847469
+index 0000000..dd8ba1d
 --- /dev/null
 +++ b/kexgsss.c
-@@ -0,0 +1,295 @@
+@@ -0,0 +1,294 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@@ -1753,13 +1753,12 @@ index 0000000..0847469
 +               min = packet_get_int();
 +               nbits = packet_get_int();
 +               max = packet_get_int();
-+               min = MAX(DH_GRP_MIN, min);
-+               max = MIN(DH_GRP_MAX, max);
 +               packet_check_eom();
 +               if (max < min || nbits < min || max < nbits)
 +                       fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
 +                           min, nbits, max);
-+               dh = PRIVSEP(choose_dh(min, nbits, max));
++               dh = PRIVSEP(choose_dh(MAX(DH_GRP_MIN, min),
++                   nbits, MIN(DH_GRP_MAX, max)));
 +               if (dh == NULL)
 +                       packet_disconnect("Protocol error: no matching group found");
 +
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index d8a12a26f..8ebbf1fbc 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From 6165757b14648f66150a0b5b45790b117f562790 Mon Sep 17 00:00:00 2001
+From 2b2c5ff34efa305e141130466260ca97f3a429ff Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index f184bb41e..bc798582d 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From ce1a5718a57d2d1c0d9e59cfac81c2f6401780a0 Mon Sep 17 00:00:00 2001
+From c7c5d5805bd2a58fcab69da87daa53259db06d81 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 77fd9dd81..80f9b78e0 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 86be635e17e81da5e0dc39498724a5c37a52753d Mon Sep 17 00:00:00 2001
+From 4dc338b2703dd6169cecdbe3388c92f4cc2fc119 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 58a39a95b..a53f6dee1 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 37fa6804403a83d98a796f417544104996f3c4a8 Mon Sep 17 00:00:00 2001
+From d3362ea5419b16b81eb171436b95b51beedb9242 Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 72f946fec..6027ca645 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From a94344bdb2f8499dd6370f53f41d46bd5a6fc045 Mon Sep 17 00:00:00 2001
+From 9d764f08fd01fa5c62a7cbff66165bc5d5ffb637 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 3fd57a043..58c57dbac 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From fa63bc351c67842b687d94a24afa1d7fd1d8c94f Mon Sep 17 00:00:00 2001
+From 81e52d59797c24edadc36f0f90f96387976a82c0 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 5eaab4036..b085e5e08 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 2ebca9787f92efa5d3fa1a1a47547f5ed1d31ca0 Mon Sep 17 00:00:00 2001
+From f1e898fb6e470f99c3e64313c6f9fce08eb94e80 Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index dbb66f10f..4607d5f53 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 1b820bd5376b5b04403f0489b2e135566cedd4e6 Mon Sep 17 00:00:00 2001
+From 0031968609564a15294c39d2519201741664905d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index fbaaa92ec..1ad0d11e2 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 9788125fd5b4541ebeae6028b9e911c5aeb43d9f Mon Sep 17 00:00:00 2001
+From eca335b47f5cf4adfc64cd17096f83d546fa91da Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index de4384b03..fea289291 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 16caff9bcfbc638ed7d2e01a338db678f138faa5 Mon Sep 17 00:00:00 2001
+From 206bdbf6bcc95e589effa11695aff2c6b9327e11 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index ea8f2d685..95ff21814 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From a8c208a1f6b234a3bf0206c7bce2aaa27b88b46a Mon Sep 17 00:00:00 2001
+From cfcbb82102babef6affeec3b8373f5811d82d065 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 590f55539..b17176db8 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From 2b25784cfb29177fe9e19546981ab698eb422b9f Mon Sep 17 00:00:00 2001
+From 803865858838e2ccf1fa885ba14b9a11c4a3153e Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 5d64655e5..0a8180056 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 3e0e43c3840d4df2e44435a41981fd1eef5030b4 Mon Sep 17 00:00:00 2001
+From c13ebec3d0989b374bef99d2d1f2a3bcc3c62aa8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 6cb4a8472..51cdfde48 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From af8f74e50c8b6f49d85bd03c64e92260ae95ef59 Mon Sep 17 00:00:00 2001
+From 22585509beb1efc6a3a58c8ff714211043325201 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 7ff30093a..b909e6ddb 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 50201dd1c0a38e8a26d614b1679981610a8effc5 Mon Sep 17 00:00:00 2001
+From ceebe313c4b094557bda974d274a6e7b5b33e3f9 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index fe72ff7ba..6bc3911f7 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From b8c3ad59100fedf8aaab9986b55c9307c599ec61 Mon Sep 17 00:00:00 2001
+From 68388fa20403834f5559486542b1baf4ad36141a Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index ae66bee27..ab3445fcc 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From 8eec1f49bed1e85e4534067c4290662b7bcc3f34 Mon Sep 17 00:00:00 2001
+From 643bc17ada741a9ee5b86170ad313f83278e1f72 Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 79536fd47..c64e141f8 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 4176718757a83a831028f468ff66cedd291c24b9 Mon Sep 17 00:00:00 2001
+From bf0d87583a842b9e8aaf2a9cd9dbc3e976df2af4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
diff --git a/kexgsss.c b/kexgsss.c
index 0847469af..dd8ba1d93 100644
--- a/kexgsss.c
+++ b/kexgsss.c
@@ -110,13 +110,12 @@ kexgss_server(struct ssh *ssh)
                 min = packet_get_int();
                 nbits = packet_get_int();
                 max = packet_get_int();
-                min = MAX(DH_GRP_MIN, min);
-                max = MIN(DH_GRP_MAX, max);
                 packet_check_eom();
                 if (max < min || nbits < min || max < nbits)
                         fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
                             min, nbits, max);
-                dh = PRIVSEP(choose_dh(min, nbits, max));
+                dh = PRIVSEP(choose_dh(MAX(DH_GRP_MIN, min),
+                    nbits, MIN(DH_GRP_MAX, max)));
                 if (dh == NULL)
                         packet_disconnect("Protocol error: no matching group found");