author | Colin Watson <cjwatson@debian.org> | 2017-03-09 11:25:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-03-09 11:26:56 +0000 |
commit | 5e90171e0d3f39624c922a06e434423b31f6f9b9 (patch) | |
tree | f26935de9fdaa86aaa32d89a7f3d01da9d4e29e8 /debian/patches | |
parent | 0f47d98a0bf566b08873ac1464427a1263a24698 (diff) | |
parent | 78800aa252da1ebbfb55f7e593f43c337e694cc3 (diff) |
Fix ssh-keygen -H accidentally corrupting known_hosts that contained already-hashed entries (closes: #851734, LP: #1668093).
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | debian/patches/ssh-keygen-hash-corruption.patch | 44 |
2 files changed, 45 insertions, 0 deletions
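--- a/debian/patches/series
+++ b/debian/patches/series
@@ -30,3 +30,4 @@ regress-mktemp.patch
 sandbox-x32-workaround.patch
 no-dsa-host-key-by-default.patch
 restore-authorized_keys2.patch
+ssh-keygen-hash-corruption.patch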
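--- /dev/null
+++ b/debian/patches/ssh-keygen-hash-corruption.patch
@@ -0,0 +1,44 @@
+From 78800aa252da1ebbfb55f7e593f43c337e694cc3 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 3 Mar 2017 06:13:11 +0000
+Subject: upstream commit
+
+fix ssh-keygen -H accidentally corrupting known_hosts that
+contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
+hostkeys_foreach() when hostname matching is in use, so we need to look for
+the hash marker explicitly.
+
+Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=12d3767ba4c84c32150cbe6ff6494498780f12c9
+Bug-Debian: https://bugs.debian.org/851734
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1668093
+Last-Update: 2017-03-09
+
+Patch-Name: ssh-keygen-hash-corruption.patch
+---
+ssh-keygen.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 2a7939bf..0833ee61 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -1082,6 +1082,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
+struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
+char *hashed, *cp, *hosts, *ohosts;
+int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
++ int was_hashed = l->hosts[0] == HASH_DELIM;
+
+switch (l->status) {
+case HKF_STATUS_OK:
+@@ -1090,8 +1091,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
+* Don't hash hosts already already hashed, with wildcard
+* characters or a CA/revocation marker.
+*/
+- if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||
+- has_wild || l->marker != MRK_NONE) {
++ if (was_hashed || has_wild || l->marker != MRK_NONE) {
+fprintf(ctx->out, "%s\n", l->line);
+if (has_wild && !find_host) {
+logit("%s:%ld: ignoring host name "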
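Review bot: The new `was_hashed` initialiser (inner-patch line 31) dereferences `l->hosts` unconditionally, while the `has_wild` initialiser directly above it guards with `l->hosts &&`, which implies hostkeys_foreach() can hand this callback a line whose `hosts` is NULL. Both initialisers run before the `switch (l->status)`, so for every status, and on such a line the new code would crash with a NULL dereference instead of passing the line through unchanged; for a tool that rewrites known_hosts in place that is a worse failure mode than the one being fixed. The guard should mirror the line above: `int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;`. The enclosing known_hosts_hash() continues past the end of the hunk, so any later use of `l->hosts` there is not visible here.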