5 files changed, 44 insertions, 4 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index cc2aee698..935f783bc 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8
+12577aa167c76d517bfe78f603fe805f190d8d05
-810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8
+12577aa167c76d517bfe78f603fe805f190d8d05
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
 openssh_6.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 06ec4ab09..e77d3462a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -129,6 +129,12 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
      SendEnv and AcceptEnv; bz#2386
    - sshd(8): Format UsePAM setting when using sshd -T (closes: #767648).
    - moduli(5): Update DH-GEX moduli (closes: #787037).
+  * There are some things I want to fix before upgrading to 7.0p1, though I
+    intend to do that soon.  In the meantime, backport security patches:
+    - SECURITY: sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be
+      world-writable.  Local attackers may be able to write arbitrary
+      messages to logged-in users, including terminal escape sequences.
+      Reported by Nikolay Edigaryev.
  * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
    GSSAPI key exchange patch.
diff --git a/debian/patches/backport-fix-pty-permissions.patch b/debian/patches/backport-fix-pty-permissions.patch
new file mode 100644
index 000000000..2cff74911
--- /dev/null
+++ b/debian/patches/backport-fix-pty-permissions.patch
@@ -0,0 +1,33 @@
+From 12577aa167c76d517bfe78f603fe805f190d8d05 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 30 Jul 2015 23:09:15 +0000
+Subject: Fix pty permissions
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a
+Forwarded: not-needed
+Last-Update: 2015-08-19
+Patch-Name: backport-fix-pty-permissions.patch
+---
+ sshpty.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/sshpty.c b/sshpty.c
+index 0e32b39..e89efb7 100644
+--- a/sshpty.c
+++ b/sshpty.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty, const char *role)
+        /* Determine the group to make the owner of the tty. */
+        grp = getgrnam("tty");
+        gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
+-       mode = (grp != NULL) ? 0622 : 0600;
+       mode = (grp != NULL) ? 0620 : 0600;
+ 
+        /*
+         * Change owner and mode of the tty as required.
diff --git a/debian/patches/series b/debian/patches/series
index bbc7a5fb4..bee70bc30 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,4 @@ no-openssl-version-status.patch
 gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
+backport-fix-pty-permissions.patch
diff --git a/sshpty.c b/sshpty.c
index 0e32b392b..e89efb74a 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty, const char *role)
        /* Determine the group to make the owner of the tty. */
        grp = getgrnam("tty");
        gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
-        mode = (grp != NULL) ? 0622 : 0600;
+        mode = (grp != NULL) ? 0620 : 0600;
        /*
         * Change owner and mode of the tty as required.

diff --git a/debian/.git-dpm b/debian/.git-dpm index cc2aee698..935f783bc 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8	2	12577aa167c76d517bfe78f603fe805f190d8d05
3	810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8	3	12577aa167c76d517bfe78f603fe805f190d8d05
4	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9	4	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
5	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9	5	544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
6	openssh_6.9p1.orig.tar.gz	6	openssh_6.9p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 06ec4ab09..e77d3462a 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -129,6 +129,12 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
129	SendEnv and AcceptEnv; bz#2386	129	SendEnv and AcceptEnv; bz#2386
130	- sshd(8): Format UsePAM setting when using sshd -T (closes: #767648).	130	- sshd(8): Format UsePAM setting when using sshd -T (closes: #767648).
131	- moduli(5): Update DH-GEX moduli (closes: #787037).	131	- moduli(5): Update DH-GEX moduli (closes: #787037).
		132	* There are some things I want to fix before upgrading to 7.0p1, though I
		133	intend to do that soon. In the meantime, backport security patches:
		134	- SECURITY: sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be
		135	world-writable. Local attackers may be able to write arbitrary
		136	messages to logged-in users, including terminal escape sequences.
		137	Reported by Nikolay Edigaryev.
132	* Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the	138	* Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
133	GSSAPI key exchange patch.	139	GSSAPI key exchange patch.
134		140


diff --git a/debian/patches/backport-fix-pty-permissions.patch b/debian/patches/backport-fix-pty-permissions.patch new file mode 100644 index 000000000..2cff74911 --- /dev/null +++ b/debian/patches/backport-fix-pty-permissions.patch
@@ -0,0 +1,33 @@
		1	From 12577aa167c76d517bfe78f603fe805f190d8d05 Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Thu, 30 Jul 2015 23:09:15 +0000
		4	Subject: Fix pty permissions
		5
		6	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a
		7	Forwarded: not-needed
		8	Last-Update: 2015-08-19
		9
		10	Patch-Name: backport-fix-pty-permissions.patch
		11	---
		12	sshpty.c \| 4 ++--
		13	1 file changed, 2 insertions(+), 2 deletions(-)
		14
		15	diff --git a/sshpty.c b/sshpty.c
		16	index 0e32b39..e89efb7 100644
		17	--- a/sshpty.c
		18	+++ b/sshpty.c
		19	@@ -1,4 +1,4 @@
		20	-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
		21	+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
		22	/*
		23	* Author: Tatu Ylonen <ylo@cs.hut.fi>
		24	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
		25	@@ -197,7 +197,7 @@ pty_setowner(struct passwd pw, const char tty, const char *role)
		26	/* Determine the group to make the owner of the tty. */
		27	grp = getgrnam("tty");
		28	gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
		29	- mode = (grp != NULL) ? 0622 : 0600;
		30	+ mode = (grp != NULL) ? 0620 : 0600;
		31
		32	/*
		33	* Change owner and mode of the tty as required.


diff --git a/debian/patches/series b/debian/patches/series index bbc7a5fb4..bee70bc30 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -27,3 +27,4 @@ no-openssl-version-status.patch
27	gnome-ssh-askpass2-icon.patch	27	gnome-ssh-askpass2-icon.patch
28	sigstop.patch	28	sigstop.patch
29	debian-config.patch	29	debian-config.patch
		30	backport-fix-pty-permissions.patch


diff --git a/sshpty.c b/sshpty.c index 0e32b392b..e89efb74a 100644 --- a/sshpty.c +++ b/sshpty.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */	1	/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -197,7 +197,7 @@ pty_setowner(struct passwd pw, const char tty, const char *role)
197	/* Determine the group to make the owner of the tty. */	197	/* Determine the group to make the owner of the tty. */
198	grp = getgrnam("tty");	198	grp = getgrnam("tty");
199	gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;	199	gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
200	mode = (grp != NULL) ? 0622 : 0600;	200	mode = (grp != NULL) ? 0620 : 0600;
201		201
202	/*	202	/*
203	* Change owner and mode of the tty as required.	203	* Change owner and mode of the tty as required.