1 files changed, 187 insertions, 0 deletions
diff --git a/debian/patches/check-filenames-in-scp-client.patch b/debian/patches/check-filenames-in-scp-client.patch
new file mode 100644
index 000000000..519358ce6
--- /dev/null
+++ b/debian/patches/check-filenames-in-scp-client.patch
@@ -0,0 +1,187 @@
+From 125924e47db3713a85a70e0f8d6c23818d2ea054 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 26 Jan 2019 22:41:28 +0000
+Subject: upstream: check in scp client that filenames sent during
+remote->local directory copies satisfy the wildcard specified by the user.
+This checking provides some protection against a malicious server
+sending unexpected filenames, but it comes at a risk of rejecting wanted
+files due to differences between client and server wildcard expansion rules.
+For this reason, this also adds a new -T flag to disable the check.
+reported by Harry Sintonen
+fix approach suggested by markus@;
+has been in snaps for ~1wk courtesy deraadt@
+OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
+CVE-2019-6111
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
+Last-Update: 2019-02-08
+Patch-Name: check-filenames-in-scp-client.patch
+---
+ scp.1 | 12 +++++++++++-
+ scp.c | 37 +++++++++++++++++++++++++++++--------
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+diff --git a/scp.1 b/scp.1
+index 0e5cc1b2d..397e77091 100644
+--- a/scp.1
+++ b/scp.1
+@@ -18,7 +18,7 @@
+ .Nd secure copy (remote file copy program)
+ .Sh SYNOPSIS
+ .Nm scp
+-.Op Fl 346BCpqrv
+.Op Fl 346BCpqrTv
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+@@ -208,6 +208,16 @@ to use for the encrypted connection.
+ The program must understand
+ .Xr ssh 1
+ options.
+.It Fl T
+Disable strict filename checking.
+By default when copying files from a remote host to a local directory
+.Nm
+checks that the received filenames match those requested on the command-line
+to prevent the remote end from sending unexpected or unwanted files.
+Because of differences in how various operating systems and shells interpret
+filename wildcards, these checks may cause wanted files to be rejected.
+This option disables these checks at the expense of fully trusting that
+the server will not send unexpected filenames.
+ .It Fl v
+ Verbose mode.
+ Causes
+diff --git a/scp.c b/scp.c
+index 1971c80cd..035037bcc 100644
+--- a/scp.c
+++ b/scp.c
+@@ -94,6 +94,7 @@
+ #include <dirent.h>
+ #include <errno.h>
+ #include <fcntl.h>
+#include <fnmatch.h>
+ #include <limits.h>
+ #include <locale.h>
+ #include <pwd.h>
+@@ -383,14 +384,14 @@ void verifydir(char *);
+ struct passwd *pwd;
+ uid_t userid;
+ int errs, remin, remout;
+-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
+int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
+ 
+ #define        CMDNEEDS        64
+ char cmd[CMDNEEDS];            /* must hold "rcp -r -p -d\0" */
+ 
+ int response(void);
+ void rsource(char *, struct stat *);
+-void sink(int, char *[]);
+void sink(int, char *[], const char *);
+ void source(int, char *[]);
+ void tolocal(int, char *[]);
+ void toremote(int, char *[]);
+@@ -429,8 +430,9 @@ main(int argc, char **argv)
+        addargs(&args, "-oRemoteCommand=none");
+        addargs(&args, "-oRequestTTY=no");
+ 
+-       fflag = tflag = 0;
+-       while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
+       fflag = Tflag = tflag = 0;
+       while ((ch = getopt(argc, argv,
+           "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1) {
+                switch (ch) {
+                /* User-visible flags. */
+                case '1':
+@@ -509,9 +511,13 @@ main(int argc, char **argv)
+                        setmode(0, O_BINARY);
+ #endif
+                        break;
+               case 'T':
+                       Tflag = 1;
+                       break;
+                default:
+                        usage();
+                }
+       }
+        argc -= optind;
+        argv += optind;
+ 
+@@ -542,7 +548,7 @@ main(int argc, char **argv)
+        }
+        if (tflag) {
+                /* Receive data. */
+-               sink(argc, argv);
+               sink(argc, argv, NULL);
+                exit(errs != 0);
+        }
+        if (argc < 2)
+@@ -800,7 +806,7 @@ tolocal(int argc, char **argv)
+                        continue;
+                }
+                free(bp);
+-               sink(1, argv + argc - 1);
+               sink(1, argv + argc - 1, src);
+                (void) close(remin);
+                remin = remout = -1;
+        }
+@@ -976,7 +982,7 @@ rsource(char *name, struct stat *statp)
+         (sizeof(type) != 4 && sizeof(type) != 8))
+ 
+ void
+-sink(int argc, char **argv)
+sink(int argc, char **argv, const char *src)
+ {
+        static BUF buffer;
+        struct stat stb;
+@@ -992,6 +998,7 @@ sink(int argc, char **argv)
+        unsigned long long ull;
+        int setimes, targisdir, wrerrno = 0;
+        char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
+       char *src_copy = NULL, *restrict_pattern = NULL;
+        struct timeval tv[2];
+ 
+ #define        atime   tv[0]
+@@ -1016,6 +1023,17 @@ sink(int argc, char **argv)
+        (void) atomicio(vwrite, remout, "", 1);
+        if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+                targisdir = 1;
+       if (src != NULL && !iamrecursive && !Tflag) {
+               /*
+                * Prepare to try to restrict incoming filenames to match
+                * the requested destination file glob.
+                */
+               if ((src_copy = strdup(src)) == NULL)
+                       fatal("strdup failed");
+               if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
+                       *restrict_pattern++ = '\0';
+               }
+       }
+        for (first = 1;; first = 0) {
+                cp = buf;
+                if (atomicio(read, remin, cp, 1) != 1)
+@@ -1120,6 +1138,9 @@ sink(int argc, char **argv)
+                        run_err("error: unexpected filename: %s", cp);
+                        exit(1);
+                }
+               if (restrict_pattern != NULL &&
+                   fnmatch(restrict_pattern, cp, 0) != 0)
+                       SCREWUP("filename does not match request");
+                if (targisdir) {
+                        static char *namebuf;
+                        static size_t cursize;
+@@ -1157,7 +1178,7 @@ sink(int argc, char **argv)
+                                        goto bad;
+                        }
+                        vect[0] = xstrdup(np);
+-                       sink(1, vect);
+                       sink(1, vect, src);
+                        if (setimes) {
+                                setimes = 0;
+                                if (utimes(vect[0], tv) < 0)

diff --git a/debian/patches/check-filenames-in-scp-client.patch b/debian/patches/check-filenames-in-scp-client.patch new file mode 100644 index 000000000..519358ce6 --- /dev/null +++ b/debian/patches/check-filenames-in-scp-client.patch
@@ -0,0 +1,187 @@
	1	From 125924e47db3713a85a70e0f8d6c23818d2ea054 Mon Sep 17 00:00:00 2001
	2	From: "djm@openbsd.org" <djm@openbsd.org>
	3	Date: Sat, 26 Jan 2019 22:41:28 +0000
	4	Subject: upstream: check in scp client that filenames sent during
	5
	6	remote->local directory copies satisfy the wildcard specified by the user.
	7
	8	This checking provides some protection against a malicious server
	9	sending unexpected filenames, but it comes at a risk of rejecting wanted
	10	files due to differences between client and server wildcard expansion rules.
	11
	12	For this reason, this also adds a new -T flag to disable the check.
	13
	14	reported by Harry Sintonen
	15	fix approach suggested by markus@;
	16	has been in snaps for ~1wk courtesy deraadt@
	17
	18	OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
	19
	20	CVE-2019-6111
	21
	22	Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
	23	Last-Update: 2019-02-08
	24
	25	Patch-Name: check-filenames-in-scp-client.patch
	26	---
	27	scp.1 \| 12 +++++++++++-
	28	scp.c \| 37 +++++++++++++++++++++++++++++--------
	29	2 files changed, 40 insertions(+), 9 deletions(-)
	30
	31	diff --git a/scp.1 b/scp.1
	32	index 0e5cc1b2d..397e77091 100644
	33	--- a/scp.1
	34	+++ b/scp.1
	35	@@ -18,7 +18,7 @@
	36	.Nd secure copy (remote file copy program)
	37	.Sh SYNOPSIS
	38	.Nm scp
	39	-.Op Fl 346BCpqrv
	40	+.Op Fl 346BCpqrTv
	41	.Op Fl c Ar cipher
	42	.Op Fl F Ar ssh_config
	43	.Op Fl i Ar identity_file
	44	@@ -208,6 +208,16 @@ to use for the encrypted connection.
	45	The program must understand
	46	.Xr ssh 1
	47	options.
	48	+.It Fl T
	49	+Disable strict filename checking.
	50	+By default when copying files from a remote host to a local directory
	51	+.Nm
	52	+checks that the received filenames match those requested on the command-line
	53	+to prevent the remote end from sending unexpected or unwanted files.
	54	+Because of differences in how various operating systems and shells interpret
	55	+filename wildcards, these checks may cause wanted files to be rejected.
	56	+This option disables these checks at the expense of fully trusting that
	57	+the server will not send unexpected filenames.
	58	.It Fl v
	59	Verbose mode.
	60	Causes
	61	diff --git a/scp.c b/scp.c
	62	index 1971c80cd..035037bcc 100644
	63	--- a/scp.c
	64	+++ b/scp.c
	65	@@ -94,6 +94,7 @@
	66	#include <dirent.h>
	67	#include <errno.h>
	68	#include <fcntl.h>
	69	+#include <fnmatch.h>
	70	#include <limits.h>
	71	#include <locale.h>
	72	#include <pwd.h>
	73	@@ -383,14 +384,14 @@ void verifydir(char *);
	74	struct passwd *pwd;
	75	uid_t userid;
	76	int errs, remin, remout;
	77	-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
	78	+int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
	79
	80	#define CMDNEEDS 64
	81	char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */
	82
	83	int response(void);
	84	void rsource(char , struct stat );
	85	-void sink(int, char *[]);
	86	+void sink(int, char [], const char );
	87	void source(int, char *[]);
	88	void tolocal(int, char *[]);
	89	void toremote(int, char *[]);
	90	@@ -429,8 +430,9 @@ main(int argc, char **argv)
	91	addargs(&args, "-oRemoteCommand=none");
	92	addargs(&args, "-oRequestTTY=no");
	93
	94	- fflag = tflag = 0;
	95	- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
	96	+ fflag = Tflag = tflag = 0;
	97	+ while ((ch = getopt(argc, argv,
	98	+ "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1) {
	99	switch (ch) {
	100	/* User-visible flags. */
	101	case '1':
	102	@@ -509,9 +511,13 @@ main(int argc, char **argv)
	103	setmode(0, O_BINARY);
	104	#endif
	105	break;
	106	+ case 'T':
	107	+ Tflag = 1;
	108	+ break;
	109	default:
	110	usage();
	111	}
	112	+ }
	113	argc -= optind;
	114	argv += optind;
	115
	116	@@ -542,7 +548,7 @@ main(int argc, char **argv)
	117	}
	118	if (tflag) {
	119	/* Receive data. */
	120	- sink(argc, argv);
	121	+ sink(argc, argv, NULL);
	122	exit(errs != 0);
	123	}
	124	if (argc < 2)
	125	@@ -800,7 +806,7 @@ tolocal(int argc, char **argv)
	126	continue;
	127	}
	128	free(bp);
	129	- sink(1, argv + argc - 1);
	130	+ sink(1, argv + argc - 1, src);
	131	(void) close(remin);
	132	remin = remout = -1;
	133	}
	134	@@ -976,7 +982,7 @@ rsource(char name, struct stat statp)
	135	(sizeof(type) != 4 && sizeof(type) != 8))
	136
	137	void
	138	-sink(int argc, char **argv)
	139	+sink(int argc, char *argv, const char src)
	140	{
	141	static BUF buffer;
	142	struct stat stb;
	143	@@ -992,6 +998,7 @@ sink(int argc, char **argv)
	144	unsigned long long ull;
	145	int setimes, targisdir, wrerrno = 0;
	146	char ch, cp, np, targ, why, *vect[1], buf[2048], visbuf[2048];
	147	+ char src_copy = NULL, restrict_pattern = NULL;
	148	struct timeval tv[2];
	149
	150	#define atime tv[0]
	151	@@ -1016,6 +1023,17 @@ sink(int argc, char **argv)
	152	(void) atomicio(vwrite, remout, "", 1);
	153	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
	154	targisdir = 1;
	155	+ if (src != NULL && !iamrecursive && !Tflag) {
	156	+ /*
	157	+ * Prepare to try to restrict incoming filenames to match
	158	+ * the requested destination file glob.
	159	+ */
	160	+ if ((src_copy = strdup(src)) == NULL)
	161	+ fatal("strdup failed");
	162	+ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
	163	+ *restrict_pattern++ = '\0';
	164	+ }
	165	+ }
	166	for (first = 1;; first = 0) {
	167	cp = buf;
	168	if (atomicio(read, remin, cp, 1) != 1)
	169	@@ -1120,6 +1138,9 @@ sink(int argc, char **argv)
	170	run_err("error: unexpected filename: %s", cp);
	171	exit(1);
	172	}
	173	+ if (restrict_pattern != NULL &&
	174	+ fnmatch(restrict_pattern, cp, 0) != 0)
	175	+ SCREWUP("filename does not match request");
	176	if (targisdir) {
	177	static char *namebuf;
	178	static size_t cursize;
	179	@@ -1157,7 +1178,7 @@ sink(int argc, char **argv)
	180	goto bad;
	181	}
	182	vect[0] = xstrdup(np);
	183	- sink(1, vect);
	184	+ sink(1, vect, src);
	185	if (setimes) {
	186	setimes = 0;
	187	if (utimes(vect[0], tv) < 0)