diff -Nru openssh-7.2p2/debian/changelog openssh-7.2p2/debian/changelog
--- openssh-7.2p2/debian/changelog 2016-08-11 12:41:57.000000000 +0000
+++ openssh-7.2p2/debian/changelog 2017-03-16 13:50:33.000000000 +0000
@@ -1,3 +1,11 @@
+openssh (1:7.2p2-4ubuntu2.2) xenial; urgency=medium
+
+ * Fix ssh-keygen -H accidentally corrupting known_hosts that contained
+ already-hashed entries (LP: #1668093).
+ * Fix ssh-keyscan to correctly hash hosts with a port number (LP: #1670745).
+
+ -- Christian Ehrhardt Wed, 15 Mar 2017 13:16:56 +0100
+
 openssh (1:7.2p2-4ubuntu2.1) xenial-security; urgency=medium
 
 * SECURITY UPDATE: user enumeration via covert timing channel
diff -Nru openssh-7.2p2/debian/patches/series openssh-7.2p2/debian/patches/series
--- openssh-7.2p2/debian/patches/series 2016-08-11 12:38:20.000000000 +0000
+++ openssh-7.2p2/debian/patches/series 2017-03-16 13:50:45.000000000 +0000
@@ -31,3 +31,6 @@
 CVE-2016-6210-2.patch
 CVE-2016-6210-3.patch
 CVE-2016-6515.patch
+ssh-keygen-hash-corruption.patch
+ssh-keyscan-hash-port.patch
+ssh-keygen-fix-null-deref.patch
diff -Nru openssh-7.2p2/debian/patches/ssh-keygen-fix-null-deref.patch openssh-7.2p2/debian/patches/ssh-keygen-fix-null-deref.patch
--- openssh-7.2p2/debian/patches/ssh-keygen-fix-null-deref.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.2p2/debian/patches/ssh-keygen-fix-null-deref.patch 2017-03-16 13:50:45.000000000 +0000
@@ -0,0 +1,29 @@
+From 18501151cf272a15b5f2c5e777f2e0933633c513
+Author: dtucker@openbsd.org
+Date: Mon Mar 6 02:03:20 2017 +0000
+Subject: upstream commit
+
+ Check l->hosts before dereferencing; fixes potential null
+ pointer deref. ok djm@
+
+ Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=18501151cf272a15b5f2c5e777f2e0933633c513
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1668093
+Last-Update: 2017-03-16
+
+Patch-Name: ssh-keygen-fix-null-deref.patch
+---
+ ssh-keygen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -1082,7 +1082,7 @@
+ struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
+ char *hashed, *cp, *hosts, *ohosts;
+ int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
+- int was_hashed = l->hosts[0] == HASH_DELIM;
++ int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;
+
+ switch (l->status) {
+ case HKF_STATUS_OK:
diff -Nru openssh-7.2p2/debian/patches/ssh-keygen-hash-corruption.patch openssh-7.2p2/debian/patches/ssh-keygen-hash-corruption.patch
--- openssh-7.2p2/debian/patches/ssh-keygen-hash-corruption.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.2p2/debian/patches/ssh-keygen-hash-corruption.patch 2017-03-16 13:38:37.000000000 +0000
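Review bot: The guard added in the inner `@@ -1082,7 +1082,7 @@` hunk of ssh-keygen-fix-null-deref.patch carries no comment saying when `l->hosts` is NULL, and the `has_wild` line above it repeats the same test without explanation. A short comment over the two declarations, such as `/* l->hosts may be NULL for lines with no parsed host field; treat those as neither wildcard nor hashed */`, would keep a later edit from dropping the check. Which line types leave the field NULL is decided in hostkeys_foreach(), which is not visible here, so the wording should be confirmed against it. The enclosing function starts and ends outside the hunk. A regression case that runs `ssh-keygen -H` over a known_hosts file containing such a line would pin the fix.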
@@ -0,0 +1,44 @@
+From 78800aa252da1ebbfb55f7e593f43c337e694cc3 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Fri, 3 Mar 2017 06:13:11 +0000
+Subject: upstream commit
+
+fix ssh-keygen -H accidentally corrupting known_hosts that
+contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
+hostkeys_foreach() when hostname matching is in use, so we need to look for
+the hash marker explicitly.
+
+Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=12d3767ba4c84c32150cbe6ff6494498780f12c9
+Bug-Debian: https://bugs.debian.org/851734
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1668093
+Last-Update: 2017-03-15
+
+Patch-Name: ssh-keygen-hash-corruption.patch
+---
+ ssh-keygen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 2a7939bf..0833ee61 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -1082,6 +1082,7 @@
+ struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
+ char *hashed, *cp, *hosts, *ohosts;
+ int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
++ int was_hashed = l->hosts[0] == HASH_DELIM;
+
+ switch (l->status) {
+ case HKF_STATUS_OK:
+@@ -1090,8 +1091,7 @@
+ * Don't hash hosts already already hashed, with wildcard
+ * characters or a CA/revocation marker.
+ */
+- if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||
+- has_wild || l->marker != MRK_NONE) {
++ if (was_hashed || has_wild || l->marker != MRK_NONE) {
+ fprintf(ctx->out, "%s\n", l->line);
+ if (has_wild && !find_host) {
+ logit("%s:%ld: ignoring host name "
diff -Nru openssh-7.2p2/debian/patches/ssh-keyscan-hash-port.patch openssh-7.2p2/debian/patches/ssh-keyscan-hash-port.patch
--- openssh-7.2p2/debian/patches/ssh-keyscan-hash-port.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.2p2/debian/patches/ssh-keyscan-hash-port.patch 2017-03-16 13:50:24.000000000 +0000
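Review bot: The line added in the inner `@@ -1082,6 +1082,7 @@` hunk of ssh-keygen-hash-corruption.patch, `int was_hashed = l->hosts[0] == HASH_DELIM;`, reads `l->hosts` without the NULL test that the `has_wild` line directly above applies, so this patch on its own leaves ssh-keygen.c with a potential NULL dereference. The guard arrives only in ssh-keygen-fix-null-deref.patch, which `series` lists two entries later with ssh-keyscan-hash-port.patch in between. I would list the two ssh-keygen patches back to back and record the coupling in this header, for example `Note: depends on ssh-keygen-fix-null-deref.patch, which adds the NULL check on l->hosts.`, so that a later backport or patch drop cannot ship one without the other. The enclosing function starts and ends outside both inner hunks.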
@@ -0,0 +1,48 @@
+From a0f9daa9c3cc2b37b9707b228263eb717d201371 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Fri, 10 Mar 2017 03:18:24 +0000
+Subject: upstream commit
+
+correctly hash hosts with a port number. Reported by Josh
+Powers in bz#2692; ok dtucker@
+
+Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=8a2834454c73dfc1eb96453c0e97690595f3f4c2
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2692
+Bug-Debian: https://bugs.debian.org/857736
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1670745
+Last-Update: 2017-03-14
+
+Patch-Name: ssh-keyscan-hash-port.patch
+---
+ ssh-keyscan.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index c30d54e6..24b51ff1 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -321,16 +321,17 @@ keygrab_ssh2(con *c)
+ }
+
+ static void
+-keyprint_one(char *host, struct sshkey *key)
++keyprint_one(const char *host, struct sshkey *key)
+ {
+ char *hostport;
+-
+- if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
+- fatal("host_hash failed");
++ const char *known_host, *hashed;
+
+ hostport = put_host_port(host, ssh_port);
++ if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
++ fatal("host_hash failed");
++ known_host = hash_hosts ? hashed : hostport;
+ if (!get_cert)
+- fprintf(stdout, "%s ", hostport);
++ fprintf(stdout, "%s ", known_host);
+ sshkey_write(key, stdout);
+ fputs("\n", stdout);
+ free(hostport);
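Review bot: In the inner `@@ -321,16 +321,17 @@` hunk the hash is still computed from `host` rather than `hostport`, so with `hash_hosts` set the port that `put_host_port(host, ssh_port)` attaches never reaches `host_hash()`. Assuming put_host_port() returns the port-qualified name for a non-default port, the printed entry then hashes the bare host name. A client looking up the port-qualified name would presumably find no match, and the key of a service on another port ends up recorded under the default-port name. The line I would change is `if (hash_hosts && (hashed = host_hash(hostport, NULL, 0)) == NULL)`. The body of keyprint_one() continues past the end of the hunk.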