6 files changed, 452 insertions, 0 deletions
diff --git a/patches/source/openssh/doinst.sh b/patches/source/openssh/doinst.sh
new file mode 100644
index 000000000..73ce62836
--- /dev/null
+++ b/patches/source/openssh/doinst.sh
@@ -0,0 +1,49 @@
+config() {
+  NEW="$1"
+  OLD="`dirname $NEW`/`basename $NEW .new`"
+  # If there's no config file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+preserve_perms() {
+  NEW="$1"
+  OLD="$(dirname ${NEW})/$(basename ${NEW} .new)"
+  if [ -e ${OLD} ]; then
+    cp -a ${OLD} ${NEW}.incoming
+    cat ${NEW} > ${NEW}.incoming
+    touch -r ${NEW} ${NEW}.incoming
+    mv ${NEW}.incoming ${NEW}
+  fi
+  config ${NEW}
+}
+
+config etc/ssh/ssh_config.new
+config etc/ssh/sshd_config.new
+preserve_perms etc/rc.d/rc.sshd.new
+if [ -e etc/rc.d/rc.sshd.new ]; then
+  mv etc/rc.d/rc.sshd.new etc/rc.d/rc.sshd
+fi
+
+# If the sshd user/group/shadow don't exist, add them:
+
+if ! grep -q "^sshd:" etc/passwd ; then
+  echo "sshd:x:33:33:sshd:/:" >> etc/passwd
+fi
+
+if ! grep -q "^sshd:" etc/group ; then
+  echo "sshd::33:sshd" >> etc/group
+fi
+
+if ! grep -q "^sshd:" etc/shadow ; then
+  echo "sshd:*:9797:0:::::" >> etc/shadow
+fi
+
+# Add a btmp file to store login failure if one doesn't exist:
+if [ ! -r var/log/btmp ]; then
+  ( cd var/log ; umask 077 ; touch btmp )
+fi
+
diff --git a/patches/source/openssh/openssh-7.4p1-libwrap.diff b/patches/source/openssh/openssh-7.4p1-libwrap.diff
new file mode 100644
index 000000000..d1025e43c
--- /dev/null
+++ b/patches/source/openssh/openssh-7.4p1-libwrap.diff
@@ -0,0 +1,137 @@
+--- ./configure.ac.orig	2016-12-18 22:59:41.000000000 -0600
++++ ./configure.ac	2016-12-23 12:58:04.200707728 -0600
+@@ -1467,6 +1467,62 @@
+ 	]
+ )
+ 
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++	[
++		if test "x$withval" != "xno" ; then
++			saved_LIBS="$LIBS"
++			saved_LDFLAGS="$LDFLAGS"
++			saved_CPPFLAGS="$CPPFLAGS"
++			if test -n "${withval}" && \
++			    test "x${withval}" != "xyes"; then
++				if test -d "${withval}/lib"; then
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++					fi
++				else
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval} ${LDFLAGS}"
++					fi
++				fi
++				if test -d "${withval}/include"; then
++					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++				else
++					CPPFLAGS="-I${withval} ${CPPFLAGS}"
++				fi
++			fi
++			LIBS="-lwrap -lnsl $LIBS"
++			AC_MSG_CHECKING([for libwrap])
++			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++				]], [[
++	hosts_access(0);
++				]])], [
++					AC_MSG_RESULT([yes])
++					AC_DEFINE([LIBWRAP], [1],
++						[Define if you want
++						TCP Wrappers support])
++					SSHDLIBS="$SSHDLIBS -lwrap -lnsl"
++					TCPW_MSG="yes"
++				], [
++					AC_MSG_ERROR([*** libwrap missing])
++				
++			])
++			LIBS="$saved_LIBS"
++		fi
++	]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5081,6 +5137,7 @@
+ echo "                   SELinux support: $SELINUX_MSG"
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
++echo "              TCP Wrappers support: $TCPW_MSG"
+ echo "              MD5 password support: $MD5_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
+--- ./sshd.c.orig	2016-12-18 22:59:41.000000000 -0600
++++ ./sshd.c	2016-12-23 12:58:40.847710372 -0600
+@@ -123,6 +123,13 @@
+ #include "version.h"
+ #include "ssherr.h"
+ 
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
+@@ -1971,6 +1978,24 @@
+ #ifdef SSH_AUDIT_EVENTS
+ 	audit_connection_from(remote_ip, remote_port);
+ #endif
++#ifdef LIBWRAP
++	allow_severity = options.log_facility|LOG_INFO;
++	deny_severity = options.log_facility|LOG_WARNING;
++	/* Check whether logins are denied from this host. */
++	if (packet_connection_is_on_socket()) {
++		struct request_info req;
++
++		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++		fromhost(&req);
++
++		if (!hosts_access(&req)) {
++			debug("Connection refused by tcp wrapper");
++			refuse(&req);
++			/* NOTREACHED */
++			fatal("libwrap refuse returns");
++		}
++	}
++#endif /* LIBWRAP */
+ 
+ 	/* Log the connection. */
+ 	laddr = get_local_ipaddr(sock_in);
+--- ./sshd.8.orig	2016-12-18 22:59:41.000000000 -0600
++++ ./sshd.8	2016-12-23 12:58:04.208707729 -0600
+@@ -825,6 +825,12 @@
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -929,6 +935,7 @@
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
diff --git a/patches/source/openssh/openssh.CVE-2017-15906.patch b/patches/source/openssh/openssh.CVE-2017-15906.patch
new file mode 100644
index 000000000..fdb963f7e
--- /dev/null
+++ b/patches/source/openssh/openssh.CVE-2017-15906.patch
@@ -0,0 +1,19 @@
+--- ./sftp-server.c.orig	2016-12-18 22:59:41.000000000 -0600
++++ ./sftp-server.c	2018-03-07 19:18:19.275984210 -0600
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
+ /*
+  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
+  *
+@@ -691,8 +691,8 @@
+ 	logit("open \"%s\" flags %s mode 0%o",
+ 	    name, string_from_portable(pflags), mode);
+ 	if (readonly &&
+-	    ((flags & O_ACCMODE) == O_WRONLY ||
+-	    (flags & O_ACCMODE) == O_RDWR)) {
++	    ((flags & O_ACCMODE) != O_RDONLY ||
++	    (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ 		verbose("Refusing open request in read-only mode");
+ 		status = SSH2_FX_PERMISSION_DENIED;
+ 	} else {
diff --git a/patches/source/openssh/openssh.SlackBuild b/patches/source/openssh/openssh.SlackBuild
new file mode 100755
index 000000000..d786d5723
--- /dev/null
+++ b/patches/source/openssh/openssh.SlackBuild
@@ -0,0 +1,169 @@
+#!/bin/sh
+
+# Copyright 2000 BSDi, Inc. Concord, CA, USA
+# Copyright 2001, 2002, 2003, 2004  Slackware Linux, Inc. Concord, CA, USA
+# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013  Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+#  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
+#  EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+#  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+#  OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+#  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+#  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+# Set initial variables:
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-openssh
+
+VERSION=${VERSION:-$(echo openssh-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-2_slack14.1}
+
+NUMJOBS=${NUMJOBS:--j6}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+  case "$( uname -m )" in
+    i?86) export ARCH=i486 ;;
+    arm*) export ARCH=arm ;;
+    # Unless $ARCH is already set, use uname -m for all other archs:
+       *) export ARCH=$( uname -m ) ;;
+  esac
+fi
+
+if [ "$ARCH" = "i486" ]; then
+  SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+elif [ "$ARCH" = "s390" ]; then
+  SLKCFLAGS="-O2"
+elif [ "$ARCH" = "x86_64" ]; then
+  SLKCFLAGS="-O2 -fPIC"
+elif [ "$ARCH" = "arm" ]; then
+  SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
+elif [ "$ARCH" = "armel" ]; then
+  SLKCFLAGS="-O2 -march=armv4t"
+else
+  SLKCFLAGS="-O2"
+fi
+
+# Clean target location:
+rm -rf $PKG
+mkdir -p $PKG
+
+# Prepare the framework and extract the package:
+cd $TMP
+rm -rf $PKG openssh-$VERSION
+tar xvf $CWD/openssh-$VERSION.tar.gz || tar xvf $CWD/openssh-$VERSION.tar.?z* || exit 1
+cd openssh-$VERSION
+chown -R root:root .
+
+zcat $CWD/openssh.CVE-2017-15906.patch.gz | patch -p1 --verbose || exit 1
+
+# Restore support for tcpwrappers:
+zcat $CWD/openssh-7.4p1-libwrap.diff.gz | patch -p1 --verbose || exit 1
+autoreconf -vif
+
+# Compile package:
+CFLAGS="$SLKCFLAGS" \
+./configure \
+  --prefix=/usr \
+  --mandir=/usr/man \
+  --sysconfdir=/etc/ssh \
+  --without-pam \
+  --with-md5-passwords \
+  --with-tcp-wrappers \
+  --with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin \
+  --with-privsep-path=/var/empty \
+  --with-privsep-user=sshd \
+  --build=$ARCH-slackware-linux
+
+make $NUMJOBS || make || exit 1
+
+# Install the package:
+make install DESTDIR=$PKG
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+  | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+# Compress and if needed symlink the man pages:
+if [ -d $PKG/usr/man ]; then
+  ( cd $PKG/usr/man
+    for manpagedir in $(find . -type d -name "man*") ; do
+      ( cd $manpagedir
+        for eachpage in $( find . -type l -maxdepth 1) ; do
+          ln -s $( readlink $eachpage ).gz $eachpage.gz
+          rm $eachpage
+        done
+        gzip -9 *.?
+      )
+    done
+  )
+fi
+
+# Install directory used with PrivilegeSeparation option:
+mkdir -p $PKG/var/empty
+chmod 755 $PKG/var/empty
+
+# Install docs:
+mkdir -p $PKG/usr/doc/openssh-$VERSION
+cp -a \
+  CREDITS ChangeLog INSTALL LICENCE OVERVIEW \
+  README README.privsep README.smartcard RFC.nroff TODO WARNING.RNG \
+  $PKG/usr/doc/openssh-$VERSION
+chmod 644 $PKG/usr/doc/openssh-$VERSION/*
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+  DOCSDIR=$(echo $PKG/usr/doc/*-$VERSION)
+  cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+  touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+# Install also 'ssh-copy-id' and its manpage from contrib:
+( cd contrib
+  cp -a ssh-copy-id $PKG/usr/bin/ssh-copy-id
+  chmod 755 $PKG/usr/bin/ssh-copy-id
+  cat ssh-copy-id.1 | gzip -9c > $PKG/usr/man/man1/ssh-copy-id.1.gz
+)
+
+( cd $PKG
+
+  # Ditch the new host keys, since these have to be uniquely prepared on each machine:
+  rm -f etc/ssh/ssh_host_dsa_key
+  rm -f etc/ssh/ssh_host_dsa_key.pub
+  rm -f etc/ssh/ssh_host_rsa_key
+  rm -f etc/ssh/ssh_host_rsa_key.pub
+  rm -f etc/ssh/ssh_host_key
+  rm -f etc/ssh/ssh_host_key.pub
+
+  # Set up the config script installation:
+  mv etc/ssh/ssh_config etc/ssh/ssh_config.new
+  mv etc/ssh/sshd_config etc/ssh/sshd_config.new
+
+  # Add the init script:
+  mkdir -p etc/rc.d
+  cat $CWD/rc.sshd > etc/rc.d/rc.sshd.new
+  chmod 755 etc/rc.d/rc.sshd.new
+
+  # Copy runtime installation files:
+  mkdir -p install
+  zcat $CWD/doinst.sh.gz > install/doinst.sh
+  cat $CWD/slack-desc > install/slack-desc
+)
+
+# Create the package itself:
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/openssh-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/patches/source/openssh/rc.sshd b/patches/source/openssh/rc.sshd
new file mode 100644
index 000000000..2da2ab307
--- /dev/null
+++ b/patches/source/openssh/rc.sshd
@@ -0,0 +1,59 @@
+#!/bin/sh
+# Start/stop/restart the secure shell server:
+
+sshd_start() {
+  # Create host keys if needed.
+  if [ ! -f /etc/ssh/ssh_host_dsa_key ]; then
+    /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
+  fi
+  if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+    /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+  fi
+  if [ ! -f /etc/ssh/ssh_host_ecdsa_key ]; then
+    /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
+  fi
+  if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+    /usr/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
+  fi
+  # Catch any new host key types not yet created above:
+  /usr/bin/ssh-keygen -A
+  # Start the sshd daemon:
+  /usr/sbin/sshd
+}
+
+sshd_stop() {
+  killall sshd
+}
+
+sshd_restart() {
+  if [ -r /var/run/sshd.pid ]; then
+    echo "WARNING: killing listener process only.  To kill every sshd process, you must"
+    echo "         use 'rc.sshd stop'.  'rc.sshd restart' kills only the parent sshd to"
+    echo "         allow an admin logged in through sshd to use 'rc.sshd restart' without"
+    echo "         being cut off.  If sshd has been upgraded, new connections will now"
+    echo "         use the new version, which should be a safe enough approach."
+    kill `cat /var/run/sshd.pid`
+  else
+    echo "WARNING: There does not appear to be a parent instance of sshd running."
+    echo "         If you really want to kill all running instances of sshd (including"
+    echo "         any sessions currently in use), run '/etc/rc.d/rc.sshd stop' instead."
+    exit 1
+  fi
+  sleep 1
+  sshd_start
+}
+
+case "$1" in
+'start')
+  sshd_start
+  ;;
+'stop')
+  sshd_stop
+  ;;
+'restart')
+  sshd_restart
+  ;;
+*)
+  echo "usage $0 start|stop|restart"
+esac
+
diff --git a/patches/source/openssh/slack-desc b/patches/source/openssh/slack-desc
new file mode 100644
index 000000000..04277a720
--- /dev/null
+++ b/patches/source/openssh/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.  Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in.  You must make
+# exactly 11 lines for the formatting to be correct.  It's also customary to
+# leave one space after the ':'.
+
+       |-----handy-ruler------------------------------------------------------|
+openssh: openssh (Secure Shell daemon and clients)
+openssh:
+openssh: ssh (Secure Shell) is a program for logging into a remote machine and
+openssh: for executing commands on a remote machine.  It is intended to replace
+openssh: rlogin and rsh, and provide secure encrypted communications between
+openssh: two untrusted hosts over an insecure network.  sshd (SSH Daemon) is
+openssh: the daemon program for ssh.  OpenSSH is based on the last free version
+openssh: of Tatu Ylonen's SSH, further enhanced and cleaned up by Aaron
+openssh: Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and
+openssh: Dug Song.  It has a homepage at http://www.openssh.com/
+openssh: