From d92d34db5a382997e3d9230247644e55a1d84602 Mon Sep 17 00:00:00 2001 From: Peter Wagner Date: Sun, 3 Mar 2019 12:18:09 +0100 Subject: [PATCH] openssh: add upstream patches, including CVE-2019-6111 Signed-off-by: Peter Wagner --- net/openssh/Makefile | 2 +- .../patches/0001-fix-key-type-check.patch | 82 ++++ ...002-request-rsa-sha2-cert-signatures.patch | 39 ++ ...anitize-scp-filenames-via-snmprintf.patch} | 18 - ...update-at-beginning-and-end-transfer.patch | 108 ++++++ ... 0005-check-filenames-in-scp-client.patch} | 0 .../patches/0006-scp-handle-braces.patch | 353 ++++++++++++++++++ ...tion-with-openssl-built-without-ECC.patch} | 0 ...SL_init_crypto-call-for-openssl-1.1.patch} | 0 9 files changed, 583 insertions(+), 19 deletions(-) create mode 100644 net/openssh/patches/0001-fix-key-type-check.patch create mode 100644 net/openssh/patches/0002-request-rsa-sha2-cert-signatures.patch rename net/openssh/patches/{0003-cve-2019-6109-sanitize-scp-filenames-via-snmprintf.patch => 0003-sanitize-scp-filenames-via-snmprintf.patch} (91%) create mode 100644 net/openssh/patches/0004-have-progressmeter-force-update-at-beginning-and-end-transfer.patch rename net/openssh/patches/{0004-cve-2019-6111-check-filenames-in-scp-client.patch => 0005-check-filenames-in-scp-client.patch} (100%) create mode 100644 net/openssh/patches/0006-scp-handle-braces.patch rename net/openssh/patches/{0001-fix-compilation-with-openssl-built-without-ECC.patch => 1001-fix-compilation-with-openssl-built-without-ECC.patch} (100%) rename net/openssh/patches/{0002-Fix-OPENSSL_init_crypto-call-for-openssl-1.1.patch => 1002-Fix-OPENSSL_init_crypto-call-for-openssl-1.1.patch} (100%) diff --git a/net/openssh/Makefile b/net/openssh/Makefile index 03c77738a..6ef5ca39f 100644 --- a/net/openssh/Makefile +++ b/net/openssh/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssh PKG_VERSION:=7.9p1 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ diff --git a/net/openssh/patches/0001-fix-key-type-check.patch b/net/openssh/patches/0001-fix-key-type-check.patch new file mode 100644 index 000000000..c5b9f0e9b --- /dev/null +++ b/net/openssh/patches/0001-fix-key-type-check.patch @@ -0,0 +1,82 @@ +From 5e021158aa22cc64da4fca1618ee0bfd2d031049 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 16 Nov 2018 02:43:56 +0000 +Subject: upstream: fix bug in HostbasedAcceptedKeyTypes and + +PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were +specified, then authentication would always fail for RSA keys as the monitor +checks only the base key (not the signature algorithm) type against +*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker + +OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2 +Last-Update: 2019-02-28 + +Patch-Name: fix-key-type-check.patch +--- + monitor.c | 39 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 34 insertions(+), 5 deletions(-) + +diff --git a/monitor.c b/monitor.c +index 08fddabd7..037d6d333 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -892,6 +892,35 @@ mm_answer_authrole(int sock, struct sshbuf *m) + return (0); + } + ++/* ++ * Check that the key type appears in the supplied pattern list, ignoring ++ * mismatches in the signature algorithm. (Signature algorithm checks are ++ * performed in the unprivileged authentication code). ++ * Returns 1 on success, 0 otherwise. ++ */ ++static int ++key_base_type_match(const char *method, const struct sshkey *key, ++ const char *list) ++{ ++ char *s, *l, *ol = xstrdup(list); ++ int found = 0; ++ ++ l = ol; ++ for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) { ++ if (sshkey_type_from_name(s) == key->type) { ++ found = 1; ++ break; ++ } ++ } ++ if (!found) { ++ error("%s key type %s is not in permitted list %s", method, ++ sshkey_ssh_name(key), list); ++ } ++ ++ free(ol); ++ return found; ++} ++ + int + mm_answer_authpassword(int sock, struct sshbuf *m) + { +@@ -1197,8 +1226,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) + break; + if (auth2_key_already_used(authctxt, key)) + break; +- if (match_pattern_list(sshkey_ssh_name(key), +- options.pubkey_key_types, 0) != 1) ++ if (!key_base_type_match(auth_method, key, ++ options.pubkey_key_types)) + break; + allowed = user_key_allowed(ssh, authctxt->pw, key, + pubkey_auth_attempt, &opts); +@@ -1209,8 +1238,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) + break; + if (auth2_key_already_used(authctxt, key)) + break; +- if (match_pattern_list(sshkey_ssh_name(key), +- options.hostbased_key_types, 0) != 1) ++ if (!key_base_type_match(auth_method, key, ++ options.hostbased_key_types)) + break; + allowed = hostbased_key_allowed(authctxt->pw, + cuser, chost, key); diff --git a/net/openssh/patches/0002-request-rsa-sha2-cert-signatures.patch b/net/openssh/patches/0002-request-rsa-sha2-cert-signatures.patch new file mode 100644 index 000000000..2c876be31 --- /dev/null +++ b/net/openssh/patches/0002-request-rsa-sha2-cert-signatures.patch @@ -0,0 +1,39 @@ +From d94226d4fcefbc398c5583e12b5d07ca33884ba4 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 27 Dec 2018 23:02:11 +0000 +Subject: upstream: Request RSA-SHA2 signatures for + +rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@ + +OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033 + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=f429c1b2ef631f2855e51a790cf71761d752bbca +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2944 +Bug-Debian: https://bugs.debian.org/923419 +Last-Update: 2019-02-28 + +Patch-Name: request-rsa-sha2-cert-signatures.patch +--- + authfd.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/authfd.c b/authfd.c +index ecdd869ab..62cbf8c19 100644 +--- a/authfd.c ++++ b/authfd.c +@@ -327,10 +327,12 @@ ssh_free_identitylist(struct ssh_identitylist *idl) + static u_int + agent_encode_alg(const struct sshkey *key, const char *alg) + { +- if (alg != NULL && key->type == KEY_RSA) { +- if (strcmp(alg, "rsa-sha2-256") == 0) ++ if (alg != NULL && sshkey_type_plain(key->type) == KEY_RSA) { ++ if (strcmp(alg, "rsa-sha2-256") == 0 || ++ strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0) + return SSH_AGENT_RSA_SHA2_256; +- else if (strcmp(alg, "rsa-sha2-512") == 0) ++ if (strcmp(alg, "rsa-sha2-512") == 0 || ++ strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0) + return SSH_AGENT_RSA_SHA2_512; + } + return 0; diff --git a/net/openssh/patches/0003-cve-2019-6109-sanitize-scp-filenames-via-snmprintf.patch b/net/openssh/patches/0003-sanitize-scp-filenames-via-snmprintf.patch similarity index 91% rename from net/openssh/patches/0003-cve-2019-6109-sanitize-scp-filenames-via-snmprintf.patch rename to net/openssh/patches/0003-sanitize-scp-filenames-via-snmprintf.patch index e58b8b1bd..347382b9b 100644 --- a/net/openssh/patches/0003-cve-2019-6109-sanitize-scp-filenames-via-snmprintf.patch +++ b/net/openssh/patches/0003-sanitize-scp-filenames-via-snmprintf.patch @@ -28,12 +28,6 @@ diff --git a/atomicio.c b/atomicio.c index f854a06f5..d91bd7621 100644 --- a/atomicio.c +++ b/atomicio.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */ -+/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */ - /* - * Copyright (c) 2006 Damien Miller. All rights reserved. - * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved. @@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n, res = (f) (fd, s + pos, n - pos); switch (res) { @@ -72,12 +66,6 @@ diff --git a/progressmeter.c b/progressmeter.c index fe9bf52e4..add462dde 100644 --- a/progressmeter.c +++ b/progressmeter.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */ -+/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */ - /* - * Copyright (c) 2003 Nils Nordman. All rights reserved. - * @@ -31,6 +31,7 @@ #include @@ -202,12 +190,6 @@ diff --git a/progressmeter.h b/progressmeter.h index bf179dca6..8f6678060 100644 --- a/progressmeter.h +++ b/progressmeter.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */ -+/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */ - /* - * Copyright (c) 2002 Nils Nordman. All rights reserved. - * @@ -24,4 +24,5 @@ */ diff --git a/net/openssh/patches/0004-have-progressmeter-force-update-at-beginning-and-end-transfer.patch b/net/openssh/patches/0004-have-progressmeter-force-update-at-beginning-and-end-transfer.patch new file mode 100644 index 000000000..f89ee1715 --- /dev/null +++ b/net/openssh/patches/0004-have-progressmeter-force-update-at-beginning-and-end-transfer.patch @@ -0,0 +1,108 @@ +From 2a8f710447442e9a03e71c022859112ec2d77d17 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Thu, 24 Jan 2019 16:52:17 +0000 +Subject: upstream: Have progressmeter force an update at the beginning and + +end of each transfer. Fixes the problem recently introduces where very quick +transfers do not display the progressmeter at all. Spotted by naddy@ + +OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb +Last-Update: 2019-02-08 + +Patch-Name: have-progressmeter-force-update-at-beginning-and-end-transfer.patch +--- + progressmeter.c | 13 +++++-------- + progressmeter.h | 4 ++-- + scp.c | 2 +- + sftp-client.c | 2 +- + 4 files changed, 9 insertions(+), 12 deletions(-) + +diff --git a/progressmeter.c b/progressmeter.c +index add462dde..e385c1254 100644 +--- a/progressmeter.c ++++ b/progressmeter.c +@@ -59,9 +59,6 @@ static void format_rate(char *, int, off_t); + static void sig_winch(int); + static void setscreensize(void); + +-/* updates the progressmeter to reflect the current state of the transfer */ +-void refresh_progress_meter(void); +- + /* signal handler for updating the progress meter */ + static void sig_alarm(int); + +@@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t bytes) + } + + void +-refresh_progress_meter(void) ++refresh_progress_meter(int force_update) + { + char buf[MAX_WINSIZE + 1]; + off_t transferred; +@@ -131,7 +128,7 @@ refresh_progress_meter(void) + int hours, minutes, seconds; + int file_len; + +- if ((!alarm_fired && !win_resized) || !can_output()) ++ if ((!force_update && !alarm_fired && !win_resized) || !can_output()) + return; + alarm_fired = 0; + +@@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr) + bytes_per_second = 0; + + setscreensize(); +- refresh_progress_meter(); ++ refresh_progress_meter(1); + + signal(SIGALRM, sig_alarm); + signal(SIGWINCH, sig_winch); +@@ -271,7 +268,7 @@ stop_progress_meter(void) + + /* Ensure we complete the progress */ + if (cur_pos != end_pos) +- refresh_progress_meter(); ++ refresh_progress_meter(1); + + atomicio(vwrite, STDOUT_FILENO, "\n", 1); + } +diff --git a/progressmeter.h b/progressmeter.h +index 8f6678060..1703ea75b 100644 +--- a/progressmeter.h ++++ b/progressmeter.h +@@ -24,5 +24,5 @@ + */ + + void start_progress_meter(const char *, off_t, off_t *); +-void refresh_progress_meter(void); ++void refresh_progress_meter(int); + void stop_progress_meter(void); +diff --git a/scp.c b/scp.c +index 80308573c..1971c80cd 100644 +--- a/scp.c ++++ b/scp.c +@@ -593,7 +593,7 @@ scpio(void *_cnt, size_t s) + off_t *cnt = (off_t *)_cnt; + + *cnt += s; +- refresh_progress_meter(); ++ refresh_progress_meter(0); + if (limit_kbps > 0) + bandwidth_limit(&bwlimit, s); + return 0; +diff --git a/sftp-client.c b/sftp-client.c +index 2bc698f86..cf2887a40 100644 +--- a/sftp-client.c ++++ b/sftp-client.c +@@ -101,7 +101,7 @@ sftpio(void *_bwlimit, size_t amount) + { + struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit; + +- refresh_progress_meter(); ++ refresh_progress_meter(0); + if (bwlimit != NULL) + bandwidth_limit(bwlimit, amount); + return 0; diff --git a/net/openssh/patches/0004-cve-2019-6111-check-filenames-in-scp-client.patch b/net/openssh/patches/0005-check-filenames-in-scp-client.patch similarity index 100% rename from net/openssh/patches/0004-cve-2019-6111-check-filenames-in-scp-client.patch rename to net/openssh/patches/0005-check-filenames-in-scp-client.patch diff --git a/net/openssh/patches/0006-scp-handle-braces.patch b/net/openssh/patches/0006-scp-handle-braces.patch new file mode 100644 index 000000000..0cbdcfdc0 --- /dev/null +++ b/net/openssh/patches/0006-scp-handle-braces.patch @@ -0,0 +1,353 @@ +From 7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Sun, 10 Feb 2019 11:15:52 +0000 +Subject: upstream: when checking that filenames sent by the server side + +match what the client requested, be prepared to handle shell-style brace +alternations, e.g. "{foo,bar}". + +"looks good to me" millert@ + in snaps for the last week courtesy +deraadt@ + +OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874 +Bug-Debian: https://bugs.debian.org/923486 +Last-Update: 2019-03-01 + +Patch-Name: scp-handle-braces.patch +--- + scp.c | 280 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 269 insertions(+), 11 deletions(-) + +diff --git a/scp.c b/scp.c +index 035037bcc..3888baab0 100644 +--- a/scp.c ++++ b/scp.c +@@ -635,6 +635,253 @@ parse_scp_uri(const char *uri, char **userp, char **hostp, int *portp, + return r; + } + ++/* Appends a string to an array; returns 0 on success, -1 on alloc failure */ ++static int ++append(char *cp, char ***ap, size_t *np) ++{ ++ char **tmp; ++ ++ if ((tmp = reallocarray(*ap, *np + 1, sizeof(*tmp))) == NULL) ++ return -1; ++ tmp[(*np)] = cp; ++ (*np)++; ++ *ap = tmp; ++ return 0; ++} ++ ++/* ++ * Finds the start and end of the first brace pair in the pattern. ++ * returns 0 on success or -1 for invalid patterns. ++ */ ++static int ++find_brace(const char *pattern, int *startp, int *endp) ++{ ++ int i; ++ int in_bracket, brace_level; ++ ++ *startp = *endp = -1; ++ in_bracket = brace_level = 0; ++ for (i = 0; i < INT_MAX && *endp < 0 && pattern[i] != '\0'; i++) { ++ switch (pattern[i]) { ++ case '\\': ++ /* skip next character */ ++ if (pattern[i + 1] != '\0') ++ i++; ++ break; ++ case '[': ++ in_bracket = 1; ++ break; ++ case ']': ++ in_bracket = 0; ++ break; ++ case '{': ++ if (in_bracket) ++ break; ++ if (pattern[i + 1] == '}') { ++ /* Protect a single {}, for find(1), like csh */ ++ i++; /* skip */ ++ break; ++ } ++ if (*startp == -1) ++ *startp = i; ++ brace_level++; ++ break; ++ case '}': ++ if (in_bracket) ++ break; ++ if (*startp < 0) { ++ /* Unbalanced brace */ ++ return -1; ++ } ++ if (--brace_level <= 0) ++ *endp = i; ++ break; ++ } ++ } ++ /* unbalanced brackets/braces */ ++ if (*endp < 0 && (*startp >= 0 || in_bracket)) ++ return -1; ++ return 0; ++} ++ ++/* ++ * Assembles and records a successfully-expanded pattern, returns -1 on ++ * alloc failure. ++ */ ++static int ++emit_expansion(const char *pattern, int brace_start, int brace_end, ++ int sel_start, int sel_end, char ***patternsp, size_t *npatternsp) ++{ ++ char *cp; ++ int o = 0, tail_len = strlen(pattern + brace_end + 1); ++ ++ if ((cp = malloc(brace_start + (sel_end - sel_start) + ++ tail_len + 1)) == NULL) ++ return -1; ++ ++ /* Pattern before initial brace */ ++ if (brace_start > 0) { ++ memcpy(cp, pattern, brace_start); ++ o = brace_start; ++ } ++ /* Current braced selection */ ++ if (sel_end - sel_start > 0) { ++ memcpy(cp + o, pattern + sel_start, ++ sel_end - sel_start); ++ o += sel_end - sel_start; ++ } ++ /* Remainder of pattern after closing brace */ ++ if (tail_len > 0) { ++ memcpy(cp + o, pattern + brace_end + 1, tail_len); ++ o += tail_len; ++ } ++ cp[o] = '\0'; ++ if (append(cp, patternsp, npatternsp) != 0) { ++ free(cp); ++ return -1; ++ } ++ return 0; ++} ++ ++/* ++ * Expand the first encountered brace in pattern, appending the expanded ++ * patterns it yielded to the *patternsp array. ++ * ++ * Returns 0 on success or -1 on allocation failure. ++ * ++ * Signals whether expansion was performed via *expanded and whether ++ * pattern was invalid via *invalid. ++ */ ++static int ++brace_expand_one(const char *pattern, char ***patternsp, size_t *npatternsp, ++ int *expanded, int *invalid) ++{ ++ int i; ++ int in_bracket, brace_start, brace_end, brace_level; ++ int sel_start, sel_end; ++ ++ *invalid = *expanded = 0; ++ ++ if (find_brace(pattern, &brace_start, &brace_end) != 0) { ++ *invalid = 1; ++ return 0; ++ } else if (brace_start == -1) ++ return 0; ++ ++ in_bracket = brace_level = 0; ++ for (i = sel_start = brace_start + 1; i < brace_end; i++) { ++ switch (pattern[i]) { ++ case '{': ++ if (in_bracket) ++ break; ++ brace_level++; ++ break; ++ case '}': ++ if (in_bracket) ++ break; ++ brace_level--; ++ break; ++ case '[': ++ in_bracket = 1; ++ break; ++ case ']': ++ in_bracket = 0; ++ break; ++ case '\\': ++ if (i < brace_end - 1) ++ i++; /* skip */ ++ break; ++ } ++ if (pattern[i] == ',' || i == brace_end - 1) { ++ if (in_bracket || brace_level > 0) ++ continue; ++ /* End of a selection, emit an expanded pattern */ ++ ++ /* Adjust end index for last selection */ ++ sel_end = (i == brace_end - 1) ? brace_end : i; ++ if (emit_expansion(pattern, brace_start, brace_end, ++ sel_start, sel_end, patternsp, npatternsp) != 0) ++ return -1; ++ /* move on to the next selection */ ++ sel_start = i + 1; ++ continue; ++ } ++ } ++ if (in_bracket || brace_level > 0) { ++ *invalid = 1; ++ return 0; ++ } ++ /* success */ ++ *expanded = 1; ++ return 0; ++} ++ ++/* Expand braces from pattern. Returns 0 on success, -1 on failure */ ++static int ++brace_expand(const char *pattern, char ***patternsp, size_t *npatternsp) ++{ ++ char *cp, *cp2, **active = NULL, **done = NULL; ++ size_t i, nactive = 0, ndone = 0; ++ int ret = -1, invalid = 0, expanded = 0; ++ ++ *patternsp = NULL; ++ *npatternsp = 0; ++ ++ /* Start the worklist with the original pattern */ ++ if ((cp = strdup(pattern)) == NULL) ++ return -1; ++ if (append(cp, &active, &nactive) != 0) { ++ free(cp); ++ return -1; ++ } ++ while (nactive > 0) { ++ cp = active[nactive - 1]; ++ nactive--; ++ if (brace_expand_one(cp, &active, &nactive, ++ &expanded, &invalid) == -1) { ++ free(cp); ++ goto fail; ++ } ++ if (invalid) ++ fatal("%s: invalid brace pattern \"%s\"", __func__, cp); ++ if (expanded) { ++ /* ++ * Current entry expanded to new entries on the ++ * active list; discard the progenitor pattern. ++ */ ++ free(cp); ++ continue; ++ } ++ /* ++ * Pattern did not expand; append the finename component to ++ * the completed list ++ */ ++ if ((cp2 = strrchr(cp, '/')) != NULL) ++ *cp2++ = '\0'; ++ else ++ cp2 = cp; ++ if (append(xstrdup(cp2), &done, &ndone) != 0) { ++ free(cp); ++ goto fail; ++ } ++ free(cp); ++ } ++ /* success */ ++ *patternsp = done; ++ *npatternsp = ndone; ++ done = NULL; ++ ndone = 0; ++ ret = 0; ++ fail: ++ for (i = 0; i < nactive; i++) ++ free(active[i]); ++ free(active); ++ for (i = 0; i < ndone; i++) ++ free(done[i]); ++ free(done); ++ return ret; ++} ++ + void + toremote(int argc, char **argv) + { +@@ -998,7 +1245,8 @@ sink(int argc, char **argv, const char *src) + unsigned long long ull; + int setimes, targisdir, wrerrno = 0; + char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; +- char *src_copy = NULL, *restrict_pattern = NULL; ++ char **patterns = NULL; ++ size_t n, npatterns = 0; + struct timeval tv[2]; + + #define atime tv[0] +@@ -1028,16 +1276,13 @@ sink(int argc, char **argv, const char *src) + * Prepare to try to restrict incoming filenames to match + * the requested destination file glob. + */ +- if ((src_copy = strdup(src)) == NULL) +- fatal("strdup failed"); +- if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) { +- *restrict_pattern++ = '\0'; +- } ++ if (brace_expand(src, &patterns, &npatterns) != 0) ++ fatal("%s: could not expand pattern", __func__); + } + for (first = 1;; first = 0) { + cp = buf; + if (atomicio(read, remin, cp, 1) != 1) +- return; ++ goto done; + if (*cp++ == '\n') + SCREWUP("unexpected "); + do { +@@ -1063,7 +1308,7 @@ sink(int argc, char **argv, const char *src) + } + if (buf[0] == 'E') { + (void) atomicio(vwrite, remout, "", 1); +- return; ++ goto done; + } + if (ch == '\n') + *--cp = 0; +@@ -1138,9 +1383,14 @@ sink(int argc, char **argv, const char *src) + run_err("error: unexpected filename: %s", cp); + exit(1); + } +- if (restrict_pattern != NULL && +- fnmatch(restrict_pattern, cp, 0) != 0) +- SCREWUP("filename does not match request"); ++ if (npatterns > 0) { ++ for (n = 0; n < npatterns; n++) { ++ if (fnmatch(patterns[n], cp, 0) == 0) ++ break; ++ } ++ if (n >= npatterns) ++ SCREWUP("filename does not match request"); ++ } + if (targisdir) { + static char *namebuf; + static size_t cursize; +@@ -1299,7 +1549,15 @@ bad: run_err("%s: %s", np, strerror(errno)); + break; + } + } ++done: ++ for (n = 0; n < npatterns; n++) ++ free(patterns[n]); ++ free(patterns); ++ return; + screwup: ++ for (n = 0; n < npatterns; n++) ++ free(patterns[n]); ++ free(patterns); + run_err("protocol error: %s", why); + exit(1); + } diff --git a/net/openssh/patches/0001-fix-compilation-with-openssl-built-without-ECC.patch b/net/openssh/patches/1001-fix-compilation-with-openssl-built-without-ECC.patch similarity index 100% rename from net/openssh/patches/0001-fix-compilation-with-openssl-built-without-ECC.patch rename to net/openssh/patches/1001-fix-compilation-with-openssl-built-without-ECC.patch diff --git a/net/openssh/patches/0002-Fix-OPENSSL_init_crypto-call-for-openssl-1.1.patch b/net/openssh/patches/1002-Fix-OPENSSL_init_crypto-call-for-openssl-1.1.patch similarity index 100% rename from net/openssh/patches/0002-Fix-OPENSSL_init_crypto-call-for-openssl-1.1.patch rename to net/openssh/patches/1002-Fix-OPENSSL_init_crypto-call-for-openssl-1.1.patch