From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: [PATCH 1/1] gnu: openssh: Fix CVE-2015-8325.
Date: Sun, 17 Apr 2016 16:26:06 +0200
Message-ID: <87wpnw9url.fsf@gnu.org>
References: <7eee4d808f7cc2b35eb7ae45c86079ba68a9e55d.1460744429.git.leo@famulari.name> <87r3e6r29k.fsf@gnu.org> <20160415214709.GA11506@jasmine>
In-Reply-To: <20160415214709.GA11506@jasmine> (Leo Famulari's message of "Fri, 15 Apr 2016 17:47:09 -0400")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari wrote:

> On Fri, Apr 15, 2016 at 11:27:35PM +0200, Ludovic Courtès wrote:
>> Leo Famulari wrote:
>>
>> > * gnu/packages/patches/openssh-CVE-2015-8325.patch: New file.
>> > * gnu-system.am (dist_patch_DATA): Add it.
>> > * gnu/packages/ssh.scm (openssh): Use it.
>>
>> The explanation in the OpenSSH commit log is clear IMO and the fix looks
>> reasonable, so I'd say go for it…
>>
>> … but I can't seem to find the change in the authoritative repo:
>>
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
>
> The web page for the portable version of OpenSSH [0] (which is what we
> package) says this:
>
> "Normal OpenSSH development produces a very small, secure, and easy to
> maintain version for the OpenBSD project. The OpenSSH Portability Team
> takes that pure version and adds portability code so that OpenSSH can
> run on many other operating systems (Unfortunately, in particular since
> OpenSSH does authentication, it runs into a *lot* of differences between
> Unix operating systems)."
>
> The bug is related to how sshd interacts with PAM. My understanding is
> that OpenBSD does not use PAM, so the bug would not exist in their
> repository.
>
> [0] FYI, I could not load this site over HTTPS
> http://www.openssh.com/portable.html This page also links to the
> repository that contains the patch.

Oh, OK, thanks for the clarification. Well, go for it!

Ludo'.
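As an added illustration (not part of this thread and not Guix's actual gnu/packages/ssh.scm), this is how the three items in the quoted commit message fit together in a Guix package definition; the version, hash, description and mirror URI are placeholders or assumptions, and only the patch plumbing (`search-patches` and the `patches` field of `origin`) is the real Guix API:

```scheme
;; Added illustration, not the real openssh definition in Guix.
;;
;; 1. The patch itself is added as gnu/packages/patches/openssh-CVE-2015-8325.patch.
;; 2. gnu-system.am lists that file under dist_patch_DATA so that release
;;    tarballs ("make dist") actually ship it:
;;      dist_patch_DATA = ... gnu/packages/patches/openssh-CVE-2015-8325.patch ...
;; 3. The package refers to the patch by file name via `search-patches`,
;;    which looks it up in gnu/packages/patches/ and applies it to the
;;    unpacked portable tarball before the build starts.
(define-module (gnu packages ssh-example)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module (gnu packages)                ; provides `search-patches`
  #:use-module ((guix licenses) #:prefix license:))

(define-public openssh
  (package
    (name "openssh")
    (version "X.YpZ")                          ; placeholder version
    (source (origin
              (method url-fetch)
              ;; Assumed mirror path for the portable release tarball.
              (uri (string-append "mirror://openbsd/OpenSSH/portable/openssh-"
                                  version ".tar.gz"))
              ;; Placeholder hash; a real definition carries the tarball's sha256.
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))
              ;; The CVE-2015-8325 fix is applied on top of the portable sources.
              (patches (search-patches "openssh-CVE-2015-8325.patch"))))
    (build-system gnu-build-system)
    (synopsis "Client and server for the secure shell (ssh) protocol")
    (description "Placeholder description for this illustration.")
    (home-page "http://www.openssh.com/portable.html")
    (license license:bsd-2)))
```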