From c41588d64bbde0c488dd850306d33ac928e98f6d Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 10 Jan 2023 08:09:42 +0000
Subject: [PATCH] import openssh-8.0p1-17.el8

---
 SOURCES/openssh-8.0p1-ipv6-process.patch | 27 ++++++++++++++++++++
 SOURCES/openssh-8.0p1-sshd_include.patch | 13 ++++++++++
 SOURCES/openssh-9.1p1-sshbanner.patch    | 32 ++++++++++++++++++++++++
 SPECS/openssh.spec                       | 14 ++++++++++-
 4 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/openssh-8.0p1-ipv6-process.patch
 create mode 100644 SOURCES/openssh-9.1p1-sshbanner.patch

diff --git a/SOURCES/openssh-8.0p1-ipv6-process.patch b/SOURCES/openssh-8.0p1-ipv6-process.patch
new file mode 100644
index 0000000..cb76938
--- /dev/null
+++ b/SOURCES/openssh-8.0p1-ipv6-process.patch
@@ -0,0 +1,27 @@
+diff --git a/sftp.c b/sftp.c
+index 04881c83..03c7a5c7 100644
+--- a/sftp.c
++++ b/sftp.c
+@@ -2527,12 +2527,17 @@ main(int argc, char **argv)
+ 				port = tmp;
+ 			break;
+ 		default:
++			/* Try with user, host and path. */
+ 			if (parse_user_host_path(*argv, &user, &host,
+-			    &file1) == -1) {
+-				/* Treat as a plain hostname. */
+-				host = xstrdup(*argv);
+-				host = cleanhostname(host);
+-			}
++			    &file1) == 0)
++				break;
++			/* Try with user and host. */
++			if (parse_user_host_port(*argv, &user, &host, NULL)
++			    == 0)
++				break;
++			/* Treat as a plain hostname. */
++			host = xstrdup(*argv);
++			host = cleanhostname(host);
+ 			break;
+ 		}
+ 		file2 = *(argv + 1);
diff --git a/SOURCES/openssh-8.0p1-sshd_include.patch b/SOURCES/openssh-8.0p1-sshd_include.patch
index 9b634cc..ff51340 100644
--- a/SOURCES/openssh-8.0p1-sshd_include.patch
+++ b/SOURCES/openssh-8.0p1-sshd_include.patch
@@ -790,3 +790,16 @@ diff -up openssh-8.0p1/sshd.c.sshdinclude openssh-8.0p1/sshd.c
  		dump_config(&options);
  	}
  
+diff -up openssh-8.0p1/sshbuf-getput-basic.c.stringb openssh-8.0p1/sshbuf-getput-basic.c
+--- openssh-8.0p1/sshbuf-getput-basic.c.stringb	2022-12-21 12:18:43.274799163 +0100
++++ openssh-8.0p1/sshbuf-getput-basic.c	2022-12-21 12:19:19.758081516 +0100
+@@ -371,6 +371,9 @@ sshbuf_put_cstring(struct sshbuf *buf, c
+ int
+ sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v)
+ {
++	if (v == NULL)
++		return sshbuf_put_string(buf, NULL, 0);
++
+ 	return sshbuf_put_string(buf, sshbuf_ptr(v), sshbuf_len(v));
+ }
+ 
diff --git a/SOURCES/openssh-9.1p1-sshbanner.patch b/SOURCES/openssh-9.1p1-sshbanner.patch
new file mode 100644
index 0000000..0e40770
--- /dev/null
+++ b/SOURCES/openssh-9.1p1-sshbanner.patch
@@ -0,0 +1,32 @@
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index d29a03b4..d7283136 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -490,6 +490,15 @@ congreet(int s)
+ 		return;
+ 	}
+ 
++	/*
++	 * Read the server banner as per RFC4253 section 4.2.  The "SSH-"
++	 * protocol identification string may be preceeded by an arbitarily
++	 * large banner which we must read and ignore.  Loop while reading
++	 * newline-terminated lines until we have one starting with "SSH-".
++	 * The ID string cannot be longer than 255 characters although the
++	 * preceeding banner lines may (in which case they'll be discarded
++	 * in multiple iterations of the outer loop).
++	 */
+ 	for (;;) {
+ 		memset(buf, '\0', sizeof(buf));
+ 		bufsiz = sizeof(buf);
+@@ -517,6 +526,11 @@ congreet(int s)
+ 		conrecycle(s);
+ 		return;
+ 	}
++	if (cp >= buf + sizeof(buf)) {
++		error("%s: greeting exceeds allowable length", c->c_name);
++		confree(s);
++		return;
++	}
+ 	if (*cp != '\n' && *cp != '\r') {
+ 		error("%s: bad greeting", c->c_name);
+ 		confree(s);
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index bf9c10f..cd44e45 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -66,7 +66,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 16
+%global openssh_rel 17
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
 
@@ -252,6 +252,7 @@ Patch980: openssh-8.7p1-upstream-cve-2021-41617.patch
 # c2bd7f74b0e0f3a3ee9d19ac549e6ba89013abaf~1..677d0ece67634262b3b96c3cd6410b19f3a603b7
 # 8bdc3bb7cf4c82c3344cfcb82495a43406e87e83
 # 47adfdc07f4f8ea0064a1495500244de08d311ed~1..7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01
+# supplementary commit 612b1dd1ec91ffb1e01f58cca0c6eb1d47bf4423
 Patch981: openssh-8.0p1-sshd_include.patch
 # Port upstream ClientAliveCountMax behaviour
 # upstream commit:
@@ -272,6 +273,10 @@ Patch984: openssh-8.0p1-crypto-policy-doc.patch
 # 0fa33683223c76289470a954404047bc762be84c
 # f8df0413f0a057b6a3d3dd7bd8bc7c5d80911d3a
 Patch985: openssh-8.7p1-minimize-sha1-use.patch
+# Upstream ff89b1bed80721295555bd083b173247a9c0484e
+Patch986: openssh-9.1p1-sshbanner.patch
+# Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6
+Patch987: openssh-8.0p1-ipv6-process.patch
 
 License: BSD
 Group: Applications/Internet
@@ -503,6 +508,8 @@ popd
 %patch983 -p1 -b .sftp-realpath
 %patch984 -p1 -b .crypto-policy-doc
 %patch985 -p1 -b .minimize-sha1-use
+%patch986 -p1 -b .banner
+%patch987 -p1 -b .sftp_ipv6
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -794,6 +801,11 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Tue Dec 20 2022 Dmitry Belyavskiy - 8.0p1-17
+- Fix parsing of IPv6 IPs in sftp client (#2151334)
+- Avoid ssh banner one-byte overflow (#2138344)
+- Avoid crash of sshd when Include folder does not exist (#2133087)
+
 * Wed Jun 29 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.0p1-16
 - Omit client side from minimize-sha1-use.patch to prevent regression (#2093897)