Fix DH GEX against non-default group sizes (openssh-7.2) (#1332082)

2016-05-02 14:05:19 +02:00 · 2016-05-02 14:05:19 +02:00 · 0a18e4800e
commit 0a18e4800e
parent 10f391c509
2 changed files with 15 additions and 0 deletions
--- a/openssh-6.9p1-compat-7.2.patch
+++ b/openssh-6.9p1-compat-7.2.patch
@ -0,0 +1,13 @@
+diff --git a/kexgexs.c b/kexgexs.c
+index a81fd1e..f69068c 100644
+--- a/kexgexs.c
+++ b/kexgexs.c
+@@ -81,7 +81,7 @@ input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt)
+ 	    (r = sshpkt_get_end(ssh)) != 0)
+ 		goto out;
+ 	kex->nbits = nbits;
+-	kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+	kex->min = min;
+ 	kex->max = max;
+ 	min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
+ 	max = MIN(DH_GRP_MAX, max);
--- a/openssh.spec
+++ b/openssh.spec
@ -242,6 +242,7 @@ Patch934: openssh-6.9p1-gssKexAlgorithms.patch
 Patch935: openssh-6.9p1-security-7.1.patch
 # Fix for security issue (openssh-7.2p2): sanitise characters destined for xauth(1)
 Patch936: openssh-6.9p1-xauth.patch
+Patch937: openssh-6.9p1-compat-7.2.patch


 License: BSD
@ -474,6 +475,7 @@ popd

 %patch200 -p1 -b .audit
 %patch700 -p1 -b .fips
+%patch937 -p1 -b .compat-7.2

 %patch100 -p1 -b .coverity