Fix vulnerabilities published with openssh-7.1p2 (#1298626)

* CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature
 * Fix an out of-bound read access in the packet handling code

openssh-6.9p1-security-7.1.patch

@@ -0,0 +1,79 @@
+From d77148e3a3ef6c29b26ec74331455394581aa257 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 8 Nov 2015 21:59:11 +0000
+Subject: upstream commit
+
+fix OOB read in packet code caused by missing return
+ statement found by Ben Hawkes; ok markus@ deraadt@
+
+Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
+---
+ packet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/packet.c b/packet.c
+index 01d3e29..7b5c419 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ 			logit("Bad packet length %u.", state->packlen);
+ 			if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
+ 				return r;
++			return SSH_ERR_CONN_CORRUPT;
+ 		}
+ 		sshbuf_reset(state->incoming_packet);
+ 	} else if (state->packlen == 0) {
+-- 
+cgit v0.11.2
+
+From e6c85f8889c5c9eb04796fdb76d2807636b9eef5 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 15 Jan 2016 01:30:36 +1100
+Subject: forcibly disable roaming support in the client
+
+---
+ readconf.c | 5 ++---
+ ssh.c      | 3 ---
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 0a38091..dd67811 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1713,7 +1713,7 @@ initialize_options(Options * options)
+ 	options->tun_remote = -1;
+ 	options->local_command = NULL;
+ 	options->permit_local_command = -1;
+-	options->use_roaming = -1;
++	options->use_roaming = 0;
+ 	options->visual_host_key = -1;
+ 	options->ip_qos_interactive = -1;
+ 	options->ip_qos_bulk = -1;
+@@ -1889,8 +1889,7 @@ fill_default_options(Options * options)
+ 		options->tun_remote = SSH_TUNID_ANY;
+ 	if (options->permit_local_command == -1)
+ 		options->permit_local_command = 0;
+-	if (options->use_roaming == -1)
+-		options->use_roaming = 1;
++	options->use_roaming = 0;
+ 	if (options->visual_host_key == -1)
+ 		options->visual_host_key = 0;
+ 	if (options->ip_qos_interactive == -1)
+diff --git a/ssh.c b/ssh.c
+index 096c5b5..cf6eaeb 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1949,9 +1949,6 @@ ssh_session2(void)
+ 			fork_postauth();
+ 	}
+ 
+-	if (options.use_roaming)
+-		request_roaming();
+-
+ 	return client_loop(tty_flag, tty_flag ?
+ 	    options.escape_char : SSH_ESCAPECHAR_NONE, id);
+ }
+-- 
+cgit v0.11.2
+
+

openssh.spec

@@ -236,6 +236,10 @@ Patch932: openssh-6.9p1-security-7.0.patch
 Patch933: openssh-6.9p1-show-more-fingerprints.patch
 # Add GSSAPIKexAlgorithms option for server and client application
 Patch934: openssh-6.9p1-gssKexAlgorithms.patch
+# Vulnerabilities published with openssh-7.1p2 (#1298626)
+#  CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature
+#  Fix an out of-bound read access in the packet handling code
+Patch935: openssh-6.9p1-security-7.1.patch
 
 
 License: BSD
@@ -463,6 +467,7 @@ popd
 %patch932 -p1 -b .security
 %patch933 -p1 -b .fingerprint
 %patch934 -p1 -b .gsskexalg
+%patch935 -p1 -b .security71
 
 %patch200 -p1 -b .audit
 %patch700 -p1 -b .fips