From b5a1df4a77c86979aff60b2660dca65aacccbb09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= Date: Thu, 10 Mar 2016 20:12:09 +0000 Subject: [PATCH 1/2] Vendor import of OpenSSH 7.2p2. --- ChangeLog | 30 ++++++++++++++---------------- README | 2 +- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- session.c | 32 ++++++++++++++++++++++++++++++-- version.h | 2 +- 6 files changed, 48 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index b01bb5642fb4..1e4346715204 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,17 @@ +commit 5c35450a0c901d9375fb23343a8dc82397da5f75 +Author: Damien Miller +Date: Thu Mar 10 05:04:48 2016 +1100 + + update versions for release + +commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56 +Author: Damien Miller +Date: Thu Mar 10 05:03:39 2016 +1100 + + sanitise characters destined for xauth(1) + + reported by github.com/tintinweb + commit 72b061d4ba0f909501c595d709ea76e06b01e5c9 Author: Darren Tucker Date: Fri Feb 26 14:40:04 2016 +1100 @@ -8889,19 +8903,3 @@ Author: Damien Miller Date: Thu Mar 13 13:14:21 2014 +1100 - (djm) Release OpenSSH 6.6 - -commit 8569eba5d7f7348ce3955eeeb399f66f25c52ece -Author: Damien Miller -Date: Tue Mar 4 09:35:17 2014 +1100 - - - djm@cvs.openbsd.org 2014/03/03 22:22:30 - [session.c] - ignore enviornment variables with embedded '=' or '\0' characters; - spotted by Jann Horn; ok deraadt@ - -commit 2476c31b96e89aec7d4e73cb6fbfb9a4290de3a7 -Author: Damien Miller -Date: Sun Mar 2 04:01:00 2014 +1100 - - - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when - no moduli file exists at the expected location. diff --git a/README b/README index 0dd047af34ff..86c55a554e89 100644 --- a/README +++ b/README 
@@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-7.2p1 for the release notes. +See http://www.openssh.com/txt/release-7.2p2 for the release notes. Please read http://www.openssh.com/report.html for bug reporting instructions and note that we do not use Github for bug reporting or diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 2a55f454e26b..eefe82df074e 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 7.2p1 +%define ver 7.2p2 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 53264c1fbc6d..f20a78656a8e 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 7.2p1 +Version: 7.2p2 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/session.c b/session.c index 7a02500ab68f..87fddfc3db2d 100644 --- a/session.c +++ b/session.c @@ -46,6 +46,7 @@ #include +#include #include #include #include @@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt) do_cleanup(authctxt); } +/* Check untrusted xauth strings for metacharacters */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum((u_char)s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') + return 0; + } + return 1; +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo 
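Review bot: The header comment on xauth_valid_string() understates what the function does — it is a byte allowlist, not a metacharacter scan, and the empty string passes it because the loop body never runs; I would state the contract explicitly: `/* Return 1 if every byte of s is in [A-Za-z0-9./:_-], 0 otherwise; the empty string is accepted. Used on peer-supplied xauth data before it reaches xauth(1). */`. One caveat worth a second comment line: isalnum() is locale-sensitive, so in any non-"C" locale bytes above 0x7f may be accepted; if sshd never calls setlocale() that is moot, but an explicit range test on `'0'..'9'`, `'a'..'z'` and `'A'..'Z'` would make the allowlist independent of locale. The `(u_char)` cast before isalnum() is correct and should stay. Whether a caller can pass NULL for auth_proto or auth_data is not visible here; if it can, `s[i]` dereferences it unconditionally.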
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt) s->screen = 0; } packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); @@ -2178,7 +2200,13 @@ session_x11_req(Session *s) s->screen = packet_get_int(); packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); diff --git a/version.h b/version.h index 4189982a98b1..eb4e94825e38 100644 --- a/version.h +++ b/version.h @@ -2,5 +2,5 @@ #define SSH_VERSION "OpenSSH_7.2" -#define SSH_PORTABLE "p1" +#define SSH_PORTABLE "p2" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE From 642a1c3843c9c824a6fbcee4d340d711bc049aa9 Mon Sep 17 00:00:00 2001 From: Xin LI Date: Wed, 2 Nov 2016 06:43:20 +0000 Subject: [PATCH 2/2] Apply upstream fix for CVE-2016-8858: Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn Obtained from: OpenBSD --- kex.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kex.c b/kex.c index d371f47c48dd..9c9f56228ea5 100644 --- a/kex.c +++ b/kex.c @@ -468,6 +468,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) if (kex == NULL) return SSH_ERR_INVALID_ARGUMENT; + ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); ptr = sshpkt_ptr(ssh, &dlen); if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) return r;
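Review bot: The validate-then-error block is duplicated verbatim in do_authenticated1() here and in session_x11_req() in the next hunk, so any other present or future caller of session_setup_x11fwd() would skip the check; moving the two xauth_valid_string() calls into session_setup_x11fwd() itself (outside this hunk) would put the guard on the one path that actually hands the strings to xauth. For an operator triaging rejected requests, `error("Invalid X11 forwarding data");` does not say which field failed; checking the two fields separately so the message names the field — `error("Invalid X11 forwarding data (auth_proto)");` — aids detection without echoing the rejected, attacker-controlled bytes into the log. The `if` arm should also be braced to match the braced `else`. Both enclosing functions start and end outside their hunks.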
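Review bot: The new `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);` carries no comment explaining why it must precede the sshbuf_put() into kex->peer, so a later reader could move it after the copy or drop it as dead code; I would annotate it: `/* Unregister now: a repeated KEXINIT from the still-unauthenticated peer must not re-enter this handler and grow kex->peer again (CVE-2016-8858). */`. With the entry cleared, a replayed KEXINIT lands in whatever fallback ssh_dispatch_set() installs for a NULL handler, so the observable symptom of a replay changes from memory growth to a protocol error — worth a phrase in that comment for whoever correlates logs. This relies on the kex state machine re-registering the handler when a later rekey starts; that code is outside the hunk and I have not verified it from here. kex_input_kexinit() continues beyond the hunk.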