From 4be18df7042e0832eb48c02e905c59bbcdd416a8 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Thu, 27 Jul 2023 16:05:46 +0200 Subject: [PATCH 1/3] overlay net-misc/openssh: update to 9.3_p2 Update net-misc/openssh to 9.3_p2, mainly address CVE-2023-38408. Gentoo ref: ee25b7d5358f42edd851c00492a885faaf2e349c --- .../coreos-overlay/net-misc/openssh/Manifest | 4 +- .../net-misc/openssh/files/sshd.socket | 1 - ...9.3_p1-r2.ebuild => openssh-9.3_p2.ebuild} | 50 +++---------------- 3 files changed, 9 insertions(+), 46 deletions(-) rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/{openssh-9.3_p1-r2.ebuild => openssh-9.3_p2.ebuild} (87%) diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest index 6f31cfab6a..c70a2636a8 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest 
@@ -1,2 +1,2 @@
-DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
-DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4
+DIST openssh-9.3p2.tar.gz 1835850 BLAKE2B 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f SHA512 15b8c57aa120186f1d1c3c2b8dc6ffd26733e12f755a6b0a4255d9ec1815a61506275ff5723b4ac029e44bc2ad22852ac36e1101f292348fbfa79aa1a4cd3f35
+DIST openssh-9.3p2.tar.gz.asc 833 BLAKE2B cfba3867d7f97cb2c904bd3ae111bd63e8a050464b66e3f3f22390839a153d57ef5819182f8ad99a6b520f27881143552dc64fccfc33dcc0483ffe1ef33a5a47 SHA512 759e512a36a3a62264803b517298a65c83e1daebd9867e28ea1ca4999c38539368815ccda86540a4f5d45fa79c539d8242995ba55f2918baf2a7404c105e337a
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
index d19f34be86..94b9533180 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
@@ -5,7 +5,6 @@ Conflicts=sshd.service
 [Socket]
 ListenStream=22
 Accept=yes
-TriggerLimitBurst=0
 [Install]
 WantedBy=sockets.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2.ebuild
similarity index 87%
rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1-r2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2.ebuild
index 8f01a48dc7..e3184f35c2 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p1-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2.ebuild
@@ -19,7 +19,7 @@ S="${WORKDIR}/${PARCH}"
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss"
@@ -227,37 +227,6 @@ src_test() {
 emake -j1 "${tests[@]}" "${src_config}"
- rm -f "${copy}" || die
-}
-
 # Gentoo tweaks to default config files.
 tweak_ssh_configs() {
 local locale_vars=(
@@ -271,9 +240,12 @@ tweak_ssh_configs() {
 )
 dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
-
- insert_include "${ED}"/etc/ssh/ssh_config 'Host,Match' '/etc/ssh/ssh_config.d'
- insert_include "${ED}"/etc/ssh/sshd_config 'Match' '/etc/ssh/sshd_config.d'
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
+ Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
+ Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
+ EOF
 cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
 # Send locale environment variables (bug #367017)
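Review bot: The new side of the `@@ -271,9 +240,12 @@` hunk appends `Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"` to the tail of sshd_config, and the `@@ -292,10 +264,6 @@` and `@@ -321,10 +289,6 @@` hunks drop the Subsystem drop-in and the 0700/0600 `fperms` on `/etc/ssh/sshd_config.d`; PATCH 2/3 then reverts every one of these together with the `TriggerLimitBurst=0` deletion and the KEYWORDS change. Checked out on its own, PATCH 1/3 therefore ships drop-ins at the end of sshd_config, where sshd's first-value-wins rule lets any directive already set above them take precedence (and an uncommented `Match` block above would scope the Include), plus a socket unit with systemd's default trigger rate limit back in force. Since both commits rewrite the same lines, folding the Flatcar re-application into the bump, or ordering it first, would keep each commit in the series consistent and bisectable. `src_test()` and `tweak_ssh_configs()` both begin outside these hunks.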
@@ -292,10 +264,6 @@ tweak_ssh_configs() { ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== EOF - # Move sshd's Subsystem option to a drop-in file. - grep -ie 'subsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die - sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die # Allow client to pass locale environment variables (bug #367017) AcceptEnv ${locale_vars[*]} @@ -321,10 +289,6 @@ tweak_ssh_configs() { PermitRootLogin Yes EOF fi - - local sshd_drop_ins=("${ED}"/etc/ssh/sshd_config.d/*.conf) - fperms 0700 /etc/ssh/sshd_config.d - fperms 0600 "${sshd_drop_ins[@]#${ED}}" } src_install() { From 67275491eea9de4076c4acfe0d17c51a9fd85703 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 5 Jul 2023 16:13:38 +0200 Subject: [PATCH 2/3] net-misc/openssh: Apply Flatcar modifications - Mark the package as stable. - Remove the socket unit's rate limiting. - Fixes to configuration handling. We are trying to upstream these changes, so this package will be eventually moved to portage-stable. But updating it in coreos-overlay for now to drop the use of the obsolete cygwin USE flags. Upstream PR: https://github.com/gentoo/gentoo/pull/31615 --- .../net-misc/openssh/files/sshd.socket | 1 + ...9.3_p2.ebuild => openssh-9.3_p2-r1.ebuild} | 50 ++++++++++++++++--- 2 files changed, 44 insertions(+), 7 deletions(-) rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/{openssh-9.3_p2.ebuild => openssh-9.3_p2-r1.ebuild} (87%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
index 94b9533180..d19f34be86 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket
@@ -5,6 +5,7 @@ Conflicts=sshd.service
 [Socket]
 ListenStream=22
 Accept=yes
+TriggerLimitBurst=0
 [Install]
 WantedBy=sockets.target
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild
similarity index 87%
rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild
index e3184f35c2..8f01a48dc7 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild
@@ -19,7 +19,7 @@ S="${WORKDIR}/${PARCH}"
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
 IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss"
@@ -227,6 +227,37 @@ src_test() {
 emake -j1 "${tests[@]}" "${src_config}"
+ rm -f "${copy}" || die
+}
+
 # Gentoo tweaks to default config files.
 tweak_ssh_configs() {
 local locale_vars=(
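Review bot: `TriggerLimitBurst=0` switches off systemd's activation rate limit entirely, and because this unit runs with `Accept=yes` every accepted connection spawns its own service instance, so after this hunk nothing in the socket unit bounds how many sshd instances an unauthenticated burst of connections can start. The motivation is presumably that a tripped limit makes systemd fail the socket and stop accepting altogether; that reasoning belongs in the unit, e.g. `# Disable the activation rate limit: with Accept=yes a tripped limit would fail the socket and stop accepting logins.`, and `MaxConnections=` / `MaxConnectionsPerSource=` are the socket-unit options that provide a bound without re-enabling the trigger limit. The `@@ -227,6 +227,37 @@` ebuild hunk on the same line counts 31 added lines but only three are visible here (`rm -f "${copy}" || die`, the closing brace and a blank), so the remainder, presumably the `insert_include` helper called later in the series, could not be reviewed.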
@@ -240,12 +271,9 @@ tweak_ssh_configs() {
 )
 dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
- Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
- Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
- EOF
+
+ insert_include "${ED}"/etc/ssh/ssh_config 'Host,Match' '/etc/ssh/ssh_config.d'
+ insert_include "${ED}"/etc/ssh/sshd_config 'Match' '/etc/ssh/sshd_config.d'
 cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
 # Send locale environment variables (bug #367017)
@@ -264,6 +292,10 @@ tweak_ssh_configs() {
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
 EOF
+ # Move sshd's Subsystem option to a drop-in file.
+ grep -ie 'subsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die
+ sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config
+
 cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
 # Allow client to pass locale environment variables (bug #367017)
 AcceptEnv ${locale_vars[*]}
@@ -289,6 +321,10 @@ tweak_ssh_configs() {
 PermitRootLogin Yes
 EOF
 fi
+
+ local sshd_drop_ins=("${ED}"/etc/ssh/sshd_config.d/*.conf)
+ fperms 0700 /etc/ssh/sshd_config.d
+ fperms 0600 "${sshd_drop_ins[@]#${ED}}"
 }
 src_install() {
From 6a2f155526895db0960ae37bf690ea24a3ea95f2 Mon Sep 17 00:00:00 2001
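Review bot: The two `insert_include` calls in the `@@ -240,12 +271,9 @@` hunk pass the bare paths `/etc/ssh/ssh_config.d` and `/etc/ssh/sshd_config.d`, whereas the heredocs they replace wrote `"${EPREFIX}/etc/ssh/sshd_config.d/*.conf"`; unless `insert_include` (added by the `@@ -227` hunk, whose body is not visible on this page) prepends `${EPREFIX}` itself, a prefixed install would include a directory that does not exist and silently lose every drop-in, including the sshd hardening added below. If the helper does not do that, the calls should read `insert_include "${ED}"/etc/ssh/sshd_config 'Match' "${EPREFIX}/etc/ssh/sshd_config.d"` (and likewise for ssh_config). `tweak_ssh_configs()` begins outside this hunk.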
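Review bot: The `grep -ie 'subsystem'` / `sed -i -e '/[Ss]ubsystem/d'` pair in the `@@ -264,6 +292,10 @@` hunk is asymmetric: the grep is case-insensitive and unanchored, so any comment line that merely mentions the word is copied into the drop-in, while the sed deletes only lines containing `Subsystem`/`subsystem` and, unlike the grep, has no `|| die`, so a failed rewrite would leave the directive defined in both files. Anchoring both to the directive and checking the sed makes the move exact: `grep -E '^[[:space:]]*[Ss]ubsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die` and `sed -i -E '/^[[:space:]]*[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config || die`.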
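Review bot: In the `@@ -289,6 +321,10 @@` hunk, `"${sshd_drop_ins[@]#${ED}}"` uses `${ED}` unquoted as the prefix pattern, so a prefix containing glob characters would not be stripped literally; `"${sshd_drop_ins[@]#"${ED}"}"` removes it as a plain string. The 0700/0600 tightening is sound defence in depth for files that can carry `PermitRootLogin` and similar settings, but the glob is expanded at install time, so only the drop-ins this ebuild ships are covered; a comment such as `# Restrict the drop-ins we install; files an admin adds later keep their own mode.` would spare the next reader that check.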
From: Dongsu Park
Date: Thu, 27 Jul 2023 16:16:06 +0200
Subject: [PATCH 3/3] changelog: add security changelog for openssh 9.3_p2
---
 changelog/security/2023-07-27-openssh-9.3_p2.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/security/2023-07-27-openssh-9.3_p2.md
diff --git a/changelog/security/2023-07-27-openssh-9.3_p2.md b/changelog/security/2023-07-27-openssh-9.3_p2.md
new file mode 100644
index 0000000000..e18f901eae
--- /dev/null
+++ b/changelog/security/2023-07-27-openssh-9.3_p2.md
@@ -0,0 +1 @@
+- OpenSSH ([CVE-2023-38408](https://nvd.nist.gov/vuln/detail/CVE-2023-38408))