From 628a11a24d3b72672458e8c931eacbcf40e9551b Mon Sep 17 00:00:00 2001
From: Oliver Schmidt
Date: Fri, 5 Jul 2024 10:28:38 +0200
Subject: [PATCH] openssh: use 9.6p1 by default, patched against CVE-2024-6387

---
 nixos/platform/default.nix | 1 +
 .../openssh-9.6_p1-CVE-2024-6387.patch | 19 +++++++++++++++++
 pkgs/openssh/openssh-9.6_p1-chaff-logic.patch | 16 ++++++++++++++
 pkgs/overlay.nix | 21 +++++++++++++++++++
 4 files changed, 57 insertions(+)
 create mode 100644 pkgs/openssh/openssh-9.6_p1-CVE-2024-6387.patch
 create mode 100644 pkgs/openssh/openssh-9.6_p1-chaff-logic.patch

diff --git a/nixos/platform/default.nix b/nixos/platform/default.nix
index 377938da0..100fd0390 100644
--- a/nixos/platform/default.nix
+++ b/nixos/platform/default.nix
@@ -315,6 +315,7 @@ in {
 openssh.enable = fclib.mkPlatform true;
 openssh.kbdInteractiveAuthentication = false;
 openssh.passwordAuthentication = false;
+ programs.ssh.package = pkgs.openssh_9_6;
 telegraf.enable = mkDefault true;
diff --git a/pkgs/openssh/openssh-9.6_p1-CVE-2024-6387.patch b/pkgs/openssh/openssh-9.6_p1-CVE-2024-6387.patch
new file mode 100644
index 000000000..7b7fb7038
--- /dev/null
+++ b/pkgs/openssh/openssh-9.6_p1-CVE-2024-6387.patch
@@ -0,0 +1,19 @@
+https://bugs.gentoo.org/935271
+Backport proposed by upstream at https://marc.info/?l=oss-security&m=171982317624594&w=2.
+--- a/log.c
++++ b/log.c
+@@ -451,12 +451,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#ifdef SYSLOG_R_SAFE_IN_SIGHAND
+ va_list args;
+
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+
diff --git a/pkgs/openssh/openssh-9.6_p1-chaff-logic.patch b/pkgs/openssh/openssh-9.6_p1-chaff-logic.patch
new file mode 100644
index 000000000..90544d1a4
--- /dev/null
+++ b/pkgs/openssh/openssh-9.6_p1-chaff-logic.patch
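Review bot: `programs.ssh.package = pkgs.openssh_9_6;` is placed between `openssh.*` and `telegraf.enable` keys, and the hunk does not show the enclosing attribute; if those siblings live inside a `services = { ... }` attrset, this line would define `services.programs.ssh.package` rather than the top-level option and pin nothing. Please confirm it sits at the same level as the `services` key, or spell it out as a full path next to its siblings. Since CVE-2024-6387 is a server-side issue, the pin that matters is the one sshd uses; as far as I recall `services.openssh.package` follows `programs.ssh.package` by default, so this should work, but an explicit `services.openssh.package = pkgs.openssh_9_6;` would state that dependency directly and not rely on the module default.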
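Review bot: With `#ifdef SYSLOG_R_SAFE_IN_SIGHAND` wrapping the whole `sshlogv()` call, any build where that macro is not defined (the configure check is not shown here, but portable builds on glibc presumably fall in this class) compiles `sshsigdie()` down to a bare `_exit(1)`, so whatever message the caller passes is silently dropped. That is the intended mitigation, but it also removes a fatal log line that operators may be alerting on; the patch header should say so, e.g. `Note: on targets without SYSLOG_R_SAFE_IN_SIGHAND the message passed to sshsigdie() is no longer logged; adjust log-based monitoring accordingly.` In that configuration `file`, `func`, `line`, `showfunc`, `level`, `suffix` and `fmt` are all unused, which may surface as -Wunused-parameter noise; an `#else` branch that `(void)`-casts them would keep the build clean if warnings are treated as errors.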
@@ -0,0 +1,16 @@
+"Minor logic error in ObscureKeystrokeTiming"
+https://marc.info/?l=oss-security&m=171982317624594&w=2
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -608,8 +608,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
+ if (timespeccmp(&now, &chaff_until, >=)) {
+ /* Stop if there have been no keystrokes for a while */
+ stop_reason = "chaff time expired";
+- } else if (timespeccmp(&now, &next_interval, >=)) {
+- /* Otherwise if we were due to send, then send chaff */
++ } else if (timespeccmp(&now, &next_interval, >=) &&
++ !ssh_packet_have_data_to_write(ssh)) {
++ /* If due to send but have no data, then send chaff */
+ if (send_chaff(ssh))
+ nchaff++;
+ }
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 1f50df999..ee93a9ce1 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -305,6 +305,27 @@ in {
 openldap_2_4 = super.callPackage ./openldap_2_4.nix { };
+ # fixes critical CVEs, especially CVE-2024-6387
+ openssh_9_6 = super.openssh.overrideAttrs(old_ssh: rec {
+ version = "9.6p1";
+ name = "openssh-${version}";
+
+ src = super.fetchurl {
+ url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
+ hash = "sha256-kQIRwHJVqMWtZUORtA7lmABxDdgRndU2LeCThap6d3w=";
+ };
+
+ patches = with builtins;
+ filter (p: ! (elem (builtins.baseNameOf p)
+ ["CVE-2021-41617-1.patch" "CVE-2021-41617-2.patch"]))
+ old_ssh.patches
+ ++ [
+ ./openssh/openssh-9.6_p1-CVE-2024-6387.patch
+ ./openssh/openssh-9.6_p1-chaff-logic.patch
+ ];
+
+ });
+
 # fixes several CVEs https://www.openssl.org/news/secadv/20230207.txt
 inherit (super.callPackages ./openssl { }) openssl_1_1
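Review bot: The new patch file's header is only a quoted title and the same oss-security URL as the CVE patch, which makes it read as part of the CVE-2024-6387 fix; from the hunk it is a client-side change in `clientloop.c` (chaff is now sent only when `ssh_packet_have_data_to_write(ssh)` is false) and nothing in it touches sshd. A second header line such as `Client-side keystroke-timing fix from the same upstream announcement; unrelated to CVE-2024-6387 and can be kept or dropped independently of the CVE patch.` would save the next maintainer from assuming both patches must travel together when the package is next bumped. The commit title and the overlay comment `# fixes critical CVEs, especially CVE-2024-6387` describe both patches as CVE fixes and could make the same distinction.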