main/openssh: security fixes

CVE-2018-20685, CVE-2019-6109, CVE-2019-6111

Rebase HPN patch

Fixes #9996

5 files changed, 519 insertions, 11 deletions

diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index fced60459e..9503f60e82 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
 pkgname=openssh
 pkgver=7.9_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=2
+pkgrel=3
 pkgdesc="Port of OpenBSD's free SSH release"
 url="https://www.openssh.org/portable.html"
 arch="all"
@@ -30,15 +30,23 @@ for _flavour in $_pkgsupport; do
 done
 
 source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
+        CVE-2018-20685.patch
+        CVE-2019-6109.patch
+        CVE-2019-6111.patch
         openssh7.4-peaktput.patch
         fix-utmp.patch
         bsd-compatible-realpath.patch
         sftp-interactive.patch
         disable-forwarding-by-default.patch
+
         sshd.initd
         sshd.confd
         "
 # secfixes:
+#   7.9_p1-r3:
+#     - CVE-2018-20685
+#     - CVE-2019-6109
+#     - CVE-2019-6111
 #   7.7_p1-r4:
 #     - CVE-2018-15473
 #   7.5_p1-r8:
@@ -197,7 +205,10 @@ _pkg_flavour() {
 }
 
 sha512sums="0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e  openssh-7.9p1.tar.gz
-398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6  openssh7.4-peaktput.patch
+b8907d3d6ebceeca15f6bc97551a7613c68df5c31e4e76d43b7c0bd9ad42dedcabc20a2cc5404b89f40850a4765b24892bde50eab1db55c96ad5cf23bb1f8d04  CVE-2018-20685.patch
+299e24dbe73d170d16769fa46e52045e034ff8eb2e7ed26bf2e29d941f067ebbe7e66f4a1253576d13ef689922ac2948215ecd744f57a362cb175549080f41ca  CVE-2019-6109.patch
+7b321e7ff7cff7fb956efd30d3ee770eb553e2db8d0d5e613624859f877efe55da8989f03cdf9e206b397bbc9b6b584c4374073af1a524981e8420c72daf648c  CVE-2019-6111.patch
+7b5ec0c18117437d8ed5132e13b29d604b49a11c571ee89316d1adeb457092379130b9af6b97effa6b2d05d5d5512cf82ebf76803c29cbc5ab387bf87bafd7b9  openssh7.4-peaktput.patch
 f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b3389462296ed77921a1d08456e7aaa3825cbed08f405b381a58e1  fix-utmp.patch
 f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73  bsd-compatible-realpath.patch
 c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  sftp-interactive.patch
diff --git a/main/openssh/CVE-2018-20685.patch b/main/openssh/CVE-2018-20685.patch
new file mode 100644
index 0000000000..f2f1ecfc55
--- /dev/null
+++ b/main/openssh/CVE-2018-20685.patch
@@ -0,0 +1,33 @@
+From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Nov 2018 03:03:10 +0000
+Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
+ to the
+
+current directory; based on report/patch from Harry Sintonen
+
+OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
+---
+ scp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/scp.c b/scp.c
+index 60682c687..4f3fdcd3d 100644
+--- a/scp.c
++++ b/scp.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
++/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
+ /*
+  * scp - secure remote copy.  This is basically patched BSD rcp which
+  * uses ssh to do the data transfer (instead of using rcmd).
+@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
+                        SCREWUP("size out of range");
+                size = (off_t)ull;
+ 
+-               if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++               if (*cp == '\0' || strchr(cp, '/') != NULL ||
++                   strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+                        run_err("error: unexpected filename: %s", cp);
+                        exit(1);
+                }
diff --git a/main/openssh/CVE-2019-6109.patch b/main/openssh/CVE-2019-6109.patch
new file mode 100644
index 0000000000..e58b8b1bd5
--- /dev/null
+++ b/main/openssh/CVE-2019-6109.patch
@@ -0,0 +1,276 @@
+From 11b88754cadcad0ba79b4ffcc127223248dccb54 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Wed, 23 Jan 2019 08:01:46 +0000
+Subject: upstream: Sanitize scp filenames via snmprintf. To do this we move
+
+the progressmeter formatting outside of signal handler context and have the
+atomicio callback called for EINTR too.  bz#2434 with contributions from djm
+and jjelen at redhat.com, ok djm@
+
+OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
+
+CVE-2019-6109
+
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c
+Bug-Debian: https://bugs.debian.org/793412
+Last-Update: 2019-02-08
+
+Patch-Name: sanitize-scp-filenames-via-snmprintf.patch
+---
+ atomicio.c      | 20 ++++++++++++++-----
+ progressmeter.c | 53 ++++++++++++++++++++++---------------------------
+ progressmeter.h |  3 ++-
+ scp.c           |  1 +
+ sftp-client.c   | 16 ++++++++-------
+ 5 files changed, 51 insertions(+), 42 deletions(-)
+
+diff --git a/atomicio.c b/atomicio.c
+index f854a06f5..d91bd7621 100644
+--- a/atomicio.c
++++ b/atomicio.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
++/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+  * Copyright (c) 2006 Damien Miller. All rights reserved.
+  * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
+@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
+                res = (f) (fd, s + pos, n - pos);
+                switch (res) {
+                case -1:
+-                       if (errno == EINTR)
++                       if (errno == EINTR) {
++                               /* possible SIGALARM, update callback */
++                               if (cb != NULL && cb(cb_arg, 0) == -1) {
++                                       errno = EINTR;
++                                       return pos;
++                               }
+                                continue;
+-                       if (errno == EAGAIN || errno == EWOULDBLOCK) {
++                       } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READ_COMPARISON
+                                (void)poll(&pfd, 1, -1);
+ #endif
+@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
+                res = (f) (fd, iov, iovcnt);
+                switch (res) {
+                case -1:
+-                       if (errno == EINTR)
++                       if (errno == EINTR) {
++                               /* possible SIGALARM, update callback */
++                               if (cb != NULL && cb(cb_arg, 0) == -1) {
++                                       errno = EINTR;
++                                       return pos;
++                               }
+                                continue;
+-                       if (errno == EAGAIN || errno == EWOULDBLOCK) {
++                       } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READV_COMPARISON
+                                (void)poll(&pfd, 1, -1);
+ #endif
+diff --git a/progressmeter.c b/progressmeter.c
+index fe9bf52e4..add462dde 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
++/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+  * Copyright (c) 2003 Nils Nordman.  All rights reserved.
+  *
+@@ -31,6 +31,7 @@
+ 
+ #include <errno.h>
+ #include <signal.h>
++#include <stdarg.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <time.h>
+@@ -39,6 +40,7 @@
+ #include "progressmeter.h"
+ #include "atomicio.h"
+ #include "misc.h"
++#include "utf8.h"
+ 
+ #define DEFAULT_WINSIZE 80
+ #define MAX_WINSIZE 512
+@@ -61,7 +63,7 @@ static void setscreensize(void);
+ void refresh_progress_meter(void);
+ 
+ /* signal handler for updating the progress meter */
+-static void update_progress_meter(int);
++static void sig_alarm(int);
+ 
+ static double start;           /* start progress */
+ static double last_update;     /* last progress update */
+@@ -74,6 +76,7 @@ static long stalled;          /* how long we have been stalled */
+ static int bytes_per_second;   /* current speed in bytes per second */
+ static int win_size;           /* terminal window size */
+ static volatile sig_atomic_t win_resized; /* for window resizing */
++static volatile sig_atomic_t alarm_fired;
+ 
+ /* units for format_size */
+ static const char unit[] = " KMGT";
+@@ -126,9 +129,17 @@ refresh_progress_meter(void)
+        off_t bytes_left;
+        int cur_speed;
+        int hours, minutes, seconds;
+-       int i, len;
+        int file_len;
+ 
++       if ((!alarm_fired && !win_resized) || !can_output())
++               return;
++       alarm_fired = 0;
++
++       if (win_resized) {
++               setscreensize();
++               win_resized = 0;
++       }
++
+        transferred = *counter - (cur_pos ? cur_pos : start_pos);
+        cur_pos = *counter;
+        now = monotime_double();
+@@ -158,16 +169,11 @@ refresh_progress_meter(void)
+ 
+        /* filename */
+        buf[0] = '\0';
+-       file_len = win_size - 35;
++       file_len = win_size - 36;
+        if (file_len > 0) {
+-               len = snprintf(buf, file_len + 1, "\r%s", file);
+-               if (len < 0)
+-                       len = 0;
+-               if (len >= file_len + 1)
+-                       len = file_len;
+-               for (i = len; i < file_len; i++)
+-                       buf[i] = ' ';
+-               buf[file_len] = '\0';
++               buf[0] = '\r';
++               snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
++                   file_len * -1, file);
+        }
+ 
+        /* percent of transfer done */
+@@ -228,22 +234,11 @@ refresh_progress_meter(void)
+ 
+ /*ARGSUSED*/
+ static void
+-update_progress_meter(int ignore)
++sig_alarm(int ignore)
+ {
+-       int save_errno;
+-
+-       save_errno = errno;
+-
+-       if (win_resized) {
+-               setscreensize();
+-               win_resized = 0;
+-       }
+-       if (can_output())
+-               refresh_progress_meter();
+-
+-       signal(SIGALRM, update_progress_meter);
++       signal(SIGALRM, sig_alarm);
++       alarm_fired = 1;
+        alarm(UPDATE_INTERVAL);
+-       errno = save_errno;
+ }
+ 
+ void
+@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+        bytes_per_second = 0;
+ 
+        setscreensize();
+-       if (can_output())
+-               refresh_progress_meter();
++       refresh_progress_meter();
+ 
+-       signal(SIGALRM, update_progress_meter);
++       signal(SIGALRM, sig_alarm);
+        signal(SIGWINCH, sig_winch);
+        alarm(UPDATE_INTERVAL);
+ }
+@@ -286,6 +280,7 @@ stop_progress_meter(void)
+ static void
+ sig_winch(int sig)
+ {
++       signal(SIGWINCH, sig_winch);
+        win_resized = 1;
+ }
+ 
+diff --git a/progressmeter.h b/progressmeter.h
+index bf179dca6..8f6678060 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
++/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+  * Copyright (c) 2002 Nils Nordman.  All rights reserved.
+  *
+@@ -24,4 +24,5 @@
+  */
+ 
+ void   start_progress_meter(const char *, off_t, off_t *);
++void   refresh_progress_meter(void);
+ void   stop_progress_meter(void);
+diff --git a/scp.c b/scp.c
+index 7163d33dc..80308573c 100644
+--- a/scp.c
++++ b/scp.c
+@@ -593,6 +593,7 @@ scpio(void *_cnt, size_t s)
+        off_t *cnt = (off_t *)_cnt;
+ 
+        *cnt += s;
++       refresh_progress_meter();
+        if (limit_kbps > 0)
+                bandwidth_limit(&bwlimit, s);
+        return 0;
+diff --git a/sftp-client.c b/sftp-client.c
+index 4986d6d8d..2bc698f86 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
+ {
+        struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
+ 
+-       bandwidth_limit(bwlimit, amount);
++       refresh_progress_meter();
++       if (bwlimit != NULL)
++               bandwidth_limit(bwlimit, amount);
+        return 0;
+ }
+ 
+@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m)
+        iov[1].iov_base = (u_char *)sshbuf_ptr(m);
+        iov[1].iov_len = sshbuf_len(m);
+ 
+-       if (atomiciov6(writev, conn->fd_out, iov, 2,
+-           conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
++       if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
++           conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
+            sshbuf_len(m) + sizeof(mlen))
+                fatal("Couldn't send packet: %s", strerror(errno));
+ 
+@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
+ 
+        if ((r = sshbuf_reserve(m, 4, &p)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-       if (atomicio6(read, conn->fd_in, p, 4,
+-           conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
++       if (atomicio6(read, conn->fd_in, p, 4, sftpio,
++           conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
+                if (errno == EPIPE || errno == ECONNRESET)
+                        fatal("Connection closed");
+                else
+@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
+ 
+        if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-       if (atomicio6(read, conn->fd_in, p, msg_len,
+-           conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
++       if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
++           conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
+            != msg_len) {
+                if (errno == EPIPE)
+                        fatal("Connection closed");
diff --git a/main/openssh/CVE-2019-6111.patch b/main/openssh/CVE-2019-6111.patch
new file mode 100644
index 0000000000..519358ce6c
--- /dev/null
+++ b/main/openssh/CVE-2019-6111.patch
@@ -0,0 +1,187 @@
+From 125924e47db3713a85a70e0f8d6c23818d2ea054 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 26 Jan 2019 22:41:28 +0000
+Subject: upstream: check in scp client that filenames sent during
+
+remote->local directory copies satisfy the wildcard specified by the user.
+
+This checking provides some protection against a malicious server
+sending unexpected filenames, but it comes at a risk of rejecting wanted
+files due to differences between client and server wildcard expansion rules.
+
+For this reason, this also adds a new -T flag to disable the check.
+
+reported by Harry Sintonen
+fix approach suggested by markus@;
+has been in snaps for ~1wk courtesy deraadt@
+
+OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
+
+CVE-2019-6111
+
+Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc
+Last-Update: 2019-02-08
+
+Patch-Name: check-filenames-in-scp-client.patch
+---
+ scp.1 | 12 +++++++++++-
+ scp.c | 37 +++++++++++++++++++++++++++++--------
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/scp.1 b/scp.1
+index 0e5cc1b2d..397e77091 100644
+--- a/scp.1
++++ b/scp.1
+@@ -18,7 +18,7 @@
+ .Nd secure copy (remote file copy program)
+ .Sh SYNOPSIS
+ .Nm scp
+-.Op Fl 346BCpqrv
++.Op Fl 346BCpqrTv
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+@@ -208,6 +208,16 @@ to use for the encrypted connection.
+ The program must understand
+ .Xr ssh 1
+ options.
++.It Fl T
++Disable strict filename checking.
++By default when copying files from a remote host to a local directory
++.Nm
++checks that the received filenames match those requested on the command-line
++to prevent the remote end from sending unexpected or unwanted files.
++Because of differences in how various operating systems and shells interpret
++filename wildcards, these checks may cause wanted files to be rejected.
++This option disables these checks at the expense of fully trusting that
++the server will not send unexpected filenames.
+ .It Fl v
+ Verbose mode.
+ Causes
+diff --git a/scp.c b/scp.c
+index 1971c80cd..035037bcc 100644
+--- a/scp.c
++++ b/scp.c
+@@ -94,6 +94,7 @@
+ #include <dirent.h>
+ #include <errno.h>
+ #include <fcntl.h>
++#include <fnmatch.h>
+ #include <limits.h>
+ #include <locale.h>
+ #include <pwd.h>
+@@ -383,14 +384,14 @@ void verifydir(char *);
+ struct passwd *pwd;
+ uid_t userid;
+ int errs, remin, remout;
+-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
++int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
+ 
+ #define        CMDNEEDS        64
+ char cmd[CMDNEEDS];            /* must hold "rcp -r -p -d\0" */
+ 
+ int response(void);
+ void rsource(char *, struct stat *);
+-void sink(int, char *[]);
++void sink(int, char *[], const char *);
+ void source(int, char *[]);
+ void tolocal(int, char *[]);
+ void toremote(int, char *[]);
+@@ -429,8 +430,9 @@ main(int argc, char **argv)
+        addargs(&args, "-oRemoteCommand=none");
+        addargs(&args, "-oRequestTTY=no");
+ 
+-       fflag = tflag = 0;
+-       while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
++       fflag = Tflag = tflag = 0;
++       while ((ch = getopt(argc, argv,
++           "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1) {
+                switch (ch) {
+                /* User-visible flags. */
+                case '1':
+@@ -509,9 +511,13 @@ main(int argc, char **argv)
+                        setmode(0, O_BINARY);
+ #endif
+                        break;
++               case 'T':
++                       Tflag = 1;
++                       break;
+                default:
+                        usage();
+                }
++       }
+        argc -= optind;
+        argv += optind;
+ 
+@@ -542,7 +548,7 @@ main(int argc, char **argv)
+        }
+        if (tflag) {
+                /* Receive data. */
+-               sink(argc, argv);
++               sink(argc, argv, NULL);
+                exit(errs != 0);
+        }
+        if (argc < 2)
+@@ -800,7 +806,7 @@ tolocal(int argc, char **argv)
+                        continue;
+                }
+                free(bp);
+-               sink(1, argv + argc - 1);
++               sink(1, argv + argc - 1, src);
+                (void) close(remin);
+                remin = remout = -1;
+        }
+@@ -976,7 +982,7 @@ rsource(char *name, struct stat *statp)
+         (sizeof(type) != 4 && sizeof(type) != 8))
+ 
+ void
+-sink(int argc, char **argv)
++sink(int argc, char **argv, const char *src)
+ {
+        static BUF buffer;
+        struct stat stb;
+@@ -992,6 +998,7 @@ sink(int argc, char **argv)
+        unsigned long long ull;
+        int setimes, targisdir, wrerrno = 0;
+        char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
++       char *src_copy = NULL, *restrict_pattern = NULL;
+        struct timeval tv[2];
+ 
+ #define        atime   tv[0]
+@@ -1016,6 +1023,17 @@ sink(int argc, char **argv)
+        (void) atomicio(vwrite, remout, "", 1);
+        if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+                targisdir = 1;
++       if (src != NULL && !iamrecursive && !Tflag) {
++               /*
++                * Prepare to try to restrict incoming filenames to match
++                * the requested destination file glob.
++                */
++               if ((src_copy = strdup(src)) == NULL)
++                       fatal("strdup failed");
++               if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
++                       *restrict_pattern++ = '\0';
++               }
++       }
+        for (first = 1;; first = 0) {
+                cp = buf;
+                if (atomicio(read, remin, cp, 1) != 1)
+@@ -1120,6 +1138,9 @@ sink(int argc, char **argv)
+                        run_err("error: unexpected filename: %s", cp);
+                        exit(1);
+                }
++               if (restrict_pattern != NULL &&
++                   fnmatch(restrict_pattern, cp, 0) != 0)
++                       SCREWUP("filename does not match request");
+                if (targisdir) {
+                        static char *namebuf;
+                        static size_t cursize;
+@@ -1157,7 +1178,7 @@ sink(int argc, char **argv)
+                                        goto bad;
+                        }
+                        vect[0] = xstrdup(np);
+-                       sink(1, vect);
++                       sink(1, vect, src);
+                        if (setimes) {
+                                setimes = 0;
+                                if (utimes(vect[0], tv) < 0)
diff --git a/main/openssh/openssh7.4-peaktput.patch b/main/openssh/openssh7.4-peaktput.patch
index 6fc6140a6e..ec76deb3b4 100644
--- a/main/openssh/openssh7.4-peaktput.patch
+++ b/main/openssh/openssh7.4-peaktput.patch
@@ -9,14 +9,15 @@
  static volatile off_t *counter;        /* progress counter */
  static long stalled;           /* how long we have been stalled */
  static int bytes_per_second;   /* current speed in bytes per second */
-@@ -128,12 +130,17 @@
+@@ -132,6 +132,7 @@ refresh_progress_meter(void)
+        int cur_speed;
         int hours, minutes, seconds;
-        int i, len;
         int file_len;
 +       off_t delta_pos;
  
-        transferred = *counter - (cur_pos ? cur_pos : start_pos);
-        cur_pos = *counter;
+        if ((!alarm_fired && !win_resized) || !can_output())
+                return;
+@@ -147,6 +148,10 @@ refresh_progress_meter(void)
         now = monotime_double();
         bytes_left = end_pos - cur_pos;
  
@@ -27,15 +28,15 @@
         if (bytes_left > 0)
                 elapsed = now - last_update;
         else {
-@@ -158,7 +165,7 @@
+@@ -171,7 +176,7 @@ refresh_progress_meter(void)
  
         /* filename */
         buf[0] = '\0';
--       file_len = win_size - 35;
-+       file_len = win_size - 45;
+-       file_len = win_size - 36;
++       file_len = win_size - 46;
         if (file_len > 0) {
-                len = snprintf(buf, file_len + 1, "\r%s", file);
-                if (len < 0)
+                buf[0] = '\r';
+                snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
 @@ -188,6 +195,15 @@
             (off_t)bytes_per_second);
         strlcat(buf, "/s ", win_size);