authorMatthias Andree <mandree@FreeBSD.org>2019-07-20 16:16:42 +0000
committerMatthias Andree <mandree@FreeBSD.org>2019-07-20 16:16:42 +0000
commit04f01be22357f571082556c585cefad68fcbd861 (patch)
treec2b6e9e3d9cb09837b7af1ee08a2b2e707a89672 /security/putty
parent7ab9978b709f497e73b7104cfbe28f3d1867beb2 (diff)
Security update to new upstream release 0.72.
Security fixes found by the EU-funded bug bounty: - two separate vulnerabilities affecting the obsolete SSH-1 protocol, both available before host key checking - a vulnerability in all the SSH client tools (PuTTY, Plink, PSFTP and PSCP) if a malicious program can impersonate Pageant Changelog: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html Switch off -DSTATIC_GSSAPI build as that produces non-working executables (assertion failures). Bug has been reported upstream. MFH: 2019Q3 Security: 5914705c-ab03-11e9-a4f9-080027ac955c
Notes
Notes: svn path=/head/; revision=507001
Diffstat (limited to 'security/putty')
-rw-r--r--security/putty/Makefile7
-rw-r--r--security/putty/distinfo6
-rw-r--r--security/putty/files/patch-config.c29
-rw-r--r--security/putty/files/patch-settings.c60
-rw-r--r--security/putty/files/patch-ssh.c44
-rw-r--r--security/putty/files/patch-ssh2transport.c19
-rw-r--r--security/putty/files/patch-ssh2userauth.c28
-rw-r--r--security/putty/files/patch-sshserver.c48
8 files changed, 5 insertions, 236 deletions
diff --git a/security/putty/Makefile b/security/putty/Makefile
index 70a4d5c86f65..6c5c9cb0b19e 100644
--- a/security/putty/Makefile
+++ b/security/putty/Makefile
@@ -1,7 +1,7 @@
# $FreeBSD$
PORTNAME= putty
-PORTVERSION= 0.71
+PORTVERSION= 0.72
CATEGORIES= security ipv6
MASTER_SITES= http://the.earth.li/~sgtatham/putty/${PORTVERSION}/ \
ftp://ftp.chiark.greenend.org.uk/users/sgtatham/putty-latest/
@@ -34,7 +34,7 @@ CONFLICTS_INSTALL?= pssh-[0-9]* putty-gtk2-[0-9]* putty-nogtk-[0-9]*
.include <bsd.port.options.mk>
-CFLAGS+= -DBSD_PTYS -DOMIT_UTMP -DIPV6
+CFLAGS+= -DBSD_PTYS -DOMIT_UTMP -DIPV6 -DHAVE_FUTIMES
LDFLAGS+= -Wl,--as-needed
.if (${PORT_OPTIONS:MGTK2} || ${PORT_OPTIONS:MGTK3}) && !defined(WITHOUT_X11)
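Review bot: The `-DHAVE_FUTIMES` added to `CFLAGS` in this hunk is not mentioned in the commit message and has no comment, so a later maintainer cannot tell whether it works around a 0.72 build problem or can be dropped at the next update. The same gap applies to the `-64,15` hunk, where the three `_COMPAT= -DSTATIC_GSSAPI` lines are removed and the reason (assertion failures, reported upstream) is recorded only in the commit message. I would add a one-line comment above each, for example `# HAVE_FUTIMES: defined by hand, <reason>` and `# STATIC_GSSAPI disabled: 0.72 binaries fail assertions, reported upstream`. Without the static define the GSSAPI library is presumably located at run time rather than at link time; if so, the comment should say that, because it changes which library file the client loads and whether the `gssapi:*,flags` link flags kept in those branches are still needed.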
@@ -64,15 +64,12 @@ MAKE_ARGS+= GTK_CONFIG=:
.endif
.if ${PORT_OPTIONS:MGSSAPI_BASE}
-_COMPAT= -DSTATIC_GSSAPI
USES+= gssapi:base,flags
MAKE_ARGS+= KRB5CONFIG=${KRB5CONFIG}
.elif ${PORT_OPTIONS:MGSSAPI_HEIMDAL}
-_COMPAT= -DSTATIC_GSSAPI
USES+= gssapi:heimdal,flags
MAKE_ARGS+= KRB5CONFIG=${KRB5CONFIG}
.elif ${PORT_OPTIONS:MGSSAPI_MIT}
-_COMPAT= -DSTATIC_GSSAPI
USES+= gssapi:mit,flags
MAKE_ARGS+= KRB5CONFIG=${KRB5CONFIG}
.else
diff --git a/security/putty/distinfo b/security/putty/distinfo
index 48336fbb1006..394d559d863f 100644
--- a/security/putty/distinfo
+++ b/security/putty/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1552820659
-SHA256 (putty-0.71.tar.gz) = 2f931ce2f89780cc8ca7bbed90fcd22c44515d2773f5fa954069e209b48ec6b8
-SIZE (putty-0.71.tar.gz) = 2423752
+TIMESTAMP = 1563631735
+SHA256 (putty-0.72.tar.gz) = f236b5a26b0905809b3cd190158e8b95d81f86ad34fdd97a4312c1877f2cec5f
+SIZE (putty-0.72.tar.gz) = 2449516
diff --git a/security/putty/files/patch-config.c b/security/putty/files/patch-config.c
deleted file mode 100644
index 908a88b0ef7b..000000000000
--- a/security/putty/files/patch-config.c
+++ /dev/null
@@ -1,29 +0,0 @@
---- config.c.orig 2019-03-16 12:26:32 UTC
-+++ config.c
-@@ -2442,10 +2442,12 @@ void setup_config_box(struct controlbox *b, bool midse
- HELPCTX(ssh_kexlist),
- kexlist_handler, P(NULL));
- c->listbox.height = KEX_MAX;
-+#ifndef NO_GSSAPI
- ctrl_checkbox(s, "Attempt GSSAPI key exchange",
- 'k', HELPCTX(ssh_gssapi),
- conf_checkbox_handler,
- I(CONF_try_gssapi_kex));
-+#endif
-
- s = ctrl_getset(b, "Connection/SSH/Kex", "repeat",
- "Options controlling key re-exchange");
-@@ -2455,11 +2457,13 @@ void setup_config_box(struct controlbox *b, bool midse
- conf_editbox_handler,
- I(CONF_ssh_rekey_time),
- I(-1));
-+#ifndef NO_GSSAPI
- ctrl_editbox(s, "Minutes between GSS checks (0 for never)", NO_SHORTCUT, 20,
- HELPCTX(ssh_kex_repeat),
- conf_editbox_handler,
- I(CONF_gssapirekey),
- I(-1));
-+#endif
- ctrl_editbox(s, "Max data before rekey (0 for no limit)", 'x', 20,
- HELPCTX(ssh_kex_repeat),
- conf_editbox_handler,
diff --git a/security/putty/files/patch-settings.c b/security/putty/files/patch-settings.c
deleted file mode 100644
index 76f4f6116a45..000000000000
--- a/security/putty/files/patch-settings.c
+++ /dev/null
@@ -1,60 +0,0 @@
---- settings.c.orig 2019-03-16 12:26:35 UTC
-+++ settings.c
-@@ -592,21 +592,25 @@ void save_open_settings(settings_w *sesskey, Conf *con
- write_setting_b(sesskey, "Compression", conf_get_bool(conf, CONF_compression));
- write_setting_b(sesskey, "TryAgent", conf_get_bool(conf, CONF_tryagent));
- write_setting_b(sesskey, "AgentFwd", conf_get_bool(conf, CONF_agentfwd));
-+#ifndef NO_GSSAPI
- write_setting_b(sesskey, "GssapiFwd", conf_get_bool(conf, CONF_gssapifwd));
-+#endif
- write_setting_b(sesskey, "ChangeUsername", conf_get_bool(conf, CONF_change_username));
- wprefs(sesskey, "Cipher", ciphernames, CIPHER_MAX, conf, CONF_ssh_cipherlist);
- wprefs(sesskey, "KEX", kexnames, KEX_MAX, conf, CONF_ssh_kexlist);
- wprefs(sesskey, "HostKey", hknames, HK_MAX, conf, CONF_ssh_hklist);
- write_setting_i(sesskey, "RekeyTime", conf_get_int(conf, CONF_ssh_rekey_time));
-+#ifndef NO_GSSAPI
- write_setting_i(sesskey, "GssapiRekey", conf_get_int(conf, CONF_gssapirekey));
-+#endif
- write_setting_s(sesskey, "RekeyBytes", conf_get_str(conf, CONF_ssh_rekey_data));
- write_setting_b(sesskey, "SshNoAuth", conf_get_bool(conf, CONF_ssh_no_userauth));
- write_setting_b(sesskey, "SshBanner", conf_get_bool(conf, CONF_ssh_show_banner));
- write_setting_b(sesskey, "AuthTIS", conf_get_bool(conf, CONF_try_tis_auth));
- write_setting_b(sesskey, "AuthKI", conf_get_bool(conf, CONF_try_ki_auth));
-+#ifndef NO_GSSAPI
- write_setting_b(sesskey, "AuthGSSAPI", conf_get_bool(conf, CONF_try_gssapi_auth));
- write_setting_b(sesskey, "AuthGSSAPIKEX", conf_get_bool(conf, CONF_try_gssapi_kex));
--#ifndef NO_GSSAPI
- wprefs(sesskey, "GSSLibs", gsslibkeywords, ngsslibs, conf, CONF_ssh_gsslist);
- write_setting_filename(sesskey, "GSSCustom", conf_get_filename(conf, CONF_ssh_gss_custom));
- #endif
-@@ -937,7 +941,9 @@ void load_open_settings(settings_r *sesskey, Conf *con
- gppb(sesskey, "TryAgent", true, conf, CONF_tryagent);
- gppb(sesskey, "AgentFwd", false, conf, CONF_agentfwd);
- gppb(sesskey, "ChangeUsername", false, conf, CONF_change_username);
-+#ifndef NO_GSSAPI
- gppb(sesskey, "GssapiFwd", false, conf, CONF_gssapifwd);
-+#endif
- gprefs(sesskey, "Cipher", "\0",
- ciphernames, CIPHER_MAX, conf, CONF_ssh_cipherlist);
- {
-@@ -990,7 +996,9 @@ void load_open_settings(settings_r *sesskey, Conf *con
- gprefs(sesskey, "HostKey", "ed25519,ecdsa,rsa,dsa,WARN",
- hknames, HK_MAX, conf, CONF_ssh_hklist);
- gppi(sesskey, "RekeyTime", 60, conf, CONF_ssh_rekey_time);
-+#ifndef NO_GSSAPI
- gppi(sesskey, "GssapiRekey", GSS_DEF_REKEY_MINS, conf, CONF_gssapirekey);
-+#endif
- gpps(sesskey, "RekeyBytes", "1G", conf, CONF_ssh_rekey_data);
- {
- /* SSH-2 only by default */
-@@ -1007,9 +1015,9 @@ void load_open_settings(settings_r *sesskey, Conf *con
- gppb(sesskey, "SshBanner", true, conf, CONF_ssh_show_banner);
- gppb(sesskey, "AuthTIS", false, conf, CONF_try_tis_auth);
- gppb(sesskey, "AuthKI", true, conf, CONF_try_ki_auth);
-+#ifndef NO_GSSAPI
- gppb(sesskey, "AuthGSSAPI", true, conf, CONF_try_gssapi_auth);
- gppb(sesskey, "AuthGSSAPIKEX", true, conf, CONF_try_gssapi_kex);
--#ifndef NO_GSSAPI
- gprefs(sesskey, "GSSLibs", "\0",
- gsslibkeywords, ngsslibs, conf, CONF_ssh_gsslist);
- gppfile(sesskey, "GSSCustom", conf, CONF_ssh_gss_custom);
diff --git a/security/putty/files/patch-ssh.c b/security/putty/files/patch-ssh.c
deleted file mode 100644
index e9f2916134e3..000000000000
--- a/security/putty/files/patch-ssh.c
+++ /dev/null
@@ -1,44 +0,0 @@
---- ssh.c.orig 2019-03-16 12:26:35 UTC
-+++ ssh.c
-@@ -50,7 +50,9 @@ struct Ssh {
- ssh_sharing_state *connshare;
- bool attempting_connshare;
-
-+#ifndef NO_GSSAPI
- struct ssh_connection_shared_gss_state gss_state;
-+#endif
-
- char *savedhost;
- int savedport;
-@@ -252,10 +254,18 @@ static void ssh_got_ssh_version(struct ssh_version_rec
- conf_get_bool(ssh->conf, CONF_tryagent), username,
- conf_get_bool(ssh->conf, CONF_change_username),
- conf_get_bool(ssh->conf, CONF_try_ki_auth),
-+#ifndef NO_GSSAPI
- conf_get_bool(ssh->conf, CONF_try_gssapi_auth),
- conf_get_bool(ssh->conf, CONF_try_gssapi_kex),
- conf_get_bool(ssh->conf, CONF_gssapifwd),
-- &ssh->gss_state);
-+ &ssh->gss_state
-+#else
-+ false,
-+ false,
-+ false,
-+ NULL
-+#endif
-+ );
- ssh_connect_ppl(ssh, userauth_layer);
- transport_child_layer = userauth_layer;
-
-@@ -267,7 +277,11 @@ static void ssh_got_ssh_version(struct ssh_version_rec
- ssh->fullhostname,
- ssh_verstring_get_local(old_bpp),
- ssh_verstring_get_remote(old_bpp),
-+#ifndef NO_GSSAPI
- &ssh->gss_state,
-+#else
-+ NULL,
-+#endif
- &ssh->stats, transport_child_layer, false);
- ssh_connect_ppl(ssh, ssh->base_layer);
-
diff --git a/security/putty/files/patch-ssh2transport.c b/security/putty/files/patch-ssh2transport.c
deleted file mode 100644
index 6c101c02e622..000000000000
--- a/security/putty/files/patch-ssh2transport.c
+++ /dev/null
@@ -1,19 +0,0 @@
---- ssh2transport.c.orig 2019-03-16 12:26:35 UTC
-+++ ssh2transport.c
-@@ -1781,6 +1781,7 @@ static void ssh2_transport_gss_update(struct ssh2_tran
- if (mins > 0 && s->gss_ctxt_lifetime <= mins * 60)
- s->gss_status |= GSS_CTXT_EXPIRES;
- }
-+#endif /* NO_GSSAPI */
-
- ptrlen ssh2_transport_get_session_id(PacketProtocolLayer *ppl)
- {
-@@ -1804,8 +1805,6 @@ void ssh2_transport_notify_auth_done(PacketProtocolLay
- s->rekey_class = RK_POST_USERAUTH;
- queue_idempotent_callback(&s->ppl.ic_process_queue);
- }
--
--#endif /* NO_GSSAPI */
-
- static bool ssh2_transport_get_specials(
- PacketProtocolLayer *ppl, add_special_fn_t add_special, void *ctx)
diff --git a/security/putty/files/patch-ssh2userauth.c b/security/putty/files/patch-ssh2userauth.c
deleted file mode 100644
index d375a949b9b1..000000000000
--- a/security/putty/files/patch-ssh2userauth.c
+++ /dev/null
@@ -1,28 +0,0 @@
---- ssh2userauth.c.orig 2019-03-16 12:26:35 UTC
-+++ ssh2userauth.c
-@@ -613,8 +613,10 @@ static void ssh2_userauth_process_queue(PacketProtocol
- * Scan it for method identifiers we know about.
- */
- bool srv_pubkey = false, srv_passwd = false;
-- bool srv_keyb_inter = false, srv_gssapi = false;
-- bool srv_gssapi_keyex_auth = false;
-+ bool srv_keyb_inter = false;
-+#ifndef NO_GSSAPI
-+ bool srv_gssapi = false, srv_gssapi_keyex_auth = false;
-+#endif
-
- for (ptrlen method; get_commasep_word(&methods, &method) ;) {
- if (ptrlen_eq_string(method, "publickey"))
-@@ -623,10 +625,12 @@ static void ssh2_userauth_process_queue(PacketProtocol
- srv_passwd = true;
- else if (ptrlen_eq_string(method, "keyboard-interactive"))
- srv_keyb_inter = true;
-+#ifndef NO_GSSAPI
- else if (ptrlen_eq_string(method, "gssapi-with-mic"))
- srv_gssapi = true;
- else if (ptrlen_eq_string(method, "gssapi-keyex"))
- srv_gssapi_keyex_auth = true;
-+#endif
- }
-
- /*
diff --git a/security/putty/files/patch-sshserver.c b/security/putty/files/patch-sshserver.c
deleted file mode 100644
index 19f0aa8a01c0..000000000000
--- a/security/putty/files/patch-sshserver.c
+++ /dev/null
@@ -1,48 +0,0 @@
---- sshserver.c.orig 2019-03-16 12:26:36 UTC
-+++ sshserver.c
-@@ -50,7 +50,9 @@ struct server {
- PacketProtocolLayer *base_layer;
- ConnectionLayer *cl;
-
-+#ifndef NO_GSSAPI
- struct ssh_connection_shared_gss_state gss_state;
-+#endif
- };
-
- static void ssh_server_free_callback(void *vsrv);
-@@ -245,9 +247,11 @@ Plug *ssh_server_plug(
- bufchain_init(&srv->out_raw);
- bufchain_init(&srv->dummy_user_input);
-
-+#ifndef NO_GSSAPI
- /* FIXME: replace with sensible */
- srv->gss_state.libs = snew(struct ssh_gss_liblist);
- srv->gss_state.libs->nlibraries = 0;
-+#endif
-
- return &srv->plug;
- }
-@@ -297,7 +301,9 @@ static void ssh_server_free_callback(void *vsrv)
- conf_free(srv->conf);
- log_free(srv->logctx);
-
-+#ifndef NO_GSSAPI
- sfree(srv->gss_state.libs); /* FIXME: replace with sensible */
-+#endif
-
- sfree(srv);
-
-@@ -442,7 +448,12 @@ static void server_got_ssh_version(struct ssh_version_
- srv->conf, NULL, 0, NULL,
- ssh_verstring_get_remote(old_bpp),
- ssh_verstring_get_local(old_bpp),
-- &srv->gss_state, &srv->stats, transport_child_layer, true);
-+#ifndef NO_GSSAPI
-+ &srv->gss_state,
-+#else
-+ NULL,
-+#endif
-+ &srv->stats, transport_child_layer, true);
- ssh2_transport_provide_hostkeys(
- srv->base_layer, srv->hostkeys, srv->nhostkeys);
- if (userauth_layer)