net-misc/openssh: Upstream fix for CVE-2021-41617 for v8.5

Upstream fix:
https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455
https://github.com/openssh/openssh-portable/commit/bf944e3794eff5413f2df1ef37cddf96918c6bde

The same change has been uploaded to Gentoo upstream for review.
https://github.com/gentoo/gentoo/pull/22961.

BUG=b/205336232
TEST=presubmit
RELEASE_NOTE=Updated openssh with upstream fix. This resolved CVE-2021-41617.

Change-Id: I01706fbc4ccc0a19629bc83ec5437f7d82af5a74
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/portage-stable/+/25526
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/net-misc/openssh/files/openssh-8.5_p1-upstream-cve-2021-41617.patch b/net-misc/openssh/files/openssh-8.5_p1-upstream-cve-2021-41617.patch
new file mode 100644
index 0000000..8b7a5ba
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.5_p1-upstream-cve-2021-41617.patch
@@ -0,0 +1,26 @@
+diff --git a/misc.c b/misc.c
+index d988ce3b..33eca1c1 100644
+--- a/misc.c
++++ b/misc.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #include <pwd.h>
++#include <grp.h>
+ #endif
+ #ifdef SSH_TUN_OPENBSD
+ #include <net/if.h>
+@@ -2629,6 +2630,13 @@ subprocess(const char *tag, const char *command,
+ 		}
+ 		closefrom(STDERR_FILENO + 1);
+ 
++		if (geteuid() == 0 &&
++		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
++			error("%s: initgroups(%s, %u): %s", tag,
++			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++			_exit(1);
++		}
++
+ 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+ 			    strerror(errno));
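Review bot: The added `#include <grp.h>` in the first embedded misc.c hunk sits inside the `#ifdef HAVE_PATHS_H` block, so the prototype for `initgroups()` used in the second hunk is only visible when configure finds paths.h. That should hold on a glibc Linux build and the placement may simply mirror upstream, but on a target without paths.h the call would compile against an implicit declaration; an unconditional `#include <grp.h>` outside the guard avoids that if the backport is allowed to diverge. The call itself is in the right place, before `setresgid()`, so the child no longer keeps the parent's supplementary groups when started as root; `subprocess()` continues outside this hunk, so the later uid drop is not visible here. The patch file also begins directly at `diff --git`, with no header naming the two upstream commits cited in the commit message.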
diff --git a/net-misc/openssh/openssh-8.5_p1-r3.ebuild b/net-misc/openssh/openssh-8.5_p1-r3.ebuild
new file mode 120000
index 0000000..3804654
--- /dev/null
+++ b/net-misc/openssh/openssh-8.5_p1-r3.ebuild
@@ -0,0 +1 @@
+openssh-8.5_p1.ebuild
\ No newline at end of file
diff --git a/net-misc/openssh/openssh-8.5_p1.ebuild b/net-misc/openssh/openssh-8.5_p1.ebuild
index 4450212..c89ac3d 100644
--- a/net-misc/openssh/openssh-8.5_p1.ebuild
+++ b/net-misc/openssh/openssh-8.5_p1.ebuild
@@ -137,6 +137,7 @@
 	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
 	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
 	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+	eapply "${FILESDIR}"/${PN}-8.5_p1-upstream-cve-2021-41617.patch
 
 	# workaround for https://bugs.gentoo.org/734984
 	use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
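Review bot: The new `eapply` line has no comment tying the patch to its origin, unlike the `# workaround for https://bugs.gentoo.org/734984` line just below it. A one-line comment above it, e.g. `# CVE-2021-41617: upstream f3cbe43e28fe + bf944e3794ef; drop when bumping to a release that already contains them`, would tell the next maintainer when the patch can go. The patch is applied before the USE-conditional patches that follow, such as the `use X509 ||` line. Whether any of those also touch `misc.c` is not visible here, so it is worth confirming the ebuild still prepares cleanly with those flags toggled rather than relying on the default presubmit configuration alone.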