From 422499de82734633ad40081ce0977f8aa2948176 Mon Sep 17 00:00:00 2001
From: jiangyong
Date: Fri, 17 Mar 2023 15:34:08 +0800
Subject: [PATCH 1/2] Fix a one-byte overflow in SSH-banner processing

Strictly enforce the maximum allowed SSH2 banner size in ssh-keyscan and prevent a one-byte buffer overflow.

Upstream: https://github.com/openssh/openssh-portable/commit/ff89b1bed80721295555bd083b173247a9c0484e
---
 ...sh-9.1p1-fix-onebyte-buffer-overflow.patch | 32 +++++++++++++++++++
 openssh.spec | 3 ++
 2 files changed, 35 insertions(+)
 create mode 100644 openssh-9.1p1-fix-onebyte-buffer-overflow.patch

diff --git a/openssh-9.1p1-fix-onebyte-buffer-overflow.patch b/openssh-9.1p1-fix-onebyte-buffer-overflow.patch
new file mode 100644
index 0000000..aba9ee3
--- /dev/null
+++ b/openssh-9.1p1-fix-onebyte-buffer-overflow.patch
@@ -0,0 +1,32 @@
+diff --color -ru openssh-8.0p1/ssh-keyscan.c openssh-8.0p1-new/ssh-keyscan.c
+--- openssh-8.0p1/ssh-keyscan.c 2023-03-17 11:17:11.269000000 -0400
++++ openssh-8.0p1-new/ssh-keyscan.c 2023-03-17 11:32:15.488000000 -0400
+@@ -470,7 +470,15 @@
+ confree(s);
+ return;
+ }
+-
++ /*
++ * Read the server banner as per RFC4253 section 4.2. The "SSH-"
++ * protocol identification string may be preceeded by an arbitarily
++ * large banner which we must read and ignore. Loop while reading
++ * newline-terminated lines until we have one starting with "SSH-".
++ * The ID string cannot be longer than 255 characters although the
++ * preceeding banner lines may (in which case they'll be discarded
++ * in multiple iterations of the outer loop).
++ */
+ for (;;) {
+ memset(buf, '\0', sizeof(buf));
+ bufsiz = sizeof(buf);
+@@ -498,6 +506,11 @@
+ conrecycle(s);
+ return;
+ }
++ if (cp >= buf + sizeof(buf)) {
++ error("%s: greeting exceeds allowable length", c->c_name);
++ confree(s);
++ return;
++ }
+ if (*cp != '\n' && *cp != '\r') {
+ error("%s: bad greeting", c->c_name);
+ confree(s);
diff --git a/openssh.spec b/openssh.spec
index b738161..a4919f4 100644
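Review bot: The new file's own header, `diff --color -ru openssh-8.0p1/ssh-keyscan.c openssh-8.0p1-new/ssh-keyscan.c`, shows it was generated against an 8.0p1 tree while the file is named openssh-9.1p1-fix-onebyte-buffer-overflow.patch, and the patch carries no description of what it backports; the same mismatch recurs in openssh-8.3p1-fix-desynchronised-utimes-failed.patch in the second commit. The stray `--color` token and the bare `@@ -470,7 +470,15 @@` headers without function context suggest the diff was cut from an interactive run rather than produced with `diff -up` or `git format-patch`, which would also have recorded which function the guard lands in (the enclosing function is outside the hunk here). Naming the file after the tree it was diffed against and adding a header line above `diff`, e.g. `Backport of upstream ff89b1bed80721295555bd083b173247a9c0484e (ssh-keyscan: strictly enforce the maximum SSH2 banner size)`, would make the provenance checkable from the patch alone. The added `if (cp >= buf + sizeof(buf))` guard sits before the `*cp` dereferences that follow, which is the right ordering; whether the read loop above can actually exit with cp at exactly buf + sizeof(buf) cannot be confirmed from the three context lines shown.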
--- a/openssh.spec
+++ b/openssh.spec
@@ -280,6 +280,8 @@ Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch
 # fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu
 Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch
 # End
+# Fix a one-byte overflow in SSH-banner processing
+Patch1003: openssh-9.1p1-fix-onebyte-buffer-overflow.patch
 License: BSD
 Group: Applications/Internet
@@ -520,6 +522,7 @@ popd
 %patch1001 -p1
 %patch1002 -p1
+%patch1003 -p1
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-- 
Gitee

From eb6c44f550d85f76a748b475f54c62ace3cf8f98 Mon Sep 17 00:00:00 2001
From: jiangyong
Date: Fri, 17 Mar 2023 16:42:18 +0800
Subject: [PATCH 2/2] another case where a utimes() failure could make scp send

when receiving files, scp(1) could be become desynchronised if a utimes(2) system call failed. This could allow file contents to be interpreted as file metadata and thereby permit an adversary to craft a file system that, when copied with scp(1) in a configuration that caused utimes(2) to fail (e.g. under a SELinux policy or syscall sandbox), transferred different file names and contents to the actual file system layout.

Upstream:https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1
---
 ...sh-8.3p1-fix-desynchronised-utimes-failed.patch | 14 ++++++++++++++
 openssh.spec | 3 +++
 2 files changed, 17 insertions(+)
 create mode 100644 openssh-8.3p1-fix-desynchronised-utimes-failed.patch

diff --git a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch
new file mode 100644
index 0000000..d522f28
--- /dev/null
+++ b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch
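Review bot: `Patch1003:` and its comment are added below the `# End` marker that appears to close the preceding patch block, so the new entry sits outside the group its number continues; placing the two added lines above `# End` keeps the marker accurate. Neither this hunk nor the `%patch1003 -p1` hunk at line 520 shows a Release bump or a %changelog entry, so unless those are updated elsewhere in the spec the fixed build is not distinguishable from the vulnerable one by version.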
@@ -0,0 +1,14 @@
+diff --color -ru openssh-8.0p1/scp.c openssh-8.0p1-new/scp.c
+--- openssh-8.0p1/scp.c 2023-03-17 16:27:55.831000000 -0400
++++ openssh-8.0p1-new/scp.c 2023-03-17 16:29:49.246000000 -0400
+@@ -1431,9 +1431,7 @@
+ sink(1, vect, src);
+ if (setimes) {
+ setimes = 0;
+- if (utimes(vect[0], tv) < 0)
+- run_err("%s: set times: %s",
+- vect[0], strerror(errno));
++ (void) utimes(vect[0], tv);
+ }
+ if (mod_flag)
+ (void) chmod(vect[0], mode);
diff --git a/openssh.spec b/openssh.spec
index a4919f4..ff8daf8 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -282,6 +282,8 @@ Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch
 # End
 # Fix a one-byte overflow in SSH-banner processing
 Patch1003: openssh-9.1p1-fix-onebyte-buffer-overflow.patch
+Patch1003: openssh-9.1p1-fix-onebyte-buffer-overflow.patch
+Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch
 License: BSD
 Group: Applications/Internet
@@ -523,6 +525,7 @@ popd
 %patch1001 -p1
 %patch1002 -p1
 %patch1003 -p1
+%patch1004 -p1
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-- 
Gitee
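Review bot: The replacement line `(void) utimes(vect[0], tv);` drops the diagnostic entirely, so a failed utimes() now leaves no trace on either side, and nothing in the hunk records why; presumably the point is that `run_err()` writes an error record into the protocol stream at a moment the peer is not expecting a reply, which is what the commit message describes as desynchronisation. A comment above the call, e.g. `/* do not run_err() here: a reply at this point desynchronises the transfer */`, would stop the next maintainer from restoring the check. If scp.c has a local-only warning path that never touches the wire, reporting the failure through it would keep the fix without losing observability; the enclosing function is outside the hunk, so that cannot be confirmed here. The `(void) chmod(vect[0], mode);` two lines down already follows the same silent pattern, so the style at least matches its surroundings.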
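Review bot: The added `+Patch1003: openssh-9.1p1-fix-onebyte-buffer-overflow.patch` repeats the `Patch1003:` line already present as context directly above it, so the spec ends up defining Patch1003 twice; drop the duplicate so the hunk adds only `Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch`. Depending on the rpmbuild version a repeated PatchN tag is either rejected or silently overrides the earlier definition, and either way it will trip the next rebase. Patch1004 also lacks the one-line `#` comment that Patch1003 carries; `# Fix scp(1) desynchronisation when utimes(2) fails` above it keeps the block consistent.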