From 7de95a26d2713761a46db70dc4c451ed6b3f822c Mon Sep 17 00:00:00 2001
From: jiangyong
Date: Mon, 20 Mar 2023 19:32:24 +0800
Subject: [PATCH 1/7] a desynchronising error; detail: scp(1): when receiving files, scp(1) could be become desynchronised if a utimes(2) system call failed. This could allow file contents to be interpreted as file metadata and thereby permit an adversary to craft a file system that, when copied with scp(1) in a configuration that caused utimes(2) to fail (e.g. under a SELinux policy or syscall sandbox), transferred different file names and contents to the actual file system layout. upstream:https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1
---
 ...sh-8.3p1-fix-desynchronised-utimes-failed.patch | 14 ++++++++++++++
 openssh.spec | 7 ++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 openssh-8.3p1-fix-desynchronised-utimes-failed.patch
diff --git a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch
new file mode 100644
index 0000000..d522f28
--- /dev/null
+++ b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch
@@ -0,0 +1,14 @@
+diff --color -ru openssh-8.0p1/scp.c openssh-8.0p1-new/scp.c
+--- openssh-8.0p1/scp.c 2023-03-17 16:27:55.831000000 -0400
++++ openssh-8.0p1-new/scp.c 2023-03-17 16:29:49.246000000 -0400
+@@ -1431,9 +1431,7 @@
+ sink(1, vect, src);
+ if (setimes) {
+ setimes = 0;
+- if (utimes(vect[0], tv) < 0)
+- run_err("%s: set times: %s",
+- vect[0], strerror(errno));
++ (void) utimes(vect[0], tv);
+ }
+ if (mod_flag)
+ (void) chmod(vect[0], mode);
diff --git a/openssh.spec b/openssh.spec
index 8eacb8d..5755871 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.2
+%define anolis_release .0.3
 # Do we want SELinux & Audit
 %if 0%{?!noselinux:1}
 %global WITH_SELINUX 1
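Review bot: The backported hunk replaces the utimes() error report only in the directory branch of sink(), right after `sink(1, vect, src)`, and the commit subject calls this "another case", so it closes the desynchronisation only if the earlier upstream fix for the regular-file utimes() branch later in sink() is already present in this 8.0p1 tree; that branch lies outside the hunk and cannot be confirmed from the patch, so it should be checked before merging. If it still reports the failure through run_err(), it needs the same treatment — drop the run_err() call and discard the utimes() result with `(void)` — because, as the commit message explains, the error reply is what lets file contents be read as file metadata by the receiving side. The patch file is named openssh-8.3p1-… while the diff is taken against openssh-8.0p1/scp.c; naming it after the tree it applies to avoids confusion at the next rebase. sink() starts and ends outside the hunk.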
@@ -282,6 +282,7 @@ Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch
 # End
 # Fix a one-byte overflow in SSH-banner processing
 Patch1003: openssh-9.1p1-fix-onebyte-buffer-overflow.patch
+Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch
 
 License: BSD
 Group: Applications/Internet
@@ -523,6 +524,7 @@ popd
 %patch1001 -p1
 %patch1002 -p1
 %patch1003 -p1
+%patch1004 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -808,6 +810,9 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Mon Mar 20 2023 JiangYong - 8.0p1-16.0.3
+- another case where a utimes() failure could make scp send
+
 * Sat Mar 18 2023 JiangYong - 8.0p1-16.0.2
 - Fix a one-byte overflow in SSH-banner processing
 
-- Gitee
From 9f82f83bed4743df287b599b366667f6ec00e526 Mon Sep 17 00:00:00 2001
From: qhw01063182
Date: Thu, 11 May 2023 16:16:01 +0800
Subject: [PATCH 2/7] update to openssh-8.0p1-17.el8_7
Signed-off-by: qhw01063182
---
 1000-openssh-anolis-fix-seccomp-error.patch | 26 -----------
 1001-openssh-8.1p1-seccomp-nanosleep.patch | 44 -------------------
 dist | 2 +-
 openssh-8.0p1-ipv6-process.patch | 27 ++++++++++++
 ...3p1-fix-desynchronised-utimes-failed.patch | 14 ------
 ...sh-9.1p1-fix-onebyte-buffer-overflow.patch | 32 --------------
 openssh.spec | 36 ++++-----------
 7 files changed, 36 insertions(+), 145 deletions(-)
 delete mode 100644 1000-openssh-anolis-fix-seccomp-error.patch
 delete mode 100644 1001-openssh-8.1p1-seccomp-nanosleep.patch
 create mode 100644 openssh-8.0p1-ipv6-process.patch
 delete mode 100644 openssh-8.3p1-fix-desynchronised-utimes-failed.patch
 delete mode 100644 openssh-9.1p1-fix-onebyte-buffer-overflow.patch
diff --git a/1000-openssh-anolis-fix-seccomp-error.patch b/1000-openssh-anolis-fix-seccomp-error.patch
deleted file mode 100644
index f398ce9..0000000
--- a/1000-openssh-anolis-fix-seccomp-error.patch
+++ /dev/null
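Review bot: The new %changelog entry `- another case where a utimes() failure could make scp send` stops mid-sentence: it copies only the first line of the upstream subject and never says what scp sends or what was fixed, and the identical truncated line is reintroduced by the 6/7 hunk on openssh.spec. Suggest `- Fix scp desynchronisation when utimes() fails (upstream 955854cafca8)` so the changelog states the fix and its provenance, which is what anyone auditing this package for that issue will search for.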
@@ -1,26 +0,0 @@
-diff -Nur openssh-8.0p1/configure openssh-8.0p1.new/configure
---- openssh-8.0p1/configure 2021-10-29 10:17:53.162420064 +0800
-+++ openssh-8.0p1.new/configure 2021-10-29 10:24:52.638846543 +0800
-@@ -7875,6 +7875,9 @@
- aarch64*-*)
- seccomp_audit_arch=AUDIT_ARCH_AARCH64
- ;;
-+ loongarch64*-*)
-+ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64
-+ ;;
- s390x-*)
- seccomp_audit_arch=AUDIT_ARCH_S390X
- ;;
-diff -Nur openssh-8.0p1/configure.ac openssh-8.0p1.new/configure.ac
---- openssh-8.0p1/configure.ac 2021-10-29 10:17:49.986802431 +0800
-+++ openssh-8.0p1.new/configure.ac 2021-10-29 10:25:31.102923736 +0800
-@@ -882,6 +882,9 @@
- aarch64*-*)
- seccomp_audit_arch=AUDIT_ARCH_AARCH64
- ;;
-+ loongarch64*-*)
-+ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64
-+ ;;
- s390x-*)
- seccomp_audit_arch=AUDIT_ARCH_S390X
- ;;
diff --git a/1001-openssh-8.1p1-seccomp-nanosleep.patch b/1001-openssh-8.1p1-seccomp-nanosleep.patch
deleted file mode 100644
index 4ff852c..0000000
--- a/1001-openssh-8.1p1-seccomp-nanosleep.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-commit 7e929163ed40f9ce90060a3ca6df558c3d901379
-Author: Jakub Jelen
-Date: Wed Nov 13 12:57:05 2019 +0100
-
- seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70b..be239767 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_nanosleep
- SC_ALLOW(__NR_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep
-+ SC_ALLOW(__NR_clock_nanosleep),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
-
-commit 500c30eaf88f26e4a74b06717fe04afec7a7516f
-Author: Jakub Jelen
-Date: Wed Nov 27 11:06:55 2019 +0100
-
- sandbox-seccomp: Allow clock_nanosleep on ARM
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index be239767..3ef30c9d 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_clock_nanosleep
- SC_ALLOW(__NR_clock_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep_time64
-+ SC_ALLOW(__NR_clock_nanosleep_time64),
-+#endif
-+#ifdef __NR_clock_gettime64
-+ SC_ALLOW(__NR_clock_gettime64),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
diff --git a/dist b/dist
index 9c0e36e..535c690 100644
--- a/dist
+++ b/dist
@@ -1 +1 @@
-an8
+an8_7
diff --git a/openssh-8.0p1-ipv6-process.patch b/openssh-8.0p1-ipv6-process.patch
new file mode 100644
index 0000000..cb76938
--- /dev/null
+++ b/openssh-8.0p1-ipv6-process.patch
@@ -0,0 +1,27 @@
+diff --git a/sftp.c b/sftp.c
+index 04881c83..03c7a5c7 100644
+--- a/sftp.c
++++ b/sftp.c
+@@ -2527,12 +2527,17 @@ main(int argc, char **argv)
+ port = tmp;
+ break;
+ default:
++ /* Try with user, host and path. */
+ if (parse_user_host_path(*argv, &user, &host,
+- &file1) == -1) {
+- /* Treat as a plain hostname. */
+- host = xstrdup(*argv);
+- host = cleanhostname(host);
+- }
++ &file1) == 0)
++ break;
++ /* Try with user and host. */
++ if (parse_user_host_port(*argv, &user, &host, NULL)
++ == 0)
++ break;
++ /* Treat as a plain hostname. */
++ host = xstrdup(*argv);
++ host = cleanhostname(host);
+ break;
+ }
+ file2 = *(argv + 1);
diff --git a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch
deleted file mode 100644
index d522f28..0000000
--- a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --color -ru openssh-8.0p1/scp.c openssh-8.0p1-new/scp.c
---- openssh-8.0p1/scp.c 2023-03-17 16:27:55.831000000 -0400
-+++ openssh-8.0p1-new/scp.c 2023-03-17 16:29:49.246000000 -0400
-@@ -1431,9 +1431,7 @@
- sink(1, vect, src);
- if (setimes) {
- setimes = 0;
-- if (utimes(vect[0], tv) < 0)
-- run_err("%s: set times: %s",
-- vect[0], strerror(errno));
-+ (void) utimes(vect[0], tv);
- }
- if (mod_flag)
- (void) chmod(vect[0], mode);
diff --git a/openssh-9.1p1-fix-onebyte-buffer-overflow.patch b/openssh-9.1p1-fix-onebyte-buffer-overflow.patch
deleted file mode 100644
index aba9ee3..0000000
--- a/openssh-9.1p1-fix-onebyte-buffer-overflow.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-diff --color -ru openssh-8.0p1/ssh-keyscan.c openssh-8.0p1-new/ssh-keyscan.c
---- openssh-8.0p1/ssh-keyscan.c 2023-03-17 11:17:11.269000000 -0400
-+++ openssh-8.0p1-new/ssh-keyscan.c 2023-03-17 11:32:15.488000000 -0400
-@@ -470,7 +470,15 @@
- confree(s);
- return;
- }
--
-+ /*
-+ * Read the server banner as per RFC4253 section 4.2. The "SSH-"
-+ * protocol identification string may be preceeded by an arbitarily
-+ * large banner which we must read and ignore. Loop while reading
-+ * newline-terminated lines until we have one starting with "SSH-".
-+ * The ID string cannot be longer than 255 characters although the
-+ * preceeding banner lines may (in which case they'll be discarded
-+ * in multiple iterations of the outer loop).
-+ */
- for (;;) {
- memset(buf, '\0', sizeof(buf));
- bufsiz = sizeof(buf);
-@@ -498,6 +506,11 @@
- conrecycle(s);
- return;
- }
-+ if (cp >= buf + sizeof(buf)) {
-+ error("%s: greeting exceeds allowable length", c->c_name);
-+ confree(s);
-+ return;
-+ }
- if (*cp != '\n' && *cp != '\r') {
- error("%s: bad greeting", c->c_name);
- confree(s);
diff --git a/openssh.spec b/openssh.spec
index 5755871..34a50f0 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,4 +1,3 @@
-%define anolis_release .0.3
 # Do we want SELinux & Audit
 %if 0%{?!noselinux:1}
 %global WITH_SELINUX 1
@@ -67,14 +66,14 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 16
+%global openssh_rel 17
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel}
+Release: %{openssh_rel}%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -273,16 +272,8 @@ Patch984: openssh-8.0p1-crypto-policy-doc.patch
 # 0fa33683223c76289470a954404047bc762be84c
 # f8df0413f0a057b6a3d3dd7bd8bc7c5d80911d3a
 Patch985: openssh-8.7p1-minimize-sha1-use.patch
-
-Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch
-
-# Add by Anolis
-# fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu
-Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch
-# End
-# Fix a one-byte overflow in SSH-banner processing
-Patch1003: openssh-9.1p1-fix-onebyte-buffer-overflow.patch
-Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch
+# Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6
+Patch987: openssh-8.0p1-ipv6-process.patch
 
 License: BSD
 Group: Applications/Internet
@@ -375,7 +366,7 @@ Requires: openssh = %{version}-%{release}
 Summary: PAM module for authentication with ssh-agent
 Group: System Environment/Base
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel}
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
 License: BSD
 
 %description
@@ -514,6 +505,7 @@ popd
 %patch983 -p1 -b .sftp-realpath
 %patch984 -p1 -b .crypto-policy-doc
 %patch985 -p1 -b .minimize-sha1-use
+%patch987 -p1 -b .sftp_ipv6
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -521,11 +513,6 @@ popd
 
 %patch100 -p1 -b .coverity
 
-%patch1001 -p1
-%patch1002 -p1
-%patch1003 -p1
-%patch1004 -p1
-
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 autoreconf
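Review bot: This rebase hunk deletes Patch1001 through Patch1004 from the patch list — including the two security backports, the ssh-keyscan one-byte overflow fix (Patch1003) and the scp utimes() desynchronisation fix (Patch1004) — and the companion hunks at `%patch1001 -p1` … `%patch1004 -p1` and in %changelog drop their application and history, while commits 3/7 to 6/7 of this series add every one of them back. As committed, the intermediate 8.0p1-17 state builds without those fixes and its changelog records no removal, which breaks bisecting and, if the series is ever applied only partially, ships a regressed package. Either squash the re-adds into this commit or carry the downstream patches through the rebase and state the reason in the changelog entry added by the @@ -810 hunk.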
@@ -810,15 +797,8 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
-* Mon Mar 20 2023 JiangYong - 8.0p1-16.0.3
-- another case where a utimes() failure could make scp send
-
-* Sat Mar 18 2023 JiangYong - 8.0p1-16.0.2
-- Fix a one-byte overflow in SSH-banner processing
-
-* Thu Dec 29 2022 Weitao Zhou - 8.0p1-16.0.1
-- seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32
-- Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com)
+* Mon Jan 23 2023 Dmitry Belyavskiy - 8.0p1-17
+- Fix parsing of IPv6 IPs in sftp client (#2162733)
 
 * Wed Jun 29 2022 Zoltan Fridrich - 8.0p1-16
 - Omit client side from minimize-sha1-use.patch to prevent regression (#2093897)
-- Gitee
From 7afee78dce3aac99a811c4888d450d129d2d44a5 Mon Sep 17 00:00:00 2001
From: songmingliang
Date: Fri, 22 Apr 2022 14:02:21 +0800
Subject: [PATCH 3/7] seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32
---
 1001-openssh-8.1p1-seccomp-nanosleep.patch | 44 ++++++++++++++++++++++
 openssh.spec | 12 +++++-
 2 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 1001-openssh-8.1p1-seccomp-nanosleep.patch
diff --git a/1001-openssh-8.1p1-seccomp-nanosleep.patch b/1001-openssh-8.1p1-seccomp-nanosleep.patch
new file mode 100644
index 0000000..4ff852c
--- /dev/null
+++ b/1001-openssh-8.1p1-seccomp-nanosleep.patch
@@ -0,0 +1,44 @@
+commit 7e929163ed40f9ce90060a3ca6df558c3d901379
+Author: Jakub Jelen
+Date: Wed Nov 13 12:57:05 2019 +0100
+
+ seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index b5cda70b..be239767 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_nanosleep
+ SC_ALLOW(__NR_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep
++ SC_ALLOW(__NR_clock_nanosleep),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
+
+commit 500c30eaf88f26e4a74b06717fe04afec7a7516f
+Author: Jakub Jelen
+Date: Wed Nov 27 11:06:55 2019 +0100
+
+ sandbox-seccomp: Allow clock_nanosleep on ARM
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index be239767..3ef30c9d 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep_time64
++ SC_ALLOW(__NR_clock_nanosleep_time64),
++#endif
++#ifdef __NR_clock_gettime64
++ SC_ALLOW(__NR_clock_gettime64),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif
diff --git a/openssh.spec b/openssh.spec
index 34a50f0..15fe689 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.1
 # Do we want SELinux & Audit
 %if 0%{?!noselinux:1}
 %global WITH_SELINUX 1
@@ -73,7 +74,7 @@
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}
+Release: %{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -275,6 +276,8 @@ Patch985: openssh-8.7p1-minimize-sha1-use.patch
 # Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6
 Patch987: openssh-8.0p1-ipv6-process.patch
 
+Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch
+
 License: BSD
 Group: Applications/Internet
 Requires: /sbin/nologin
@@ -366,7 +369,7 @@ Requires: openssh = %{version}-%{release}
 Summary: PAM module for authentication with ssh-agent
 Group: System Environment/Base
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel}
 License: BSD
 
 %description
@@ -513,6 +516,8 @@ popd
 
 %patch100 -p1 -b .coverity
 
+%patch1001 -p1
+
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 autoreconf
@@ -797,6 +802,9 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Thu May 11 2023 Weitao Zhou - 8.0p1-17.0.1
+- seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32
+
 * Mon Jan 23 2023 Dmitry Belyavskiy - 8.0p1-17
 - Fix parsing of IPv6 IPs in sftp client (#2162733)
 
-- Gitee
From 2bafd910baa3d1873d542f5eb5a1ab8e69a8af30 Mon Sep 17 00:00:00 2001
From: songmingliang
Date: Fri, 22 Apr 2022 14:04:11 +0800
Subject: [PATCH 4/7] build: support loongarch64 seccomp_filter sandbox
---
 1000-openssh-anolis-fix-seccomp-error.patch | 26 +++++++++++++++++++++
 openssh.spec | 7 ++++++
 2 files changed, 33 insertions(+)
 create mode 100644 1000-openssh-anolis-fix-seccomp-error.patch
diff --git a/1000-openssh-anolis-fix-seccomp-error.patch b/1000-openssh-anolis-fix-seccomp-error.patch
new file mode 100644
index 0000000..f398ce9
--- /dev/null
+++ b/1000-openssh-anolis-fix-seccomp-error.patch
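Review bot: The new `Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch` line carries no provenance, although the context directly above it shows the convention `# Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6` for Patch987 and the patch file itself embeds the upstream ids. Suggest `# Upstream 7e929163ed40f9ce90060a3ca6df558c3d901379 500c30eaf88f26e4a74b06717fe04afec7a7516f` above Patch1001. The same is missing for Patch1003 in the 5/7 spec hunk (upstream ff89b1bed80721295555bd083b173247a9c0484e is named only in that commit's message) and for Patch1004 in the 6/7 spec hunk (upstream 955854cafca88e0cdcd3d09ca1ad4ada465364a1); someone auditing the seccomp allow-list or the security backports should not have to open each patch file to find what it tracks.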
@@ -0,0 +1,26 @@
+diff -Nur openssh-8.0p1/configure openssh-8.0p1.new/configure
+--- openssh-8.0p1/configure 2021-10-29 10:17:53.162420064 +0800
++++ openssh-8.0p1.new/configure 2021-10-29 10:24:52.638846543 +0800
+@@ -7875,6 +7875,9 @@
+ aarch64*-*)
+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
+ ;;
++ loongarch64*-*)
++ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64
++ ;;
+ s390x-*)
+ seccomp_audit_arch=AUDIT_ARCH_S390X
+ ;;
+diff -Nur openssh-8.0p1/configure.ac openssh-8.0p1.new/configure.ac
+--- openssh-8.0p1/configure.ac 2021-10-29 10:17:49.986802431 +0800
++++ openssh-8.0p1.new/configure.ac 2021-10-29 10:25:31.102923736 +0800
+@@ -882,6 +882,9 @@
+ aarch64*-*)
+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
+ ;;
++ loongarch64*-*)
++ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64
++ ;;
+ s390x-*)
+ seccomp_audit_arch=AUDIT_ARCH_S390X
+ ;;
diff --git a/openssh.spec b/openssh.spec
index 15fe689..5c3361b 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -278,6 +278,11 @@ Patch987: openssh-8.0p1-ipv6-process.patch
 
 Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch
 
+# Add by Anolis
+# fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu
+Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch
+# End
+
 License: BSD
 Group: Applications/Internet
 Requires: /sbin/nologin
@@ -517,6 +522,7 @@ popd
 %patch100 -p1 -b .coverity
 
 %patch1001 -p1
+%patch1002 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -804,6 +810,7 @@ getent passwd sshd >/dev/null || \
 %changelog
 * Thu May 11 2023 Weitao Zhou - 8.0p1-17.0.1
 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32
+- Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com)
 
 * Mon Jan 23 2023 Dmitry Belyavskiy - 8.0p1-17
 - Fix parsing of IPv6 IPs in sftp client (#2162733)
-- Gitee
From a7f27136b23e633b3fd6a9eba14d118f2e63d4d3 Mon Sep 17 00:00:00 2001
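Review bot: `seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64` only tells configure which constant to hand to the seccomp sandbox; it does not verify that the build host's linux/audit.h defines that macro, so on kernel headers that predate the loongarch64 audit arch the sandbox will presumably fail at compile time instead of being reported as unsupported by configure — a headers check, or at least a note in the `# Add by Anolis` comment about the minimum headers required, would make that failure mode explicit. The hunk against the generated `configure` is also redundant: the %prep section visible in the `%patch1002 -p1` hunk runs `autoreconf` after patching, which regenerates configure from configure.ac, so only the configure.ac hunk is needed and the other one just adds conflict surface at the next rebase.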
From: jiangyong
Date: Fri, 17 Mar 2023 15:34:08 +0800
Subject: [PATCH 5/7] Fix a one-byte overflow in SSH-banner processing Strictly enforce the maximum allowed SSH2 banner size in ssh-keyscan and prevent a one-byte buffer overflow. Upstream: https://github.com/openssh/openssh-portable/commit/ff89b1bed80721295555bd083b173247a9c0484e
---
 ...sh-9.1p1-fix-onebyte-buffer-overflow.patch | 32 +++++++++++++++++++
 openssh.spec | 4 +++
 2 files changed, 36 insertions(+)
 create mode 100644 openssh-9.1p1-fix-onebyte-buffer-overflow.patch
diff --git a/openssh-9.1p1-fix-onebyte-buffer-overflow.patch b/openssh-9.1p1-fix-onebyte-buffer-overflow.patch
new file mode 100644
index 0000000..aba9ee3
--- /dev/null
+++ b/openssh-9.1p1-fix-onebyte-buffer-overflow.patch
@@ -0,0 +1,32 @@
+diff --color -ru openssh-8.0p1/ssh-keyscan.c openssh-8.0p1-new/ssh-keyscan.c
+--- openssh-8.0p1/ssh-keyscan.c 2023-03-17 11:17:11.269000000 -0400
++++ openssh-8.0p1-new/ssh-keyscan.c 2023-03-17 11:32:15.488000000 -0400
+@@ -470,7 +470,15 @@
+ confree(s);
+ return;
+ }
+-
++ /*
++ * Read the server banner as per RFC4253 section 4.2. The "SSH-"
++ * protocol identification string may be preceeded by an arbitarily
++ * large banner which we must read and ignore. Loop while reading
++ * newline-terminated lines until we have one starting with "SSH-".
++ * The ID string cannot be longer than 255 characters although the
++ * preceeding banner lines may (in which case they'll be discarded
++ * in multiple iterations of the outer loop).
++ */
+ for (;;) {
+ memset(buf, '\0', sizeof(buf));
+ bufsiz = sizeof(buf);
+@@ -498,6 +506,11 @@
+ conrecycle(s);
+ return;
+ }
++ if (cp >= buf + sizeof(buf)) {
++ error("%s: greeting exceeds allowable length", c->c_name);
++ confree(s);
++ return;
++ }
+ if (*cp != '\n' && *cp != '\r') {
+ error("%s: bad greeting", c->c_name);
+ confree(s);
diff --git a/openssh.spec b/openssh.spec
index 5c3361b..19fcefe 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -282,6 +282,8 @@ Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch
 # fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu
 Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch
 # End
+# Fix a one-byte overflow in SSH-banner processing
+Patch1003: openssh-9.1p1-fix-onebyte-buffer-overflow.patch
 
 License: BSD
 Group: Applications/Internet
@@ -523,6 +525,7 @@ popd
 
 %patch1001 -p1
 %patch1002 -p1
+%patch1003 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -811,6 +814,7 @@ getent passwd sshd >/dev/null || \
 * Thu May 11 2023 Weitao Zhou - 8.0p1-17.0.1
 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32
 - Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com)
+- Fix a one-byte overflow in SSH-banner processing
 
 * Mon Jan 23 2023 Dmitry Belyavskiy - 8.0p1-17
 - Fix parsing of IPv6 IPs in sftp client (#2162733)
-- Gitee
From 0e6f8cb1e0b7378c21353f29edc9f5f44e9cb564 Mon Sep 17 00:00:00 2001
From: jiangyong
Date: Mon, 20 Mar 2023 19:32:24 +0800
Subject: [PATCH 6/7] another case where a utimes() failure could make scp send a desynchronising error; detail: scp(1): when receiving files, scp(1) could be become desynchronised if a utimes(2) system call failed. This could allow file contents to be interpreted as file metadata and thereby permit an adversary to craft a file system that, when copied with scp(1) in a configuration that caused utimes(2) to fail (e.g. under a SELinux policy or syscall sandbox), transferred different file names and contents to the actual file system layout. upstream url: https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1
---
 ...sh-8.3p1-fix-desynchronised-utimes-failed.patch | 14 ++++++++++++++
 openssh.spec | 5 ++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 openssh-8.3p1-fix-desynchronised-utimes-failed.patch
diff --git a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch
new file mode 100644
index 0000000..d522f28
--- /dev/null
+++ b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch
@@ -0,0 +1,14 @@
+diff --color -ru openssh-8.0p1/scp.c openssh-8.0p1-new/scp.c
+--- openssh-8.0p1/scp.c 2023-03-17 16:27:55.831000000 -0400
++++ openssh-8.0p1-new/scp.c 2023-03-17 16:29:49.246000000 -0400
+@@ -1431,9 +1431,7 @@
+ sink(1, vect, src);
+ if (setimes) {
+ setimes = 0;
+- if (utimes(vect[0], tv) < 0)
+- run_err("%s: set times: %s",
+- vect[0], strerror(errno));
++ (void) utimes(vect[0], tv);
+ }
+ if (mod_flag)
+ (void) chmod(vect[0], mode);
diff --git a/openssh.spec b/openssh.spec
index 19fcefe..5320e01 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -284,6 +284,7 @@ Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch
 # End
 # Fix a one-byte overflow in SSH-banner processing
 Patch1003: openssh-9.1p1-fix-onebyte-buffer-overflow.patch
+Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch
 
 License: BSD
 Group: Applications/Internet
@@ -526,6 +527,7 @@ popd
 %patch1001 -p1
 %patch1002 -p1
 %patch1003 -p1
+%patch1004 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -814,7 +816,8 @@ getent passwd sshd >/dev/null || \
 * Thu May 11 2023 Weitao Zhou - 8.0p1-17.0.1
 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32
 - Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com)
-- Fix a one-byte overflow in SSH-banner processing
+- Fix a one-byte overflow in SSH-banner processing (jiang.yong5@zte.com.cn)
+- another case where a utimes() failure could make scp send (jiang.yong5@zte.com.cn)
 
 * Mon Jan 23 2023 Dmitry Belyavskiy - 8.0p1-17
 - Fix parsing of IPv6 IPs in sftp client (#2162733)
-- Gitee
From 30c42e37001afe0081a7b1f83421d1fda0506d1b Mon Sep 17 00:00:00 2001
From: wxiat
Date: Wed, 17 May 2023 14:37:49 +0800
Subject: [PATCH 7/7] add sw 20230517
---
 openssh.spec | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/openssh.spec b/openssh.spec
index 5320e01..877c024 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.1
+%define anolis_release .0.2
 # Do we want SELinux & Audit
 %if 0%{?!noselinux:1}
 %global WITH_SELINUX 1
@@ -285,6 +285,7 @@ Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch
 # Fix a one-byte overflow in SSH-banner processing
 Patch1003: openssh-9.1p1-fix-onebyte-buffer-overflow.patch
 Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch
+Patch10000: openssh-8.0p1-sw.patch
 
 License: BSD
 Group: Applications/Internet
@@ -528,6 +529,7 @@ popd
 %patch1002 -p1
 %patch1003 -p1
 %patch1004 -p1
+%patch10000 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -813,6 +815,9 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Wed May 17 2023 wxiat - 8.0p1-17.0.2
+- add sw patch
+
 * Thu May 11 2023 Weitao Zhou - 8.0p1-17.0.1
 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32
 - Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com)
-- Gitee
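Review bot: `Patch10000: openssh-8.0p1-sw.patch` and `%patch10000 -p1` reference a file this commit does not add — the diffstat lists openssh.spec alone ("1 file changed, 6 insertions(+), 1 deletion(-)") — so unless openssh-8.0p1-sw.patch already exists in the repository, %prep fails at the new %patch line. Neither the Patch line nor the changelog entry `- add sw patch` says what the patch changes or where it comes from, which for a package carrying security backports makes later review and rebasing hard; suggest a comment above the Patch line of the form `# <what openssh-8.0p1-sw.patch changes and its origin>` and a changelog line that names the change rather than the file.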