From 6f4a6807d97d1420a2dc47c6674431d2ca1378c9 Mon Sep 17 00:00:00 2001 From: Renbo Date: Wed, 24 May 2023 15:27:39 +0800 Subject: [PATCH 1/4] update to openssh-8.0p1-17.el8 Signed-off-by: Renbo --- 1000-openssh-anolis-fix-seccomp-error.patch | 26 ----------- 1001-openssh-8.1p1-seccomp-nanosleep.patch | 44 ------------------- dist | 2 +- openssh-8.0p1-sshd_include.patch | 13 ++++++ ...3p1-fix-desynchronised-utimes-failed.patch | 14 ------ ...sh-9.1p1-fix-onebyte-buffer-overflow.patch | 32 -------------- openssh-9.1p1-sshbanner.patch | 32 ++++++++++++++ openssh.spec | 36 +++++---------- 8 files changed, 56 insertions(+), 143 deletions(-) delete mode 100644 1000-openssh-anolis-fix-seccomp-error.patch delete mode 100644 1001-openssh-8.1p1-seccomp-nanosleep.patch delete mode 100644 openssh-8.3p1-fix-desynchronised-utimes-failed.patch delete mode 100644 openssh-9.1p1-fix-onebyte-buffer-overflow.patch create mode 100644 openssh-9.1p1-sshbanner.patch diff --git a/1000-openssh-anolis-fix-seccomp-error.patch b/1000-openssh-anolis-fix-seccomp-error.patch deleted file mode 100644 index f398ce9..0000000 --- a/1000-openssh-anolis-fix-seccomp-error.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff -Nur openssh-8.0p1/configure openssh-8.0p1.new/configure ---- openssh-8.0p1/configure 2021-10-29 10:17:53.162420064 +0800 -+++ openssh-8.0p1.new/configure 2021-10-29 10:24:52.638846543 +0800 -@@ -7875,6 +7875,9 @@ - aarch64*-*) - seccomp_audit_arch=AUDIT_ARCH_AARCH64 - ;; -+ loongarch64*-*) -+ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 -+ ;; - s390x-*) - seccomp_audit_arch=AUDIT_ARCH_S390X - ;; -diff -Nur openssh-8.0p1/configure.ac openssh-8.0p1.new/configure.ac ---- openssh-8.0p1/configure.ac 2021-10-29 10:17:49.986802431 +0800 -+++ openssh-8.0p1.new/configure.ac 2021-10-29 10:25:31.102923736 +0800 -@@ -882,6 +882,9 @@ - aarch64*-*) - seccomp_audit_arch=AUDIT_ARCH_AARCH64 - ;; -+ loongarch64*-*) -+ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 -+ ;; - s390x-*) - seccomp_audit_arch=AUDIT_ARCH_S390X - ;; diff --git a/1001-openssh-8.1p1-seccomp-nanosleep.patch b/1001-openssh-8.1p1-seccomp-nanosleep.patch deleted file mode 100644 index 4ff852c..0000000 --- a/1001-openssh-8.1p1-seccomp-nanosleep.patch +++ /dev/null @@ -1,44 +0,0 @@ -commit 7e929163ed40f9ce90060a3ca6df558c3d901379 -Author: Jakub Jelen -Date: Wed Nov 13 12:57:05 2019 +0100 - - seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index b5cda70b..be239767 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_nanosleep - SC_ALLOW(__NR_nanosleep), - #endif -+#ifdef __NR_clock_nanosleep -+ SC_ALLOW(__NR_clock_nanosleep), -+#endif - #ifdef __NR__newselect - SC_ALLOW(__NR__newselect), - #endif - -commit 500c30eaf88f26e4a74b06717fe04afec7a7516f -Author: Jakub Jelen -Date: Wed Nov 27 11:06:55 2019 +0100 - - sandbox-seccomp: Allow clock_nanosleep on ARM - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index be239767..3ef30c9d 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_clock_nanosleep - SC_ALLOW(__NR_clock_nanosleep), - #endif -+#ifdef __NR_clock_nanosleep_time64 -+ SC_ALLOW(__NR_clock_nanosleep_time64), -+#endif -+#ifdef __NR_clock_gettime64 -+ SC_ALLOW(__NR_clock_gettime64), -+#endif - #ifdef __NR__newselect - SC_ALLOW(__NR__newselect), - #endif diff --git a/dist b/dist index 535c690..9c0e36e 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8_7 +an8 diff --git a/openssh-8.0p1-sshd_include.patch b/openssh-8.0p1-sshd_include.patch index 9b634cc..ff51340 100644 --- a/openssh-8.0p1-sshd_include.patch +++ b/openssh-8.0p1-sshd_include.patch @@ -790,3 +790,16 @@ diff -up openssh-8.0p1/sshd.c.sshdinclude openssh-8.0p1/sshd.c dump_config(&options); } +diff -up openssh-8.0p1/sshbuf-getput-basic.c.stringb openssh-8.0p1/sshbuf-getput-basic.c +--- openssh-8.0p1/sshbuf-getput-basic.c.stringb 2022-12-21 12:18:43.274799163 +0100 ++++ openssh-8.0p1/sshbuf-getput-basic.c 2022-12-21 12:19:19.758081516 +0100 +@@ -371,6 +371,9 @@ sshbuf_put_cstring(struct sshbuf *buf, c + int + sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v) + { ++ if (v == NULL) ++ return sshbuf_put_string(buf, NULL, 0); ++ + return sshbuf_put_string(buf, sshbuf_ptr(v), sshbuf_len(v)); + } + diff --git a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch deleted file mode 100644 index d522f28..0000000 --- a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --color -ru openssh-8.0p1/scp.c openssh-8.0p1-new/scp.c ---- openssh-8.0p1/scp.c 2023-03-17 16:27:55.831000000 -0400 -+++ openssh-8.0p1-new/scp.c 2023-03-17 16:29:49.246000000 -0400 -@@ -1431,9 +1431,7 @@ - sink(1, vect, src); - if (setimes) { - setimes = 0; -- if (utimes(vect[0], tv) < 0) -- run_err("%s: set times: %s", -- vect[0], strerror(errno)); -+ (void) utimes(vect[0], tv); - } - if (mod_flag) - (void) chmod(vect[0], mode); diff --git a/openssh-9.1p1-fix-onebyte-buffer-overflow.patch b/openssh-9.1p1-fix-onebyte-buffer-overflow.patch deleted file mode 100644 index aba9ee3..0000000 --- a/openssh-9.1p1-fix-onebyte-buffer-overflow.patch +++ /dev/null @@ -1,32 +0,0 @@ -diff --color -ru openssh-8.0p1/ssh-keyscan.c openssh-8.0p1-new/ssh-keyscan.c ---- openssh-8.0p1/ssh-keyscan.c 2023-03-17 11:17:11.269000000 -0400 -+++ openssh-8.0p1-new/ssh-keyscan.c 2023-03-17 11:32:15.488000000 -0400 -@@ -470,7 +470,15 @@ - confree(s); - return; - } -- -+ /* -+ * Read the server banner as per RFC4253 section 4.2. The "SSH-" -+ * protocol identification string may be preceeded by an arbitarily -+ * large banner which we must read and ignore. Loop while reading -+ * newline-terminated lines until we have one starting with "SSH-". -+ * The ID string cannot be longer than 255 characters although the -+ * preceeding banner lines may (in which case they'll be discarded -+ * in multiple iterations of the outer loop). -+ */ - for (;;) { - memset(buf, '\0', sizeof(buf)); - bufsiz = sizeof(buf); -@@ -498,6 +506,11 @@ - conrecycle(s); - return; - } -+ if (cp >= buf + sizeof(buf)) { -+ error("%s: greeting exceeds allowable length", c->c_name); -+ confree(s); -+ return; -+ } - if (*cp != '\n' && *cp != '\r') { - error("%s: bad greeting", c->c_name); - confree(s); diff --git a/openssh-9.1p1-sshbanner.patch b/openssh-9.1p1-sshbanner.patch new file mode 100644 index 0000000..0e40770 --- /dev/null +++ b/openssh-9.1p1-sshbanner.patch @@ -0,0 +1,32 @@ +diff --git a/ssh-keyscan.c b/ssh-keyscan.c +index d29a03b4..d7283136 100644 +--- a/ssh-keyscan.c ++++ b/ssh-keyscan.c +@@ -490,6 +490,15 @@ congreet(int s) + return; + } + ++ /* ++ * Read the server banner as per RFC4253 section 4.2. The "SSH-" ++ * protocol identification string may be preceeded by an arbitarily ++ * large banner which we must read and ignore. Loop while reading ++ * newline-terminated lines until we have one starting with "SSH-". ++ * The ID string cannot be longer than 255 characters although the ++ * preceeding banner lines may (in which case they'll be discarded ++ * in multiple iterations of the outer loop). ++ */ + for (;;) { + memset(buf, '\0', sizeof(buf)); + bufsiz = sizeof(buf); +@@ -517,6 +526,11 @@ congreet(int s) + conrecycle(s); + return; + } ++ if (cp >= buf + sizeof(buf)) { ++ error("%s: greeting exceeds allowable length", c->c_name); ++ confree(s); ++ return; ++ } + if (*cp != '\n' && *cp != '\r') { + error("%s: bad greeting", c->c_name); + confree(s); diff --git a/openssh.spec b/openssh.spec index 5320e01..cd44e45 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 # Do we want SELinux & Audit %if 0%{?!noselinux:1} %global WITH_SELINUX 1 @@ -74,7 +73,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} +Release: %{openssh_rel}%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -253,6 +252,7 @@ Patch980: openssh-8.7p1-upstream-cve-2021-41617.patch # c2bd7f74b0e0f3a3ee9d19ac549e6ba89013abaf~1..677d0ece67634262b3b96c3cd6410b19f3a603b7 # 8bdc3bb7cf4c82c3344cfcb82495a43406e87e83 # 47adfdc07f4f8ea0064a1495500244de08d311ed~1..7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01 +# supplementary commit 612b1dd1ec91ffb1e01f58cca0c6eb1d47bf4423 Patch981: openssh-8.0p1-sshd_include.patch # Port upstream ClientAliveCountMax behaviour # upstream commit: @@ -273,19 +273,11 @@ Patch984: openssh-8.0p1-crypto-policy-doc.patch # 0fa33683223c76289470a954404047bc762be84c # f8df0413f0a057b6a3d3dd7bd8bc7c5d80911d3a Patch985: openssh-8.7p1-minimize-sha1-use.patch +# Upstream ff89b1bed80721295555bd083b173247a9c0484e +Patch986: openssh-9.1p1-sshbanner.patch # Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6 Patch987: openssh-8.0p1-ipv6-process.patch -Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch - -# Add by Anolis -# fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu -Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch -# End -# Fix a one-byte overflow in SSH-banner processing -Patch1003: openssh-9.1p1-fix-onebyte-buffer-overflow.patch -Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch - License: BSD Group: Applications/Internet Requires: /sbin/nologin @@ -377,7 +369,7 @@ Requires: openssh = %{version}-%{release} Summary: PAM module for authentication with ssh-agent Group: System Environment/Base Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel} License: BSD %description @@ -516,6 +508,7 @@ popd %patch983 -p1 -b .sftp-realpath %patch984 -p1 -b .crypto-policy-doc %patch985 -p1 -b .minimize-sha1-use +%patch986 -p1 -b .banner %patch987 -p1 -b .sftp_ipv6 %patch200 -p1 -b .audit @@ -524,11 +517,6 @@ popd %patch100 -p1 -b .coverity -%patch1001 -p1 -%patch1002 -p1 -%patch1003 -p1 -%patch1004 -p1 - autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} autoreconf @@ -813,14 +801,10 @@ getent passwd sshd >/dev/null || \ %endif %changelog -* Thu May 11 2023 Weitao Zhou - 8.0p1-17.0.1 -- seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 -- Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) -- Fix a one-byte overflow in SSH-banner processing (jiang.yong5@zte.com.cn) -- another case where a utimes() failure could make scp send (jiang.yong5@zte.com.cn) - -* Mon Jan 23 2023 Dmitry Belyavskiy - 8.0p1-17 -- Fix parsing of IPv6 IPs in sftp client (#2162733) +* Tue Dec 20 2022 Dmitry Belyavskiy - 8.0p1-17 +- Fix parsing of IPv6 IPs in sftp client (#2151334) +- Avoid ssh banner one-byte overflow (#2138344) +- Avoid crash of sshd when Include folder does not exist (#2133087) * Wed Jun 29 2022 Zoltan Fridrich - 8.0p1-16 - Omit client side from minimize-sha1-use.patch to prevent regression (#2093897) -- Gitee From 60904f1732073a01515f970fbe8ac84cdf1e5aec Mon Sep 17 00:00:00 2001 From: songmingliang Date: Fri, 22 Apr 2022 14:02:21 +0800 Subject: [PATCH 2/4] seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 --- 1001-openssh-8.1p1-seccomp-nanosleep.patch | 44 ++++++++++++++++++++++ openssh.spec | 12 +++++- 2 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 1001-openssh-8.1p1-seccomp-nanosleep.patch diff --git a/1001-openssh-8.1p1-seccomp-nanosleep.patch b/1001-openssh-8.1p1-seccomp-nanosleep.patch new file mode 100644 index 0000000..4ff852c --- /dev/null +++ b/1001-openssh-8.1p1-seccomp-nanosleep.patch @@ -0,0 +1,44 @@ +commit 7e929163ed40f9ce90060a3ca6df558c3d901379 +Author: Jakub Jelen +Date: Wed Nov 13 12:57:05 2019 +0100 + + seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index b5cda70b..be239767 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_nanosleep + SC_ALLOW(__NR_nanosleep), + #endif ++#ifdef __NR_clock_nanosleep ++ SC_ALLOW(__NR_clock_nanosleep), ++#endif + #ifdef __NR__newselect + SC_ALLOW(__NR__newselect), + #endif + +commit 500c30eaf88f26e4a74b06717fe04afec7a7516f +Author: Jakub Jelen +Date: Wed Nov 27 11:06:55 2019 +0100 + + sandbox-seccomp: Allow clock_nanosleep on ARM + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index be239767..3ef30c9d 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_clock_nanosleep + SC_ALLOW(__NR_clock_nanosleep), + #endif ++#ifdef __NR_clock_nanosleep_time64 ++ SC_ALLOW(__NR_clock_nanosleep_time64), ++#endif ++#ifdef __NR_clock_gettime64 ++ SC_ALLOW(__NR_clock_gettime64), ++#endif + #ifdef __NR__newselect + SC_ALLOW(__NR__newselect), + #endif diff --git a/openssh.spec b/openssh.spec index cd44e45..8f8c8f8 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 # Do we want SELinux & Audit %if 0%{?!noselinux:1} %global WITH_SELINUX 1 @@ -73,7 +74,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist}%{?rescue_rel} +Release: %{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -278,6 +279,8 @@ Patch986: openssh-9.1p1-sshbanner.patch # Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6 Patch987: openssh-8.0p1-ipv6-process.patch +Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch + License: BSD Group: Applications/Internet Requires: /sbin/nologin @@ -369,7 +372,7 @@ Requires: openssh = %{version}-%{release} Summary: PAM module for authentication with ssh-agent Group: System Environment/Base Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel} +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} License: BSD %description @@ -517,6 +520,8 @@ popd %patch100 -p1 -b .coverity +%patch1001 -p1 + autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} autoreconf @@ -801,6 +806,9 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Wed May 24 2023 Weitao Zhou - 8.0p1-17.0.1 +- seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 + * Tue Dec 20 2022 Dmitry Belyavskiy - 8.0p1-17 - Fix parsing of IPv6 IPs in sftp client (#2151334) - Avoid ssh banner one-byte overflow (#2138344) -- Gitee From c8895134057bcdaa68cdb8932343a1b912def38a Mon Sep 17 00:00:00 2001 From: songmingliang Date: Fri, 22 Apr 2022 14:04:11 +0800 Subject: [PATCH 3/4] build: support loongarch64 seccomp_filter sandbox --- 1000-openssh-anolis-fix-seccomp-error.patch | 26 +++++++++++++++++++++ openssh.spec | 7 ++++++ 2 files changed, 33 insertions(+) create mode 100644 1000-openssh-anolis-fix-seccomp-error.patch diff --git a/1000-openssh-anolis-fix-seccomp-error.patch b/1000-openssh-anolis-fix-seccomp-error.patch new file mode 100644 index 0000000..f398ce9 --- /dev/null +++ b/1000-openssh-anolis-fix-seccomp-error.patch @@ -0,0 +1,26 @@ +diff -Nur openssh-8.0p1/configure openssh-8.0p1.new/configure +--- openssh-8.0p1/configure 2021-10-29 10:17:53.162420064 +0800 ++++ openssh-8.0p1.new/configure 2021-10-29 10:24:52.638846543 +0800 +@@ -7875,6 +7875,9 @@ + aarch64*-*) + seccomp_audit_arch=AUDIT_ARCH_AARCH64 + ;; ++ loongarch64*-*) ++ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 ++ ;; + s390x-*) + seccomp_audit_arch=AUDIT_ARCH_S390X + ;; +diff -Nur openssh-8.0p1/configure.ac openssh-8.0p1.new/configure.ac +--- openssh-8.0p1/configure.ac 2021-10-29 10:17:49.986802431 +0800 ++++ openssh-8.0p1.new/configure.ac 2021-10-29 10:25:31.102923736 +0800 +@@ -882,6 +882,9 @@ + aarch64*-*) + seccomp_audit_arch=AUDIT_ARCH_AARCH64 + ;; ++ loongarch64*-*) ++ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 ++ ;; + s390x-*) + seccomp_audit_arch=AUDIT_ARCH_S390X + ;; diff --git a/openssh.spec b/openssh.spec index 8f8c8f8..453c704 100644 --- a/openssh.spec +++ b/openssh.spec @@ -281,6 +281,11 @@ Patch987: openssh-8.0p1-ipv6-process.patch Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch +# Add by Anolis +# fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu +Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch +# End + License: BSD Group: Applications/Internet Requires: /sbin/nologin @@ -521,6 +526,7 @@ popd %patch100 -p1 -b .coverity %patch1001 -p1 +%patch1002 -p1 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -808,6 +814,7 @@ getent passwd sshd >/dev/null || \ %changelog * Wed May 24 2023 Weitao Zhou - 8.0p1-17.0.1 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 +- Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) * Tue Dec 20 2022 Dmitry Belyavskiy - 8.0p1-17 - Fix parsing of IPv6 IPs in sftp client (#2151334) -- Gitee From 1fe933ab1b14ef041dd5f954709f4251e5ccbf26 Mon Sep 17 00:00:00 2001 From: jiangyong Date: Mon, 20 Mar 2023 19:32:24 +0800 Subject: [PATCH 4/4] another case where a utimes() failure could make scp send a desynchronising error; detail: scp(1): when receiving files, scp(1) could be become desynchronised if a utimes(2) system call failed. This could allow file contents to be interpreted as file metadata and thereby permit an adversary to craft a file system that, when copied with scp(1) in a configuration that caused utimes(2) to fail (e.g. under a SELinux policy or syscall sandbox), transferred different file names and contents to the actual file system layout. upstream url: https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1 --- ...sh-8.3p1-fix-desynchronised-utimes-failed.patch | 14 ++++++++++++++ openssh.spec | 5 ++++- 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 openssh-8.3p1-fix-desynchronised-utimes-failed.patch diff --git a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch new file mode 100644 index 0000000..d522f28 --- /dev/null +++ b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch @@ -0,0 +1,14 @@ +diff --color -ru openssh-8.0p1/scp.c openssh-8.0p1-new/scp.c +--- openssh-8.0p1/scp.c 2023-03-17 16:27:55.831000000 -0400 ++++ openssh-8.0p1-new/scp.c 2023-03-17 16:29:49.246000000 -0400 +@@ -1431,9 +1431,7 @@ + sink(1, vect, src); + if (setimes) { + setimes = 0; +- if (utimes(vect[0], tv) < 0) +- run_err("%s: set times: %s", +- vect[0], strerror(errno)); ++ (void) utimes(vect[0], tv); + } + if (mod_flag) + (void) chmod(vect[0], mode); diff --git a/openssh.spec b/openssh.spec index 453c704..47add37 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,4 +1,4 @@ -%define anolis_release .0.1 +%define anolis_release .0.2 # Do we want SELinux & Audit %if 0%{?!noselinux:1} %global WITH_SELINUX 1 @@ -285,6 +285,7 @@ Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch # fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch # End +Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch License: BSD Group: Applications/Internet @@ -527,6 +528,7 @@ popd %patch1001 -p1 %patch1002 -p1 +%patch1004 -p1 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -815,6 +817,7 @@ getent passwd sshd >/dev/null || \ * Wed May 24 2023 Weitao Zhou - 8.0p1-17.0.1 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 - Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) +- another case where a utimes() failure could make scp send (jiang.yong5@zte.com.cn) * Tue Dec 20 2022 Dmitry Belyavskiy - 8.0p1-17 - Fix parsing of IPv6 IPs in sftp client (#2151334) -- Gitee