From 33efe20cdee5a9bbc21c96258cbb1d5a7bc75f9c Mon Sep 17 00:00:00 2001
From: Liwei Ge
Date: Wed, 2 Aug 2023 10:51:40 +0800
Subject: [PATCH] terminate pkcs11 process for bad libraries

Signed-off-by: Liwei Ge
---
 ...ate-pkcs11-process-for-bad-libraries.patch | 30 +++++++++++++++++++
 openssh.spec | 9 ++++--
 2 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 1005-terminate-pkcs11-process-for-bad-libraries.patch

diff --git a/1005-terminate-pkcs11-process-for-bad-libraries.patch b/1005-terminate-pkcs11-process-for-bad-libraries.patch
new file mode 100644
index 0000000..1332eda
--- /dev/null
+++ b/1005-terminate-pkcs11-process-for-bad-libraries.patch
@@ -0,0 +1,30 @@
+From 369df9638eb59ab24dd2d627b78c264478f07e4d Mon Sep 17 00:00:00 2001
+From: Liwei Ge
+Date: Wed, 2 Aug 2023 10:45:03 +0800
+Subject: [PATCH] terminate pkcs11 process for bad libraries
+
+backport from https://github.com/openssh/openssh-portable/
+commit/b23fe83f06ee7e721033769cfa03ae840476d280
+
+Signed-off-by: Liwei Ge
+---
+ ssh-pkcs11.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 0130b00..db275d4 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1665,8 +1665,7 @@ pkcs11_initialize_provider(struct pkcs11_uri *uri, struct pkcs11_provider **prov
+ goto fail;
+ }
+ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ }
+
+ p->module->handle = handle;
+--
+2.27.0
+
diff --git a/openssh.spec b/openssh.spec
index 47add37..8446bfa 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.2
+%define anolis_release .0.1
 # Do we want SELinux & Audit
 %if 0%{?!noselinux:1}
 %global WITH_SELINUX 1
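Review bot: The nested patch header says only `backport from ...` and gives no reason why the missing-C_GetFunctionList case must now be fatal() rather than the error()/goto fail path it replaces, so a future rebase could plausibly revert it as an over-strict change; the rationale belongs in the header. Suggested description text: `A library that lacks C_GetFunctionList is not a PKCS#11 provider; dlopen() has already run its constructors by the time dlsym() fails, so unwinding through fail: and unloading it is not a safe recovery. Terminate the process instead. Addresses CVE-2023-38408.` The CVE is currently recorded only in the spec %changelog, so the patch file itself should carry it too. As far as I recall ssh-pkcs11.c is also built into ssh(1) and ssh-keygen(1) for their -I/-D options, so the fatal() reaches those callers as well as the helper named in the subject; worth stating so nobody is surprised by ssh exiting on a bad provider path. pkcs11_initialize_provider begins and ends outside the hunk.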
@@ -67,7 +67,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 17
+%global openssh_rel 18
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
 
@@ -286,6 +286,7 @@ Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch
 Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch
 # End
 Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch
+Patch1005: 1005-terminate-pkcs11-process-for-bad-libraries.patch
 
 License: BSD
 Group: Applications/Internet
@@ -529,6 +530,7 @@ popd
 %patch1001 -p1
 %patch1002 -p1
 %patch1004 -p1
+%patch1005 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -814,6 +816,9 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Wed Aug 2 2023 Liwei Ge - 8.0p1-18.0.1
+- Fix CVE-2023-38408
+
 * Wed May 24 2023 Weitao Zhou - 8.0p1-17.0.1
 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32
 - Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com)
--
Gitee
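Review bot: The new %changelog entry `- Fix CVE-2023-38408` names neither the patch nor its upstream origin, so the entry cannot be matched against the Patch1005 line added in the same commit without opening the patch file. A fuller entry would be `- Fix CVE-2023-38408: terminate ssh-pkcs11 helper on libraries lacking C_GetFunctionList (1005-terminate-pkcs11-process-for-bad-libraries.patch, backport of openssh-portable b23fe83f)`. The previous entry is 8.0p1-17.0.1 while the old define was anolis_release .0.2, so an earlier 17.0.2 build appears to have gone unlogged; the new 18.0.1 is consistent with openssh_rel 18 and .0.1, but the gap is worth noting for whoever audits the package history.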