From ad0f74a489664d53d4f78655edf6c3db5c07eec6 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Tue, 27 Aug 2024 14:51:41 +0800 Subject: [PATCH 1/6] update to openssh-8.0p1-25.src.rpm Signed-off-by: Zhao Hang --- 1000-openssh-anolis-fix-seccomp-error.patch | 26 - 1001-openssh-8.1p1-seccomp-nanosleep.patch | 44 -- ...ate-pkcs11-process-for-bad-libraries.patch | 30 -- dist | 2 +- openssh-6.7p1-coverity.patch | 12 - openssh-7.7p1-fips.patch | 56 ++- openssh-8.0p1-avoidkillall.patch | 20 + openssh-8.0p1-bigsshdconfig.patch | 13 + openssh-8.0p1-gssapi-keyex.patch | 85 ++-- openssh-8.0p1-sw.patch | 43 -- openssh-8.0p1-upstream-ignore-SIGPIPE.patch | 38 ++ ...3p1-fix-desynchronised-utimes-failed.patch | 14 - openssh-9.3p1-upstream-cve-2023-38408.patch | 17 + openssh-9.4p2-limit-delay.patch | 33 ++ openssh-9.6p1-CVE-2023-48795.patch | 447 ++++++++++++++++++ ...atch => openssh-9.6p1-CVE-2023-51385.patch | 23 +- openssh.spec | 116 +++-- 17 files changed, 755 insertions(+), 264 deletions(-) delete mode 100644 1000-openssh-anolis-fix-seccomp-error.patch delete mode 100644 1001-openssh-8.1p1-seccomp-nanosleep.patch delete mode 100644 1005-terminate-pkcs11-process-for-bad-libraries.patch create mode 100644 openssh-8.0p1-avoidkillall.patch create mode 100644 openssh-8.0p1-bigsshdconfig.patch delete mode 100644 openssh-8.0p1-sw.patch create mode 100644 openssh-8.0p1-upstream-ignore-SIGPIPE.patch delete mode 100644 openssh-8.3p1-fix-desynchronised-utimes-failed.patch create mode 100644 openssh-9.3p1-upstream-cve-2023-38408.patch create mode 100644 openssh-9.4p2-limit-delay.patch create mode 100644 openssh-9.6p1-CVE-2023-48795.patch rename openssh-8.0p1-CVE-2023-51385.patch => openssh-9.6p1-CVE-2023-51385.patch (67%) diff --git a/1000-openssh-anolis-fix-seccomp-error.patch b/1000-openssh-anolis-fix-seccomp-error.patch deleted file mode 100644 index f398ce9..0000000 --- a/1000-openssh-anolis-fix-seccomp-error.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff -Nur openssh-8.0p1/configure openssh-8.0p1.new/configure ---- openssh-8.0p1/configure 2021-10-29 10:17:53.162420064 +0800 -+++ openssh-8.0p1.new/configure 2021-10-29 10:24:52.638846543 +0800 -@@ -7875,6 +7875,9 @@ - aarch64*-*) - seccomp_audit_arch=AUDIT_ARCH_AARCH64 - ;; -+ loongarch64*-*) -+ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 -+ ;; - s390x-*) - seccomp_audit_arch=AUDIT_ARCH_S390X - ;; -diff -Nur openssh-8.0p1/configure.ac openssh-8.0p1.new/configure.ac ---- openssh-8.0p1/configure.ac 2021-10-29 10:17:49.986802431 +0800 -+++ openssh-8.0p1.new/configure.ac 2021-10-29 10:25:31.102923736 +0800 -@@ -882,6 +882,9 @@ - aarch64*-*) - seccomp_audit_arch=AUDIT_ARCH_AARCH64 - ;; -+ loongarch64*-*) -+ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 -+ ;; - s390x-*) - seccomp_audit_arch=AUDIT_ARCH_S390X - ;; diff --git a/1001-openssh-8.1p1-seccomp-nanosleep.patch b/1001-openssh-8.1p1-seccomp-nanosleep.patch deleted file mode 100644 index 4ff852c..0000000 --- a/1001-openssh-8.1p1-seccomp-nanosleep.patch +++ /dev/null @@ -1,44 +0,0 @@ -commit 7e929163ed40f9ce90060a3ca6df558c3d901379 -Author: Jakub Jelen -Date: Wed Nov 13 12:57:05 2019 +0100 - - seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index b5cda70b..be239767 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_nanosleep - SC_ALLOW(__NR_nanosleep), - #endif -+#ifdef __NR_clock_nanosleep -+ SC_ALLOW(__NR_clock_nanosleep), -+#endif - #ifdef __NR__newselect - SC_ALLOW(__NR__newselect), - #endif - -commit 500c30eaf88f26e4a74b06717fe04afec7a7516f -Author: Jakub Jelen -Date: Wed Nov 27 11:06:55 2019 +0100 - - sandbox-seccomp: Allow clock_nanosleep on ARM - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index be239767..3ef30c9d 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_clock_nanosleep - SC_ALLOW(__NR_clock_nanosleep), - #endif -+#ifdef __NR_clock_nanosleep_time64 -+ SC_ALLOW(__NR_clock_nanosleep_time64), -+#endif -+#ifdef __NR_clock_gettime64 -+ SC_ALLOW(__NR_clock_gettime64), -+#endif - #ifdef __NR__newselect - SC_ALLOW(__NR__newselect), - #endif diff --git a/1005-terminate-pkcs11-process-for-bad-libraries.patch b/1005-terminate-pkcs11-process-for-bad-libraries.patch deleted file mode 100644 index 1332eda..0000000 --- a/1005-terminate-pkcs11-process-for-bad-libraries.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 369df9638eb59ab24dd2d627b78c264478f07e4d Mon Sep 17 00:00:00 2001 -From: Liwei Ge -Date: Wed, 2 Aug 2023 10:45:03 +0800 -Subject: [PATCH] terminate pkcs11 process for bad libraries - -backport from https://github.com/openssh/openssh-portable/ -commit/b23fe83f06ee7e721033769cfa03ae840476d280 - -Signed-off-by: Liwei Ge ---- - ssh-pkcs11.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c -index 0130b00..db275d4 100644 ---- a/ssh-pkcs11.c -+++ b/ssh-pkcs11.c -@@ -1665,8 +1665,7 @@ pkcs11_initialize_provider(struct pkcs11_uri *uri, struct pkcs11_provider **prov - goto fail; - } - if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { -- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); -- goto fail; -+ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); - } - - p->module->handle = handle; --- -2.27.0 - diff --git a/dist b/dist index 9c0e36e..1fe92cf 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8 +an8_10 diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 0159482..d24c4a2 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -136,18 +136,6 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c if (tun != SSH_TUNID_ANY && auth_opts->force_tun_device != (int)tun) goto done; -diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c ---- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100 -+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100 -@@ -224,7 +224,7 @@ killchild(int signo) - { - if (sshpid > 1) { - kill(sshpid, SIGTERM); -- waitpid(sshpid, NULL, 0); -+ (void) waitpid(sshpid, NULL, 0); - } - - _exit(1); diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c --- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100 diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 1f6fdc2..0cbd22f 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -471,12 +471,53 @@ diff -up openssh-7.9p1/sshkey.c.fips openssh-7.9p1/sshkey.c #include "xmss_fast.h" +@@ -392,7 +394,8 @@ sshkey_calculate_signature(EVP_PKEY *pkey + { + EVP_MD_CTX *ctx = NULL; + u_char *sig = NULL; +- int ret, slen, len; ++ int ret, slen; ++ size_t len; + + if (sigp == NULL || lenp == NULL) { + return SSH_ERR_INVALID_ARGUMENT; +@@ -411,9 +414,10 @@ sshkey_calculate_signature(EVP_PKEY *pkey + ret = SSH_ERR_ALLOC_FAIL; + goto error; + } +- if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || +- EVP_SignUpdate(ctx, data, datalen) <= 0 || +- EVP_SignFinal(ctx, sig, &len, pkey) <= 0) { ++ if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg), ++ NULL, pkey) != 1 || ++ EVP_DigestSignUpdate(ctx, data, datalen) != 1 || ++ EVP_DigestSignFinal(ctx, sig, &len) != 1) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto error; + } +@@ -440,12 +444,13 @@ sshkey_verify_signature(EVP_PKEY *pkey + if ((ctx = EVP_MD_CTX_new()) == NULL) { + return SSH_ERR_ALLOC_FAIL; + } +- if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || +- EVP_VerifyUpdate(ctx, data, datalen) <= 0) { ++ if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg), ++ NULL, pkey) != 1 || ++ EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto done; + } +- ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey); ++ ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen); + switch (ret) { + case 1: + ret = 0; @@ -1514,6 +1516,8 @@ rsa_generate_private_key(u_int bits, RSA } if (!BN_set_word(f4, RSA_F4) || !RSA_generate_key_ex(private, bits, f4, NULL)) { -+ if (FIPS_mode()) -+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); ++ if (FIPS_mode()) ++ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } @@ -515,3 +556,14 @@ diff -up openssh-7.9p1/ssh-keygen.c.fips openssh-7.9p1/ssh-keygen.c if ((fd = mkstemp(prv_tmp)) == -1) { error("Could not save your public key in %s: %s", prv_tmp, strerror(errno)); +diff -up openssh-8.0p1/sshd_config.xxx openssh-8.0p1/sshd_config +--- openssh-8.0p1/sshd_config.xxx 2023-10-30 13:01:59.150952364 +0100 ++++ openssh-8.0p1/sshd_config 2023-10-30 13:02:56.662231354 +0100 +@@ -21,6 +21,7 @@ + + HostKey /etc/ssh/ssh_host_rsa_key + HostKey /etc/ssh/ssh_host_ecdsa_key ++#In FIPS mode Ed25519 keys are not supported, please comment out the next line + HostKey /etc/ssh/ssh_host_ed25519_key + + # Ciphers and keying diff --git a/openssh-8.0p1-avoidkillall.patch b/openssh-8.0p1-avoidkillall.patch new file mode 100644 index 0000000..77331e8 --- /dev/null +++ b/openssh-8.0p1-avoidkillall.patch @@ -0,0 +1,20 @@ +diff --git a/sftp.c b/sftp.c +index b66037f1..54538ff9 100644 +--- a/sftp.c ++++ b/sftp.c +@@ -220,9 +220,12 @@ static const struct CMD cmds[] = { + static void + killchild(int signo) + { +- if (sshpid > 1) { +- kill(sshpid, SIGTERM); +- waitpid(sshpid, NULL, 0); ++ pid_t pid; ++ ++ pid = sshpid; ++ if (pid > 1) { ++ kill(pid, SIGTERM); ++ (void)waitpid(pid, NULL, 0); + } + + _exit(1); diff --git a/openssh-8.0p1-bigsshdconfig.patch b/openssh-8.0p1-bigsshdconfig.patch new file mode 100644 index 0000000..2158ffe --- /dev/null +++ b/openssh-8.0p1-bigsshdconfig.patch @@ -0,0 +1,13 @@ +diff --git a/msg.c b/msg.c +index 99c25cd2..574a566e 100644 +--- a/msg.c ++++ b/msg.c +@@ -77,7 +77,7 @@ ssh_msg_recv(int fd, struct sshbuf *m) + return (-1); + } + msg_len = get_u32(buf); +- if (msg_len > 256 * 1024) { ++ if (msg_len > sshbuf_max_size(m)) { + error("ssh_msg_recv: read: bad msg_len %u", msg_len); + return (-1); + } diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index a8f2838..2182c49 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch @@ -1509,7 +1509,7 @@ new file mode 100644 index 00000000..0b2f6a56 --- /dev/null +++ b/kexgssc.c -@@ -0,0 +1,595 @@ +@@ -0,0 +1,618 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -1571,7 +1571,7 @@ index 00000000..0b2f6a56 + struct sshbuf *server_blob = NULL; + struct sshbuf *shared_secret = NULL; + struct sshbuf *server_host_key_blob = NULL; -+ struct sshbuf *empty = sshbuf_new(); ++ struct sshbuf *empty = NULL; + u_char *msg; + int type = 0; + int first = 1; @@ -1610,8 +1610,10 @@ index 00000000..0b2f6a56 + default: + fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); + } -+ if (r != 0) ++ if (r != 0) { ++ ssh_gssapi_delete_ctx(&ctxt); + return r; ++ } + + token_ptr = GSS_C_NO_BUFFER; + @@ -1674,11 +1676,16 @@ index 00000000..0b2f6a56 + do { + type = ssh_packet_read(ssh); + if (type == SSH2_MSG_KEXGSS_HOSTKEY) { ++ char *tmp = NULL; ++ size_t tmp_len = 0; ++ + debug("Received KEXGSS_HOSTKEY"); + if (server_host_key_blob) + fatal("Server host key received more than once"); -+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0) ++ if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0) + fatal("Failed to read server host key: %s", ssh_err(r)); ++ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL) ++ fatal("sshbuf_from failed"); + } + } while (type == SSH2_MSG_KEXGSS_HOSTKEY); + @@ -1779,6 +1786,11 @@ index 00000000..0b2f6a56 + if (r != 0) + goto out; + ++ if ((empty = sshbuf_new()) == NULL) { ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ + hashlen = sizeof(hash); + if ((r = kex_gen_hash( + kex->hash_alg, @@ -1848,7 +1860,7 @@ index 00000000..0b2f6a56 + size_t hashlen; + const BIGNUM *pub_key, *dh_p, *dh_g; + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; -+ struct sshbuf *empty = sshbuf_new(); ++ struct sshbuf *empty = NULL; + u_char c; + int r; + @@ -1960,11 +1972,16 @@ index 00000000..0b2f6a56 + do { + type = ssh_packet_read(ssh); + if (type == SSH2_MSG_KEXGSS_HOSTKEY) { ++ char *tmp = NULL; ++ size_t tmp_len = 0; ++ + debug("Received KEXGSS_HOSTKEY"); + if (server_host_key_blob) + fatal("Server host key received more than once"); -+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0) ++ if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0) + fatal("sshpkt failed: %s", ssh_err(r)); ++ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL) ++ fatal("sshbuf_from failed"); + } + } while (type == SSH2_MSG_KEXGSS_HOSTKEY); + @@ -2040,6 +2057,7 @@ index 00000000..0b2f6a56 + (r = sshbuf_get_bignum2(buf, &dh_server_pub)) != 0) + goto out; + sshbuf_free(buf); ++ buf = NULL; + + if ((shared_secret = sshbuf_new()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; @@ -2048,6 +2066,10 @@ index 00000000..0b2f6a56 + + if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0) + goto out; ++ if ((empty = sshbuf_new()) == NULL) { ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } + + DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g); + hashlen = sizeof(hash); @@ -2094,6 +2116,7 @@ index 00000000..0b2f6a56 + if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0) + r = kex_send_newkeys(ssh); +out: ++ sshbuf_free(buf); + sshbuf_free(server_blob); + sshbuf_free(empty); + explicit_bzero(hash, sizeof(hash)); @@ -2110,7 +2133,7 @@ new file mode 100644 index 00000000..60bc02de --- /dev/null +++ b/kexgsss.c -@@ -0,0 +1,474 @@ +@@ -0,0 +1,482 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -2177,7 +2200,7 @@ index 00000000..60bc02de + */ + + OM_uint32 ret_flags = 0; -+ gss_buffer_desc gssbuf, recv_tok, msg_tok; ++ gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + Gssctxt *ctxt = NULL; + struct sshbuf *shared_secret = NULL; @@ -2217,7 +2240,7 @@ index 00000000..60bc02de + type = ssh_packet_read(ssh); + switch(type) { + case SSH2_MSG_KEXGSS_INIT: -+ if (client_pubkey != NULL) ++ if (gssbuf.value != NULL) + fatal("Received KEXGSS_INIT after initialising"); + if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh, + &recv_tok)) != 0 || @@ -2248,6 +2271,31 @@ index 00000000..60bc02de + goto out; + + /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */ ++ ++ /* Calculate the hash early so we can free the ++ * client_pubkey, which has reference to the parent ++ * buffer state->incoming_packet ++ */ ++ hashlen = sizeof(hash); ++ if ((r = kex_gen_hash( ++ kex->hash_alg, ++ kex->client_version, ++ kex->server_version, ++ kex->peer, ++ kex->my, ++ empty, ++ client_pubkey, ++ server_pubkey, ++ shared_secret, ++ hash, &hashlen)) != 0) ++ goto out; ++ ++ gssbuf.value = hash; ++ gssbuf.length = hashlen; ++ ++ sshbuf_free(client_pubkey); ++ client_pubkey = NULL; ++ + break; + case SSH2_MSG_KEXGSS_CONTINUE: + if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh, @@ -2269,7 +2317,7 @@ index 00000000..60bc02de + if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) + fatal("Zero length token output when incomplete"); + -+ if (client_pubkey == NULL) ++ if (gssbuf.value == NULL) + fatal("No client public key"); + + if (maj_status & GSS_S_CONTINUE_NEEDED) { @@ -2298,23 +2346,6 @@ index 00000000..60bc02de + if (!(ret_flags & GSS_C_INTEG_FLAG)) + fatal("Integrity flag wasn't set"); + -+ hashlen = sizeof(hash); -+ if ((r = kex_gen_hash( -+ kex->hash_alg, -+ kex->client_version, -+ kex->server_version, -+ kex->peer, -+ kex->my, -+ empty, -+ client_pubkey, -+ server_pubkey, -+ shared_secret, -+ hash, &hashlen)) != 0) -+ goto out; -+ -+ gssbuf.value = hash; -+ gssbuf.length = hashlen; -+ + if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok)))) + fatal("Couldn't get MIC"); + diff --git a/openssh-8.0p1-sw.patch b/openssh-8.0p1-sw.patch deleted file mode 100644 index ec68163..0000000 --- a/openssh-8.0p1-sw.patch +++ /dev/null @@ -1,43 +0,0 @@ -From d79f3b68e7eb6638a27bab8853f790d10aa88d93 Mon Sep 17 00:00:00 2001 -From: Weisson -Date: Tue, 21 Nov 2023 10:44:32 +0800 -Subject: [PATCH] Add sw build support. - -Signed-off-by: Weisson ---- - configure.ac | 3 +++ - .../ed25519-donna/ed25519-donna-portable-identify.h | 4 ++++ - 2 files changed, 7 insertions(+) - -diff --git a/configure.ac b/configure.ac -index 6e57635..9e32389 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -879,6 +879,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) - arm*-*) - seccomp_audit_arch=AUDIT_ARCH_ARM - ;; -+ sw_64*-*) -+ seccomp_audit_arch=AUDIT_ARCH_SW64 -+ ;; - aarch64*-*) - seccomp_audit_arch=AUDIT_ARCH_AARCH64 - ;; -diff --git a/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h b/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h -index 26a264c..4457e9a 100644 ---- a/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h -+++ b/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h -@@ -79,6 +79,10 @@ - #define CPU_HPPA - #endif - -+#if defined(__sw_64__) || defined(__sw_64) || defined(_M_SW_64) -+ #define CPU_SW_64 -+#endif -+ - #if defined(__alpha__) || defined(__alpha) || defined(_M_ALPHA) - #define CPU_ALPHA - #endif --- -2.31.1 - diff --git a/openssh-8.0p1-upstream-ignore-SIGPIPE.patch b/openssh-8.0p1-upstream-ignore-SIGPIPE.patch new file mode 100644 index 0000000..0e85815 --- /dev/null +++ b/openssh-8.0p1-upstream-ignore-SIGPIPE.patch @@ -0,0 +1,38 @@ +From d33ff14309e33aa79fdf95e1bc4facafa80b90a9 Mon Sep 17 00:00:00 2001 +From: Stepan Broz +Date: Tue, 25 Jun 2024 17:38:22 +0200 +Subject: [PATCH] upstream: ignore SIGPIPE earlier in main(), specifically + before + +muxclient() which performs operations that could cause one; Reported by Noam +Lewis via bz3454, ok dtucker@ + +OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47 +--- + ssh.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssh.c b/ssh.c +index 786e26d..e037c66 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1115,6 +1115,8 @@ main(int ac, char **av) + } + } + ++ signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ ++ + /* + * Initialize "log" output. Since we are the client all output + * goes to stderr unless otherwise specified by -y or -E. +@@ -1545,7 +1547,6 @@ main(int ac, char **av) + options.num_system_hostfiles); + tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles); + +- signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ + signal(SIGCHLD, main_sigchld_handler); + + /* Log into the remote system. Never returns if the login fails. */ +-- +2.45.2 + diff --git a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch deleted file mode 100644 index d522f28..0000000 --- a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --color -ru openssh-8.0p1/scp.c openssh-8.0p1-new/scp.c ---- openssh-8.0p1/scp.c 2023-03-17 16:27:55.831000000 -0400 -+++ openssh-8.0p1-new/scp.c 2023-03-17 16:29:49.246000000 -0400 -@@ -1431,9 +1431,7 @@ - sink(1, vect, src); - if (setimes) { - setimes = 0; -- if (utimes(vect[0], tv) < 0) -- run_err("%s: set times: %s", -- vect[0], strerror(errno)); -+ (void) utimes(vect[0], tv); - } - if (mod_flag) - (void) chmod(vect[0], mode); diff --git a/openssh-9.3p1-upstream-cve-2023-38408.patch b/openssh-9.3p1-upstream-cve-2023-38408.patch new file mode 100644 index 0000000..5632ba1 --- /dev/null +++ b/openssh-9.3p1-upstream-cve-2023-38408.patch @@ -0,0 +1,17 @@ +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 6be647ec..ebddf6c3 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin, + error("dlopen %s failed: %s", provider_module, dlerror()); + goto fail; + } +- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { +- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); +- goto fail; +- } ++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) ++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); + + p->module->handle = handle; + /* setup the pkcs11 callbacks */ diff --git a/openssh-9.4p2-limit-delay.patch b/openssh-9.4p2-limit-delay.patch new file mode 100644 index 0000000..009fcc7 --- /dev/null +++ b/openssh-9.4p2-limit-delay.patch @@ -0,0 +1,33 @@ +diff -u -p -r1.166 auth2.c +--- a/auth2.c 8 Mar 2023 04:43:12 -0000 1.166 ++++ b/auth2.c 28 Aug 2023 08:32:44 -0000 +@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_ + } + + #define MIN_FAIL_DELAY_SECONDS 0.005 ++#define MAX_FAIL_DELAY_SECONDS 5.0 + static double + user_specific_delay(const char *user) + { +@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start, + struct timespec ts; + double elapsed = monotime_double() - start, req = seconds, remain; + ++ if (elapsed > MAX_FAIL_DELAY_SECONDS) { ++ debug3("elapsed %0.3lfms exceeded the max delay " ++ "requested %0.3lfms)", elapsed*1000, req*1000); ++ return; ++ } ++ + /* if we've already passed the requested time, scale up */ + while ((remain = seconds - elapsed) < 0.0) + seconds *= 2; +@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32 + debug2("input_userauth_request: try method %s", method); + authenticated = m->userauth(ssh); + } +- if (!authctxt->authenticated) ++ if (!authctxt->authenticated && strcmp(method, "none") != 0) + ensure_minimum_time_since(tstart, + user_specific_delay(authctxt->user)); + userauth_finish(ssh, authenticated, method, NULL); diff --git a/openssh-9.6p1-CVE-2023-48795.patch b/openssh-9.6p1-CVE-2023-48795.patch new file mode 100644 index 0000000..16ff4c4 --- /dev/null +++ b/openssh-9.6p1-CVE-2023-48795.patch @@ -0,0 +1,447 @@ +diff --git a/PROTOCOL b/PROTOCOL +index d453c779..ded935eb 100644 +--- a/PROTOCOL ++++ b/PROTOCOL +@@ -137,6 +137,32 @@ than as a named global or channel request to allow pings with very + described at: + http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519 + ++1.9 transport: strict key exchange extension ++ ++OpenSSH supports a number of transport-layer hardening measures under ++a "strict KEX" feature. This feature is signalled similarly to the ++RFC8308 ext-info feature: by including a additional algorithm in the ++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append ++"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server ++may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms ++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored ++if they are present in subsequent SSH2_MSG_KEXINIT packets. ++ ++When an endpoint that supports this extension observes this algorithm ++name in a peer's KEXINIT packet, it MUST make the following changes to ++the the protocol: ++ ++a) During initial KEX, terminate the connection if any unexpected or ++ out-of-sequence packet is received. This includes terminating the ++ connection if the first packet received is not SSH2_MSG_KEXINIT. ++ Unexpected packets for the purpose of strict KEX include messages ++ that are otherwise valid at any time during the connection such as ++ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE. ++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the ++ packet sequence number to zero. This behaviour persists for the ++ duration of the connection (i.e. not just the first ++ SSH2_MSG_NEWKEYS). ++ + 2. Connection protocol changes + + 2.1. connection: Channel write close extension "eow@openssh.com" +diff --git a/kex.c b/kex.c +index aa5e792d..d478ff6e 100644 +--- a/kex.c ++++ b/kex.c +@@ -65,7 +65,7 @@ + #endif + + /* prototype */ +-static int kex_choose_conf(struct ssh *); ++static int kex_choose_conf(struct ssh *, uint32_t seq); + static int kex_input_newkeys(int, u_int32_t, struct ssh *); + + static const char *proposal_names[PROPOSAL_MAX] = { +@@ -177,6 +177,18 @@ kex_names_valid(const char *names) + return 1; + } + ++/* returns non-zero if proposal contains any algorithm from algs */ ++static int ++has_any_alg(const char *proposal, const char *algs) ++{ ++ char *cp; ++ ++ if ((cp = match_list(proposal, algs, NULL)) == NULL) ++ return 0; ++ free(cp); ++ return 1; ++} ++ + /* + * Concatenate algorithm names, avoiding duplicates in the process. + * Caller must free returned string. +@@ -184,7 +196,7 @@ kex_names_valid(const char *names) + char * + kex_names_cat(const char *a, const char *b) + { +- char *ret = NULL, *tmp = NULL, *cp, *p, *m; ++ char *ret = NULL, *tmp = NULL, *cp, *p; + size_t len; + + if (a == NULL || *a == '\0') +@@ -201,10 +213,8 @@ kex_names_cat(const char *a, const char *b) + } + strlcpy(ret, a, len); + for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { +- if ((m = match_list(ret, p, NULL)) != NULL) { +- free(m); ++ if (has_any_alg(ret, p)) + continue; /* Algorithm already present */ +- } + if (strlcat(ret, ",", len) >= len || + strlcat(ret, p, len) >= len) { + free(tmp); +@@ -466,7 +485,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) + { + int r; + +- error("kex protocol error: type %d seq %u", type, seq); ++ /* If in strict mode, any unexpected message is an error */ ++ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) { ++ ssh_packet_disconnect(ssh, "strict KEX violation: " ++ "unexpected packet type %u (seqnr %u)", type, seq); ++ } ++ error("type %u seq %u", type, seq); + if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || + (r = sshpkt_put_u32(ssh, seq)) != 0 || + (r = sshpkt_send(ssh)) != 0) +@@ -548,6 +572,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) + ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); + if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) + return r; ++ if (ninfo >= 1024) { ++ error("SSH2_MSG_EXT_INFO with too many entries, expected " ++ "<=1024, received %u", ninfo); ++ return dispatch_protocol_error(type, seq, ssh); ++ } + for (i = 0; i < ninfo; i++) { + if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) + return r; +@@ -681,7 +705,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) + if (kex == NULL) + return SSH_ERR_INVALID_ARGUMENT; + +- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error); + ptr = sshpkt_ptr(ssh, &dlen); + if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r; +@@ -717,7 +741,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) + if (!(kex->flags & KEX_INIT_SENT)) + if ((r = kex_send_kexinit(ssh)) != 0) + return r; +- if ((r = kex_choose_conf(ssh)) != 0) ++ if ((r = kex_choose_conf(ssh, seq)) != 0) + return r; + + if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) +@@ -981,20 +1005,14 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) + return (1); + } + +-/* returns non-zero if proposal contains any algorithm from algs */ + static int +-has_any_alg(const char *proposal, const char *algs) ++kexalgs_contains(char **peer, const char *ext) + { +- char *cp; +- +- if ((cp = match_list(proposal, algs, NULL)) == NULL) +- return 0; +- free(cp); +- return 1; ++ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext); + } + + static int +-kex_choose_conf(struct ssh *ssh) ++kex_choose_conf(struct ssh *ssh, uint32_t seq) + { + struct kex *kex = ssh->kex; + struct newkeys *newkeys; +@@ -1019,13 +1037,23 @@ kex_choose_conf(struct ssh *ssh) + sprop=peer; + } + +- /* Check whether client supports ext_info_c */ +- if (kex->server && (kex->flags & KEX_INITIAL)) { +- char *ext; +- +- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL); +- kex->ext_info_c = (ext != NULL); +- free(ext); ++ /* Check whether peer supports ext_info/kex_strict */ ++ if ((kex->flags & KEX_INITIAL) != 0) { ++ if (kex->server) { ++ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c"); ++ kex->kex_strict = kexalgs_contains(peer, ++ "kex-strict-c-v00@openssh.com"); ++ } else { ++ kex->kex_strict = kexalgs_contains(peer, ++ "kex-strict-s-v00@openssh.com"); ++ } ++ if (kex->kex_strict) { ++ debug3("will use strict KEX ordering"); ++ if (seq != 0) ++ ssh_packet_disconnect(ssh, ++ "strict KEX violation: " ++ "KEXINIT was not the first packet"); ++ } + } + + /* Check whether client supports rsa-sha2 algorithms */ +diff --git a/kex.h b/kex.h +index 5f7ef784..272ebb43 100644 +--- a/kex.h ++++ b/kex.h +@@ -149,6 +149,7 @@ struct kex { + u_int kex_type; + char *server_sig_algs; + int ext_info_c; ++ int kex_strict; + struct sshbuf *my; + struct sshbuf *peer; + struct sshbuf *client_version; +diff --git a/packet.c b/packet.c +index 52017def..beb214f9 100644 +--- a/packet.c ++++ b/packet.c +@@ -1207,8 +1207,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh) + sshbuf_dump(state->output, stderr); + #endif + /* increment sequence number for outgoing packets */ +- if (++state->p_send.seqnr == 0) ++ if (++state->p_send.seqnr == 0) { ++ if ((ssh->kex->flags & KEX_INITIAL) != 0) { ++ ssh_packet_disconnect(ssh, "outgoing sequence number " ++ "wrapped during initial key exchange"); ++ } + logit("outgoing seqnr wraps around"); ++ } + if (++state->p_send.packets == 0) + if (!(ssh->compat & SSH_BUG_NOREKEY)) + return SSH_ERR_NEED_REKEY; +@@ -1216,6 +1221,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh) + state->p_send.bytes += len; + sshbuf_reset(state->outgoing_packet); + ++ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { ++ debug("resetting send seqnr %u", state->p_send.seqnr); ++ state->p_send.seqnr = 0; ++ } ++ + if (type == SSH2_MSG_NEWKEYS) + r = ssh_set_newkeys(ssh, MODE_OUT); + else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side) +@@ -1344,8 +1354,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + /* Stay in the loop until we have received a complete packet. */ + for (;;) { + /* Try to read a packet from the buffer. */ +- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p); +- if (r != 0) ++ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0) + break; + /* If we got a packet, return it. */ + if (*typep != SSH_MSG_NONE) +@@ -1629,10 +1615,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0) + goto out; + } ++ + if (seqnr_p != NULL) + *seqnr_p = state->p_read.seqnr; +- if (++state->p_read.seqnr == 0) ++ if (++state->p_read.seqnr == 0) { ++ if ((ssh->kex->flags & KEX_INITIAL) != 0) { ++ ssh_packet_disconnect(ssh, "incoming sequence number " ++ "wrapped during initial key exchange"); ++ } + logit("incoming seqnr wraps around"); ++ } + if (++state->p_read.packets == 0) + if (!(ssh->compat & SSH_BUG_NOREKEY)) + return SSH_ERR_NEED_REKEY; +@@ -1698,6 +1690,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + #endif + /* reset for next packet */ + state->packlen = 0; ++ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { ++ debug("resetting read seqnr %u", state->p_read.seqnr); ++ state->p_read.seqnr = 0; ++ } + + /* do we need to rekey? */ + if (ssh_packet_need_rekeying(ssh, 0)) { +@@ -1720,10 +1716,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + r = ssh_packet_read_poll2(ssh, typep, seqnr_p); + if (r != 0) + return r; +- if (*typep) { +- state->keep_alive_timeouts = 0; +- DBG(debug("received packet type %d", *typep)); ++ if (*typep == 0) { ++ /* no message ready */ ++ return 0; + } ++ state->keep_alive_timeouts = 0; ++ DBG(debug("received packet type %d", *typep)); ++ ++ /* Always process disconnect messages */ ++ if (*typep == SSH2_MSG_DISCONNECT) { ++ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || ++ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) ++ return r; ++ /* Ignore normal client exit notifications */ ++ do_log2(ssh->state->server_side && ++ reason == SSH2_DISCONNECT_BY_APPLICATION ? ++ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, ++ "Received disconnect from %s port %d:" ++ "%u: %.400s", ssh_remote_ipaddr(ssh), ++ ssh_remote_port(ssh), reason, msg); ++ free(msg); ++ return SSH_ERR_DISCONNECTED; ++ } ++ ++ /* ++ * Do not implicitly handle any messages here during initial ++ * KEX when in strict mode. They will be need to be allowed ++ * explicitly by the KEX dispatch table or they will generate ++ * protocol errors. ++ */ ++ if (ssh->kex != NULL && ++ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) ++ return 0; ++ /* Implicitly handle transport-level messages */ + switch (*typep) { + case SSH2_MSG_IGNORE: + debug3("Received SSH2_MSG_IGNORE"); +@@ -1738,19 +1763,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) + debug("Remote: %.900s", msg); + free(msg); + break; +- case SSH2_MSG_DISCONNECT: +- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 || +- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0) +- return r; +- /* Ignore normal client exit notifications */ +- do_log2(ssh->state->server_side && +- reason == SSH2_DISCONNECT_BY_APPLICATION ? +- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR, +- "Received disconnect from %s port %d:" +- "%u: %.400s", ssh_remote_ipaddr(ssh), +- ssh_remote_port(ssh), reason, msg); +- free(msg); +- return SSH_ERR_DISCONNECTED; + case SSH2_MSG_UNIMPLEMENTED: + if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0) + return r; +@@ -2242,6 +2254,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex) + (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 || + (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 || + (r = sshbuf_put_u32(m, kex->kex_type)) != 0 || ++ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 || + (r = sshbuf_put_stringb(m, kex->my)) != 0 || + (r = sshbuf_put_stringb(m, kex->peer)) != 0 || + (r = sshbuf_put_stringb(m, kex->client_version)) != 0 || +@@ -2404,6 +2417,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp) + (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 || + (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 || + (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 || ++ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 || + (r = sshbuf_get_stringb(m, kex->my)) != 0 || + (r = sshbuf_get_stringb(m, kex->peer)) != 0 || + (r = sshbuf_get_stringb(m, kex->client_version)) != 0 || +@@ -2732,6 +2746,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...) + vsnprintf(buf, sizeof(buf), fmt, args); + va_end(args); + ++ debug2("sending SSH2_MSG_DISCONNECT: %s", buf); + if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || + (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 || + (r = sshpkt_put_cstring(ssh, buf)) != 0 || +diff --git a/sshconnect2.c b/sshconnect2.c +index df6caf81..0cccbcc4 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -253,7 +253,8 @@ ssh_kex2(struct ssh *ssh, char *host, st + xxx_host = host; + xxx_hostaddr = hostaddr; + +- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) ++ if ((s = kex_names_cat(options.kex_algorithms, ++ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) + fatal("%s: kex_names_cat", __func__); + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = +@@ -358,7 +358,6 @@ struct cauthmethod { + }; + + static int input_userauth_service_accept(int, u_int32_t, struct ssh *); +-static int input_userauth_ext_info(int, u_int32_t, struct ssh *); + static int input_userauth_success(int, u_int32_t, struct ssh *); + static int input_userauth_failure(int, u_int32_t, struct ssh *); + static int input_userauth_banner(int, u_int32_t, struct ssh *); +@@ -472,7 +471,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, + + ssh->authctxt = &authctxt; + ssh_dispatch_init(ssh, &input_userauth_error); +- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info); ++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info); + ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept); + ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */ + pubkey_cleanup(ssh); +@@ -531,12 +530,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh) + } + + /* ARGSUSED */ +-static int +-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh) +-{ +- return kex_input_ext_info(type, seqnr, ssh); +-} +- + void + userauth(struct ssh *ssh, char *authlist) + { +@@ -615,6 +608,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh) + free(authctxt->methoddata); + authctxt->methoddata = NULL; + authctxt->success = 1; /* break out */ ++ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error); + return 0; + } + +diff -up openssh-8.7p1/sshd.c.kexstrict openssh-8.7p1/sshd.c +--- openssh-8.7p1/sshd.c.kexstrict 2023-11-27 13:19:18.855433602 +0100 ++++ openssh-8.7p1/sshd.c 2023-11-27 13:28:10.441325314 +0100 +@@ -2531,10 +2531,14 @@ do_ssh2_kex(struct ssh *ssh) + { + char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; + struct kex *kex; ++ char *cp; + int r; + +- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( +- options.kex_algorithms); ++ if ((cp = kex_names_cat(options.kex_algorithms, ++ "kex-strict-s-v00@openssh.com")) == NULL) ++ fatal("kex_names_cat"); ++ ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(cp); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal( + options.ciphers); + myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal( +@@ -2586,7 +2586,7 @@ do_ssh2_kex(struct ssh *ssh) + if (gss && orig) + xasprintf(&newstr, "%s,%s", gss, orig); + else if (gss) +- newstr = gss; ++ xasprintf(&newstr, "%s,%s", gss, "kex-strict-s-v00@openssh.com"); + else if (orig) + newstr = orig; + +@@ -2650,6 +2654,7 @@ do_ssh2_kex(struct ssh *ssh) + packet_send(); + packet_write_wait(); + #endif ++ free(cp); + debug("KEX done"); + } + diff --git a/openssh-8.0p1-CVE-2023-51385.patch b/openssh-9.6p1-CVE-2023-51385.patch similarity index 67% rename from openssh-8.0p1-CVE-2023-51385.patch rename to openssh-9.6p1-CVE-2023-51385.patch index 6ae70d4..a7e6a32 100644 --- a/openssh-8.0p1-CVE-2023-51385.patch +++ b/openssh-9.6p1-CVE-2023-51385.patch @@ -1,18 +1,8 @@ -From 2cf82a21d2ec27723e1c18915752fca8e3314697 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=E5=86=AF=E5=B7=9D=E4=B8=8010346279?= - -Date: Tue, 16 Jan 2024 14:22:15 +0800 -Subject: [PATCH] new - ---- - ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 40 insertions(+), 1 deletion(-) - diff --git a/ssh.c b/ssh.c -index 91e7c35..448c0f4 100644 +index 35c48e62..48d93ddf 100644 --- a/ssh.c +++ b/ssh.c -@@ -575,6 +575,41 @@ set_addrinfo_port(struct addrinfo *addrs, int port) +@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo) } } @@ -54,12 +44,10 @@ index 91e7c35..448c0f4 100644 /* * Main program for the ssh client. */ -@@ -1036,7 +1071,11 @@ main(int ac, char **av) - /* Check that we got a host name. */ +@@ -1118,6 +1153,10 @@ main(int ac, char **av) if (!host) usage(); -- -+ + + if (!valid_hostname(host)) + fatal("hostname contains invalid characters"); + if (options.user != NULL && !valid_ruser(options.user)) @@ -67,6 +55,3 @@ index 91e7c35..448c0f4 100644 host_arg = xstrdup(host); /* Initialize the command to execute on remote host. */ --- -2.27.0 - diff --git a/openssh.spec b/openssh.spec index f22529c..a07dbd3 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.4 # Do we want SELinux & Audit %if 0%{?!noselinux:1} %global WITH_SELINUX 1 @@ -67,14 +66,14 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.0p1 -%global openssh_rel 20 +%global openssh_rel 25 %global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_rel 7 Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} +Release: %{openssh_rel}%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -278,20 +277,23 @@ Patch985: openssh-8.7p1-minimize-sha1-use.patch Patch986: openssh-9.1p1-sshbanner.patch # Upstream 25e3bccbaa63d27b9d5e09c123f1eb28594d2bd6 Patch987: openssh-8.0p1-ipv6-process.patch - -Patch1001: 1001-openssh-8.1p1-seccomp-nanosleep.patch - -# Add by Anolis -# fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu -Patch1002: 1000-openssh-anolis-fix-seccomp-error.patch -# End -Patch1004: openssh-8.3p1-fix-desynchronised-utimes-failed.patch -Patch1005: 1005-terminate-pkcs11-process-for-bad-libraries.patch -Patch1006: openssh-8.0p1-CVE-2023-51385.patch -#Fix CVE-2020-15778 -Patch1007: openssh-8.7p1-scp-kill-switch.patch - -Patch2000: openssh-8.0p1-sw.patch +# Upstream 4332b4fe49360679647a8705bc08f4e81323f6b4 +Patch988: openssh-8.0p1-avoidkillall.patch +# Upstream 89b54900ac61986760452f132bbe3fb7249cfdac +Patch989: openssh-8.0p1-bigsshdconfig.patch +# upsream commit +# b23fe83f06ee7e721033769cfa03ae840476d280 +Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch +#upstream commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec +Patch1017: openssh-9.4p2-limit-delay.patch +#upstream commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 +Patch1018: openssh-9.6p1-CVE-2023-48795.patch +#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a +Patch1019: openssh-9.6p1-CVE-2023-51385.patch +# SCP kill switch +Patch1020: openssh-8.7p1-scp-kill-switch.patch +#upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c +Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch License: BSD Group: Applications/Internet @@ -384,7 +386,7 @@ Requires: openssh = %{version}-%{release} Summary: PAM module for authentication with ssh-agent Group: System Environment/Base Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel} License: BSD %description @@ -525,6 +527,8 @@ popd %patch985 -p1 -b .minimize-sha1-use %patch986 -p1 -b .banner %patch987 -p1 -b .sftp_ipv6 +%patch988 -p1 -b .killall +%patch989 -p1 -b .bigsshdconfig %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -532,13 +536,12 @@ popd %patch100 -p1 -b .coverity -%patch1001 -p1 -%patch1002 -p1 -%patch1004 -p1 -%patch1005 -p1 -%patch1006 -p1 -%patch1007 -p1 -%patch2000 -p1 +%patch1015 -p1 -b .cve-2023-38408 +%patch1017 -p1 -b .limitdelay +%patch1018 -p1 -b .cve-2023-48795 +%patch1019 -p1 -b .cve-2023-51385 +%patch1020 -p1 -b .scp-kill-switch +%patch1021 -p1 -b .ignore-SIGPIPE autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -824,28 +827,49 @@ getent passwd sshd >/dev/null || \ %endif %changelog -* Fri Jun 07 2024 Kai Song - 8.0p1-20.0.4 -- Fix CVE-2020-15778 - -* Wed Mar 20 2024 Weisson - 8.0p1-20.0.3 -- adapt macro `seccomp_audit_arch` to kernel-headers. - -* Wed Mar 20 2024 wxiat - 8.0p1-20.0.2 -- add sw patch - -* Tue Jan 16 2024 Chuanyi Feng - 8.0p1-20.0.1 -- Fix CVE-2023-51385 - -* Tue Sep 19 2023 Ren Bo - 8.0p1-19.0.1 -- Rebuild - -* Wed Aug 2 2023 Liwei Ge - 8.0p1-18.0.1 -- Fix CVE-2023-38408 +* Tue Jun 25 2024 Stepan Broz - 8.0p1-25 +- Upstream: Ignore SIGPIPE earlier in main() + Resolves: RHEL-37743 + +* Tue Feb 06 2024 Dmitry Belyavskiy - 8.0p1-24 +- Providing a kill switch for scp to deal with CVE-2020-15778 + Resolves: RHEL-22870 + +* Fri Jan 05 2024 Dmitry Belyavskiy - 8.0p1-23 +- Fix Terrapin attack + Resolves: RHEL-19308 + +* Thu Dec 21 2023 Dmitry Belyavskiy - 8.0p1-22 +- Fix Terrapin attack + Resolves: RHEL-19308 +- Forbid shell metasymbols in username/hostname + Resolves: RHEL-19788 + +* Tue Nov 07 2023 Dmitry Belyavskiy - 8.0p1-21 +- Using DigestSign/DigestVerify functions for better FIPS compatibility + Resolves: RHEL-5217 + +* Mon Oct 30 2023 Dmitry Belyavskiy - 8.0p1-20 +- Limit artificial delays in sshd while login using AD user + Resolves: RHEL-1684 +- Add comment to OpenSSH server config about FIPS-incompatible key + Resolves: RHEL-5221 +- Avoid killing all processes on system in case of race condition + Resolves: RHEL-11548 +- Avoid sshd_config 256K limit + Resolves: RHEL-5279 +- Using DigestSign/DigestVerify functions for better FIPS compatibility + Resolves: RHEL-5217 +- Fix GSS KEX causing ssh failures when connecting to WinSSHD + Resolves: RHEL-5321 + +* Thu Aug 24 2023 Dmitry Belyavskiy - 8.0p1-19 +- rebuilt + Related: CVE-2023-38408 -* Wed May 24 2023 Weitao Zhou - 8.0p1-17.0.1 -- seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 -- Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) -- another case where a utimes() failure could make scp send (jiang.yong5@zte.com.cn) +* Thu Jul 20 2023 Dmitry Belyavskiy - 8.0p1-18 +- Avoid remote code execution in ssh-agent PKCS#11 support + Resolves: CVE-2023-38408 * Tue Dec 20 2022 Dmitry Belyavskiy - 8.0p1-17 - Fix parsing of IPv6 IPs in sftp client (#2151334) -- Gitee From e6b7ab68bb17deac53ecebda7cf7d0c1a7342ce1 Mon Sep 17 00:00:00 2001 From: songmingliang Date: Fri, 22 Apr 2022 14:02:21 +0800 Subject: [PATCH 2/6] seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 --- 10001-openssh-8.1p1-seccomp-nanosleep.patch | 44 +++++++++++++++++++++ openssh.spec | 11 +++++- 2 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 10001-openssh-8.1p1-seccomp-nanosleep.patch diff --git a/10001-openssh-8.1p1-seccomp-nanosleep.patch b/10001-openssh-8.1p1-seccomp-nanosleep.patch new file mode 100644 index 0000000..4ff852c --- /dev/null +++ b/10001-openssh-8.1p1-seccomp-nanosleep.patch @@ -0,0 +1,44 @@ +commit 7e929163ed40f9ce90060a3ca6df558c3d901379 +Author: Jakub Jelen +Date: Wed Nov 13 12:57:05 2019 +0100 + + seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index b5cda70b..be239767 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_nanosleep + SC_ALLOW(__NR_nanosleep), + #endif ++#ifdef __NR_clock_nanosleep ++ SC_ALLOW(__NR_clock_nanosleep), ++#endif + #ifdef __NR__newselect + SC_ALLOW(__NR__newselect), + #endif + +commit 500c30eaf88f26e4a74b06717fe04afec7a7516f +Author: Jakub Jelen +Date: Wed Nov 27 11:06:55 2019 +0100 + + sandbox-seccomp: Allow clock_nanosleep on ARM + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index be239767..3ef30c9d 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_clock_nanosleep + SC_ALLOW(__NR_clock_nanosleep), + #endif ++#ifdef __NR_clock_nanosleep_time64 ++ SC_ALLOW(__NR_clock_nanosleep_time64), ++#endif ++#ifdef __NR_clock_gettime64 ++ SC_ALLOW(__NR_clock_gettime64), ++#endif + #ifdef __NR__newselect + SC_ALLOW(__NR__newselect), + #endif diff --git a/openssh.spec b/openssh.spec index a07dbd3..d80d9f2 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 # Do we want SELinux & Audit %if 0%{?!noselinux:1} %global WITH_SELINUX 1 @@ -73,7 +74,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist}%{?rescue_rel} +Release: %{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -295,6 +296,8 @@ Patch1020: openssh-8.7p1-scp-kill-switch.patch #upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch +Patch10001: 10001-openssh-8.1p1-seccomp-nanosleep.patch + License: BSD Group: Applications/Internet Requires: /sbin/nologin @@ -386,7 +389,7 @@ Requires: openssh = %{version}-%{release} Summary: PAM module for authentication with ssh-agent Group: System Environment/Base Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel} +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} License: BSD %description @@ -542,6 +545,7 @@ popd %patch1019 -p1 -b .cve-2023-51385 %patch1020 -p1 -b .scp-kill-switch %patch1021 -p1 -b .ignore-SIGPIPE +%patch10001 -p1 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -827,6 +831,9 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Wed Aug 28 2024 Weitao Zhou - 8.0p1-25.0.1 +- seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 + * Tue Jun 25 2024 Stepan Broz - 8.0p1-25 - Upstream: Ignore SIGPIPE earlier in main() Resolves: RHEL-37743 -- Gitee From 268a95d9f16ea908029f434e32387320862cec8d Mon Sep 17 00:00:00 2001 From: songmingliang Date: Fri, 22 Apr 2022 14:04:11 +0800 Subject: [PATCH 3/6] build: support loongarch64 seccomp_filter sandbox --- 10000-openssh-anolis-fix-seccomp-error.patch | 26 ++++++++++++++++++++ openssh.spec | 7 ++++++ 2 files changed, 33 insertions(+) create mode 100644 10000-openssh-anolis-fix-seccomp-error.patch diff --git a/10000-openssh-anolis-fix-seccomp-error.patch b/10000-openssh-anolis-fix-seccomp-error.patch new file mode 100644 index 0000000..f398ce9 --- /dev/null +++ b/10000-openssh-anolis-fix-seccomp-error.patch @@ -0,0 +1,26 @@ +diff -Nur openssh-8.0p1/configure openssh-8.0p1.new/configure +--- openssh-8.0p1/configure 2021-10-29 10:17:53.162420064 +0800 ++++ openssh-8.0p1.new/configure 2021-10-29 10:24:52.638846543 +0800 +@@ -7875,6 +7875,9 @@ + aarch64*-*) + seccomp_audit_arch=AUDIT_ARCH_AARCH64 + ;; ++ loongarch64*-*) ++ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 ++ ;; + s390x-*) + seccomp_audit_arch=AUDIT_ARCH_S390X + ;; +diff -Nur openssh-8.0p1/configure.ac openssh-8.0p1.new/configure.ac +--- openssh-8.0p1/configure.ac 2021-10-29 10:17:49.986802431 +0800 ++++ openssh-8.0p1.new/configure.ac 2021-10-29 10:25:31.102923736 +0800 +@@ -882,6 +882,9 @@ + aarch64*-*) + seccomp_audit_arch=AUDIT_ARCH_AARCH64 + ;; ++ loongarch64*-*) ++ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 ++ ;; + s390x-*) + seccomp_audit_arch=AUDIT_ARCH_S390X + ;; diff --git a/openssh.spec b/openssh.spec index d80d9f2..969a65f 100644 --- a/openssh.spec +++ b/openssh.spec @@ -298,6 +298,11 @@ Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch Patch10001: 10001-openssh-8.1p1-seccomp-nanosleep.patch +# Add by Anolis +# fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu +Patch10002: 10000-openssh-anolis-fix-seccomp-error.patch +# End + License: BSD Group: Applications/Internet Requires: /sbin/nologin @@ -546,6 +551,7 @@ popd %patch1020 -p1 -b .scp-kill-switch %patch1021 -p1 -b .ignore-SIGPIPE %patch10001 -p1 +%patch10002 -p1 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -833,6 +839,7 @@ getent passwd sshd >/dev/null || \ %changelog * Wed Aug 28 2024 Weitao Zhou - 8.0p1-25.0.1 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 +- Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) * Tue Jun 25 2024 Stepan Broz - 8.0p1-25 - Upstream: Ignore SIGPIPE earlier in main() -- Gitee From 8f2070d5b77450fe21a6a86d7cfb6cac3f846827 Mon Sep 17 00:00:00 2001 From: jiangyong Date: Mon, 20 Mar 2023 19:32:24 +0800 Subject: [PATCH 4/6] another case where a utimes() failure could make scp send a desynchronising error; detail: scp(1): when receiving files, scp(1) could be become desynchronised if a utimes(2) system call failed. This could allow file contents to be interpreted as file metadata and thereby permit an adversary to craft a file system that, when copied with scp(1) in a configuration that caused utimes(2) to fail (e.g. under a SELinux policy or syscall sandbox), transferred different file names and contents to the actual file system layout. upstream url: https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1 --- ...sh-8.3p1-fix-desynchronised-utimes-failed.patch | 14 ++++++++++++++ openssh.spec | 3 +++ 2 files changed, 17 insertions(+) create mode 100644 openssh-8.3p1-fix-desynchronised-utimes-failed.patch diff --git a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch new file mode 100644 index 0000000..d522f28 --- /dev/null +++ b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch @@ -0,0 +1,14 @@ +diff --color -ru openssh-8.0p1/scp.c openssh-8.0p1-new/scp.c +--- openssh-8.0p1/scp.c 2023-03-17 16:27:55.831000000 -0400 ++++ openssh-8.0p1-new/scp.c 2023-03-17 16:29:49.246000000 -0400 +@@ -1431,9 +1431,7 @@ + sink(1, vect, src); + if (setimes) { + setimes = 0; +- if (utimes(vect[0], tv) < 0) +- run_err("%s: set times: %s", +- vect[0], strerror(errno)); ++ (void) utimes(vect[0], tv); + } + if (mod_flag) + (void) chmod(vect[0], mode); diff --git a/openssh.spec b/openssh.spec index 969a65f..ddda83d 100644 --- a/openssh.spec +++ b/openssh.spec @@ -302,6 +302,7 @@ Patch10001: 10001-openssh-8.1p1-seccomp-nanosleep.patch # fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu Patch10002: 10000-openssh-anolis-fix-seccomp-error.patch # End +Patch10003: openssh-8.3p1-fix-desynchronised-utimes-failed.patch License: BSD Group: Applications/Internet @@ -552,6 +553,7 @@ popd %patch1021 -p1 -b .ignore-SIGPIPE %patch10001 -p1 %patch10002 -p1 +%patch10003 -p1 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -840,6 +842,7 @@ getent passwd sshd >/dev/null || \ * Wed Aug 28 2024 Weitao Zhou - 8.0p1-25.0.1 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 - Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) +- another case where a utimes() failure could make scp send (jiang.yong5@zte.com.cn) * Tue Jun 25 2024 Stepan Broz - 8.0p1-25 - Upstream: Ignore SIGPIPE earlier in main() -- Gitee From ac156fa6610042163aa44f70f2585cfd8af06f08 Mon Sep 17 00:00:00 2001 From: wxiat Date: Wed, 14 Jun 2023 14:44:23 +0800 Subject: [PATCH 5/6] add sw Signed-off-by: wxiat --- openssh-8.0p1-sw.patch | 27 +++++++++++++++++++++++++++ openssh.spec | 4 ++++ 2 files changed, 31 insertions(+) create mode 100644 openssh-8.0p1-sw.patch diff --git a/openssh-8.0p1-sw.patch b/openssh-8.0p1-sw.patch new file mode 100644 index 0000000..79873e1 --- /dev/null +++ b/openssh-8.0p1-sw.patch @@ -0,0 +1,27 @@ +diff -Naur openssh-8.0p1.org/configure.ac openssh-8.0p1.sw/configure.ac +--- openssh-8.0p1.org/configure.ac 2023-05-17 14:30:46.480006046 +0800 ++++ openssh-8.0p1.sw/configure.ac 2023-05-17 14:32:34.862821373 +0800 +@@ -879,6 +879,9 @@ + arm*-*) + seccomp_audit_arch=AUDIT_ARCH_ARM + ;; ++ sw_64*-*) ++ seccomp_audit_arch=AUDIT_ARCH_SW_64 ++ ;; + aarch64*-*) + seccomp_audit_arch=AUDIT_ARCH_AARCH64 + ;; +diff -Naur openssh-8.0p1.org/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h openssh-8.0p1.sw/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h +--- openssh-8.0p1.org/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h 2016-11-13 11:24:41.000000000 +0800 ++++ openssh-8.0p1.sw/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h 2023-05-17 14:33:39.453095103 +0800 +@@ -79,6 +79,10 @@ + #define CPU_HPPA + #endif + ++#if defined(__sw_64__) || defined(__sw_64) || defined(_M_SW_64) ++ #define CPU_SW_64 ++#endif ++ + #if defined(__alpha__) || defined(__alpha) || defined(_M_ALPHA) + #define CPU_ALPHA + #endif diff --git a/openssh.spec b/openssh.spec index ddda83d..3face61 100644 --- a/openssh.spec +++ b/openssh.spec @@ -304,6 +304,8 @@ Patch10002: 10000-openssh-anolis-fix-seccomp-error.patch # End Patch10003: openssh-8.3p1-fix-desynchronised-utimes-failed.patch +Patch20000: openssh-8.0p1-sw.patch + License: BSD Group: Applications/Internet Requires: /sbin/nologin @@ -554,6 +556,7 @@ popd %patch10001 -p1 %patch10002 -p1 %patch10003 -p1 +%patch20000 -p1 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -843,6 +846,7 @@ getent passwd sshd >/dev/null || \ - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 - Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) - another case where a utimes() failure could make scp send (jiang.yong5@zte.com.cn) +- add sw patch (nijie@wxiat.com) * Tue Jun 25 2024 Stepan Broz - 8.0p1-25 - Upstream: Ignore SIGPIPE earlier in main() -- Gitee From ea67be81d4183ff3b805c2d87d86feac7d8c0a00 Mon Sep 17 00:00:00 2001 From: Weisson Date: Tue, 21 Nov 2023 10:51:48 +0800 Subject: [PATCH 6/6] adapt macro `seccomp_audit_arch` to kernel-headers. Signed-off-by: Weisson --- openssh-8.0p1-sw.patch | 32 ++++++++++++++++++++++++-------- openssh.spec | 1 + 2 files changed, 25 insertions(+), 8 deletions(-) diff --git a/openssh-8.0p1-sw.patch b/openssh-8.0p1-sw.patch index 79873e1..ec68163 100644 --- a/openssh-8.0p1-sw.patch +++ b/openssh-8.0p1-sw.patch @@ -1,19 +1,32 @@ -diff -Naur openssh-8.0p1.org/configure.ac openssh-8.0p1.sw/configure.ac ---- openssh-8.0p1.org/configure.ac 2023-05-17 14:30:46.480006046 +0800 -+++ openssh-8.0p1.sw/configure.ac 2023-05-17 14:32:34.862821373 +0800 -@@ -879,6 +879,9 @@ +From d79f3b68e7eb6638a27bab8853f790d10aa88d93 Mon Sep 17 00:00:00 2001 +From: Weisson +Date: Tue, 21 Nov 2023 10:44:32 +0800 +Subject: [PATCH] Add sw build support. + +Signed-off-by: Weisson +--- + configure.ac | 3 +++ + .../ed25519-donna/ed25519-donna-portable-identify.h | 4 ++++ + 2 files changed, 7 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 6e57635..9e32389 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -879,6 +879,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) arm*-*) seccomp_audit_arch=AUDIT_ARCH_ARM ;; + sw_64*-*) -+ seccomp_audit_arch=AUDIT_ARCH_SW_64 ++ seccomp_audit_arch=AUDIT_ARCH_SW64 + ;; aarch64*-*) seccomp_audit_arch=AUDIT_ARCH_AARCH64 ;; -diff -Naur openssh-8.0p1.org/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h openssh-8.0p1.sw/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h ---- openssh-8.0p1.org/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h 2016-11-13 11:24:41.000000000 +0800 -+++ openssh-8.0p1.sw/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h 2023-05-17 14:33:39.453095103 +0800 +diff --git a/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h b/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h +index 26a264c..4457e9a 100644 +--- a/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h ++++ b/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h @@ -79,6 +79,10 @@ #define CPU_HPPA #endif @@ -25,3 +38,6 @@ diff -Naur openssh-8.0p1.org/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-don #if defined(__alpha__) || defined(__alpha) || defined(_M_ALPHA) #define CPU_ALPHA #endif +-- +2.31.1 + diff --git a/openssh.spec b/openssh.spec index 3face61..807fda8 100644 --- a/openssh.spec +++ b/openssh.spec @@ -847,6 +847,7 @@ getent passwd sshd >/dev/null || \ - Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) - another case where a utimes() failure could make scp send (jiang.yong5@zte.com.cn) - add sw patch (nijie@wxiat.com) +- adapt macro `seccomp_audit_arch` to kernel-headers. (Weisson@linux.alibaba.com) * Tue Jun 25 2024 Stepan Broz - 8.0p1-25 - Upstream: Ignore SIGPIPE earlier in main() -- Gitee