From 0c4516eae3fc5eeaf37faaa2f75fc1f4dbd62803 Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Tue, 15 Aug 2023 10:27:21 +0800
Subject: [PATCH] In channel_request_remote_forwarding the parameters

---
 backport-openssh-6.7p1-coverity.patch         | 26 --------
 ...nel_request_remote_forwarding-the-pa.patch | 62 +++++++++++++++++++
 openssh.spec                                  | 10 ++-
 3 files changed, 71 insertions(+), 27 deletions(-)
 create mode 100644 backport-upstream-In-channel_request_remote_forwarding-the-pa.patch

diff --git a/backport-openssh-6.7p1-coverity.patch b/backport-openssh-6.7p1-coverity.patch
index 4731c85..f1a8d2b 100644
--- a/backport-openssh-6.7p1-coverity.patch
+++ b/backport-openssh-6.7p1-coverity.patch
@@ -78,32 +78,6 @@ Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-ope
  			close(c->sock);
  			c->sock = c->rfd = c->wfd = sock;
  			channel_find_maxfd(ssh->chanctxt);
-@@ -3804,7 +3804,7 @@ int
- channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
- {
- 	int r, success = 0, idx = -1;
--	char *host_to_connect, *listen_host, *listen_path;
-+	char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL;
- 	int port_to_connect, listen_port;
- 
- 	/* Send the forward request to the remote side. */
-@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct
- 	success = 1;
- 	if (success) {
- 		/* Record that connection to this host/port is permitted. */
--		host_to_connect = listen_host = listen_path = NULL;
- 		port_to_connect = listen_port = 0;
- 		if (fwd->connect_path != NULL) {
- 			host_to_connect = xstrdup(fwd->connect_path);
-@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct
- 		    host_to_connect, port_to_connect,
- 		    listen_host, listen_path, listen_port, NULL);
- 	}
-+	free(host_to_connect);
-+	free(listen_host);
-+	free(listen_path);
- 	return idx;
- }
  
 diff -up openssh-8.5p1/compat.c.coverity openssh-8.5p1/compat.c
 --- openssh-8.5p1/compat.c.coverity	2021-03-24 12:03:33.768968062 +0100
diff --git a/backport-upstream-In-channel_request_remote_forwarding-the-pa.patch b/backport-upstream-In-channel_request_remote_forwarding-the-pa.patch
new file mode 100644
index 0000000..369e432
--- /dev/null
+++ b/backport-upstream-In-channel_request_remote_forwarding-the-pa.patch
@@ -0,0 +1,62 @@
+From d323f7ecf52e3d4ec1f4939bf31693e02f891dca Mon Sep 17 00:00:00 2001
+From: "mbuhl@openbsd.org" <mbuhl@openbsd.org>
+Date: Fri, 18 Nov 2022 19:47:40 +0000
+Subject: [PATCH] upstream: In channel_request_remote_forwarding the parameters
+ for
+
+permission_set_add are leaked as they are also duplicated in the call. Found
+by CodeChecker. ok djm
+
+OpenBSD-Commit-ID: 4aef50fa9be7c0b138188814c8fe3dccc196f61e
+
+Reference:https://github.com/openssh/openssh-portable/commit/d323f7ecf52e3d4ec1f4939bf31693e02f891dca
+Conflict:NA
+---
+ channels.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/channels.c b/channels.c
+index e75a0cf9..7c2c882d 100644
+--- a/channels.c
++++ b/channels.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: channels.c,v 1.420 2022/09/19 08:49:50 djm Exp $ */
++/* $OpenBSD: channels.c,v 1.421 2022/11/18 19:47:40 mbuhl Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -4081,7 +4081,7 @@ int
+ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
+ {
+ 	int r, success = 0, idx = -1;
+-	char *host_to_connect, *listen_host, *listen_path;
++	const char *host_to_connect, *listen_host, *listen_path;
+ 	int port_to_connect, listen_port;
+ 
+ 	/* Send the forward request to the remote side. */
+@@ -4112,18 +4112,17 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
+ 		host_to_connect = listen_host = listen_path = NULL;
+ 		port_to_connect = listen_port = 0;
+ 		if (fwd->connect_path != NULL) {
+-			host_to_connect = xstrdup(fwd->connect_path);
++			host_to_connect = fwd->connect_path;
+ 			port_to_connect = PORT_STREAMLOCAL;
+ 		} else {
+-			host_to_connect = xstrdup(fwd->connect_host);
++			host_to_connect = fwd->connect_host;
+ 			port_to_connect = fwd->connect_port;
+ 		}
+ 		if (fwd->listen_path != NULL) {
+-			listen_path = xstrdup(fwd->listen_path);
++			listen_path = fwd->listen_path;
+ 			listen_port = PORT_STREAMLOCAL;
+ 		} else {
+-			if (fwd->listen_host != NULL)
+-				listen_host = xstrdup(fwd->listen_host);
++			listen_host = fwd->listen_host;
+ 			listen_port = fwd->listen_port;
+ 		}
+ 		idx = permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL,
+-- 
+2.23.0
+
diff --git a/openssh.spec b/openssh.spec
index e51b5f7..b5b8af7 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 21
+%global openssh_release 22
 
 Name:           openssh
 Version:        8.8p1
@@ -111,6 +111,7 @@ Patch78:        skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
 Patch79:        set-ssh-config.patch
 Patch80:        backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
 Patch81:        backport-fix-CVE-2023-38408-upstream-terminate-process.patch
+Patch82:        backport-upstream-In-channel_request_remote_forwarding-the-pa.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -271,6 +272,7 @@ popd
 %patch79 -p1
 %patch80 -p1
 %patch81 -p1
+%patch82 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -467,6 +469,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Tue Aug 15 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-22
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:In channel_request_remote_forwarding the parameters
+
 * Thu Jul 27 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-21
 - Type:CVE
 - CVE:CVE-2023-38408
-- 
Gitee