diff --git a/openssh-9.6_p1-CVE-2024-6387.patch b/openssh-9.6_p1-CVE-2024-6387.patch new file mode 100644 index 0000000000000000000000000000000000000000..7b7fb70380d9f942632035a8d9cc4292f19a68ff --- /dev/null +++ b/openssh-9.6_p1-CVE-2024-6387.patch @@ -0,0 +1,19 @@ +https://bugs.gentoo.org/935271 +Backport proposed by upstream at https://marc.info/?l=oss-security&m=171982317624594&w=2. +--- a/log.c ++++ b/log.c +@@ -451,12 +451,14 @@ void + sshsigdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) + { ++#ifdef SYSLOG_R_SAFE_IN_SIGHAND + va_list args; + + va_start(args, fmt); + sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL, + suffix, fmt, args); + va_end(args); ++#endif + _exit(1); + } + diff --git a/openssh.spec b/openssh.spec index 030c8d7258dc0f7b19581aa566723c5e98840875..c2dcb8f053cbfd0ca0302236402a108b180dca7b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 3 +%global openssh_release 4 Name: openssh Version: 9.3p2 @@ -99,6 +99,7 @@ Patch75: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch Patch77: set-ssh-config.patch Patch78: backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch Patch79: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch +Patch80: openssh-9.6_p1-CVE-2024-6387.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -175,78 +176,79 @@ instance. The module is most useful for su and sudo service stacks. %setup -q -a 3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 -%patch3 -p2 -b .psaa-build -%patch4 -p2 -b .psaa-seteuid -%patch5 -p2 -b .psaa-visibility -%patch7 -p2 -b .psaa-compat -%patch6 -p2 -b .psaa-agent -%patch8 -p2 -b .psaa-deref -%patch9 -p2 -b .rsasha2 -%patch10 -p1 -b .psaa-configure-c99 +%patch -P3 -p2 -b .psaa-build +%patch -P4 -p2 -b .psaa-seteuid +%patch -P5 -p2 -b .psaa-visibility +%patch -P7 -p2 -b .psaa-compat +%patch -P6 -p2 -b .psaa-agent +%patch -P8 -p2 -b .psaa-deref +%patch -P9 -p2 -b .rsasha2 +%patch -P10 -p1 -b .psaa-configure-c99 # Remove duplicate headers and library files rm -f $(cat %{SOURCE4}) popd -%patch11 -p1 -b .role-mls -%patch12 -p1 -b .privsep-selinux -%patch14 -p1 -b .keycat -%patch15 -p1 -b .ip-opts -%patch17 -p1 -b .ipv6man -%patch18 -p1 -b .sigpipe -%patch19 -p1 -b .x11 -%patch21 -p1 -b .progress -%patch22 -p1 -b .grab-info -%patch23 -p1 -%patch24 -p1 -b .log-usepam-no -%patch28 -p1 -b .gsskex -%patch29 -p1 -b .force_krb -%patch31 -p1 -b .ccache_name -%patch32 -p1 -b .k5login -%patch33 -p1 -b .kuserok -%patch34 -p1 -b .fromto-remote -%patch35 -p1 -b .contexts -%patch36 -p1 -b .log-in-chroot -%patch37 -p1 -b .scp -%patch30 -p1 -b .GSSAPIEnablek5users -%patch38 -p1 -b .sshdt -%patch39 -p1 -b .sftp-force-mode -%patch40 -p1 -b .s390-dev -%patch41 -p1 -b .x11max -%patch42 -p1 -b .systemd -%patch43 -p1 -b .refactor -%patch44 -p1 -b .sandbox -%patch45 -p1 -b .pkcs11-uri -%patch46 -p1 -b .scp-ipv6 -%patch48 -p1 -b .crypto-policies -%patch49 -p1 -b .openssl-evp -%patch50 -p1 -b .openssl-kdf -%patch51 -p1 -b .visibility -%patch52 -p1 -b .x11-ipv6 -%patch53 -p1 -b .keygen-strip-doseol -%patch54 -p1 -b .preserve-pam-errors -%patch55 -p1 -b .kill-scp -%patch56 -p1 -b .scp-sftpdirs -%patch57 -p1 -b .minrsabits -%patch58 -p1 -b .ibmca -%patch60 -p1 -b .ssh-manpage -%patch61 -p1 -b .negotiate-supported-algs -%patch1 -p1 -b .audit -%patch2 -p1 -b .audit-race -%patch0 -p1 -b .coverity - -%patch66 -p1 -%patch67 -p1 -%patch68 -p1 -%patch69 -p1 -%patch70 -p1 -%patch71 -p1 -%patch72 -p1 -%patch73 -p1 -%patch74 -p1 -%patch75 -p1 -%patch77 -p1 -%patch78 -p1 -%patch79 -p1 +%patch -P11 -p1 -b .role-mls +%patch -P12 -p1 -b .privsep-selinux +%patch -P14 -p1 -b .keycat +%patch -P15 -p1 -b .ip-opts +%patch -P17 -p1 -b .ipv6man +%patch -P18 -p1 -b .sigpipe +%patch -P19 -p1 -b .x11 +%patch -P21 -p1 -b .progress +%patch -P22 -p1 -b .grab-info +%patch -P23 -p1 +%patch -P24 -p1 -b .log-usepam-no +%patch -P28 -p1 -b .gsskex +%patch -P29 -p1 -b .force_krb +%patch -P31 -p1 -b .ccache_name +%patch -P32 -p1 -b .k5login +%patch -P33 -p1 -b .kuserok +%patch -P34 -p1 -b .fromto-remote +%patch -P35 -p1 -b .contexts +%patch -P36 -p1 -b .log-in-chroot +%patch -P37 -p1 -b .scp +%patch -P30 -p1 -b .GSSAPIEnablek5users +%patch -P38 -p1 -b .sshdt +%patch -P39 -p1 -b .sftp-force-mode +%patch -P40 -p1 -b .s390-dev +%patch -P41 -p1 -b .x11max +%patch -P42 -p1 -b .systemd +%patch -P43 -p1 -b .refactor +%patch -P44 -p1 -b .sandbox +%patch -P45 -p1 -b .pkcs11-uri +%patch -P46 -p1 -b .scp-ipv6 +%patch -P48 -p1 -b .crypto-policies +%patch -P49 -p1 -b .openssl-evp +%patch -P50 -p1 -b .openssl-kdf +%patch -P51 -p1 -b .visibility +%patch -P52 -p1 -b .x11-ipv6 +%patch -P53 -p1 -b .keygen-strip-doseol +%patch -P54 -p1 -b .preserve-pam-errors +%patch -P55 -p1 -b .kill-scp +%patch -P56 -p1 -b .scp-sftpdirs +%patch -P57 -p1 -b .minrsabits +%patch -P58 -p1 -b .ibmca +%patch -P60 -p1 -b .ssh-manpage +%patch -P61 -p1 -b .negotiate-supported-algs +%patch -P1 -p1 -b .audit +%patch -P2 -p1 -b .audit-race +%patch -P0 -p1 -b .coverity + +%patch -P66 -p1 +%patch -P67 -p1 +%patch -P68 -p1 +%patch -P69 -p1 +%patch -P70 -p1 +%patch -P71 -p1 +%patch -P72 -p1 +%patch -P73 -p1 +%patch -P74 -p1 +%patch -P75 -p1 +%patch -P77 -p1 +%patch -P78 -p1 +%patch -P79 -p1 +%patch -P80 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 @@ -463,6 +465,12 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Tue Jul 02 2024 Funda Wang - 9.3p2-4 +- Type:CVE +- CVE-2024-6387 +- SUG:NA +- DESC:fix CVE-2024-6387 + * Mon Apr 29 2024 renmingshuai - 9.3p2-3 - Type:bugfix - CVE: