From 631079e45ea5d6d90253306ba633835c4a34ea4f Mon Sep 17 00:00:00 2001
From: bitianyuan
Date: Thu, 5 Dec 2024 06:13:31 +0000
Subject: [PATCH] Set OPENSSL_BIN from OpenSSL directory

remove unused patch skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch

Signed-off-by: bitianyuan
---
 ...t-OPENSSL_BIN-from-OpenSSL-directory.patch | 78 ++++++++++++++
 openssh.spec | 10 +-
 ...-if-there-is-no-openssl-on-local-pat.patch | 100 ------------------
 3 files changed, 87 insertions(+), 101 deletions(-)
 create mode 100644 backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch
 delete mode 100644 skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch

diff --git a/backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch b/backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch
new file mode 100644
index 0000000..d6c9e33
--- /dev/null
+++ b/backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch
@@ -0,0 +1,78 @@
+From 3c80942727444934fef8e06b2fd6ae51f1025d6d Mon Sep 17 00:00:00 2001
+From: bitianyuan
+Date: Thu, 5 Dec 2024 04:41:40 +0000
+Subject: [PATCH] backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory
+
+---
+ Makefile.in | 1 +
+ configure.ac | 6 ++++++
+ regress/test-exec.sh | 3 ++-
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 01895a7..b26e3a2 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -736,6 +736,7 @@ tests: file-tests t-exec interop-tests unit
+ unit: regress-unit-binaries
+ BUILDDIR=`pwd`; \
+ cd $(srcdir)/regress || exit $$?; \
++ OPENSSL_BIN='@OPENSSL_BIN' \
+ $(MAKE) \
+ .OBJDIR="$${BUILDDIR}/regress" \
+ .CURDIR="`pwd`" \
+diff --git a/configure.ac b/configure.ac
+index d5a156c..0b36b5e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -119,10 +119,12 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
+ ])
+
+ openssl=yes
++openssl_bin=openssl
+ AC_ARG_WITH([openssl],
+ [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
+ [ if test "x$withval" = "xno" ; then
+ openssl=no
++ openssl_bin=""
+ fi
+ ]
+ )
+@@ -2674,6 +2676,7 @@ AC_CHECK_FUNCS([getpgrp],[
+ # Search for OpenSSL
+ saved_CPPFLAGS="$CPPFLAGS"
+ saved_LDFLAGS="$LDFLAGS"
++openssl_bin_PATH="$PATH"
+ AC_ARG_WITH([ssl-dir],
+ [ --with-ssl-dir=PATH Specify path to OpenSSL installation ],
+ [
+@@ -2709,9 +2712,12 @@ AC_ARG_WITH([ssl-dir],
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
++ openssl_bin_PATH="${PATH}${PATH_SEPARATOR}${withval}/bin${PATH_SEPARATOR}${withval}/apps"
+ fi
+ ]
+ )
++AC_PATH_PROGS([openssl_bin], openssl, [], [$openssl_bin_PATH])
++AC_SUBST(OPENSSL_BIN, [${openssl_bin}])
+
+ AC_ARG_WITH([openssl-header-check],
+ [ --without-openssl-header-check Disable OpenSSL version consistency check],
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 3e3b20e..44cf725 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -102,7 +102,8 @@ CONCH=conch
+
+ # Tools used by multiple tests
+ NC=$OBJ/netcat
+-OPENSSL_BIN="${OPENSSL_BIN:-openssl}"
++# Always use the one configure tells us to, even if that's empty.
++#OPENSSL_BIN="${OPENSSL_BIN:-openssl}"
+
+ if [ "x$TEST_SSH_SSH" != "x" ]; then
+ SSH="${TEST_SSH_SSH}"
+--
+2.33.0
+
diff --git a/openssh.spec b/openssh.spec
index 73f5d25..2c9cdc7 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 %global sshd_uid 74
-%global openssh_release 32
+%global openssh_release 33
 Name: openssh
 Version: 8.8p1
@@ -133,6 +133,7 @@ Patch103: backport-CVE-2023-48795.patch
 Patch104: fix-memory-leak-in-kex-exchange.patch
 Patch105: backport-fix-CVE-2024-6387.patch
 Patch106: backport-fix-CVE-2024-6409.patch
+Patch107: backport-upstream-Set-OPENSSL_BIN-from-OpenSSL-directory.patch
 Requires: /sbin/nologin
 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -316,6 +317,7 @@ popd
 %patch104 -p1
 %patch105 -p1
 %patch106 -p1
+%patch107 -p1
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -522,6 +524,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %changelog
+* Thu Dec 5 2024 bitianyuan - 8.8p1-33
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:Set OPENSSL_BIN from OpenSSL directory
+
 * Wed Jul 10 2024 songjuntao - 8.8p1-32
 - Type:CVE
 - CVE:CVE-2024-6409
diff --git a/skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch b/skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
deleted file mode 100644
index f56ed5b..0000000
--- a/skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
+++ /dev/null
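Review bot: The Makefile.in hunk inside the new patch writes `OPENSSL_BIN='@OPENSSL_BIN' \` without the closing `@`, so config.status will not substitute it and the regress run inherits the literal string `@OPENSSL_BIN` (unless the trailing `@` was lost in rendering); it should read `OPENSSL_BIN='@OPENSSL_BIN@' \`. This matters more than it looks because the test-exec.sh hunk comments out the `${OPENSSL_BIN:-openssl}` fallback, so any regress target that does not export the configure value leaves `$OPENSSL_BIN` empty and pipelines such as `$OPENSSL_BIN sha1` degrade to a bare `sha1`, a hard failure rather than a skip; the export shown here is only under `unit:`, and whether `t-exec`/`interop-tests` get the same export is outside this hunk. In the configure.ac hunk `openssl_bin_PATH` lists `$PATH` before `${withval}/bin`, so an `openssl` that happens to be on the build host's PATH wins over the one under `--with-ssl-dir`, which is the reverse of what the patch title promises and means the tests may exercise a different OpenSSL build than the one linked; if the configured directory should take precedence, use `openssl_bin_PATH="${withval}/bin${PATH_SEPARATOR}${withval}/apps${PATH_SEPARATOR}${PATH}"` or at least document the chosen order. Finally, the `--without-openssl` branch sets `openssl_bin=""`, and if I read AC_PATH_PROGS correctly an empty preset does not suppress the search, so OPENSSL_BIN is still populated from PATH in that configuration; a comment stating that this is intentional would avoid a later "fix".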
@@ -1,100 +0,0 @@
-From a0772385f1b4086aacdc6d84a3daea4b2ef26f30 Mon Sep 17 00:00:00 2001
-From: chengyechun
-Date: Thu, 5 Jan 2023 23:43:22 +0800
-Subject: [PATCH] skip tests for '%C' if there is no openssl on local path
-
---
- regress/percent.sh | 24 +++++----
- ...t-if-there-is-no-openssl-on-local-pa.patch | 30 +++++++++++++++++++
- 2 files changed, 48 insertions(+), 6 deletions(-)
- create mode 100644 skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
-
-diff --git a/regress/percent.sh b/regress/percent.sh
-index 7ed4184..9c112eb 100644
---- a/regress/percent.sh
-+++ b/regress/percent.sh
-@@ -13,6 +13,10 @@ USERID=`id -u`
- HOST=`hostname | cut -f1 -d.`
- HOSTNAME=`hostname`
-
-+# Check if there is openssl in local PATH
-+NOOPENSSL=0
-+for i in $PATH;do [ -x "$i/openssl" ] && NOOPENSSL=1; done
-+
- # Localcommand is evaluated after connection because %T is not available
- until then. Because of this we use a different method of exercising it,
- and we can't override the remote user otherwise authentication will fail.
-@@ -77,11 +81,14 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
- if [ "$i" = "$localcommand" ]; then
- trial $i '%T' NONE
- fi
-- # Matches implementation in readconf.c:ssh_connection_hash()
-- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
-- $OPENSSL_BIN sha1 | cut -f2 -d' '`
-+ # skip tests for '%C' since no openssl in local PATH
-+ if [ $NOOPENSSL -eq 1 ]; then
-+ # Matches implementation in readconf.c:ssh_connection_hash()
-+ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
-+ $OPENSSL_BIN sha1 | cut -f2 -d' '`
-+ fi
- trial $i '%%' '%'
-- trial $i '%C' $HASH
-+ if [ $NOOPENSSL -eq 1 ]; then trial $i '%C' $HASH; fi
- trial $i '%i' $USERID
- trial $i '%h' 127.0.0.1
- trial $i '%L' $HOST
-@@ -95,8 +102,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
- # containing %d for UserKnownHostsFile
- if [ "$i" != "userknownhostsfile" ]; then
- trial $i '%d' $HOME
-- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
-- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
-+ if [ $NOOPENSSL -eq 0 ]; then
-+ trial $i '%%/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
-+ "%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
-+ else
-+ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
-+ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
-+ fi
- fi
- done
-
-diff --git a/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
-new file mode 100644
-index 0000000..c7af5d9
---- /dev/null
-+++ b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
-@@ -0,0 +1,30 @@
-+From 1da9e48b41ab6eca157d4fa3b74490510d9006ae Mon Sep 17 00:00:00 2001
-+From: chengyechun
-+Date: Thu, 5 Jan 2023 23:43:22 +0800
-+Subject: [PATCH] skip percent test if there is no openssl on local path as
-+ scp3 did
-+
-+---
-+ regress/percent.sh | 6 ++++++
-+ 1 file changed, 6 insertions(+)
-+
-+diff --git a/regress/percent.sh b/regress/percent.sh
-+index 7ed4184..08afbc8 100644
-+--- a/regress/percent.sh
-++++ b/regress/percent.sh
-+@@ -8,6 +8,12 @@ if [ -x "/usr/xpg4/bin/id" ]; then
-+ export PATH
-+ fi
-+
-++NOOPENSSL=0
-++for i in $PATH;do [ -x "$i/openssl" ] && $OPENSSL=1; done
-++if [ $? -eq 0 ]; then
-++ skip "No openssl on local path."
-++fi
-++
-+ USER=`id -u -n`
-+ USERID=`id -u`
-+ HOST=`hostname | cut -f1 -d.`
-+--
-+2.23.0
-+
---
-2.23.0
-
--
Gitee