From 9a9eba19723302613698eb384b6db829b4c7f4fd Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 05:14:17 +0000 Subject: import openssh-7.4p1-16.el7 --- diff --git a/SOURCES/openssh-7.4p1-audit.patch b/SOURCES/openssh-7.4p1-audit.patch index 4ce694a..5fb3753 100644 --- a/SOURCES/openssh-7.4p1-audit.patch +++ b/SOURCES/openssh-7.4p1-audit.patch @@ -1606,6 +1606,20 @@ diff -up openssh-7.4p1/packet.c.audit openssh-7.4p1/packet.c /* * Returns the IP-address of the remote host as a string. The returned * string must not be freed. +@@ -510,11 +510,12 @@ + const char * + ssh_remote_ipaddr(struct ssh *ssh) + { +- const int sock = ssh->state->connection_in; ++ int sock; + + /* Check whether we have cached the ipaddr. */ + if (ssh->remote_ipaddr == NULL) { + if (ssh_packet_connection_is_on_socket(ssh)) { ++ sock = ssh->state->connection_in; + ssh->remote_ipaddr = get_peer_ipaddr(sock); + ssh->remote_port = get_peer_port(sock); + ssh->local_ipaddr = get_local_ipaddr(sock); @@ -562,13 +570,6 @@ ssh_packet_close(struct ssh *ssh) if (!state->initialized) return; diff --git a/SOURCES/openssh-7.4p1-authorized_keys_command.patch b/SOURCES/openssh-7.4p1-authorized_keys_command.patch new file mode 100644 index 0000000..86f887d --- /dev/null +++ b/SOURCES/openssh-7.4p1-authorized_keys_command.patch 
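Review bot: In `ssh_remote_ipaddr()` the deferred `sock = ssh->state->connection_in;` only avoids touching `ssh->state` when `ssh->remote_ipaddr` is already cached. On the uncached path `ssh_packet_connection_is_on_socket(ssh)` is still called first, and whether that helper tolerates a torn-down state is not visible here. If the aim is to survive calls made during cleanup, record it on the declaration, worded as an assumption to confirm: `/* read connection_in only on the uncached path; state may already be released during cleanup */`. The function body continues past the hunk.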
@@ -0,0 +1,38 @@
+From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Fri, 30 Dec 2016 22:08:02 +0000
+Subject: [PATCH] upstream commit
+
+fix deadlock when keys/principals command produces a lot of
+output and a key is matched early; bz#2655, patch from jboning AT gmail.com
+
+Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
+---
+ auth2-pubkey.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 20f3309e1..70c021589 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
+
+ ok = process_principals(f, NULL, pw, cert);
+
++ fclose(f);
++ f = NULL;
++
+ if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
+ goto out;
+
+@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
+
+ ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+
++ fclose(f);
++ f = NULL;
++
+ if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
+ goto out;
+
+
diff --git a/SOURCES/openssh-7.4p1-fips.patch b/SOURCES/openssh-7.4p1-fips.patch
index 38bd6f8..d325029 100644
--- a/SOURCES/openssh-7.4p1-fips.patch
+++ b/SOURCES/openssh-7.4p1-fips.patch
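Review bot: Closing `f` before `exited_cleanly()` in `match_principals_command()` and `user_key_command_allowed2()` removes the deadlock, but a helper that is still writing when a key matches early will most likely be ended by SIGPIPE or see a write error. Whether `exited_cleanly()` treats that as a failure is not visible in the hunks; if it does, a matching key is rejected whenever the command emits more output than was read, which fails closed but shows up as an intermittent login failure. Either drain the remaining output before `fclose(f)` or document the behaviour at the call, e.g. `/* close early so the command cannot block on a full pipe; it may then exit on SIGPIPE */`. Both function bodies start and end outside the hunks.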
@@ -80,6 +80,18 @@ diff -up openssh-7.4p1/cipher-ctr.c.fips openssh-7.4p1/cipher-ctr.c #endif return (&aes_ctr); } +diff -up openssh-7.4p1/clientloop.c.fips openssh-7.4p1/clientloop.c +--- openssh-7.4p1/clientloop.c.fips 2017-05-30 19:10:26.537505598 +0200 ++++ openssh-7.4p1/clientloop.c 2017-05-30 19:10:26.571505583 +0200 +@@ -2452,7 +2452,7 @@ client_input_hostkeys(void) + /* Check that the key is accepted in HostkeyAlgorithms */ + if (match_pattern_list(sshkey_ssh_name(key), + options.hostkeyalgorithms ? options.hostkeyalgorithms : +- KEX_DEFAULT_PK_ALG, 0) != 1) { ++ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), 0) != 1) { + debug3("%s: %s key not permitted by HostkeyAlgorithms", + __func__, sshkey_ssh_name(key)); + continue; diff -up openssh-7.4p1/dh.h.fips openssh-7.4p1/dh.h --- openssh-7.4p1/dh.h.fips 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/dh.h 2017-02-09 14:53:47.182347441 +0100 @@ -309,9 +321,24 @@ diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h ---- openssh-7.4p1/myproposal.h.fips 2016-12-19 05:59:41.000000000 +0100 -+++ openssh-7.4p1/myproposal.h 2017-02-09 14:53:47.184347440 +0100 -@@ -144,6 +144,37 @@ +--- openssh-7.4p1/myproposal.h.fips 2017-05-30 19:10:26.535505599 +0200 ++++ openssh-7.4p1/myproposal.h 2017-05-30 19:10:26.574505582 +0200 +@@ -119,6 +119,14 @@ + "ssh-rsa," \ + "ssh-dss" + ++#define KEX_FIPS_PK_ALG \ ++ HOSTKEY_ECDSA_CERT_METHODS \ ++ "ssh-rsa-cert-v01@openssh.com," \ ++ HOSTKEY_ECDSA_METHODS \ ++ "rsa-sha2-512," \ ++ "rsa-sha2-256," \ ++ "ssh-rsa" ++ + /* the actual algorithms */ + + #define KEX_CLIENT_ENCRYPT \ +@@ -144,6 +152,37 @@ #define KEX_CLIENT_MAC KEX_SERVER_MAC 
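Review bot: In `client_input_hostkeys()` the FIPS list is only the fallback: when `options.hostkeyalgorithms` is set, the key name is matched against the user-supplied list and `KEX_FIPS_PK_ALG` is never consulted. If FIPS mode is meant to bound the accepted host key algorithms rather than only change the default, the configured list has to be checked against `KEX_FIPS_PK_ALG` here or rejected when options are parsed; nothing on this page shows that happening. At minimum the existing comment could say so, e.g. `/* Check that the key is accepted in HostkeyAlgorithms (the FIPS list is a default only) */`. The function starts and ends outside the hunk.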
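Review bot: `KEX_FIPS_PK_ALG` is added to myproposal.h without a comment, and the list still ends with `ssh-rsa`, whose signatures are SHA-1 based. Please add a header comment saying what the list is for and what it omits relative to `KEX_DEFAULT_PK_ALG`, e.g. `/* public key algorithms offered by default in FIPS mode: no DSA, no Ed25519 */`. It should also say whether keeping `ssh-rsa` is a deliberate interoperability choice, so a later reader does not have to guess.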
@@ -365,22 +392,39 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.fips op diff -up openssh-7.4p1/readconf.c.fips openssh-7.4p1/readconf.c --- openssh-7.4p1/readconf.c.fips 2017-02-09 14:53:47.185347438 +0100 +++ openssh-7.4p1/readconf.c 2017-02-09 14:56:24.840191308 +0100 -@@ -2104,9 +2104,12 @@ fill_default_options(Options * options) +@@ -2104,12 +2104,17 @@ fill_default_options(Options * options) } if (options->update_hostkeys == -1) options->update_hostkeys = 0; - if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 || - kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 || - kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 || +- kex_assemble_names(KEX_DEFAULT_PK_ALG, + if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT + : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 || + kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC + : KEX_CLIENT_MAC), &options->macs) != 0 || + kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS + : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, ++ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG ++ : KEX_DEFAULT_PK_ALG), &options->hostbased_key_types) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, +- kex_assemble_names(KEX_DEFAULT_PK_ALG, ++ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG ++ : KEX_DEFAULT_PK_ALG), + &options->pubkey_key_types) != 0) + fatal("%s: kex_assemble_names failed", __func__); + +@@ -2559,7 +2564,8 @@ dump_client_config(Options *o, const cha + char buf[8]; + + /* This is normally prepared in ssh_kex2 */ +- if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0) ++ if (kex_assemble_names((FIPS_mode() ? 
KEX_FIPS_PK_ALG ++ : KEX_DEFAULT_PK_ALG), &o->hostkeyalgorithms) != 0) + fatal("%s: kex_assemble_names failed", __func__); + + /* Most interesting options first: user, host, port */ diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-seccomp-filter.c --- openssh-7.4p1/sandbox-seccomp-filter.c.fips 2017-02-09 14:53:47.177347446 +0100 +++ openssh-7.4p1/sandbox-seccomp-filter.c 2017-02-09 14:53:47.185347438 +0100 
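Review bot: The expression `FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG` is written out at every call site in `fill_default_options()` and `dump_client_config()`, and again in the servconf.c, sshconnect2.c and clientloop.c hunks of this patch. A call site that is missed, or one added later, silently falls back to the non-FIPS list, so a single definition next to `KEX_FIPS_PK_ALG` would be safer: `#define KEX_PK_ALG_FOR_MODE (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG)` (the name is only a suggestion). Call sites then reduce to `kex_assemble_names(KEX_PK_ALG_FOR_MODE, &options->pubkey_key_types)`. Both functions extend beyond the hunk.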
@@ -395,25 +439,36 @@ diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-secco SC_DENY(openat, EACCES), #endif diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c ---- openssh-7.4p1/servconf.c.fips 2017-02-09 14:53:47.169347454 +0100 -+++ openssh-7.4p1/servconf.c 2017-02-09 14:57:24.957131771 +0100 -@@ -184,9 +184,12 @@ option_clear_or_none(const char *o) +--- openssh-7.4p1/servconf.c.fips 2017-06-07 13:07:28.403983349 +0200 ++++ openssh-7.4p1/servconf.c 2017-06-07 13:09:46.710997099 +0200 +@@ -185,14 +185,20 @@ option_clear_or_none(const char *o) static void assemble_algorithms(ServerOptions *o) { - if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || - kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || - kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || +- kex_assemble_names(KEX_DEFAULT_PK_ALG, + if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT + : KEX_SERVER_ENCRYPT), &o->ciphers) != 0 || + kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC + : KEX_SERVER_MAC), &o->macs) != 0 || + kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS + : KEX_SERVER_KEX), &o->kex_algorithms) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, ++ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG ++ : KEX_DEFAULT_PK_ALG), &o->hostkeyalgorithms) != 0 || - kex_assemble_names(KEX_DEFAULT_PK_ALG, -@@ -2386,8 +2389,10 @@ dump_config(ServerOptions *o) +- kex_assemble_names(KEX_DEFAULT_PK_ALG, ++ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG ++ : KEX_DEFAULT_PK_ALG), + &o->hostbased_key_types) != 0 || +- kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0) ++ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG ++ : KEX_DEFAULT_PK_ALG), &o->pubkey_key_types) != 0) + fatal("kex_assemble_names failed"); + } + +@@ -2390,8 +2396,10 @@ dump_config(ServerOptions *o) /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sXAuthLocation, o->xauth_location); 
@@ -426,7 +481,7 @@ diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c dump_cfg_string(sBanner, o->banner == NULL ? "none" : o->banner); dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sChrootDirectory, o->chroot_directory); -@@ -2402,8 +2407,8 @@ dump_config(ServerOptions *o) +@@ -2406,14 +2414,17 @@ dump_config(ServerOptions *o) dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); dump_cfg_string(sHostKeyAgent, o->host_key_agent); @@ -435,8 +490,20 @@ diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c + dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : + FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX); dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? - o->hostbased_key_types : KEX_DEFAULT_PK_ALG); +- o->hostbased_key_types : KEX_DEFAULT_PK_ALG); ++ o->hostbased_key_types : (FIPS_mode() ? KEX_FIPS_PK_ALG ++ : KEX_DEFAULT_PK_ALG)); dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? +- o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); ++ o->hostkeyalgorithms : (FIPS_mode() ? KEX_FIPS_PK_ALG ++ : KEX_DEFAULT_PK_ALG)); + dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? +- o->pubkey_key_types : KEX_DEFAULT_PK_ALG); ++ o->pubkey_key_types : (FIPS_mode() ? KEX_FIPS_PK_ALG ++ : KEX_DEFAULT_PK_ALG)); + + /* string arguments requiring a lookup */ + dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff -up openssh-7.4p1/ssh.c.fips openssh-7.4p1/ssh.c --- openssh-7.4p1/ssh.c.fips 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/ssh.c 2017-02-09 14:53:47.185347438 +0100 
@@ -518,7 +585,17 @@ diff -up openssh-7.4p1/sshconnect2.c.fips openssh-7.4p1/sshconnect2.c #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -172,21 +174,26 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct soc + for (i = 0; i < options.num_system_hostfiles; i++) + load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); + +- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG); ++ oavail = avail = xstrdup((FIPS_mode() ++ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG)); + maxlen = strlen(avail) + 1; + first = xmalloc(maxlen); + last = xmalloc(maxlen); +@@ -172,21 +175,26 @@ ssh_kex2(char *host, struct sockaddr *ho #ifdef GSSAPI if (options.gss_keyex) { @@ -560,6 +637,25 @@ diff -up openssh-7.4p1/sshconnect2.c.fips openssh-7.4p1/sshconnect2.c } } #endif +@@ -204,14 +212,16 @@ ssh_kex2(char *host, struct sockaddr *ho + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + if (options.hostkeyalgorithms != NULL) { +- if (kex_assemble_names(KEX_DEFAULT_PK_ALG, ++ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG ++ : KEX_DEFAULT_PK_ALG), + &options.hostkeyalgorithms) != 0) + fatal("%s: kex_assemble_namelist", __func__); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = + compat_pkalg_proposal(options.hostkeyalgorithms); + } else { + /* Enforce default */ +- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); ++ options.hostkeyalgorithms = xstrdup((FIPS_mode() ++ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG)); + /* Prefer algorithms that we already have keys for */ + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = + compat_pkalg_proposal( diff -up openssh-7.4p1/sshd.c.fips openssh-7.4p1/sshd.c --- openssh-7.4p1/sshd.c.fips 2017-02-09 14:53:47.178347445 +0100 +++ openssh-7.4p1/sshd.c 2017-02-09 14:53:47.186347437 +0100 diff --git a/SOURCES/openssh-7.4p1-rekeying-timeouts.patch b/SOURCES/openssh-7.4p1-rekeying-timeouts.patch new file mode 100644 index 0000000..50e4257 --- /dev/null 
+++ b/SOURCES/openssh-7.4p1-rekeying-timeouts.patch
@@ -0,0 +1,18 @@
+diff --git a/serverloop.c b/serverloop.c
+index b5eb3440..1535eeb2 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -225,9 +225,10 @@ wait_until_can_do_something(int connection_in, int connection_out,
+ uint64_t keepalive_ms =
+ (uint64_t)options.client_alive_interval * 1000;
+
+- client_alive_scheduled = 1;
+- if (max_time_ms == 0 || max_time_ms > keepalive_ms)
++ if (max_time_ms == 0 || max_time_ms > keepalive_ms) {
+ max_time_ms = keepalive_ms;
++ client_alive_scheduled = 1;
++ }
+ }
+
+ #if 0
+
diff --git a/SOURCES/openssh-7.4p1-sandbox-ibmca.patch b/SOURCES/openssh-7.4p1-sandbox-ibmca.patch
index 5479c65..c5a3d28 100644
--- a/SOURCES/openssh-7.4p1-sandbox-ibmca.patch
+++ b/SOURCES/openssh-7.4p1-sandbox-ibmca.patch
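Review bot: In `wait_until_can_do_something()` `client_alive_scheduled` is now set only when the keepalive interval is what bounds `max_time_ms`, and nothing records why. When a rekey deadline is consistently the shorter timeout, this block never arms the client-alive check. Whether probes get scheduled some other way is outside the hunk, so please confirm that a rekey interval shorter than ClientAliveInterval still lets unresponsive clients be detected. A comment would help the next reader: `/* only arm the client-alive check when the keepalive, not the rekey deadline, ends the wait */`.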
@@ -147,3 +147,65 @@ index 6e7de31..e86aa2c 100644 #endif -- 1.9.1 + +The EP11 crypto card needs to make an ioctl call, which receives an +specific argument. This crypto card is for s390 only. + +Signed-off-by: Eduardo Barretto +--- + sandbox-seccomp-filter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index e86aa2c..98062f1 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = { + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK), + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO), + SC_ALLOW_ARG(ioctl, 1, ICARSACRT), ++ /* Allow ioctls for EP11 crypto card on s390 */ ++ SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB), + #endif /* defined(__NR_ioctl) && defined(__s390__) */ + + /* Default deny */ +-- +1.9.1 + +In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock +and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 +implementation) which calls the libraries that will communicate with the +crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, +this is only need on s390 architecture. + +Signed-off-by: Eduardo Barretto +--- + sandbox-seccomp-filter.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index ca75cc7..6e7de31 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_exit_group + SC_ALLOW(exit_group), + #endif ++#if defined(__NR_flock) && defined(__s390__) ++ SC_ALLOW(flock), ++#endif + #ifdef __NR_getpgid + SC_ALLOW(getpgid), + #endif +@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_gettimeofday + SC_ALLOW(gettimeofday), + #endif ++#if defined(__NR_ipc) && defined(__s390__) ++ SC_ALLOW(ipc), ++#endif + #ifdef __NR_madvise + SC_ALLOW(madvise), + #endif +-- +1.9.1 
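Review bot: `SC_ALLOW(flock)` and `SC_ALLOW(ipc)` open two whole syscalls in the pre-authentication filter `preauth_insns[]`, whereas the neighbouring s390 ioctl entries are narrowed with `SC_ALLOW_ARG(ioctl, 1, ...)`. `ipc` multiplexes the System V shared-memory, semaphore and message-queue calls, so an unfiltered allow grants all of them to the unprivileged pre-auth process. If OpenCryptoki needs only some of those operations, consider one `SC_ALLOW_ARG(ipc, 0, <call number>)` entry per operation where that is feasible. Otherwise add a comment listing which operations are required and why they cannot be narrowed. The rules are compiled only under `__s390__`, and the array continues outside the hunks.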
diff --git a/SOURCES/openssh-7.4p1-winscp-compat.patch b/SOURCES/openssh-7.4p1-winscp-compat.patch
new file mode 100644
index 0000000..55fa6fc
--- /dev/null
+++ b/SOURCES/openssh-7.4p1-winscp-compat.patch
@@ -0,0 +1,31 @@
+commit 2985d4062ebf4204bbd373456a810d558698f9f5
+Author: dtucker@openbsd.org
+Date: Tue Jul 25 09:22:25 2017 +0000
+
+ upstream commit
+
+ Make WinSCP patterns for SSH_OLD_DHGEX more specific to
+ exclude WinSCP 5.10.x and up. bz#2748, from martin at winscp.net, ok djm@
+
+ Upstream-ID: 6fd7c32e99af3952db007aa180e73142ddbc741a
+
+diff --git a/compat.c b/compat.c
+index 156a5ea8..d82135e2 100644
+--- a/compat.c
++++ b/compat.c
+@@ -177,9 +177,12 @@ compat_datafellows(const char *version)
+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
+ { "WinSCP_release_4*,"
+ "WinSCP_release_5.0*,"
+- "WinSCP_release_5.1*,"
+- "WinSCP_release_5.5*,"
+- "WinSCP_release_5.6*,"
++ "WinSCP_release_5.1,"
++ "WinSCP_release_5.1.*,"
++ "WinSCP_release_5.5,"
++ "WinSCP_release_5.5.*,"
++ "WinSCP_release_5.6,"
++ "WinSCP_release_5.6.*,"
+ "WinSCP_release_5.7,"
+ "WinSCP_release_5.7.1,"
+ "WinSCP_release_5.7.2,"
diff --git a/SOURCES/openssh-7.5p1-sftp-empty-files.patch b/SOURCES/openssh-7.5p1-sftp-empty-files.patch
new file mode 100644
index 0000000..c32ad20
--- /dev/null
+++ b/SOURCES/openssh-7.5p1-sftp-empty-files.patch
@@ -0,0 +1,35 @@ +From 4d827f0d75a53d3952288ab882efbddea7ffadfe Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 4 Apr 2017 00:24:56 +0000 +Subject: [PATCH] upstream commit + +disallow creation (of empty files) in read-only mode; +reported by Michal Zalewski, feedback & ok deraadt@ + +Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b +--- + sftp-server.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sftp-server.c b/sftp-server.c +index 3619cdfc0..df0fb5068 100644 +--- a/sftp-server.c ++++ b/sftp-server.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */ ++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */ + /* + * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. + * +@@ -691,8 +691,8 @@ process_open(u_int32_t id) + logit("open \"%s\" flags %s mode 0%o", + name, string_from_portable(pflags), mode); + if (readonly && +- ((flags & O_ACCMODE) == O_WRONLY || +- (flags & O_ACCMODE) == O_RDWR)) { ++ ((flags & O_ACCMODE) != O_RDONLY || ++ (flags & (O_CREAT|O_TRUNC)) != 0)) { + verbose("Refusing open request in read-only mode"); + status = SSH2_FX_PERMISSION_DENIED; + } else { + diff --git a/SOURCES/pam_ssh_agent_auth-0.10.3-agent_structure.patch b/SOURCES/pam_ssh_agent_auth-0.10.3-agent_structure.patch index 91e1c3d..e9822ac 100644 --- a/SOURCES/pam_ssh_agent_auth-0.10.3-agent_structure.patch +++ b/SOURCES/pam_ssh_agent_auth-0.10.3-agent_structure.patch @@ -633,7 +633,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa- /* extern u_char *session_id2; extern uint8_t session_id_len; */ -@@ -58,7 +60,8 @@ userauth_pubkey_from_id(const char *ruse +@@ -58,40 +60,41 @@ userauth_pubkey_from_id(const char *ruse Buffer b = { 0 }; char *pkalg = NULL; u_char *pkblob = NULL, *sig = NULL; 
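Review bot: The new read-only test in `process_open()` carries no comment explaining why `O_CREAT|O_TRUNC` is checked separately from the access mode, so the second clause could later be dropped as redundant. A one-line comment above the condition would prevent that: `/* O_RDONLY combined with O_CREAT or O_TRUNC still creates or empties a file */`. The rest of `process_open()` is outside the hunk, so whether other request handlers apply the same read-only rule cannot be checked from here.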
@@ -643,7 +643,11 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa- int authenticated = 0; pkalg = (char *) key_ssh_name(id->key); -@@ -67,31 +70,31 @@ userauth_pubkey_from_id(const char *ruse + ++ /* construct packet to sign and test */ ++ buffer_init(&b); ++ + /* first test if this key is even allowed */ if(! pam_user_key_allowed(ruser, id->key)) goto user_auth_clean_exit; @@ -651,10 +655,9 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa- + if(key_to_blob(id->key, &pkblob, &blen) == 0) goto user_auth_clean_exit; - /* construct packet to sign and test */ +- /* construct packet to sign and test */ - pamsshagentauth_buffer_init(&b); -+ buffer_init(&b); - +- - pamsshagentauth_buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset); - pamsshagentauth_buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST); - pamsshagentauth_buffer_put_cstring(&b, ruser); diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index c2ce291..5c030bc 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -64,9 +64,9 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 7.4p1 -%define openssh_rel 13 +%define openssh_rel 16 %define pam_ssh_agent_ver 0.10.3 -%define pam_ssh_agent_rel 1 +%define pam_ssh_agent_rel 2 Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh 
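Review bot: In `userauth_pubkey_from_id()` `buffer_init(&b)` now runs before the first `goto user_auth_clean_exit`, but the comment that moved with it, `/* construct packet to sign and test */`, does not explain why it sits there. Presumably the cleanup label releases `b` and therefore needs it initialised on every exit path; the label is outside the hunk, so this is an assumption to confirm. A comment such as `/* initialise b before any jump to user_auth_clean_exit */` would stop the call being moved back next to the packet construction.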
@@ -242,6 +242,14 @@ Patch954: openssh-7.4p1-ControlPath_too_long.patch Patch955: openssh-7.4p1-sandbox-ibmca.patch # Back to UseDNS=yes by default (#1478175) Patch956: openssh-7.4p1-usedns-yes.patch +# Clatch between ClientAlive timeouts and rekeying (#1480510) +Patch957: openssh-7.4p1-rekeying-timeouts.patch +# WinSCP 5.10+ compatibility (#1496808) +Patch958: openssh-7.4p1-winscp-compat.patch +# SSH AuthorizedKeysCommand hangs when output is too large (#1496467) +Patch959: openssh-7.4p1-authorized_keys_command.patch +# Fix for CVE-2017-15906 (#1517226) +Patch960: openssh-7.5p1-sftp-empty-files.patch License: BSD Group: Applications/Internet @@ -492,6 +500,10 @@ popd %patch954 -p1 -b .ControlPath %patch955 -p1 -b .ibmca %patch956 -p1 -b .usedns +%patch957 -p1 -b .rekey-timeout +%patch958 -p1 -b .winscp +%patch959 -p1 -b .large-command +%patch960 -p1 -b .sftp-empty %patch200 -p1 -b .audit %patch202 -p1 -b .audit-race @@ -817,6 +829,21 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Fri Nov 24 2017 Jakub Jelen - 7.4p1-16 + 0.10.3-2 +- Fix for CVE-2017-15906 (#1517226) + +* Mon Nov 06 2017 Jakub Jelen - 7.4p1-15 + 0.10.3-2 +- Do not hang if SSH AuthorizedKeysCommand output is too large (#1496467) +- Do not segfault pam_ssh_agent_auth if keyfile is missing (#1494268) +- Do not segfault in audit code during cleanup (#1488083) +- Add WinSCP 5.10+ compatibility (#1496808) +- Clatch between ClientAlive and rekeying timeouts (#1480510) +- Exclude dsa and ed25519 from default proposed keys in FIPS mode (#1456853) +- Add enablement for openssl-ibmca and openssl-ibmpkcs11 (#1478035) + +* Fri Nov 3 2017 Nikos Mavrogiannopoulos - 7.4p1-14 + 0.10.3-2 +- Rebuilt for RHEL-7.5 + * Wed Sep 13 2017 Jakub Jelen - 7.4p1-13 + 0.10.3-1 - Revert default of GSSAPIStrictAcceptorCheck=no back to yes (#1488982)