From c8a4397d72dae675dc0ed82e9129fa148e14a3a9 Mon Sep 17 00:00:00 2001 From: DistroBaker Date: Nov 22 2020 16:58:56 +0000 Subject: Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openssh.git#126d278fec03d044c5d4a19015f1214420ec9097
---
diff --git a/openssh-8.4p1-debian-compat.patch b/openssh-8.4p1-debian-compat.patch
new file mode 100644
index 0000000..0af1d3d
--- /dev/null
+++ b/openssh-8.4p1-debian-compat.patch
@@ -0,0 +1,57 @@
+--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
++++ compat.h 2020-10-05 10:10:17.587733113 -0700
+@@ -34,7 +34,7 @@
+
+ #define SSH_BUG_UTF8TTYMODE 0x00000001
+ #define SSH_BUG_SIGTYPE 0x00000002
+-/* #define unused 0x00000004 */
++#define SSH_BUG_SIGTYPE74 0x00000004
+ /* #define unused 0x00000008 */
+ #define SSH_OLD_SESSIONID 0x00000010
+ /* #define unused 0x00000020 */
+--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
++++ compat.c 2020-10-05 10:13:11.637282492 -0700
+@@ -65,11 +65,12 @@
+ { "OpenSSH_6.5*,"
+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
+ SSH_BUG_SIGTYPE},
++ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
++ SSH_BUG_SIGTYPE74},
+ { "OpenSSH_7.0*,"
+ "OpenSSH_7.1*,"
+ "OpenSSH_7.2*,"
+ "OpenSSH_7.3*,"
+- "OpenSSH_7.4*,"
+ "OpenSSH_7.5*,"
+ "OpenSSH_7.6*,"
+ "OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
+--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
++++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
+@@ -1305,6 +1305,26 @@
+ break;
+ }
+ free(oallowed);
++ /*
++ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
++ * support. For that release, check the local policy against the
++ * SHA2 signature types.
++ */
++ if (alg == NULL &&
++ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
++ oallowed = allowed = xstrdup(options.pubkey_key_types);
++ while ((cp = strsep(&allowed, ",")) != NULL) {
++ if (sshkey_type_from_name(cp) != key->type)
++ continue;
++ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
++ if (tmp != NULL)
++ alg = xstrdup(cp);
++ free(tmp);
++ if (alg != NULL)
++ break;
++ }
++ free(oallowed);
++ }
+ return alg;
+ }
+
+
diff --git a/openssh-8.4p1-sandbox-seccomp.patch b/openssh-8.4p1-sandbox-seccomp.patch
new file mode 100644
index 0000000..ac4ee61
--- /dev/null
+++ b/openssh-8.4p1-sandbox-seccomp.patch
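Review bot: In the sshconnect2.c part of the embedded patch, the new fallback picks an RSA SHA2 signature algorithm that the server did not advertise, keyed only on the `OpenSSH_7.4*` banner match in compat.c, and it leaves no trace in the client log. The choice is still filtered through `options.pubkey_key_types`, so local policy is respected, but a line such as `debug("%s: OpenSSH 7.4 peer, using %s", __func__, alg);` when the fallback sets `alg` would make the workaround visible when diagnosing authentication failures. The `match_list()` call also runs well past 80 columns; breaking it after `sshkey_sigalg_by_name(cp),` with `"rsa-sha2-256,rsa-sha2-512", NULL);` on a continuation line would fix that. The enclosing function starts outside the inner hunk, so the first selection loop and its early-return conditions are not visible here.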
@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c06..5065ae7e 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+ SC_ALLOW(__NR_pselect6),
+ #endif
++#ifdef __NR_pselect6_time64
++ SC_ALLOW(__NR_pselect6_time64),
++#endif
+ #ifdef __NR_read
+ SC_ALLOW(__NR_read),
+ #endif
diff --git a/openssh.spec b/openssh.spec
index df39c02..feba23f 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.4p1 -%global openssh_rel 2 +%global openssh_rel 3 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 1
@@ -197,6 +197,10 @@ Patch965: openssh-8.2p1-visibility.patch # Do not break X11 without IPv6 Patch966: openssh-8.2p1-x11-without-ipv6.patch Patch967: openssh-8.4p1-ssh-copy-id.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=3232 +Patch968: openssh-8.4p1-sandbox-seccomp.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=3213 +Patch969: openssh-8.4p1-debian-compat.patch License: BSD Requires: /sbin/nologin
@@ -381,6 +385,8 @@ popd %patch965 -p1 -b .visibility %patch966 -p1 -b .x11-ipv6 %patch967 -p1 -b .ssh-copy-id +%patch968 -p1 -b .seccomp +%patch969 -p0 -b .debian %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race
@@ -663,6 +669,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Nov 19 2020 Jakub Jelen - 8.4p1-3 + 0.10.4-1 +- Unbreak seccomp filter on arm (#1897712) +- Add a workaround for Debian's broken OpenSSH (#1881301) + * Tue Oct 06 2020 Jakub Jelen - 8.4p1-2 + 0.10.4-1 - Unbreak ssh-copy-id after a release (#1884231) - Remove misleading comment from sysconfig
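Review bot: The new `SC_ALLOW(__NR_pselect6_time64)` entry in `preauth_insns[]` carries no comment saying why the pre-auth allowlist grows, which makes later audits of the filter harder. A one-line comment above the `#ifdef`, for example `/* 64-bit time_t variant of pselect6 used by 32-bit ABIs */`, would record that this is the same call as the `__NR_pselect6` entry just before it rather than a new capability. The array is only partly visible in this hunk, so whether the other `_time64` variants the pre-auth process needs are already listed should be checked against the full file.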