diff --git a/openssh-8.4p1-debian-compat.patch b/openssh-8.4p1-debian-compat.patch
new file mode 100644
index 0000000..0af1d3d
--- /dev/null
+++ b/openssh-8.4p1-debian-compat.patch
@@ -0,0 +1,57 @@
+--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
++++ compat.h 2020-10-05 10:10:17.587733113 -0700
+@@ -34,7 +34,7 @@
+ 
+ #define SSH_BUG_UTF8TTYMODE 0x00000001
+ #define SSH_BUG_SIGTYPE 0x00000002
+-/* #define unused 0x00000004 */
++#define SSH_BUG_SIGTYPE74 0x00000004
+ /* #define unused 0x00000008 */
+ #define SSH_OLD_SESSIONID 0x00000010
+ /* #define unused 0x00000020 */
+--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
++++ compat.c 2020-10-05 10:13:11.637282492 -0700
+@@ -65,11 +65,12 @@
+ { "OpenSSH_6.5*,"
+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
+ SSH_BUG_SIGTYPE},
++ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
++ SSH_BUG_SIGTYPE74},
+ { "OpenSSH_7.0*,"
+ "OpenSSH_7.1*,"
+ "OpenSSH_7.2*,"
+ "OpenSSH_7.3*,"
+- "OpenSSH_7.4*,"
+ "OpenSSH_7.5*,"
+ "OpenSSH_7.6*,"
+ "OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
+--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
++++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
+@@ -1305,6 +1305,26 @@
+ break;
+ }
+ free(oallowed);
++ /*
++ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
++ * support. For that release, check the local policy against the
++ * SHA2 signature types.
++ */
++ if (alg == NULL &&
++ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
++ oallowed = allowed = xstrdup(options.pubkey_key_types);
++ while ((cp = strsep(&allowed, ",")) != NULL) {
++ if (sshkey_type_from_name(cp) != key->type)
++ continue;
++ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
++ if (tmp != NULL)
++ alg = xstrdup(cp);
++ free(tmp);
++ if (alg != NULL)
++ break;
++ }
++ free(oallowed);
++ }
+ return alg;
+ }
+ 
+
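Review bot: The new RSA fallback in the sshconnect2.c hunk is gated on `key->type == KEY_RSA` only, so an RSA certificate key against a peer flagged SSH_BUG_SIGTYPE74 does not take this path and alg stays NULL; if that is deliberate the comment should say so, e.g. `* Plain RSA keys only; RSA certificates are not covered here.`, and if it is not, the check needs the certificate type as well. The block also re-runs the same strsep/match_list loop as the one ending just above it, reusing `cp`, `tmp`, `allowed` and `oallowed` declared outside the hunk, so folding the 7.4 case into the first loop by choosing the permitted signature list up front would avoid the duplicated free(oallowed) bookkeeping and a second strdup of options.pubkey_key_types. The inner parentheses in `(key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))` are redundant and can be dropped. The enclosing function begins outside the hunk.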
diff --git a/openssh-8.4p1-sandbox-seccomp.patch b/openssh-8.4p1-sandbox-seccomp.patch
new file mode 100644
index 0000000..ac4ee61
--- /dev/null
+++ b/openssh-8.4p1-sandbox-seccomp.patch
@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c06..5065ae7e 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+ SC_ALLOW(__NR_pselect6),
+ #endif
++#ifdef __NR_pselect6_time64
++ SC_ALLOW(__NR_pselect6_time64),
++#endif
+ #ifdef __NR_read
+ SC_ALLOW(__NR_read),
+ #endif
diff --git a/openssh.spec b/openssh.spec
index df39c02..feba23f 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.4p1
-%global openssh_rel 2
+%global openssh_rel 3
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 1
 
@@ -197,6 +197,10 @@ Patch965: openssh-8.2p1-visibility.patch
 # Do not break X11 without IPv6
 Patch966: openssh-8.2p1-x11-without-ipv6.patch
 Patch967: openssh-8.4p1-ssh-copy-id.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
+Patch968: openssh-8.4p1-sandbox-seccomp.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
+Patch969: openssh-8.4p1-debian-compat.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -381,6 +385,8 @@ popd
 %patch965 -p1 -b .visibility
 %patch966 -p1 -b .x11-ipv6
 %patch967 -p1 -b .ssh-copy-id
+%patch968 -p1 -b .seccomp
+%patch969 -p0 -b .debian
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -663,6 +669,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Thu Nov 19 2020 Jakub Jelen - 8.4p1-3 + 0.10.4-1
+- Unbreak seccomp filter on arm (#1897712)
+- Add a workaround for Debian's broken OpenSSH (#1881301)
+
 * Tue Oct 06 2020 Jakub Jelen - 8.4p1-2 + 0.10.4-1
 - Unbreak ssh-copy-id after a release (#1884231)
 - Remove misleading comment from sysconfig
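Review bot: The new `__NR_pselect6_time64` entry is an unconditional SC_ALLOW in the pre-auth allowlist, mirroring the `__NR_pselect6` entry directly above it, so no argument filtering is lost; but the same 64-bit time_t syscall split applies to the other time-bearing syscalls the filter permits on 32-bit ABIs (for instance `__NR_ppoll_time64`), and if those are not already paired elsewhere in preauth_insns[] the arm failure this fixes (#1897712) can resurface for any code path that reaches them. Since the new name is not defined on 64-bit targets, a short comment above the block, `/* 64-bit time_t variant of pselect6 used by newer libc on 32-bit ABIs such as arm */`, would record why an entry exists that most builds compile out. The preauth_insns[] array begins and ends outside the hunk.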