diff --git a/openssh-7.9p1-ssh-copy-id.patch b/openssh-7.9p1-ssh-copy-id.patch
new file mode 100644
index 0000000..cab8d11
--- /dev/null
+++ b/openssh-7.9p1-ssh-copy-id.patch
@@ -0,0 +1,12 @@
+diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh-copy-id
+--- openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id 2019-01-23 20:44:32.880912180 +0100
++++ openssh-7.9p1/contrib/ssh-copy-id 2019-01-23 20:44:24.512842410 +0100
+@@ -296,7 +296,7 @@ case "$REMOTE_VERSION" in
+ # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+ # 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh.
+ [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
+- ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
++ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys || exit 1; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
+ || exit 1
+ ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
+ ;;
diff --git a/openssh.spec b/openssh.spec
index 1aa5240..412ae5e 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -233,6 +233,9 @@ Patch955: openssh-7.9p1-match-final.patch
 Patch956: openssh-7.9p1-backports.patch
 # Backport patch for CVE-2018-20685 (#1665786)
 Patch957: openssh-7.9p1-CVE-2018-20685.patch
+# ssh-copy-id is unmaintained: Aggreagete patches
+# - do not return 0 if the write fails (full disk)
+Patch958: openssh-7.9p1-ssh-copy-id.patch
 License: BSD
 Requires: /sbin/nologin
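Review bot: In openssh-7.9p1-ssh-copy-id.patch, the `|| exit 1` added inside the brace group looks redundant as far as the visible line shows: when `echo >> .ssh/authorized_keys` fails, the group already returns non-zero, `&& cat` is skipped and the trailing `|| exit 1` runs, so the remote status was already 1 on that path. If the full-disk case that returned 0 came from another step (possibly a remote shell whose `echo` does not report the write error), this change would not cover it, so the patch header should name the shell and the step that returned 0. Separately, a failed `cat >>` can leave a truncated key line in `authorized_keys`, and every `exit 1` skips the `restorecon` step, so a freshly created `.ssh` may keep the wrong label. A comment above the `ssh` call such as `# on failure authorized_keys may hold a partial line and .ssh is not relabelled` would document that for whoever handles the error. The enclosing `case` arm starts and ends outside the hunk.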
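Review bot: In openssh.spec, the comment added above `Patch958` misspells "Aggregate" as `Aggreagete`, and unlike the `Patch957` comment it carries no tracker reference for the full-disk report. Suggest `# ssh-copy-id is unmaintained: Aggregate patches` and a reference on the bullet, e.g. `# - do not return 0 if the write fails (full disk) (#<bug-id>)`, where `<bug-id>` is a placeholder for the actual report. That lets a later rebase check whether upstream has picked the fix up before the patch is dropped.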
@@ -452,6 +455,7 @@ popd
 %patch955 -p1 -b .match-final
 %patch956 -p1 -b .backports
 %patch957 -p1 -b .CVE-2018-20685
+%patch958 -p1 -b .ssh-copy-id
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race