openssh/openssh-6.6p1-blocksigalrm.patch

# block SIGALRM while logging through syslog to prevent deadlocks (through
# grace_alarm_handler)
# bnc#57354

Index: b/log.c
===================================================================
--- a/log.c
+++ b/log.c
@@ -51,6 +51,7 @@
 #endif
 
 #include "log.h"
+#include <signal.h>
 
 static LogLevel log_level = SYSLOG_LEVEL_INFO;
 static int log_on_stderr = 1;
@@ -388,6 +389,7 @@ do_log(LogLevel level, const char *fmt,
 	char fmtbuf[MSGBUFSIZ];
 	char *txt = NULL;
 	int pri = LOG_INFO;
+	sigset_t nset, oset;
 	int saved_errno = errno;
 	log_handler_fn *tmp_handler;
 
@@ -446,6 +448,14 @@ do_log(LogLevel level, const char *fmt,
 		snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
 		(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));
 	} else {
+		/* Prevent a race between the grace_alarm
+		* which writes a log message and terminates
+		* and main sshd code that leads to deadlock 
+		* as syslog is not async safe.
+		*/ 
+		sigemptyset(&nset);
+		sigaddset(&nset, SIGALRM);
+		sigprocmask(SIG_BLOCK, &nset, &oset);
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
 		openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
 		syslog_r(pri, &sdata, "%.500s", fmtbuf);
@@ -455,6 +465,7 @@ do_log(LogLevel level, const char *fmt,
 		syslog(pri, "%.500s", fmtbuf);
 		closelog();
 #endif
+		sigprocmask(SIG_SETMASK, &oset, NULL);
 	}
 	errno = saved_errno;
 }
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00			`# block SIGALRM while logging through syslog to prevent deadlocks (through`
			`# grace_alarm_handler)`
			`# bnc#57354`

Accepting request 354941 from home:scarabeus_iv:branches:network - Cleanup with spec-cleaner - Update of the master OpenSSH to 7.1p2 - Take refreshed and updated audit patch from redhat * Remove our old patches: + openssh-6.6p1-audit1-remove_duplicit_audit.patch + openssh-6.6p1-audit2-better_audit_of_user_actions.patch + openssh-6.6p1-audit3-key_auth_usage-fips.patch + openssh-6.6p1-audit3-key_auth_usage.patch + openssh-6.6p1-audit4-kex_results-fips.patch + openssh-6.6p1-audit4-kex_results.patch + openssh-6.6p1-audit5-session_key_destruction.patch + openssh-6.6p1-audit6-server_key_destruction.patch + openssh-6.6p1-audit7-libaudit_compat.patch + openssh-6.6p1-audit8-libaudit_dns_timeouts.patch * add openssh-6.7p1-audit.patch - Reenable the openssh-6.6p1-ldap.patch - Update the fips patch from RH build openssh-6.6p1-fips.patch - Update and refresh openssh-6.6p1-gssapi_key_exchange.patch - Remove fips-check patch as it is merged to fips patch * openssh-6.6p1-fips-checks.patch - Rebase and enable chroot patch: * openssh-6.6p1-sftp_homechroot.patch - Reenable rebased patch for linux seed: * openssh-6.6p1-seed-prng.patch - Reenable key converting patch: * openssh-6.6p1-key-converter.patch - Version update to 7.1p2: * various upstream bugfixes and cleanups OBS-URL: https://build.opensuse.org/request/show/354941 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=95 2016-01-21 08:28:30 +01:00			`Index: b/log.c`
			`===================================================================`
			`--- a/log.c`
			`+++ b/log.c`
			`@@ -51,6 +51,7 @@`
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00			`#endif`

			`#include "log.h"`
			`+#include <signal.h>`

			`static LogLevel log_level = SYSLOG_LEVEL_INFO;`
			`static int log_on_stderr = 1;`
Accepting request 354941 from home:scarabeus_iv:branches:network - Cleanup with spec-cleaner - Update of the master OpenSSH to 7.1p2 - Take refreshed and updated audit patch from redhat * Remove our old patches: + openssh-6.6p1-audit1-remove_duplicit_audit.patch + openssh-6.6p1-audit2-better_audit_of_user_actions.patch + openssh-6.6p1-audit3-key_auth_usage-fips.patch + openssh-6.6p1-audit3-key_auth_usage.patch + openssh-6.6p1-audit4-kex_results-fips.patch + openssh-6.6p1-audit4-kex_results.patch + openssh-6.6p1-audit5-session_key_destruction.patch + openssh-6.6p1-audit6-server_key_destruction.patch + openssh-6.6p1-audit7-libaudit_compat.patch + openssh-6.6p1-audit8-libaudit_dns_timeouts.patch * add openssh-6.7p1-audit.patch - Reenable the openssh-6.6p1-ldap.patch - Update the fips patch from RH build openssh-6.6p1-fips.patch - Update and refresh openssh-6.6p1-gssapi_key_exchange.patch - Remove fips-check patch as it is merged to fips patch * openssh-6.6p1-fips-checks.patch - Rebase and enable chroot patch: * openssh-6.6p1-sftp_homechroot.patch - Reenable rebased patch for linux seed: * openssh-6.6p1-seed-prng.patch - Reenable key converting patch: * openssh-6.6p1-key-converter.patch - Version update to 7.1p2: * various upstream bugfixes and cleanups OBS-URL: https://build.opensuse.org/request/show/354941 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=95 2016-01-21 08:28:30 +01:00			`@@ -388,6 +389,7 @@ do_log(LogLevel level, const char *fmt,`
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00			`char fmtbuf[MSGBUFSIZ];`
			`char *txt = NULL;`
			`int pri = LOG_INFO;`
			`+ sigset_t nset, oset;`
			`int saved_errno = errno;`
			`log_handler_fn *tmp_handler;`

Accepting request 354941 from home:scarabeus_iv:branches:network - Cleanup with spec-cleaner - Update of the master OpenSSH to 7.1p2 - Take refreshed and updated audit patch from redhat * Remove our old patches: + openssh-6.6p1-audit1-remove_duplicit_audit.patch + openssh-6.6p1-audit2-better_audit_of_user_actions.patch + openssh-6.6p1-audit3-key_auth_usage-fips.patch + openssh-6.6p1-audit3-key_auth_usage.patch + openssh-6.6p1-audit4-kex_results-fips.patch + openssh-6.6p1-audit4-kex_results.patch + openssh-6.6p1-audit5-session_key_destruction.patch + openssh-6.6p1-audit6-server_key_destruction.patch + openssh-6.6p1-audit7-libaudit_compat.patch + openssh-6.6p1-audit8-libaudit_dns_timeouts.patch * add openssh-6.7p1-audit.patch - Reenable the openssh-6.6p1-ldap.patch - Update the fips patch from RH build openssh-6.6p1-fips.patch - Update and refresh openssh-6.6p1-gssapi_key_exchange.patch - Remove fips-check patch as it is merged to fips patch * openssh-6.6p1-fips-checks.patch - Rebase and enable chroot patch: * openssh-6.6p1-sftp_homechroot.patch - Reenable rebased patch for linux seed: * openssh-6.6p1-seed-prng.patch - Reenable key converting patch: * openssh-6.6p1-key-converter.patch - Version update to 7.1p2: * various upstream bugfixes and cleanups OBS-URL: https://build.opensuse.org/request/show/354941 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=95 2016-01-21 08:28:30 +01:00			`@@ -446,6 +448,14 @@ do_log(LogLevel level, const char *fmt,`
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00			`snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);`
Accepting request 220466 from home:pcerny:factory - Update of the underlying OpenSSH to 6.4p1 - Update to 6.4p1 Features since 6.2p2: * ssh-agent(1) support in sshd(8); allows encrypted hostkeys, or hostkeys on smartcards. * ssh(1)/sshd(8): allow optional time-based rekeying via a second argument to the existing RekeyLimit option. RekeyLimit is now supported in sshd_config as well as on the client. * sshd(8): standardise logging of information during user authentication. * The presented key/cert and the remote username (if available) is now logged in the authentication success/failure message on the same log line as the local username, remote host/port and protocol in use. Certificates contents and the key fingerprint of the signing CA are logged too. * ssh(1) ability to query what cryptographic algorithms are supported in the binary. * ssh(1): ProxyCommand=- for cases where stdin and stdout already point to the proxy. * ssh(1): allow IdentityFile=none * ssh(1)/sshd(8): -E option to append debugging logs to a specified file instead of stderr or syslog. * sftp(1): support resuming partial downloads with the "reget" command and on the sftp commandline or on the "get" commandline with the "-a" (append) option. * ssh(1): "IgnoreUnknown" configuration option to selectively suppress errors arising from unknown configuration directives. * sshd(8): support for submethods to be appended to required authentication methods listed via AuthenticationMethods. OBS-URL: https://build.opensuse.org/request/show/220466 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=58 2014-01-31 13:18:41 +01:00			`(void)write(log_stderr_fd, msgbuf, strlen(msgbuf));`
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00			`} else {`
			`+ /* Prevent a race between the grace_alarm`
			`+ * which writes a log message and terminates`
			`+ * and main sshd code that leads to deadlock`
			`+ * as syslog is not async safe.`
			`+ */`
			`+ sigemptyset(&nset);`
			`+ sigaddset(&nset, SIGALRM);`
			`+ sigprocmask(SIG_BLOCK, &nset, &oset);`
			`#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)`
			`openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);`
			`syslog_r(pri, &sdata, "%.500s", fmtbuf);`
Accepting request 354941 from home:scarabeus_iv:branches:network - Cleanup with spec-cleaner - Update of the master OpenSSH to 7.1p2 - Take refreshed and updated audit patch from redhat * Remove our old patches: + openssh-6.6p1-audit1-remove_duplicit_audit.patch + openssh-6.6p1-audit2-better_audit_of_user_actions.patch + openssh-6.6p1-audit3-key_auth_usage-fips.patch + openssh-6.6p1-audit3-key_auth_usage.patch + openssh-6.6p1-audit4-kex_results-fips.patch + openssh-6.6p1-audit4-kex_results.patch + openssh-6.6p1-audit5-session_key_destruction.patch + openssh-6.6p1-audit6-server_key_destruction.patch + openssh-6.6p1-audit7-libaudit_compat.patch + openssh-6.6p1-audit8-libaudit_dns_timeouts.patch * add openssh-6.7p1-audit.patch - Reenable the openssh-6.6p1-ldap.patch - Update the fips patch from RH build openssh-6.6p1-fips.patch - Update and refresh openssh-6.6p1-gssapi_key_exchange.patch - Remove fips-check patch as it is merged to fips patch * openssh-6.6p1-fips-checks.patch - Rebase and enable chroot patch: * openssh-6.6p1-sftp_homechroot.patch - Reenable rebased patch for linux seed: * openssh-6.6p1-seed-prng.patch - Reenable key converting patch: * openssh-6.6p1-key-converter.patch - Version update to 7.1p2: * various upstream bugfixes and cleanups OBS-URL: https://build.opensuse.org/request/show/354941 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=95 2016-01-21 08:28:30 +01:00			`@@ -455,6 +465,7 @@ do_log(LogLevel level, const char *fmt,`
Accepting request 199679 from home:pcerny:factory - spec file cleanup (don't pointelssly build whole OpenSSH) - spec file and patch cleanup * removing obsoleted auditing patch (openssh-%{version}-audit.patch) - added patches from SLE * GSSAPI key exchange * FIPS enablement (currently disabled) * small bugfixes - split the LDAP helper into a separate package: openssh-akc-ldap OBS-URL: https://build.opensuse.org/request/show/199679 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=55 2013-09-19 06:09:33 +02:00			`syslog(pri, "%.500s", fmtbuf);`
			`closelog();`
			`#endif`
			`+ sigprocmask(SIG_SETMASK, &oset, NULL);`
			`}`
			`errno = saved_errno;`
			`}`