From 252ed8ae18f3e2ae5449de8e2a519ffcc212e6c961fa8534741ed8d8b6196eab Mon Sep 17 00:00:00 2001
From: Petr Cerny
Date: Fri, 29 Apr 2016 16:34:58 +0000
Subject: [PATCH] Accepting request 392909 from home:pcerny:factory fix broken seccomp sandbox
OBS-URL: https://build.opensuse.org/request/show/392909
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=101
---
 openssh-6.6p1-seccomp_stat.patch | 28 ++++++++++++++++++++++++++++
 openssh-askpass-gnome.spec | 2 +-
 openssh.changes | 7 +++++++
 openssh.spec | 16 +++++++++-------
 4 files changed, 45 insertions(+), 8 deletions(-)
 create mode 100644 openssh-6.6p1-seccomp_stat.patch
diff --git a/openssh-6.6p1-seccomp_stat.patch b/openssh-6.6p1-seccomp_stat.patch
new file mode 100644
index 0000000..80d1fd2
--- /dev/null
+++ b/openssh-6.6p1-seccomp_stat.patch
@@ -0,0 +1,28 @@
+# HG changeset patch
+# Parent 8c8249d4e830ade9dfa1d2294c6218bbe439cb4a
+Allow the stat() syscall for OpenSSL re-seed patch
+(which causes OpenSSL use stat() on some file)
+
+bnc#912436
+
+diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c
+--- a/openssh-6.6p1/sandbox-seccomp-filter.c
++++ b/openssh-6.6p1/sandbox-seccomp-filter.c
+@@ -97,16 +97,17 @@ static const struct sock_filter preauth_
+ SC_ALLOW(gettimeofday),
+ SC_ALLOW(clock_gettime),
+ #ifdef __NR_time /* not defined on EABI ARM */
+ SC_ALLOW(time),
+ #endif
+ SC_ALLOW(read),
+ SC_ALLOW(write),
+ SC_ALLOW(close),
++ SC_ALLOW(stat),
+ #ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
+ SC_ALLOW(shutdown),
+ #endif
+ SC_ALLOW(brk),
+ SC_ALLOW(poll),
+ #ifdef __NR__newselect
+ SC_ALLOW(_newselect),
+ #else
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index 6410b72..883a1e8 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
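Review bot: `SC_ALLOW(stat)` is added to the pre-auth filter without the `#ifdef __NR_...` guard that its neighbours `time` and `shutdown` carry, so the entry will not build on architectures that do not define `__NR_stat`, and where libc issues `stat64` instead the sandbox would presumably still kill the child. Wrapping it as `#ifdef __NR_stat` / `SC_ALLOW(stat),` / `#endif` keeps the filter portable. The entry also lets the unprivileged pre-auth child query metadata for any path, which widens what a compromised child can learn; if the OpenSSL re-seed code tolerates a failed stat(), a non-fatal deny through the `SC_DENY(stat, EACCES)` form (the macro this file already uses for `open`, as far as I recall) would be narrower. A comment such as `/* OpenSSL RNG re-seed calls stat(); bnc#912436 */` above the entry would record why it is there. The filter array starts and ends outside the hunk.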
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh-askpass-gnome
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
diff --git a/openssh.changes b/openssh.changes
index b001797..ccd8f5d 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Apr 29 15:56:38 UTC 2016 - pcerny@suse.com
+
+- update seccomp sandbox that broke after OpenSSL update
+ (bsc#912436, bsc#977812)
+ [openssh-6.6p1-seccomp_stat.patch]
+
 -------------------------------------------------------------------
 Wed Apr 6 11:42:35 UTC 2016 - kukuk@suse.com
diff --git a/openssh.spec b/openssh.spec
index d44cb90..5dd129b 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -149,10 +149,11 @@ Patch33: openssh-6.6p1-host_ident.patch
 Patch34: openssh-6.6p1-sftp_homechroot.patch
 Patch35: openssh-6.6p1-sftp_force_permissions.patch
 Patch36: openssh-6.6p1-seccomp_getuid.patch
-Patch37: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
-Patch38: openssh-6.6p1-fips-checks.patch
-Patch39: openssh-6.6p1-ldap.patch
-Patch40: CVE-2016-0777_CVE-2016-0778.patch
+Patch37: openssh-6.6p1-seccomp_stat.patch
+Patch38: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
+Patch39: openssh-6.6p1-fips-checks.patch
+Patch40: openssh-6.6p1-ldap.patch
+Patch41: CVE-2016-0777_CVE-2016-0778.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -228,14 +229,15 @@ cryptomodule.
 %patch37 -p2
 %patch38 -p2
 %patch39 -p2
-%patch40 -p0
+%patch40 -p2
+%patch41 -p0
 cp %{SOURCE3} %{SOURCE4} .
 %build
 # set libexec dir in the LDAP patch
 sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
 $( grep -Rl @LIBEXECDIR@ \
- $( grep "^+++" %{PATCH39} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
+ $( grep "^+++" %{PATCH40} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
 )
 autoreconf -fiv
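Review bot: The `%{PATCH40}` reference in `%build` hard-codes the number of the LDAP patch, so inserting `openssh-6.6p1-seccomp_stat.patch` at slot 37 meant shifting this line and the `-p2`/`-p0` strip levels in `%prep` by hand. If a later insertion misses it, the `sed` would take its file list from a different patch and leave `@LIBEXECDIR@` unsubstituted, probably without a build error. A comment above the `sed`, e.g. `# PATCH40 must remain the number of openssh-6.6p1-ldap.patch`, or appending new patches at the end of the list instead of renumbering, would make this less fragile. The `%prep` and `%build` sections continue outside the hunk.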