Accepting request 392909 from home:pcerny:factory

fix broken seccomp sandbox

OBS-URL: https://build.opensuse.org/request/show/392909
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=101

openssh-6.6p1-seccomp_stat.patch

@@ -0,0 +1,28 @@
+# HG changeset patch
+# Parent  8c8249d4e830ade9dfa1d2294c6218bbe439cb4a
+Allow the stat() syscall for OpenSSL re-seed patch
+(which causes OpenSSL use stat() on some file)
+
+bnc#912436
+
+diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c
+--- a/openssh-6.6p1/sandbox-seccomp-filter.c
++++ b/openssh-6.6p1/sandbox-seccomp-filter.c
+@@ -97,16 +97,17 @@ static const struct sock_filter preauth_
+ 	SC_ALLOW(gettimeofday),
+ 	SC_ALLOW(clock_gettime),
+ #ifdef __NR_time /* not defined on EABI ARM */
+ 	SC_ALLOW(time),
+ #endif
+ 	SC_ALLOW(read),
+ 	SC_ALLOW(write),
+ 	SC_ALLOW(close),
++	SC_ALLOW(stat),
+ #ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
+ 	SC_ALLOW(shutdown),
+ #endif
+ 	SC_ALLOW(brk),
+ 	SC_ALLOW(poll),
+ #ifdef __NR__newselect
+ 	SC_ALLOW(_newselect),
+ #else

openssh-askpass-gnome.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openssh-askpass-gnome
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed

openssh.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Apr 29 15:56:38 UTC 2016 - pcerny@suse.com
+
+- update seccomp sandbox that broke after OpenSSL update 
+  (bsc#912436, bsc#977812)
+  [openssh-6.6p1-seccomp_stat.patch]
+
 -------------------------------------------------------------------
 Wed Apr  6 11:42:35 UTC 2016 - kukuk@suse.com
 

openssh.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openssh
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -149,10 +149,11 @@ Patch33:        openssh-6.6p1-host_ident.patch
 Patch34:        openssh-6.6p1-sftp_homechroot.patch
 Patch35:        openssh-6.6p1-sftp_force_permissions.patch
 Patch36:        openssh-6.6p1-seccomp_getuid.patch
-Patch37:        openssh-6.6p1-X_forward_with_disabled_ipv6.patch
-Patch38:        openssh-6.6p1-fips-checks.patch
-Patch39:        openssh-6.6p1-ldap.patch
-Patch40:        CVE-2016-0777_CVE-2016-0778.patch
+Patch37:        openssh-6.6p1-seccomp_stat.patch
+Patch38:        openssh-6.6p1-X_forward_with_disabled_ipv6.patch
+Patch39:        openssh-6.6p1-fips-checks.patch
+Patch40:        openssh-6.6p1-ldap.patch
+Patch41:        CVE-2016-0777_CVE-2016-0778.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -228,14 +229,15 @@ cryptomodule.
 %patch37 -p2
 %patch38 -p2
 %patch39 -p2
-%patch40 -p0
+%patch40 -p2
+%patch41 -p0
 cp %{SOURCE3} %{SOURCE4} .
 
 %build
 # set libexec dir in the LDAP patch
 sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
     $( grep -Rl @LIBEXECDIR@ \
-        $( grep "^+++" %{PATCH39} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
+        $( grep "^+++" %{PATCH40} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
     )
 
 autoreconf -fiv