Accepting request 392910 from network

fix broken seccomp sandbox (forwarded request 392909 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/392910
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=105
Dominique Leuenberger 2016-05-05 11:18:08 +00:00 committed by Git OBS Bridge
commit 7c21c564dc
4 changed files with 45 additions and 8 deletions

@ -0,0 +1,28 @@
# HG changeset patch
# Parent 8c8249d4e830ade9dfa1d2294c6218bbe439cb4a
Allow the stat() syscall for OpenSSL re-seed patch
(which causes OpenSSL use stat() on some file)
bnc#912436
diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c
--- a/openssh-6.6p1/sandbox-seccomp-filter.c
+++ b/openssh-6.6p1/sandbox-seccomp-filter.c
@@ -97,16 +97,17 @@ static const struct sock_filter preauth_
SC_ALLOW(gettimeofday),
SC_ALLOW(clock_gettime),
#ifdef __NR_time /* not defined on EABI ARM */
SC_ALLOW(time),
#endif
SC_ALLOW(read),
SC_ALLOW(write),
SC_ALLOW(close),
+ SC_ALLOW(stat),
#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
SC_ALLOW(shutdown),
#endif
SC_ALLOW(brk),
SC_ALLOW(poll),
#ifdef __NR__newselect
SC_ALLOW(_newselect),
#else
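Review bot: `SC_ALLOW(stat)` is added to the pre-auth filter without an `#ifdef __NR_stat` guard, while the neighbouring `time` and `shutdown` entries in this same hunk are guarded because the syscall number is not defined on every architecture. Please wrap the new entry the same way so the filter still builds where the number is missing. The patch header also only says OpenSSL uses stat() "on some file"; naming that file in the header and in a comment beside the entry would let a later reader judge why the pre-auth process needs the call and whether the allowance can be dropped again.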

@ -1,7 +1,7 @@
#
# spec file for package openssh-askpass-gnome
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
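Review bot: the copyright holder line in the spec header changes here, which is unrelated to the seccomp fix and is not mentioned in the changes entry. Please either drop it from this request or note it in the changelog so the sandbox fix can be reviewed and backported on its own. The same applies to the identical header change in the openssh spec file.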

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Apr 29 15:56:38 UTC 2016 - pcerny@suse.com
- update seccomp sandbox that broke after OpenSSL update
(bsc#912436, bsc#977812)
[openssh-6.6p1-seccomp_stat.patch]
-------------------------------------------------------------------
Wed Apr 6 11:42:35 UTC 2016 - kukuk@suse.com
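Review bot: the new entry says the sandbox was "updated" but not what the policy change is; since this widens the pre-auth syscall allowlist, the entry should say that stat() is now permitted. The bug references also differ from the patch itself: the entry cites bsc#912436 and bsc#977812, while the header of openssh-6.6p1-seccomp_stat.patch only carries bnc#912436. Please add the second reference to the patch header so the two stay traceable to each other.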

@ -1,7 +1,7 @@
#
# spec file for package openssh
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -149,10 +149,11 @@ Patch33: openssh-6.6p1-host_ident.patch
Patch34: openssh-6.6p1-sftp_homechroot.patch
Patch35: openssh-6.6p1-sftp_force_permissions.patch
Patch36: openssh-6.6p1-seccomp_getuid.patch
Patch37: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
Patch38: openssh-6.6p1-fips-checks.patch
Patch39: openssh-6.6p1-ldap.patch
Patch40: CVE-2016-0777_CVE-2016-0778.patch
Patch37: openssh-6.6p1-seccomp_stat.patch
Patch38: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
Patch39: openssh-6.6p1-fips-checks.patch
Patch40: openssh-6.6p1-ldap.patch
Patch41: CVE-2016-0777_CVE-2016-0778.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
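Review bot: inserting the new patch as Patch37 shifts four existing entries, including the CVE-2016-0777_CVE-2016-0778 patch, to new numbers, and every numbered reference elsewhere in the spec has to follow. If openssh-6.6p1-seccomp_stat.patch only needs to apply after openssh-6.6p1-seccomp_getuid.patch, appending it as Patch41 would keep the existing numbers stable and make this change much smaller. If it has to sit directly after Patch36, a short comment saying so would explain the renumbering.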
@ -228,14 +229,15 @@ cryptomodule.
%patch37 -p2
%patch38 -p2
%patch39 -p2
%patch40 -p0
%patch40 -p2
%patch41 -p0
cp %{SOURCE3} %{SOURCE4} .
%build
# set libexec dir in the LDAP patch
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
$( grep -Rl @LIBEXECDIR@ \
$( grep "^+++" %{PATCH39} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
$( grep "^+++" %{PATCH40} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
)
autoreconf -fiv
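Review bot: the `%{PATCH39}` to `%{PATCH40}` change in the `@LIBEXECDIR@` substitution shows that this step depends on the LDAP patch keeping a fixed number, and nothing fails if it drifts: the `grep "^+++"` would then read a different patch and the sed would leave `@LIBEXECDIR@` unreplaced without any error. Please add a check after the sed that no `@LIBEXECDIR@` remains in the tree, or refer to the LDAP patch through a named macro defined next to its `Patch` line. The same hunk changes `%patch40` from `-p0` to `-p2` and adds `%patch41 -p0`; please confirm the strip levels still line up with the renumbered patches, since only the CVE patch used `-p0` before.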