Accepting request 392910 from network
fix broken seccomp sandbox (forwarded request 392909 from pcerny) OBS-URL: https://build.opensuse.org/request/show/392910 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=105
commit
7c21c564dc
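--- a/openssh-6.6p1-seccomp_stat.patch
+++ b/openssh-6.6p1-seccomp_stat.patch
@@ -0,0 +1,28 @@
+# HG changeset patch
+# Parent 8c8249d4e830ade9dfa1d2294c6218bbe439cb4a
+Allow the stat() syscall for OpenSSL re-seed patch
+(which causes OpenSSL use stat() on some file)
+
+bnc#912436
+
+diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c
+--- a/openssh-6.6p1/sandbox-seccomp-filter.c
++++ b/openssh-6.6p1/sandbox-seccomp-filter.c
+@@ -97,16 +97,17 @@ static const struct sock_filter preauth_
+SC_ALLOW(gettimeofday),
+SC_ALLOW(clock_gettime),
+#ifdef __NR_time /* not defined on EABI ARM */
+SC_ALLOW(time),
+#endif
+SC_ALLOW(read),
+SC_ALLOW(write),
+SC_ALLOW(close),
++ SC_ALLOW(stat),
+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
+SC_ALLOW(shutdown),
+#endif
+SC_ALLOW(brk),
+SC_ALLOW(poll),
+#ifdef __NR__newselect
+SC_ALLOW(_newselect),
+#else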
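Review bot: `SC_ALLOW(stat),` is added unconditionally, while its neighbours in the same list (`time`, `shutdown`, `_newselect`) sit behind `#ifdef __NR_…` guards because not every architecture defines those syscall numbers. If SC_ALLOW resolves to `__NR_stat`, as those guards suggest, the entry will not build where that number is missing, and on ports whose libc implements stat() through another syscall (for example `stat64`) the pre-auth process would presumably still be killed by the filter. I would write it as `#ifdef __NR_stat` / `SC_ALLOW(stat),` / `#endif` and confirm which stat variant the re-seed code issues on each architecture that is built. Because this widens what the unprivileged pre-auth process may ask the kernel (metadata of any path), a one-line comment such as `/* stat(): needed by the OpenSSL re-seed patch, bnc#912436 */` would let the entry be dropped once that patch goes away. The filter array (`preauth_…` in the hunk header) starts and ends outside the hunk.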
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh-askpass-gnome
|
||||
#
|
||||
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 29 15:56:38 UTC 2016 - pcerny@suse.com
|
||||
|
||||
- update seccomp sandbox that broke after OpenSSL update
|
||||
(bsc#912436, bsc#977812)
|
||||
[openssh-6.6p1-seccomp_stat.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 6 11:42:35 UTC 2016 - kukuk@suse.com
|
||||
|
||||
|
16
openssh.spec
16
openssh.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package openssh
|
||||
#
|
||||
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -149,10 +149,11 @@ Patch33: openssh-6.6p1-host_ident.patch
|
||||
Patch34: openssh-6.6p1-sftp_homechroot.patch
|
||||
Patch35: openssh-6.6p1-sftp_force_permissions.patch
|
||||
Patch36: openssh-6.6p1-seccomp_getuid.patch
|
||||
Patch37: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
|
||||
Patch38: openssh-6.6p1-fips-checks.patch
|
||||
Patch39: openssh-6.6p1-ldap.patch
|
||||
Patch40: CVE-2016-0777_CVE-2016-0778.patch
|
||||
Patch37: openssh-6.6p1-seccomp_stat.patch
|
||||
Patch38: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
|
||||
Patch39: openssh-6.6p1-fips-checks.patch
|
||||
Patch40: openssh-6.6p1-ldap.patch
|
||||
Patch41: CVE-2016-0777_CVE-2016-0778.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
%description
|
||||
@ -228,14 +229,15 @@ cryptomodule.
|
||||
%patch37 -p2
|
||||
%patch38 -p2
|
||||
%patch39 -p2
|
||||
%patch40 -p0
|
||||
%patch40 -p2
|
||||
%patch41 -p0
|
||||
cp %{SOURCE3} %{SOURCE4} .
|
||||
|
||||
%build
|
||||
# set libexec dir in the LDAP patch
|
||||
sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
|
||||
$( grep -Rl @LIBEXECDIR@ \
|
||||
$( grep "^+++" %{PATCH39} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
$( grep "^+++" %{PATCH40} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
|
||||
)
|
||||
|
||||
autoreconf -fiv
|
||||
|