Accepting request 547285 from home:pcerny:factory-temp
Temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches. OBS-URL: https://build.opensuse.org/request/show/547285 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=126
parent
09d123e96c
commit
ad9209ae06
@ -1,17 +1,35 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent 4e1fd41aaa9cafe8f7b07868ac38ed4dbdf594aa
|
# Parent 49d9204835f069a6b628e7bf4ed53baf81f8bf91
|
||||||
Do not allow unix socket when running without privilege separation to prevent
|
Do not allow unix socket when running without privilege separation to prevent
|
||||||
privilege escalation through a socket created with root: ownership.
|
privilege escalation through a socket created with root: ownership.
|
||||||
|
|
||||||
CVE-2016-10010
|
CVE-2016-10010
|
||||||
bsc#1016368
|
bsc#1016368
|
||||||
|
bsc#1051559
|
||||||
|
|
||||||
backported upstream commit b737e4d7433577403a31cff6614f6a1b0b5e22f4
|
backported upstream commits
|
||||||
|
b737e4d7433577403a31cff6614f6a1b0b5e22f4
|
||||||
|
51045869fa084cdd016fdd721ea760417c0a3bf3
|
||||||
|
|
||||||
diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
|
diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
|
||||||
--- a/openssh-7.2p2/serverloop.c
|
--- a/openssh-7.2p2/serverloop.c
|
||||||
+++ b/openssh-7.2p2/serverloop.c
|
+++ b/openssh-7.2p2/serverloop.c
|
||||||
@@ -990,17 +990,17 @@ server_request_direct_streamlocal(void)
|
@@ -979,28 +979,32 @@ server_request_direct_tcpip(void)
|
||||||
|
}
|
||||||
|
|
||||||
|
static Channel *
|
||||||
|
server_request_direct_streamlocal(void)
|
||||||
|
{
|
||||||
|
Channel *c = NULL;
|
||||||
|
char *target, *originator;
|
||||||
|
u_short originator_port;
|
||||||
|
+ struct passwd *pw = the_authctxt->pw;
|
||||||
|
+
|
||||||
|
+ if (pw == NULL || !the_authctxt->valid)
|
||||||
|
+ fatal("server_input_global_request: no/invalid user");
|
||||||
|
|
||||||
|
target = packet_get_string(NULL);
|
||||||
|
originator = packet_get_string(NULL);
|
||||||
originator_port = packet_get_int();
|
originator_port = packet_get_int();
|
||||||
packet_check_eom();
|
packet_check_eom();
|
||||||
|
|
||||||
@ -21,7 +39,7 @@ diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
|
|||||||
/* XXX fine grained permissions */
|
/* XXX fine grained permissions */
|
||||||
if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
|
if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
|
||||||
- !no_port_forwarding_flag) {
|
- !no_port_forwarding_flag) {
|
||||||
+ !no_port_forwarding_flag && use_privsep) {
|
+ !no_port_forwarding_flag && (pw->pw_uid == 0 || use_privsep)) {
|
||||||
c = channel_connect_to_path(target,
|
c = channel_connect_to_path(target,
|
||||||
"direct-streamlocal@openssh.com", "direct-streamlocal");
|
"direct-streamlocal@openssh.com", "direct-streamlocal");
|
||||||
} else {
|
} else {
|
||||||
@ -30,7 +48,41 @@ diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
|
|||||||
originator, originator_port, target);
|
originator, originator_port, target);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1274,17 +1274,17 @@ server_input_global_request(int type, u_
|
@@ -1212,29 +1216,29 @@ server_input_hostkeys_prove(struct sshbu
|
||||||
|
|
||||||
|
static int
|
||||||
|
server_input_global_request(int type, u_int32_t seq, void *ctxt)
|
||||||
|
{
|
||||||
|
char *rtype;
|
||||||
|
int want_reply;
|
||||||
|
int r, success = 0, allocated_listen_port = 0;
|
||||||
|
struct sshbuf *resp = NULL;
|
||||||
|
+ struct passwd *pw = the_authctxt->pw;
|
||||||
|
+
|
||||||
|
+ if (pw == NULL || !the_authctxt->valid)
|
||||||
|
+ fatal("server_input_global_request: no/invalid user");
|
||||||
|
|
||||||
|
rtype = packet_get_string(NULL);
|
||||||
|
want_reply = packet_get_char();
|
||||||
|
debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
|
||||||
|
|
||||||
|
/* -R style forwarding */
|
||||||
|
if (strcmp(rtype, "tcpip-forward") == 0) {
|
||||||
|
- struct passwd *pw;
|
||||||
|
struct Forward fwd;
|
||||||
|
|
||||||
|
- pw = the_authctxt->pw;
|
||||||
|
- if (pw == NULL || !the_authctxt->valid)
|
||||||
|
- fatal("server_input_global_request: no/invalid user");
|
||||||
|
memset(&fwd, 0, sizeof(fwd));
|
||||||
|
fwd.listen_host = packet_get_string(NULL);
|
||||||
|
fwd.listen_port = (u_short)packet_get_int();
|
||||||
|
debug("server_input_global_request: tcpip-forward listen %s port %d",
|
||||||
|
fwd.listen_host, fwd.listen_port);
|
||||||
|
|
||||||
|
/* check permissions */
|
||||||
|
if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
|
||||||
|
@@ -1274,19 +1278,20 @@ server_input_global_request(int type, u_
|
||||||
|
|
||||||
memset(&fwd, 0, sizeof(fwd));
|
memset(&fwd, 0, sizeof(fwd));
|
||||||
fwd.listen_path = packet_get_string(NULL);
|
fwd.listen_path = packet_get_string(NULL);
|
||||||
@ -40,12 +92,16 @@ diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
|
|||||||
/* check permissions */
|
/* check permissions */
|
||||||
if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
|
if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
|
||||||
- || no_port_forwarding_flag) {
|
- || no_port_forwarding_flag) {
|
||||||
+ || no_port_forwarding_flag || !use_privsep) {
|
+ || no_port_forwarding_flag || (pw->pw_uid != 0 && !use_privsep)) {
|
||||||
success = 0;
|
success = 0;
|
||||||
packet_send_debug("Server has disabled port forwarding.");
|
- packet_send_debug("Server has disabled port forwarding.");
|
||||||
|
+ packet_send_debug("Server has disabled "
|
||||||
|
+ "streamlocal forwarding.");
|
||||||
} else {
|
} else {
|
||||||
/* Start listening on the socket */
|
/* Start listening on the socket */
|
||||||
success = channel_setup_remote_fwd_listener(
|
success = channel_setup_remote_fwd_listener(
|
||||||
&fwd, NULL, &options.fwd_opts);
|
&fwd, NULL, &options.fwd_opts);
|
||||||
}
|
}
|
||||||
free(fwd.listen_path);
|
free(fwd.listen_path);
|
||||||
|
} else if (strcmp(rtype, "cancel-streamlocal-forward@openssh.com") == 0) {
|
||||||
|
struct Forward fwd;
|
||||||
|
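Review bot: The sanity check added to server_request_direct_streamlocal reports the wrong function on failure: `fatal("server_input_global_request: no/invalid user");` was evidently copied from server_input_global_request, so a log line from this path would send an investigator to the wrong code; it should read `fatal("server_request_direct_streamlocal: no/invalid user");`. The relaxed condition `!no_port_forwarding_flag && (pw->pw_uid == 0 || use_privsep)` also deserves a one-line comment stating the reasoning, e.g. `/* without privsep sshd runs as root, so a non-root user could reach root-only sockets (CVE-2016-10010); root gains nothing */`, and the same for the mirrored `(pw->pw_uid != 0 && !use_privsep)` test in the streamlocal-forward branch. Hoisting the pw/valid check to the top of server_input_global_request means it now runs for every global request type, not just tcpip-forward; that is presumably safe because global requests are only dispatched after authentication, but the dispatch is not in the hunk, so confirm. Both functions' bodies continue outside the hunks shown.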
@ -1,5 +1,5 @@
|
|||||||
# HG changeset patch
|
# HG changeset patch
|
||||||
# Parent 1ba8782c9cf18b104779c751839f3a2575c87954
|
# Parent 9e5f1fd5b5e2c3d8416cb2e2e539f43d8f1f173b
|
||||||
Forward port TCP wrappers support (libwrap) from OpenSSH 6.6p1. Make it
|
Forward port TCP wrappers support (libwrap) from OpenSSH 6.6p1. Make it
|
||||||
run-time switchable through the new UseTCPWrappers option for sshd.
|
run-time switchable through the new UseTCPWrappers option for sshd.
|
||||||
|
|
||||||
@ -79,7 +79,7 @@ diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
|||||||
if test "x$withval" != "xno" ; then
|
if test "x$withval" != "xno" ; then
|
||||||
|
|
||||||
if test "x$withval" != "xyes" ; then
|
if test "x$withval" != "xyes" ; then
|
||||||
@@ -5135,16 +5191,17 @@ echo " sshd superuser user PATH
|
@@ -5159,16 +5215,17 @@ echo " sshd superuser user PATH
|
||||||
fi
|
fi
|
||||||
echo " Manpage format: $MANTYPE"
|
echo " Manpage format: $MANTYPE"
|
||||||
echo " PAM support: $PAM_MSG"
|
echo " PAM support: $PAM_MSG"
|
||||||
@ -94,9 +94,9 @@ diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
|
|||||||
echo " Solaris process contract support: $SPC_MSG"
|
echo " Solaris process contract support: $SPC_MSG"
|
||||||
echo " Solaris project support: $SP_MSG"
|
echo " Solaris project support: $SP_MSG"
|
||||||
echo " Solaris privilege support: $SPP_MSG"
|
echo " Solaris privilege support: $SPP_MSG"
|
||||||
|
echo " systemd support: $SYSTEMD_MSG"
|
||||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
|
||||||
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
|
||||||
--- a/openssh-7.2p2/servconf.c
|
--- a/openssh-7.2p2/servconf.c
|
||||||
+++ b/openssh-7.2p2/servconf.c
|
+++ b/openssh-7.2p2/servconf.c
|
||||||
@ -281,7 +281,7 @@ diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
|
|||||||
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
||||||
--- a/openssh-7.2p2/sshd.c
|
--- a/openssh-7.2p2/sshd.c
|
||||||
+++ b/openssh-7.2p2/sshd.c
|
+++ b/openssh-7.2p2/sshd.c
|
||||||
@@ -128,16 +128,23 @@
|
@@ -132,16 +132,23 @@
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
|
|
||||||
#include "fips.h"
|
#include "fips.h"
|
||||||
@ -305,7 +305,7 @@ diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
|
|||||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||||
#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
|
#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
|
||||||
@@ -2285,16 +2292,37 @@ main(int ac, char **av)
|
@@ -2298,16 +2305,37 @@ main(int ac, char **av)
|
||||||
* the socket goes away.
|
* the socket goes away.
|
||||||
*/
|
*/
|
||||||
remote_ip = get_remote_ipaddr();
|
remote_ip = get_remote_ipaddr();
|
||||||
|
@ -16,7 +16,9 @@ Fri Dec 1 13:18:24 UTC 2017 - pcerny@suse.com
|
|||||||
to 7.2p2. TCP wrappers support will be dripped with the next
|
to 7.2p2. TCP wrappers support will be dripped with the next
|
||||||
version upgrade.
|
version upgrade.
|
||||||
[openssh-7.2p2-tcpwrappers.patch]
|
[openssh-7.2p2-tcpwrappers.patch]
|
||||||
- fix regression of (bsc#823710)
|
- fix regression in UNIX domain socket forwarding introduced
|
||||||
|
by the fix for CVE-2016-10010 (bsc#1051559)
|
||||||
|
- fix bug in auditing code (bsc#823710)
|
||||||
[openssh-7.2p2-audit_fixes.patch]
|
[openssh-7.2p2-audit_fixes.patch]
|
||||||
- new switch for printing diagnostic messages in sftp client's
|
- new switch for printing diagnostic messages in sftp client's
|
||||||
batch mode (bsc#1023275)
|
batch mode (bsc#1023275)
|
||||||
|
@ -86,6 +86,7 @@ BuildRequires: openldap2-devel
|
|||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
%if %{uses_systemd}
|
%if %{uses_systemd}
|
||||||
BuildRequires: pkgconfig(systemd)
|
BuildRequires: pkgconfig(systemd)
|
||||||
|
BuildRequires: systemd-devel
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: tcpd-devel
|
BuildRequires: tcpd-devel
|
||||||
@ -164,7 +165,8 @@ Patch48: openssh-7.2p2-s390_hw_crypto_syscalls.patch
|
|||||||
Patch49: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
|
Patch49: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
|
||||||
Patch50: openssh-7.2p2-sftp_print_diagnostic_messages.patch
|
Patch50: openssh-7.2p2-sftp_print_diagnostic_messages.patch
|
||||||
Patch51: openssh-7.2p2-stricter_readonly_sftp.patch
|
Patch51: openssh-7.2p2-stricter_readonly_sftp.patch
|
||||||
Patch52: openssh-7.2p2-tcpwrappers.patch
|
Patch52: openssh-7.2p2-systemd-notify.patch
|
||||||
|
Patch53: openssh-7.2p2-tcpwrappers.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
Conflicts: nonfreessh
|
Conflicts: nonfreessh
|
||||||
Recommends: audit
|
Recommends: audit
|
||||||
@ -268,6 +270,7 @@ FIPS140 CAVS tests related parts of the OpenSSH package
|
|||||||
%patch50 -p2
|
%patch50 -p2
|
||||||
%patch51 -p2
|
%patch51 -p2
|
||||||
%patch52 -p2
|
%patch52 -p2
|
||||||
|
%patch53 -p2
|
||||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -300,6 +303,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
|
|||||||
%endif
|
%endif
|
||||||
%if %{uses_systemd}
|
%if %{uses_systemd}
|
||||||
--with-pid-dir=/run \
|
--with-pid-dir=/run \
|
||||||
|
--with-systemd \
|
||||||
%endif
|
%endif
|
||||||
--with-ssl-engine \
|
--with-ssl-engine \
|
||||||
--with-pam \
|
--with-pam \
|
||||||
|