Accepting request 547285 from home:pcerny:factory-temp

temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches

OBS-URL: https://build.opensuse.org/request/show/547285
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=126
This commit is contained in:
Petr Cerny 2017-12-01 22:12:05 +00:00 committed by Git OBS Bridge
parent 09d123e96c
commit ad9209ae06
4 changed files with 76 additions and 14 deletions

View File

@ -1,17 +1,35 @@
# HG changeset patch # HG changeset patch
# Parent 4e1fd41aaa9cafe8f7b07868ac38ed4dbdf594aa # Parent 49d9204835f069a6b628e7bf4ed53baf81f8bf91
Do not allow unix socket when running without privilege separation to prevent Do not allow unix socket when running without privilege separation to prevent
privilege escalation through a socket created with root: ownership. privilege escalation through a socket created with root: ownership.
CVE-2016-10010 CVE-2016-10010
bsc#1016368 bsc#1016368
bsc#1051559
backported upstream commit b737e4d7433577403a31cff6614f6a1b0b5e22f4 backported upstream commits
b737e4d7433577403a31cff6614f6a1b0b5e22f4
51045869fa084cdd016fdd721ea760417c0a3bf3
diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
--- a/openssh-7.2p2/serverloop.c --- a/openssh-7.2p2/serverloop.c
+++ b/openssh-7.2p2/serverloop.c +++ b/openssh-7.2p2/serverloop.c
@@ -990,17 +990,17 @@ server_request_direct_streamlocal(void) @@ -979,28 +979,32 @@ server_request_direct_tcpip(void)
}
static Channel *
server_request_direct_streamlocal(void)
{
Channel *c = NULL;
char *target, *originator;
u_short originator_port;
+ struct passwd *pw = the_authctxt->pw;
+
+ if (pw == NULL || !the_authctxt->valid)
+ fatal("server_input_global_request: no/invalid user");
target = packet_get_string(NULL);
originator = packet_get_string(NULL);
originator_port = packet_get_int(); originator_port = packet_get_int();
packet_check_eom(); packet_check_eom();
@ -21,7 +39,7 @@ diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
/* XXX fine grained permissions */ /* XXX fine grained permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
- !no_port_forwarding_flag) { - !no_port_forwarding_flag) {
+ !no_port_forwarding_flag && use_privsep) { + !no_port_forwarding_flag && (pw->pw_uid == 0 || use_privsep)) {
c = channel_connect_to_path(target, c = channel_connect_to_path(target,
"direct-streamlocal@openssh.com", "direct-streamlocal"); "direct-streamlocal@openssh.com", "direct-streamlocal");
} else { } else {
@ -30,7 +48,41 @@ diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
originator, originator_port, target); originator, originator_port, target);
} }
@@ -1274,17 +1274,17 @@ server_input_global_request(int type, u_ @@ -1212,29 +1216,29 @@ server_input_hostkeys_prove(struct sshbu
static int
server_input_global_request(int type, u_int32_t seq, void *ctxt)
{
char *rtype;
int want_reply;
int r, success = 0, allocated_listen_port = 0;
struct sshbuf *resp = NULL;
+ struct passwd *pw = the_authctxt->pw;
+
+ if (pw == NULL || !the_authctxt->valid)
+ fatal("server_input_global_request: no/invalid user");
rtype = packet_get_string(NULL);
want_reply = packet_get_char();
debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
/* -R style forwarding */
if (strcmp(rtype, "tcpip-forward") == 0) {
- struct passwd *pw;
struct Forward fwd;
- pw = the_authctxt->pw;
- if (pw == NULL || !the_authctxt->valid)
- fatal("server_input_global_request: no/invalid user");
memset(&fwd, 0, sizeof(fwd));
fwd.listen_host = packet_get_string(NULL);
fwd.listen_port = (u_short)packet_get_int();
debug("server_input_global_request: tcpip-forward listen %s port %d",
fwd.listen_host, fwd.listen_port);
/* check permissions */
if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
@@ -1274,19 +1278,20 @@ server_input_global_request(int type, u_
memset(&fwd, 0, sizeof(fwd)); memset(&fwd, 0, sizeof(fwd));
fwd.listen_path = packet_get_string(NULL); fwd.listen_path = packet_get_string(NULL);
@ -40,12 +92,16 @@ diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
/* check permissions */ /* check permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
- || no_port_forwarding_flag) { - || no_port_forwarding_flag) {
+ || no_port_forwarding_flag || !use_privsep) { + || no_port_forwarding_flag || (pw->pw_uid != 0 && !use_privsep)) {
success = 0; success = 0;
packet_send_debug("Server has disabled port forwarding."); - packet_send_debug("Server has disabled port forwarding.");
+ packet_send_debug("Server has disabled "
+ "streamlocal forwarding.");
} else { } else {
/* Start listening on the socket */ /* Start listening on the socket */
success = channel_setup_remote_fwd_listener( success = channel_setup_remote_fwd_listener(
&fwd, NULL, &options.fwd_opts); &fwd, NULL, &options.fwd_opts);
} }
free(fwd.listen_path); free(fwd.listen_path);
} else if (strcmp(rtype, "cancel-streamlocal-forward@openssh.com") == 0) {
struct Forward fwd;

View File

@ -1,5 +1,5 @@
# HG changeset patch # HG changeset patch
# Parent 1ba8782c9cf18b104779c751839f3a2575c87954 # Parent 9e5f1fd5b5e2c3d8416cb2e2e539f43d8f1f173b
Forward port TCP wrappers support (libwrap) from OpenSSH 6.6p1. Make it Forward port TCP wrappers support (libwrap) from OpenSSH 6.6p1. Make it
run-time switchable through the new UseTCPWrappers option for sshd. run-time switchable through the new UseTCPWrappers option for sshd.
@ -79,7 +79,7 @@ diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
if test "x$withval" != "xno" ; then if test "x$withval" != "xno" ; then
if test "x$withval" != "xyes" ; then if test "x$withval" != "xyes" ; then
@@ -5135,16 +5191,17 @@ echo " sshd superuser user PATH @@ -5159,16 +5215,17 @@ echo " sshd superuser user PATH
fi fi
echo " Manpage format: $MANTYPE" echo " Manpage format: $MANTYPE"
echo " PAM support: $PAM_MSG" echo " PAM support: $PAM_MSG"
@ -94,9 +94,9 @@ diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
echo " Solaris process contract support: $SPC_MSG" echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG" echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG" echo " Solaris privilege support: $SPP_MSG"
echo " systemd support: $SYSTEMD_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
--- a/openssh-7.2p2/servconf.c --- a/openssh-7.2p2/servconf.c
+++ b/openssh-7.2p2/servconf.c +++ b/openssh-7.2p2/servconf.c
@ -281,7 +281,7 @@ diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
--- a/openssh-7.2p2/sshd.c --- a/openssh-7.2p2/sshd.c
+++ b/openssh-7.2p2/sshd.c +++ b/openssh-7.2p2/sshd.c
@@ -128,16 +128,23 @@ @@ -132,16 +132,23 @@
#include "ssherr.h" #include "ssherr.h"
#include "fips.h" #include "fips.h"
@ -305,7 +305,7 @@ diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3) #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
@@ -2285,16 +2292,37 @@ main(int ac, char **av) @@ -2298,16 +2305,37 @@ main(int ac, char **av)
* the socket goes away. * the socket goes away.
*/ */
remote_ip = get_remote_ipaddr(); remote_ip = get_remote_ipaddr();

View File

@ -16,7 +16,9 @@ Fri Dec 1 13:18:24 UTC 2017 - pcerny@suse.com
to 7.2p2. TCP wrappers support will be dripped with the next to 7.2p2. TCP wrappers support will be dripped with the next
version upgrade. version upgrade.
[openssh-7.2p2-tcpwrappers.patch] [openssh-7.2p2-tcpwrappers.patch]
- fix regression of (bsc#823710) - fix regression in UNIX domain socket forwarding introduced
by the fix for CVE-2016-10010 (bsc#1051559)
- fix bug in auditing code (bsc#823710)
[openssh-7.2p2-audit_fixes.patch] [openssh-7.2p2-audit_fixes.patch]
- new switch for printing diagnostic messages in sftp client's - new switch for printing diagnostic messages in sftp client's
batch mode (bsc#1023275) batch mode (bsc#1023275)

View File

@ -86,6 +86,7 @@ BuildRequires: openldap2-devel
BuildRequires: pam-devel BuildRequires: pam-devel
%if %{uses_systemd} %if %{uses_systemd}
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
BuildRequires: systemd-devel
%{?systemd_requires} %{?systemd_requires}
%endif %endif
BuildRequires: tcpd-devel BuildRequires: tcpd-devel
@ -164,7 +165,8 @@ Patch48: openssh-7.2p2-s390_hw_crypto_syscalls.patch
Patch49: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch Patch49: openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
Patch50: openssh-7.2p2-sftp_print_diagnostic_messages.patch Patch50: openssh-7.2p2-sftp_print_diagnostic_messages.patch
Patch51: openssh-7.2p2-stricter_readonly_sftp.patch Patch51: openssh-7.2p2-stricter_readonly_sftp.patch
Patch52: openssh-7.2p2-tcpwrappers.patch Patch52: openssh-7.2p2-systemd-notify.patch
Patch53: openssh-7.2p2-tcpwrappers.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
Conflicts: nonfreessh Conflicts: nonfreessh
Recommends: audit Recommends: audit
@ -268,6 +270,7 @@ FIPS140 CAVS tests related parts of the OpenSSH package
%patch50 -p2 %patch50 -p2
%patch51 -p2 %patch51 -p2
%patch52 -p2 %patch52 -p2
%patch53 -p2
cp %{SOURCE3} %{SOURCE4} %{SOURCE11} . cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
%build %build
@ -300,6 +303,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
%endif %endif
%if %{uses_systemd} %if %{uses_systemd}
--with-pid-dir=/run \ --with-pid-dir=/run \
--with-systemd \
%endif %endif
--with-ssl-engine \ --with-ssl-engine \
--with-pam \ --with-pam \