Accepting request 547285 from home:pcerny:factory-temp

temporarily downgrading to 7.2p2 to run tests on additional 7.2p2 patches

OBS-URL: https://build.opensuse.org/request/show/547285
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=126

openssh-7.2p2-secure_unix_sockets_forwarding.patch

@@ -1,17 +1,35 @@
 # HG changeset patch
-# Parent  4e1fd41aaa9cafe8f7b07868ac38ed4dbdf594aa
+# Parent  49d9204835f069a6b628e7bf4ed53baf81f8bf91
 Do not allow unix socket when running without privilege separation to prevent
 privilege escalation through a socket created with root: ownership.
 
 CVE-2016-10010
 bsc#1016368
+bsc#1051559
 
-backported upstream commit b737e4d7433577403a31cff6614f6a1b0b5e22f4
+backported upstream commits
+b737e4d7433577403a31cff6614f6a1b0b5e22f4
+51045869fa084cdd016fdd721ea760417c0a3bf3
 
 diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
 --- a/openssh-7.2p2/serverloop.c
 +++ b/openssh-7.2p2/serverloop.c
-@@ -990,17 +990,17 @@ server_request_direct_streamlocal(void)
+@@ -979,28 +979,32 @@ server_request_direct_tcpip(void)
+ }
+ 
+ static Channel *
+ server_request_direct_streamlocal(void)
+ {
+ 	Channel *c = NULL;
+ 	char *target, *originator;
+ 	u_short originator_port;
++	struct passwd *pw = the_authctxt->pw;
++
++	if (pw == NULL || !the_authctxt->valid)
++		fatal("server_input_global_request: no/invalid user");
+ 
+ 	target = packet_get_string(NULL);
+ 	originator = packet_get_string(NULL);
  	originator_port = packet_get_int();
  	packet_check_eom();
  
@@ -21,7 +39,7 @@ diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
  	/* XXX fine grained permissions */
  	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
 -	    !no_port_forwarding_flag) {
-+	    !no_port_forwarding_flag && use_privsep) {
++	    !no_port_forwarding_flag && (pw->pw_uid == 0 || use_privsep)) {
  		c = channel_connect_to_path(target,
  		    "direct-streamlocal@openssh.com", "direct-streamlocal");
  	} else {
@@ -30,7 +48,41 @@ diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
  		    originator, originator_port, target);
  	}
  
-@@ -1274,17 +1274,17 @@ server_input_global_request(int type, u_
+@@ -1212,29 +1216,29 @@ server_input_hostkeys_prove(struct sshbu
+ 
+ static int
+ server_input_global_request(int type, u_int32_t seq, void *ctxt)
+ {
+ 	char *rtype;
+ 	int want_reply;
+ 	int r, success = 0, allocated_listen_port = 0;
+ 	struct sshbuf *resp = NULL;
++	struct passwd *pw = the_authctxt->pw;
++
++	if (pw == NULL || !the_authctxt->valid)
++		fatal("server_input_global_request: no/invalid user");
+ 
+ 	rtype = packet_get_string(NULL);
+ 	want_reply = packet_get_char();
+ 	debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
+ 
+ 	/* -R style forwarding */
+ 	if (strcmp(rtype, "tcpip-forward") == 0) {
+-		struct passwd *pw;
+ 		struct Forward fwd;
+ 
+-		pw = the_authctxt->pw;
+-		if (pw == NULL || !the_authctxt->valid)
+-			fatal("server_input_global_request: no/invalid user");
+ 		memset(&fwd, 0, sizeof(fwd));
+ 		fwd.listen_host = packet_get_string(NULL);
+ 		fwd.listen_port = (u_short)packet_get_int();
+ 		debug("server_input_global_request: tcpip-forward listen %s port %d",
+ 		    fwd.listen_host, fwd.listen_port);
+ 
+ 		/* check permissions */
+ 		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
+@@ -1274,19 +1278,20 @@ server_input_global_request(int type, u_
  
  		memset(&fwd, 0, sizeof(fwd));
  		fwd.listen_path = packet_get_string(NULL);
@@ -40,12 +92,16 @@ diff --git a/openssh-7.2p2/serverloop.c b/openssh-7.2p2/serverloop.c
  		/* check permissions */
  		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
 -		    || no_port_forwarding_flag) {
-+		    || no_port_forwarding_flag || !use_privsep) {
++		    || no_port_forwarding_flag || (pw->pw_uid != 0 && !use_privsep)) {
  			success = 0;
- 			packet_send_debug("Server has disabled port forwarding.");
+-			packet_send_debug("Server has disabled port forwarding.");
++			packet_send_debug("Server has disabled "
++			    "streamlocal forwarding.");
  		} else {
  			/* Start listening on the socket */
  			success = channel_setup_remote_fwd_listener(
  			    &fwd, NULL, &options.fwd_opts);
  		}
  		free(fwd.listen_path);
+ 	} else if (strcmp(rtype, "cancel-streamlocal-forward@openssh.com") == 0) {
+ 		struct Forward fwd;

openssh-7.2p2-tcpwrappers.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  1ba8782c9cf18b104779c751839f3a2575c87954
+# Parent  9e5f1fd5b5e2c3d8416cb2e2e539f43d8f1f173b
 Forward port TCP wrappers support (libwrap) from OpenSSH 6.6p1. Make it
 run-time switchable through the new UseTCPWrappers option for sshd.
 
@@ -79,7 +79,7 @@ diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
          if test "x$withval" != "xno" ; then
  
  			if test "x$withval" != "xyes" ; then
-@@ -5135,16 +5191,17 @@ echo "          sshd superuser user PATH
+@@ -5159,16 +5215,17 @@ echo "          sshd superuser user PATH
  fi
  echo "                    Manpage format: $MANTYPE"
  echo "                       PAM support: $PAM_MSG"
@@ -94,9 +94,9 @@ diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
  echo "         Solaris privilege support: $SPP_MSG"
+ echo "                   systemd support: $SYSTEMD_MSG"
  echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
  echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
- echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
 --- a/openssh-7.2p2/servconf.c
 +++ b/openssh-7.2p2/servconf.c
@@ -281,7 +281,7 @@ diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
 diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
 --- a/openssh-7.2p2/sshd.c
 +++ b/openssh-7.2p2/sshd.c
-@@ -128,16 +128,23 @@
+@@ -132,16 +132,23 @@
  #include "ssherr.h"
  
  #include "fips.h"
@@ -305,7 +305,7 @@ diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
  #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
  #define REEXEC_CONFIG_PASS_FD		(STDERR_FILENO + 3)
-@@ -2285,16 +2292,37 @@ main(int ac, char **av)
+@@ -2298,16 +2305,37 @@ main(int ac, char **av)
  	 * the socket goes away.
  	 */
  	remote_ip = get_remote_ipaddr();

openssh.changes

@@ -16,7 +16,9 @@ Fri Dec  1 13:18:24 UTC 2017 - pcerny@suse.com
   to 7.2p2. TCP wrappers support will be dripped with the next
   version upgrade.
   [openssh-7.2p2-tcpwrappers.patch]
-- fix regression of (bsc#823710)
+- fix regression in UNIX domain socket forwarding introduced
+  by the fix for CVE-2016-10010 (bsc#1051559)
+- fix bug in auditing code (bsc#823710)
   [openssh-7.2p2-audit_fixes.patch]
 - new switch for printing diagnostic messages in sftp client's
   batch mode (bsc#1023275)

openssh.spec

@@ -86,6 +86,7 @@ BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
 %if %{uses_systemd}
 BuildRequires:  pkgconfig(systemd)
+BuildRequires:  systemd-devel
 %{?systemd_requires}
 %endif
 BuildRequires:  tcpd-devel
@@ -164,7 +165,8 @@ Patch48:        openssh-7.2p2-s390_hw_crypto_syscalls.patch
 Patch49:        openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch
 Patch50:        openssh-7.2p2-sftp_print_diagnostic_messages.patch
 Patch51:        openssh-7.2p2-stricter_readonly_sftp.patch
-Patch52:        openssh-7.2p2-tcpwrappers.patch
+Patch52:        openssh-7.2p2-systemd-notify.patch
+Patch53:        openssh-7.2p2-tcpwrappers.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Conflicts:      nonfreessh
 Recommends:     audit
@@ -268,6 +270,7 @@ FIPS140 CAVS tests related parts of the OpenSSH package
 %patch50 -p2
 %patch51 -p2
 %patch52 -p2
+%patch53 -p2
 cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
 
 %build
@@ -300,6 +303,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
 %endif
 %if %{uses_systemd}
     --with-pid-dir=/run \
+    --with-systemd \
 %endif
     --with-ssl-engine \
     --with-pam \