Accepting request 358392 from home:elvigia:branches:network

- openssh-alloc_size.patch: anotate xmalloc.h with alloc_size attribute so the compiler knows these functions allocate memory so overflow or misuse can be detected sooner. - openssh-allow_getrandom.patch; allow the getrandom(2) system call in the seccomp sandbox, upstream commit 26ad18247213 - openssh-fix-b64_xx-detection.patch: configure.ac has incorrect tests for b64_ntop, b64_pton on linux/glibc. OBS-URL: https://build.opensuse.org/request/show/358392 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=96
2016-02-10 15:40:35 +00:00 · 2016-02-10 15:40:35 +00:00 · b83f96744f
commit b83f96744f
parent 642f5e8889
5 changed files with 82 additions and 0 deletions
--- a/openssh-alloc_size.patch
+++ b/openssh-alloc_size.patch
@ -0,0 +1,28 @@
+--- openssh-7.1p2.orig/xmalloc.h
+++ openssh-7.1p2/xmalloc.h
+@@ -16,10 +16,10 @@
+  * called by a name other than "ssh" or "Secure Shell".
+  */
+ 
+-void	*xmalloc(size_t);
+-void	*xcalloc(size_t, size_t);
+-void	*xreallocarray(void *, size_t, size_t);
+-char	*xstrdup(const char *);
+void	*xmalloc(size_t) __attribute__((__malloc__, __alloc_size__(1)));
+void	*xcalloc(size_t, size_t) __attribute__((__malloc__, __alloc_size__(1,2)));
+void	*xreallocarray(void *, size_t, size_t) __attribute__((__alloc_size__(2,3)));
+char	*xstrdup(const char *) __attribute__((__malloc__));
+ int	 xasprintf(char **, const char *, ...)
+                 __attribute__((__format__ (printf, 2, 3)))
+                 __attribute__((__nonnull__ (2)));
+--- openssh-7.1p2.orig/openbsd-compat/openbsd-compat.h
+++ openssh-7.1p2/openbsd-compat/openbsd-compat.h
+@@ -66,7 +66,7 @@ char *getcwd(char *pt, size_t size);
+ #endif 
+ 
+ #ifndef HAVE_REALLOCARRAY
+-void *reallocarray(void *, size_t, size_t);
+void *reallocarray(void *, size_t, size_t) __attribute__((__alloc_size__(2,3)));
+ #endif
+ 
+ #if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
--- a/openssh-allow_getrandom.patch
+++ b/openssh-allow_getrandom.patch
@ -0,0 +1,12 @@
+--- openssh-7.1p2.orig/sandbox-seccomp-filter.c
+++ openssh-7.1p2/sandbox-seccomp-filter.c
+@@ -153,6 +153,9 @@ static const struct sock_filter preauth_
+ #ifdef __NR_getuid32
+ 	SC_ALLOW(getuid32),
+ #endif
+#ifdef __NR_getrandom
+	SC_ALLOW(getrandom),
+#endif
+ #ifdef __NR_gettimeofday
+ 	SC_ALLOW(gettimeofday),
+ #endif
--- a/openssh-fix-b64_xx-detection.patch
+++ b/openssh-fix-b64_xx-detection.patch
@ -0,0 +1,24 @@
+--- openssh-7.1p2.orig/configure.ac
+++ openssh-7.1p2/configure.ac
+@@ -2873,6 +2873,10 @@ else
+ 	AC_CHECK_FUNCS([crypt])
+ fi
+ 
+AC_CHECK_DECLS([b64_ntop, b64_pton], [], [], [#include <resolv.h>]) 
+AC_SEARCH_LIBS([__b64_ntop], [resolv]) 
+AC_SEARCH_LIBS([__b64_pton], [resolv]) 
+
+ AC_CHECK_FUNCS([ \
+ 	arc4random \
+ 	arc4random_buf \
+--- openssh-7.1p2.orig/Makefile.in
+++ openssh-7.1p2/Makefile.in
+@@ -45,7 +45,7 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -include config.h
+ LIBS=@LIBS@
+ K5LIBS=@K5LIBS@
+ GSSLIBS=@GSSLIBS@
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Feb  8 16:54:22 UTC 2016 - crrodriguez@opensuse.org
+
+- openssh-alloc_size.patch: anotate xmalloc.h with alloc_size
+ attribute so the compiler knows these functions allocate memory
+ so overflow or misuse can be detected sooner.
+- openssh-allow_getrandom.patch; allow the getrandom(2) system
+  call in the seccomp sandbox, upstream commit 26ad18247213
+- openssh-fix-b64_xx-detection.patch: configure.ac has incorrect
+  tests for b64_ntop, b64_pton on linux/glibc.
+
 -------------------------------------------------------------------
 Wed Jan 20 11:18:48 UTC 2016 - tchvatal@suse.com

--- a/openssh.spec
+++ b/openssh.spec
@ -93,6 +93,9 @@ Patch35:        openssh-6.6p1-sftp_force_permissions.patch
 Patch36:        openssh-6.6p1-seccomp_getuid.patch
 Patch37:        openssh-6.6p1-X_forward_with_disabled_ipv6.patch
 Patch39:        openssh-6.6p1-ldap.patch
+Patch40:        openssh-alloc_size.patch
+Patch41:        openssh-allow_getrandom.patch
+Patch42:        openssh-fix-b64_xx-detection.patch
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  fipscheck-devel
@ -181,7 +184,11 @@ cryptomodule.
 %patch36 -p1
 %patch37 -p2
 %patch39 -p1
+%patch40 -p1
+%patch41 -p1
+%patch42 -p1
 %patch17 -p1
+
 cp %{SOURCE3} %{SOURCE4} .

 %build