Accepting request 358392 from home:elvigia:branches:network

- openssh-alloc_size.patch: anotate xmalloc.h with alloc_size
 attribute so the compiler knows these functions allocate memory
 so overflow or misuse can be detected sooner.
- openssh-allow_getrandom.patch; allow the getrandom(2) system
  call in the seccomp sandbox, upstream commit 26ad18247213
- openssh-fix-b64_xx-detection.patch: configure.ac has incorrect
  tests for b64_ntop, b64_pton on linux/glibc.

OBS-URL: https://build.opensuse.org/request/show/358392
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=96
This commit is contained in:
Petr Cerny 2016-02-10 15:40:35 +00:00 committed by Git OBS Bridge
parent 642f5e8889
commit b83f96744f
5 changed files with 82 additions and 0 deletions

28
openssh-alloc_size.patch Normal file
View File

@ -0,0 +1,28 @@
--- openssh-7.1p2.orig/xmalloc.h
+++ openssh-7.1p2/xmalloc.h
@@ -16,10 +16,10 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-void *xmalloc(size_t);
-void *xcalloc(size_t, size_t);
-void *xreallocarray(void *, size_t, size_t);
-char *xstrdup(const char *);
+void *xmalloc(size_t) __attribute__((__malloc__, __alloc_size__(1)));
+void *xcalloc(size_t, size_t) __attribute__((__malloc__, __alloc_size__(1,2)));
+void *xreallocarray(void *, size_t, size_t) __attribute__((__alloc_size__(2,3)));
+char *xstrdup(const char *) __attribute__((__malloc__));
int xasprintf(char **, const char *, ...)
__attribute__((__format__ (printf, 2, 3)))
__attribute__((__nonnull__ (2)));
--- openssh-7.1p2.orig/openbsd-compat/openbsd-compat.h
+++ openssh-7.1p2/openbsd-compat/openbsd-compat.h
@@ -66,7 +66,7 @@ char *getcwd(char *pt, size_t size);
#endif
#ifndef HAVE_REALLOCARRAY
-void *reallocarray(void *, size_t, size_t);
+void *reallocarray(void *, size_t, size_t) __attribute__((__alloc_size__(2,3)));
#endif
#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)

View File

@ -0,0 +1,12 @@
--- openssh-7.1p2.orig/sandbox-seccomp-filter.c
+++ openssh-7.1p2/sandbox-seccomp-filter.c
@@ -153,6 +153,9 @@ static const struct sock_filter preauth_
#ifdef __NR_getuid32
SC_ALLOW(getuid32),
#endif
+#ifdef __NR_getrandom
+ SC_ALLOW(getrandom),
+#endif
#ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday),
#endif

View File

@ -0,0 +1,24 @@
--- openssh-7.1p2.orig/configure.ac
+++ openssh-7.1p2/configure.ac
@@ -2873,6 +2873,10 @@ else
AC_CHECK_FUNCS([crypt])
fi
+AC_CHECK_DECLS([b64_ntop, b64_pton], [], [], [#include <resolv.h>])
+AC_SEARCH_LIBS([__b64_ntop], [resolv])
+AC_SEARCH_LIBS([__b64_pton], [resolv])
+
AC_CHECK_FUNCS([ \
arc4random \
arc4random_buf \
--- openssh-7.1p2.orig/Makefile.in
+++ openssh-7.1p2/Makefile.in
@@ -45,7 +45,7 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -include config.h
LIBS=@LIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@

View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Mon Feb 8 16:54:22 UTC 2016 - crrodriguez@opensuse.org
- openssh-alloc_size.patch: anotate xmalloc.h with alloc_size
attribute so the compiler knows these functions allocate memory
so overflow or misuse can be detected sooner.
- openssh-allow_getrandom.patch; allow the getrandom(2) system
call in the seccomp sandbox, upstream commit 26ad18247213
- openssh-fix-b64_xx-detection.patch: configure.ac has incorrect
tests for b64_ntop, b64_pton on linux/glibc.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jan 20 11:18:48 UTC 2016 - tchvatal@suse.com Wed Jan 20 11:18:48 UTC 2016 - tchvatal@suse.com

View File

@ -93,6 +93,9 @@ Patch35: openssh-6.6p1-sftp_force_permissions.patch
Patch36: openssh-6.6p1-seccomp_getuid.patch Patch36: openssh-6.6p1-seccomp_getuid.patch
Patch37: openssh-6.6p1-X_forward_with_disabled_ipv6.patch Patch37: openssh-6.6p1-X_forward_with_disabled_ipv6.patch
Patch39: openssh-6.6p1-ldap.patch Patch39: openssh-6.6p1-ldap.patch
Patch40: openssh-alloc_size.patch
Patch41: openssh-allow_getrandom.patch
Patch42: openssh-fix-b64_xx-detection.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: fipscheck-devel BuildRequires: fipscheck-devel
@ -181,7 +184,11 @@ cryptomodule.
%patch36 -p1 %patch36 -p1
%patch37 -p2 %patch37 -p2
%patch39 -p1 %patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch17 -p1 %patch17 -p1
cp %{SOURCE3} %{SOURCE4} . cp %{SOURCE3} %{SOURCE4} .
%build %build