6c861e0b33
- remaining patches that were still missing since the update to 7.2p2 (FATE#319675): [openssh-7.2p2-disable_openssl_abi_check.patch] - fix forwarding with IPv6 addresses in DISPLAY (bnc#847710) [openssh-7.2p2-IPv6_X_forwarding.patch] - ignore PAM environment when using login (bsc#975865, CVE-2015-8325) [openssh-7.2p2-ignore_PAM_with_UseLogin.patch] - limit accepted password length (prevents possible DoS) (bsc#992533, CVE-2016-6515) [openssh-7.2p2-limit_password_length.patch] - Prevent user enumeration through the timing of password processing (bsc#989363, CVE-2016-6210) [openssh-7.2p2-prevent_timing_user_enumeration.patch] - Add auditing for PRNG re-seeding [openssh-7.2p2-audit_seed_prng.patch] OBS-URL: https://build.opensuse.org/request/show/433779 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=113
32 lines
821 B
Diff
32 lines
821 B
Diff
# HG changeset patch
|
|
# Parent c66097e5e31cd607bf2206b2da95730cce518b7a
|
|
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
|
|
from being killed by the seccomp filter
|
|
|
|
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
|
|
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
|
|
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
|
|
@@ -142,16 +142,22 @@ static const struct sock_filter preauth_
|
|
SC_ALLOW(exit_group),
|
|
#endif
|
|
#ifdef __NR_getpgid
|
|
SC_ALLOW(getpgid),
|
|
#endif
|
|
#ifdef __NR_getpid
|
|
SC_ALLOW(getpid),
|
|
#endif
|
|
+#ifdef __NR_getuid
|
|
+ SC_ALLOW(getuid),
|
|
+#endif
|
|
+#ifdef __NR_getuid32
|
|
+ SC_ALLOW(getuid32),
|
|
+#endif
|
|
#ifdef __NR_getrandom
|
|
SC_ALLOW(getrandom),
|
|
#endif
|
|
#ifdef __NR_gettimeofday
|
|
SC_ALLOW(gettimeofday),
|
|
#endif
|
|
#ifdef __NR_madvise
|
|
SC_ALLOW(madvise),
|