openssh/openssh-7.2p2-seccomp_getuid.patch
Petr Cerny 6c861e0b33 Accepting request 433779 from home:pcerny:factory
- remaining patches that were still missing
  since the update to 7.2p2 (FATE#319675):
  [openssh-7.2p2-disable_openssl_abi_check.patch]
- fix forwarding with IPv6 addresses in DISPLAY (bnc#847710)
  [openssh-7.2p2-IPv6_X_forwarding.patch]
- ignore PAM environment when using login
  (bsc#975865, CVE-2015-8325)
  [openssh-7.2p2-ignore_PAM_with_UseLogin.patch]
- limit accepted password length (prevents possible DoS)
  (bsc#992533, CVE-2016-6515)
  [openssh-7.2p2-limit_password_length.patch]
- Prevent user enumeration through the timing of password
  processing (bsc#989363, CVE-2016-6210)
  [openssh-7.2p2-prevent_timing_user_enumeration.patch]
- Add auditing for PRNG re-seeding
  [openssh-7.2p2-audit_seed_prng.patch]

OBS-URL: https://build.opensuse.org/request/show/433779
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=113
2016-10-07 15:57:29 +00:00

32 lines
821 B
Diff

# HG changeset patch
# Parent c66097e5e31cd607bf2206b2da95730cce518b7a
add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
from being killed by the seccomp filter
diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c
--- a/openssh-7.2p2/sandbox-seccomp-filter.c
+++ b/openssh-7.2p2/sandbox-seccomp-filter.c
@@ -142,16 +142,22 @@ static const struct sock_filter preauth_
SC_ALLOW(exit_group),
#endif
#ifdef __NR_getpgid
SC_ALLOW(getpgid),
#endif
#ifdef __NR_getpid
SC_ALLOW(getpid),
#endif
+#ifdef __NR_getuid
+ SC_ALLOW(getuid),
+#endif
+#ifdef __NR_getuid32
+ SC_ALLOW(getuid32),
+#endif
#ifdef __NR_getrandom
SC_ALLOW(getrandom),
#endif
#ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday),
#endif
#ifdef __NR_madvise
SC_ALLOW(madvise),