openssh/openssh-8.4p1-vendordir.patch
Antonio Larrosa da2c6cc517 - Update to openssh 9.8p1:
* No changes for askpass, see main package changelog for
    details.

- Fix a dbus connection leaked in the logind patch that was
  missing a sd_bus_unref call (found by Matthias Gerstner):
  * logind_set_tty.patch
- Add a patch that fixes a small memory leak when parsing the
  subsystem configuration option:
  * fix-memleak-in-process_server_config_line_depth.patch

- Update to openssh 9.8p1:
  = Security
  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
    A critical vulnerability in sshd(8) was present in Portable
    OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
    allow arbitrary code execution with root privileges.
    Successful exploitation has been demonstrated on 32-bit
    Linux/glibc systems with ASLR. Under lab conditions, the attack
    requires on average 6-8 hours of continuous connections up to
    the maximum the server will accept. Exploitation on 64-bit
    systems is believed to be possible but has not been
    demonstrated at this time. It's likely that these attacks will
    be improved upon.
    Exploitation on non-glibc systems is conceivable but has not
    been examined. Systems that lack ASLR or users of downstream
    Linux distributions that have modified OpenSSH to disable
    per-connection ASLR re-randomisation (yes - this is a thing, no
    - we don't understand why) may potentially have an easier path
    to exploitation. OpenBSD is not vulnerable.

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=272
2024-08-12 09:54:46 +00:00


Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib.
Index: openssh-8.9p1/dh.c
===================================================================
--- openssh-8.9p1.orig/dh.c
+++ openssh-8.9p1/dh.c
@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file
static const char * get_moduli_filename(void)
{
- return moduli_filename ? moduli_filename : _PATH_DH_MODULI;
+ struct stat st;
+
+ if (moduli_filename)
+ return moduli_filename;
+
+ if (stat(_PATH_VENDOR_DH_MODULI, &st) == 0 &&
+ stat(_PATH_DH_MODULI, &st) == -1) {
+ return _PATH_VENDOR_DH_MODULI;
+ }
+
+ return _PATH_DH_MODULI;
}
static int
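Review bot: The fallback test on lines 54-55 treats any failed stat() of _PATH_DH_MODULI as "file absent", so an EACCES, ELOOP or ENAMETOOLONG on the administrator's moduli file silently switches the daemon to the vendor copy; checking the reason, `stat(_PATH_DH_MODULI, &st) == -1 && errno == ENOENT`, limits the fallback to the one case the patch's own comment in the ssh.c hunk describes ("if only the vendor configuration file exists"). The same any-error pattern is repeated in the ssh.c hunk for process_config_files, the sshd.c hunk ahead of parse_server_config, and the ssh-keysign.c hunk, so the same errno test belongs there. Neither <sys/stat.h> nor <errno.h> is visible in this hunk; presumably dh.c already includes them, but confirm before relying on `errno`. A one-line comment above the check, `/* Fall back to the vendor moduli only when the admin's file is absent. */`, would make the intent explicit inside dh.c itself, which currently has no comment on the new logic.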
Index: openssh-8.9p1/pathnames.h
===================================================================
--- openssh-8.9p1.orig/pathnames.h
+++ openssh-8.9p1/pathnames.h
@@ -18,6 +18,8 @@
#define SSHDIR ETCDIR "/ssh"
#endif
+#define VENDORDIR "/usr/etc/ssh"
+
#ifndef _PATH_SSH_PIDDIR
#define _PATH_SSH_PIDDIR "/var/run"
#endif
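Review bot: `VENDORDIR` on line 69 is defined unconditionally, so unlike `SSHDIR` just above it (the `#endif` on line 68 suggests SSHDIR sits inside an `#ifndef` guard opened before this hunk) a packager cannot override the vendor directory from CFLAGS or configure without editing the header. Wrapping it the same way keeps both directories configurable consistently: `#ifndef VENDORDIR` / `#define VENDORDIR "/usr/etc/ssh"` / `#endif`.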
@@ -35,13 +37,17 @@
* should be world-readable.
*/
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
+#define _PATH_SERVER_VENDOR_CONFIG_FILE VENDORDIR "/sshd_config"
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
+#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config"
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
#define _PATH_DH_MODULI SSHDIR "/moduli"
+#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli"
+
#ifndef _PATH_SSH_PROGRAM
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
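Review bot: The three new `_PATH_*VENDOR*` macros on lines 78, 80 and 87 carry no comment saying what they are for, while the block comment ending on lines 75-76 documents the neighbouring server config file; a reader of pathnames.h cannot tell that these paths are consulted only as a fallback. Suggest one short comment above the first of them, e.g. `/* Vendor-supplied defaults, consulted only when the matching SSHDIR file is absent. */`. The fallback rule itself lives in the callers (ssh.c, sshd.c, dh.c, ssh-keysign.c), so keep the header comment to that single sentence rather than restating each caller's condition.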
Index: openssh-8.9p1/ssh.c
===================================================================
--- openssh-8.9p1.orig/ssh.c
+++ openssh-8.9p1/ssh.c
@@ -549,6 +549,7 @@ static void
process_config_files(const char *host_name, struct passwd *pw, int final_pass,
int *want_final_pass)
{
+ struct stat st;
char buf[PATH_MAX];
int r;
@@ -567,10 +568,23 @@ process_config_files(const char *host_na
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
- /* Read systemwide configuration file after user config. */
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
- host, host_name, &options,
- final_pass ? SSHCONF_FINAL : 0, want_final_pass);
+ /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file.
+ */
+ if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
+ stat(_PATH_HOST_CONFIG_FILE, &st) == -1) {
+ /* Read vendor distributed configuration file. */
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE,
+ pw, host, host_name, &options,
+ final_pass ? SSHCONF_FINAL : 0,
+ want_final_pass);
+ } else {
+ /* Read systemwide configuration file after user config. */
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
+ host, host_name, &options,
+ final_pass ? SSHCONF_FINAL : 0,
+ want_final_pass);
+ }
}
}
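Review bot: The two branches on lines 112-125 differ only in the path handed to read_config_file(); every other argument is duplicated, so a future change to the flags has to be made twice and the vendor/admin decision is buried in the call sites. Selecting the path first and issuing a single call keeps the decision on one line and leaves one call to maintain. The comment on lines 109-111 also departs from the surrounding file's style, which (see the removed line 105) uses either a single-line `/* ... */` or a block opened by a bare `/*`. process_config_files begins in the preceding hunk.
```c
	/*
	 * If only the vendor configuration file exists, use that.
	 * Else use the standard configuration file.
	 */
	sysconf = _PATH_HOST_CONFIG_FILE;	/* const char *sysconf; declared with st */
	if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 &&
	    stat(_PATH_HOST_CONFIG_FILE, &st) == -1)
		sysconf = _PATH_HOST_VENDOR_CONFIG_FILE;
	/* Read systemwide configuration file after user config. */
	(void)read_config_file(sysconf, pw, host, host_name, &options,
	    final_pass ? SSHCONF_FINAL : 0, want_final_pass);
```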
Index: openssh-8.9p1/ssh_config.5
===================================================================
--- openssh-8.9p1.orig/ssh_config.5
+++ openssh-8.9p1/ssh_config.5
@@ -54,6 +54,9 @@ user's configuration file
.It
system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
+.It
+vendor configuration file
+.Pq Pa /usr/etc/ssh/ssh_config
.El
.Pp
Unless noted otherwise, for each parameter, the first obtained value
@@ -2220,6 +2223,11 @@ This file provides defaults for those
values that are not specified in the user's configuration file, and
for those users who do not have a configuration file.
This file must be world-readable.
+.It Pa /usr/etc/ssh/ssh_config
+Vendor specific configuraiton file.
+This file provides the vendor defaults and is used as fallback if the
+.Ic /etc/ssh/ssh_config
+configuration file does not exist.
.El
.Sh SEE ALSO
.Xr ssh 1
Index: openssh-8.9p1/sshd.c
===================================================================
--- openssh-8.9p1.orig/sshd.c
+++ openssh-8.9p1/sshd.c
@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
extern char *optarg;
extern int optind;
int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
- char *config_file_name = _PATH_SERVER_CONFIG_FILE;
+ char *config_file_name = NULL;
+ struct stat st;
int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
/* Fetch our configuration */
if ((cfg = sshbuf_new()) == NULL)
fatal("sshbuf_new config failed");
+ if (config_file_name == NULL) {
+ /* If only the vendor configuration file exists, use that.
+ * Else use the standard configuration file.
+ */
+ if (stat(_PATH_SERVER_VENDOR_CONFIG_FILE, &st) == 0 &&
+ stat(_PATH_SERVER_CONFIG_FILE, &st) == -1) {
+ /* fill with global distributor settings */
+ config_file_name = _PATH_SERVER_VENDOR_CONFIG_FILE;
+ } else {
+ /* load global admin settings */
+ config_file_name = _PATH_SERVER_CONFIG_FILE;
+ }
+ load_server_config(config_file_name, cfg);
- if (strcasecmp(config_file_name, "none") != 0)
+ } else if (strcasecmp(config_file_name, "none") != 0)
+ /* load config specified on commandline */
load_server_config(config_file_name, cfg);
parse_server_config(&options, config_file_name, cfg,
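Review bot: The `if` body on lines 172-185 is braced while the `else if` on lines 186-188 is not, and a comment now sits between the `else if` condition and its single statement, which is exactly the shape that invites a dangling-statement bug on the next edit; brace it: `} else if (strcasecmp(config_file_name, "none") != 0) {` / `load_server_config(config_file_name, cfg);` / `}`. The `-f` path deliberately skips the vendor lookup, which matches the sshd_config.5 wording, but that deserves a comment on line 172, e.g. `/* No -f given: choose between admin and vendor config. */`. With the default changed to NULL in the preceding hunk (line 163), any read of config_file_name between the declaration and this block — none is visible here — would now dereference a null pointer, so confirm against the rest of main(). main() starts and ends outside this hunk.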
Index: openssh-8.9p1/sshd_config.5
===================================================================
--- openssh-8.9p1.orig/sshd_config.5
+++ openssh-8.9p1/sshd_config.5
@@ -44,7 +44,9 @@
.Xr sshd 8
reads configuration data from
.Pa /etc/ssh/sshd_config
-(or the file specified with
+(
+.Pa /usr/etc/ssh/sshd_config
+if the file does not exist or the file specified with
.Fl f
on the command line).
The file contains keyword-argument pairs, one per line.
Index: openssh-8.9p1/ssh-keysign.c
===================================================================
--- openssh-8.9p1.orig/ssh-keysign.c
+++ openssh-8.9p1/ssh-keysign.c
@@ -186,6 +186,7 @@ main(int argc, char **argv)
u_char *signature, *data, rver;
char *host, *fp, *pkalg;
size_t slen, dlen;
+ struct stat st;
if (pledge("stdio rpath getpw dns id", NULL) != 0)
fatal("%s: pledge: %s", __progname, strerror(errno));
@@ -219,8 +220,14 @@ main(int argc, char **argv)
/* verify that ssh-keysign is enabled by the admin */
initialize_options(&options);
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
- &options, 0, NULL);
+
+ if (stat(_PATH_HOST_CONFIG_FILE, &st) == 0)
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
+ &options, 0, NULL);
+ else
+ (void)read_config_file(_PATH_HOST_VENDOR_CONFIG_FILE, pw, "", "",
+ &options, 0, NULL);
+
(void)fill_default_options(&options);
if (options.enable_ssh_keysign != 1)
fatal("ssh-keysign not enabled in %s",
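Review bot: The selection on lines 222-227 is the mirror image of the test used in the ssh.c hunk: here the vendor file is read whenever stat() of _PATH_HOST_CONFIG_FILE fails, without first checking that the vendor file exists, whereas ssh(1) uses the vendor file only when it exists and the admin file does not. The two programs should agree on which file decides `enable_ssh_keysign`, because the comment on line 217 says this read is how the admin enables the helper and line 230 acts on it. Presumably a missing vendor file is tolerated by read_config_file(), so the divergence is only observable when stat() fails for a reason other than ENOENT, but aligning the condition with ssh.c — `if (stat(_PATH_HOST_VENDOR_CONFIG_FILE, &st) == 0 && stat(_PATH_HOST_CONFIG_FILE, &st) == -1)` reading the vendor file, `else` the standard one — removes the question. main() begins in the preceding hunk and continues past this one.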