- Add patch to fix a race condition in a signal handler by removing

the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
  * fix-CVE-2024-6387.patch

OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=269

fix-CVE-2024-6387.patch

@@ -0,0 +1,19 @@
+Index: openssh-9.6p1/log.c
+===================================================================
+--- openssh-9.6p1.orig/log.c
++++ openssh-9.6p1/log.c
+@@ -451,12 +451,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+ 

openssh.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jul  1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add patch to fix a race condition in a signal handler by removing
+  the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
+  * fix-CVE-2024-6387.patch
+
 -------------------------------------------------------------------
 Mon Jun 10 07:10:48 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 

openssh.spec

@@ -128,6 +128,8 @@ Patch106:       openssh-7.6p1-cleanup-selinux.patch
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
 Patch107:       openssh-9.6p1-crypto-policies.patch
 Patch108:       openssh-9.6p1-crypto-policies-man.patch
+# PATCH-FIX-SUSE bsc#1226642 fix CVE-2024-6387
+Patch109:       fix-CVE-2024-6387.patch
 %if 0%{with allow_root_password_login_by_default}
 Patch1000:      openssh-7.7p1-allow_root_password_login.patch
 %endif