home:sgz:branches:Mega-LLVM:24.03
openssh
Changes of Revision 2
_service:tar_scm:openssh.spec
Changed
@@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 2 +%global openssh_release 6 Name: openssh Version: 9.3p2 @@ -99,6 +99,9 @@ Patch77: set-ssh-config.patch Patch78: backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch Patch79: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch +Patch80: backport-fix-CVE-2024-6387.patch +Patch81: backport-CVE-2023-51384-upstream-apply-destination-constraints-to-all-p11-ke.patch +Patch82: 0001-add-include.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 
@@ -175,78 +178,81 @@ %setup -q -a 3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 -%patch3 -p2 -b .psaa-build -%patch4 -p2 -b .psaa-seteuid -%patch5 -p2 -b .psaa-visibility -%patch7 -p2 -b .psaa-compat -%patch6 -p2 -b .psaa-agent -%patch8 -p2 -b .psaa-deref -%patch9 -p2 -b .rsasha2 -%patch10 -p1 -b .psaa-configure-c99 +%patch 3 -p2 -b .psaa-build +%patch 4 -p2 -b .psaa-seteuid +%patch 5 -p2 -b .psaa-visibility +%patch 7 -p2 -b .psaa-compat +%patch 6 -p2 -b .psaa-agent +%patch 8 -p2 -b .psaa-deref +%patch 9 -p2 -b .rsasha2 +%patch 10 -p1 -b .psaa-configure-c99 # Remove duplicate headers and library files rm -f $(cat %{SOURCE4}) popd -%patch11 -p1 -b .role-mls -%patch12 -p1 -b .privsep-selinux -%patch14 -p1 -b .keycat -%patch15 -p1 -b .ip-opts -%patch17 -p1 -b .ipv6man -%patch18 -p1 -b .sigpipe -%patch19 -p1 -b .x11 -%patch21 -p1 -b .progress -%patch22 -p1 -b .grab-info -%patch23 -p1 -%patch24 -p1 -b .log-usepam-no -%patch28 -p1 -b .gsskex -%patch29 -p1 -b .force_krb -%patch31 -p1 -b .ccache_name -%patch32 -p1 -b .k5login -%patch33 -p1 -b .kuserok -%patch34 -p1 -b .fromto-remote -%patch35 -p1 -b .contexts -%patch36 -p1 -b .log-in-chroot -%patch37 -p1 -b .scp -%patch30 -p1 -b .GSSAPIEnablek5users -%patch38 -p1 -b .sshdt -%patch39 -p1 -b .sftp-force-mode -%patch40 -p1 -b .s390-dev -%patch41 -p1 -b .x11max -%patch42 -p1 -b .systemd -%patch43 -p1 -b .refactor -%patch44 -p1 -b .sandbox -%patch45 -p1 -b .pkcs11-uri -%patch46 -p1 -b .scp-ipv6 -%patch48 -p1 -b .crypto-policies -%patch49 -p1 -b .openssl-evp -%patch50 -p1 -b .openssl-kdf -%patch51 -p1 -b .visibility -%patch52 -p1 -b .x11-ipv6 -%patch53 -p1 -b .keygen-strip-doseol -%patch54 -p1 -b .preserve-pam-errors -%patch55 -p1 -b .kill-scp -%patch56 -p1 -b .scp-sftpdirs -%patch57 -p1 -b .minrsabits -%patch58 -p1 -b .ibmca -%patch60 -p1 -b .ssh-manpage -%patch61 -p1 -b .negotiate-supported-algs -%patch1 -p1 -b .audit -%patch2 -p1 -b .audit-race -%patch0 -p1 -b .coverity - -%patch66 -p1 -%patch67 -p1 -%patch68 -p1 
-%patch69 -p1 -%patch70 -p1 -%patch71 -p1 -%patch72 -p1 -%patch73 -p1 -%patch74 -p1 -%patch75 -p1 -%patch77 -p1 -%patch78 -p1 -%patch79 -p1 +%patch 11 -p1 -b .role-mls +%patch 12 -p1 -b .privsep-selinux +%patch 14 -p1 -b .keycat +%patch 15 -p1 -b .ip-opts +%patch 17 -p1 -b .ipv6man +%patch 18 -p1 -b .sigpipe +%patch 19 -p1 -b .x11 +%patch 21 -p1 -b .progress +%patch 22 -p1 -b .grab-info +%patch 23 -p1 +%patch 24 -p1 -b .log-usepam-no +%patch 28 -p1 -b .gsskex +%patch 29 -p1 -b .force_krb +%patch 31 -p1 -b .ccache_name +%patch 32 -p1 -b .k5login +%patch 33 -p1 -b .kuserok +%patch 34 -p1 -b .fromto-remote +%patch 35 -p1 -b .contexts +%patch 36 -p1 -b .log-in-chroot +%patch 37 -p1 -b .scp +%patch 30 -p1 -b .GSSAPIEnablek5users +%patch 38 -p1 -b .sshdt +%patch 39 -p1 -b .sftp-force-mode +%patch 40 -p1 -b .s390-dev +%patch 41 -p1 -b .x11max +%patch 42 -p1 -b .systemd +%patch 43 -p1 -b .refactor +%patch 44 -p1 -b .sandbox +%patch 45 -p1 -b .pkcs11-uri +%patch 46 -p1 -b .scp-ipv6 +%patch 48 -p1 -b .crypto-policies +%patch 49 -p1 -b .openssl-evp +%patch 50 -p1 -b .openssl-kdf +%patch 51 -p1 -b .visibility +%patch 52 -p1 -b .x11-ipv6 +%patch 53 -p1 -b .keygen-strip-doseol +%patch 54 -p1 -b .preserve-pam-errors +%patch 55 -p1 -b .kill-scp +%patch 56 -p1 -b .scp-sftpdirs +%patch 57 -p1 -b .minrsabits +%patch 58 -p1 -b .ibmca +%patch 60 -p1 -b .ssh-manpage +%patch 61 -p1 -b .negotiate-supported-algs +%patch 1 -p1 -b .audit +%patch 2 -p1 -b .audit-race +%patch 0 -p1 -b .coverity + +%patch 66 -p1 +%patch 67 -p1 +%patch 68 -p1 +%patch 69 -p1 +%patch 70 -p1 +%patch 71 -p1 +%patch 72 -p1 +%patch 73 -p1 +%patch 74 -p1 +%patch 75 -p1 +%patch 77 -p1 +%patch 78 -p1 +%patch 79 -p1 +%patch 80 -p1 +%patch 81 -p1 +%patch 82 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 
@@ -318,8 +324,30 @@ popd %check +if -e /sys/fs/selinux/enforce ; then + # Store the SElinux state only if the file exists + if -w /sys/fs/selinux/enforce && -w. ; then + cat /sys/fs/selinux/enforce > selinux.tmp + setenforce 0 + else + echo "Insufficient permissions to handle SELinux state. Skipping modification." + fi +else + echo "SELinux is not enabled or enforce file not found. Skipping modification." +fi + make tests +if -e /sys/fs/selinux/enforce ; then + # Restore the SElinux state only if the file exists + if -w /sys/fs/selinux/enforce && -f selinux.tmp ; then + cat selinux.tmp > /sys/fs/selinux/enforce + rm -rf selinux.tmp + else + echo "Insufficient permissions or temp file not found. Skipping restoration of SELinux state." + fi +fi + %install mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d @@ -453,6 +481,30 @@ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Tue Aug 27 2024 shenchenbang <1944340417@qq.com> - 9.3p2-6 +- Type:CVE +- CVE:CVE-2023-51384 +- SUG:NA +- DESC:Fix add include pkcs11 + +* Fri Jul 12 2024 renmingshuai <renmingshuai@huawei.com> - 9.3p2-5 +- Type:CVE +- CVE:CVE-2023-51384 +- SUG:NA +- DESC:Fix CVE-2023-51384 + +* Tue Jul 2 2024 renmingshuai <renmingshuai@huawei.com> - 9.3p2-4 +- Type:CVE +- CVE:CVE-2024-6387 +- SUG:NA +- DESC:Fix CVE-2024-6387 + +* Mon Apr 29 2024 renmingshuai <renmingshuai@huawei.com> - 9.3p2-3 +- Type:bugfix +- CVE: +- SUG:NA +- DESC:Disable SElinux when make tests + * Wed Jan 31 2024 renmingshuai<renmingshuai@huawei.com> - 9.3p2-2 - Type:bugfix - CVE:NA
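Review bot: In the new %check block the SELinux restore after `make tests` is only reached on success — rpmbuild runs build scriptlets with `sh -e`, so a failing test run aborts the scriptlet before the restore and leaves the build host in permissive mode after `setenforce 0`. The conditions also read `if -e /sys/fs/selinux/enforce` and `-w.` here, presumably `[ -e … ]` and `[ -w . ]` with the brackets lost in rendering; worth confirming against the committed spec. A package build changing host security state is itself questionable (inside an OBS build VM /sys/fs/selinux is normally absent, so this branch only fires on a developer host); if the regress suite genuinely needs permissive mode, put the saved value back from an EXIT trap so every exit path restores it, and use `rm -f` for the single temp file rather than `rm -rf`. The 9.3p2-3 changelog entry should also say which tests fail under enforcing mode so the workaround can be dropped once the policy is fixed.
```sh
%check
# The regress suite needs SELinux in permissive mode. Save the host state and
# restore it from an EXIT trap: rpmbuild runs this script with `sh -e`, so a
# failing `make tests` would never reach a restore placed after it.
selinux_state=""
if [ -w /sys/fs/selinux/enforce ]; then
    selinux_state=$(cat /sys/fs/selinux/enforce)
    trap 'echo "$selinux_state" > /sys/fs/selinux/enforce' EXIT
    setenforce 0
else
    echo "SELinux enforce file absent or not writable; leaving state untouched."
fi

make tests
# … unchanged: %install …
```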
_service:tar_scm:0001-add-include.patch
Added
@@ -0,0 +1,38 @@
+From df8b36b20e40855848e4fd5c1f447a2607976809 Mon Sep 17 00:00:00 2001
+From: "Shencb@123" <1944340417@qq.com>
+Date: Sun, 1 Sep 2024 21:13:41 +0800
+Subject: PATCH add include
+
+---
+ ssh-ecdsa.c | 2 +-
+ ssh-rsa.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
+index 341c324..6fe5e42 100644
+--- a/ssh-ecdsa.c
++++ b/ssh-ecdsa.c
+@@ -42,7 +42,7 @@
+ #include "digest.h"
+ #define SSHKEY_INTERNAL
+ #include "sshkey.h"
+-
++#include "ssh-pkcs11.h"
+ #include "openbsd-compat/openssl-compat.h"
+ 
+ static u_int
+diff --git a/ssh-rsa.c b/ssh-rsa.c
+index be8f51e..2c8b044 100644
+--- a/ssh-rsa.c
++++ b/ssh-rsa.c
+@@ -26,7 +26,7 @@
+ 
+ #include <stdarg.h>
+ #include <string.h>
+-
++#include "ssh-pkcs11.h"
+ #include "sshbuf.h"
+ #include "ssherr.h"
+ #define SSHKEY_INTERNAL
+-- 
+2.45.2.windows.1
\ No newline at end of file
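Review bot: The patch gives no reason why ssh-ecdsa.c and ssh-rsa.c now need ssh-pkcs11.h — the subject is just "add include" and, unlike the other backports in this revision, it carries no Reference/Conflict header, so the next rebase cannot tell which symbol it resolves or whether it is still needed once the neighbouring patches move. The changelog files it under CVE-2023-51384, so presumably it repairs a build break after that backport or one of the distro PKCS#11 patches; the commit message should name the undefined symbol and the patch that introduced the reference. If that symbol only exists when PKCS#11 support is compiled in (several upstream callers include this header under a guard), wrap it as `#ifdef ENABLE_PKCS11` / `#include "ssh-pkcs11.h"` / `#endif` so a build without PKCS#11 is unaffected in the core RSA/ECDSA files. The `2.45.2.windows.1` trailer and `\ No newline at end of file` suggest the patch was exported on Windows; re-exporting it from the build tree avoids the trailing-newline warning at apply time.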
_service:tar_scm:backport-CVE-2023-51384-upstream-apply-destination-constraints-to-all-p11-ke.patch
Added
@@ -0,0 +1,174 @@ +From 881d9c6af9da4257c69c327c4e2f1508b2fa754b Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 18 Dec 2023 14:46:12 +0000 +Subject: PATCH upstream: apply destination constraints to all p11 keys + +Previously applied only to the first key returned from each token. + +ok markus@ + +OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d + +Reference:https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b +--- + ssh-agent.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 100 insertions(+), 5 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index f52861163..1d4c321eb 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.297 2023/03/09 21:06:24 jcs Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.301 2023/12/18 14:46:12 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -247,6 +247,91 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs) + free(dcs); + } + ++static void ++dup_dest_constraint_hop(const struct dest_constraint_hop *dch, ++ struct dest_constraint_hop *out) ++{ ++ u_int i; ++ int r; ++ ++ out->user = dch->user == NULL ? NULL : xstrdup(dch->user); ++ out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname); ++ out->is_ca = dch->is_ca; ++ out->nkeys = dch->nkeys; ++ out->keys = out->nkeys == 0 ? NULL : ++ xcalloc(out->nkeys, sizeof(*out->keys)); ++ out->key_is_ca = out->nkeys == 0 ? 
NULL : ++ xcalloc(out->nkeys, sizeof(*out->key_is_ca)); ++ for (i = 0; i < dch->nkeys; i++) { ++ if (dch->keysi != NULL && ++ (r = sshkey_from_private(dch->keysi, ++ &(out->keysi))) != 0) ++ fatal_fr(r, "copy key"); ++ out->key_is_cai = dch->key_is_cai; ++ } ++} ++ ++static struct dest_constraint * ++dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs) ++{ ++ size_t i; ++ struct dest_constraint *ret; ++ ++ if (ndcs == 0) ++ return NULL; ++ ret = xcalloc(ndcs, sizeof(*ret)); ++ for (i = 0; i < ndcs; i++) { ++ dup_dest_constraint_hop(&dcsi.from, &reti.from); ++ dup_dest_constraint_hop(&dcsi.to, &reti.to); ++ } ++ return ret; ++} ++ ++#ifdef DEBUG_CONSTRAINTS ++static void ++dump_dest_constraint_hop(const struct dest_constraint_hop *dch) ++{ ++ u_int i; ++ char *fp; ++ ++ debug_f("user %s hostname %s is_ca %d nkeys %u", ++ dch->user == NULL ? "(null)" : dch->user, ++ dch->hostname == NULL ? "(null)" : dch->hostname, ++ dch->is_ca, dch->nkeys); ++ for (i = 0; i < dch->nkeys; i++) { ++ fp = NULL; ++ if (dch->keysi != NULL && ++ (fp = sshkey_fingerprint(dch->keysi, ++ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) ++ fatal_f("fingerprint failed"); ++ debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys, ++ dch->keysi == NULL ? "" : sshkey_ssh_name(dch->keysi), ++ dch->keysi == NULL ? "" : " ", ++ dch->keysi == NULL ? 
"none" : fp, ++ dch->key_is_cai); ++ free(fp); ++ } ++} ++#endif /* DEBUG_CONSTRAINTS */ ++ ++static void ++dump_dest_constraints(const char *context, ++ const struct dest_constraint *dcs, size_t ndcs) ++{ ++#ifdef DEBUG_CONSTRAINTS ++ size_t i; ++ ++ debug_f("%s: %zu constraints", context, ndcs); ++ for (i = 0; i < ndcs; i++) { ++ debug_f("constraint %zu / %zu: from: ", i, ndcs); ++ dump_dest_constraint_hop(&dcsi.from); ++ debug_f("constraint %zu / %zu: to: ", i, ndcs); ++ dump_dest_constraint_hop(&dcsi.to); ++ } ++ debug_f("done for %s", context); ++#endif /* DEBUG_CONSTRAINTS */ ++} ++ + static void + free_identity(Identity *id) + { +@@ -518,13 +603,22 @@ process_request_identities(SocketEntry *e) + Identity *id; + struct sshbuf *msg, *keys; + int r; +- u_int nentries = 0; ++ u_int i = 0, nentries = 0; ++ char *fp; + + debug2_f("entering"); + + if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL) + fatal_f("sshbuf_new failed"); + TAILQ_FOREACH(id, &idtab->idlist, next) { ++ if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT, ++ SSH_FP_DEFAULT)) == NULL) ++ fatal_f("fingerprint failed"); ++ debug_f("key %u / %u: %s %s", i++, idtab->nentries, ++ sshkey_ssh_name(id->key), fp); ++ dump_dest_constraints(__func__, ++ id->dest_constraints, id->ndest_constraints); ++ free(fp); + /* identity not visible, don't include in response */ + if (identity_permitted(id, e, NULL, NULL, NULL) != 0) + continue; +@@ -1224,6 +1318,7 @@ process_add_identity(SocketEntry *e) + sshbuf_reset(e->request); + goto out; + } ++ dump_dest_constraints(__func__, dest_constraints, ndest_constraints); + + if (sk_provider != NULL) { + if (!sshkey_is_sk(k)) { +@@ -1403,6 +1498,7 @@ process_add_smartcard_key(SocketEntry *e) + error_f("failed to parse constraints"); + goto send; + } ++ dump_dest_constraints(__func__, dest_constraints, ndest_constraints); + if (e->nsession_ids != 0 && !remote_add_provider) { + verbose("failed PKCS#11 add of \"%.100s\": remote addition of " + 
"providers is disabled", provider); +@@ -1438,10 +1534,9 @@ process_add_smartcard_key(SocketEntry *e) + } + id->death = death; + id->confirm = confirm; +- id->dest_constraints = dest_constraints; ++ id->dest_constraints = dup_dest_constraints( ++ dest_constraints, ndest_constraints); + id->ndest_constraints = ndest_constraints; +- dest_constraints = NULL; /* transferred */ +- ndest_constraints = 0; + TAILQ_INSERT_TAIL(&idtab->idlist, id, next); + idtab->nentries++; + success = 1; +-- +2.33.0 +
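Review bot: In the process_add_smartcard_key hunk the identity now takes a deep copy via dup_dest_constraints() and the `dest_constraints = NULL; /* transferred */` reset is gone, so the array parsed from the request stays owned by the function and must be released on every exit including the success path; upstream does that with `free_dest_constraints(dest_constraints, ndest_constraints)` at the function tail, which lies outside this hunk. Please confirm the openEuler copy of that function, already modified by the pkcs11-uri patch, still reaches that tail free, otherwise every PKCS#11 provider add leaks the parsed constraints. The backport also brings in upstream's DEBUG_CONSTRAINTS dump helpers and the per-key `sshkey_fingerprint()` debug call in process_request_identities; these are debugging aids rather than part of the fix, and since the fingerprint is now computed and freed for every key on each list request it is worth stating in the patch header that they were kept deliberately. Note that this page renders `[i]` subscripts as `keysi`/`dcsi`; the patch file itself is not affected.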
_service:tar_scm:backport-fix-CVE-2024-6387.patch
Added
@@ -0,0 +1,28 @@
+Reference:https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+Conflict:NA
+---
+ log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/log.c b/log.c
+index dca08e4..5ca403a 100644
+--- a/log.c
++++ b/log.c
+@@ -458,12 +458,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ va_list args;
+ 
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+ 
+-- 
+2.33.0
+
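Review bot: Wrapping the sshlogv() call in `#if 0` does make sshsigdie() async-signal-safe, which is the substance of the upstream 9.8p1 fix, but it is unconditional and undocumented — upstream keeps the logging under `#ifdef DO_LOG_SAFE_IN_SIGHAND` (defined only where the platform's syslog is signal-safe), and a reader of this tree gets no hint why a fatal log line was removed. Replace `#if 0` with `#ifdef DO_LOG_SAFE_IN_SIGHAND` and a comment such as `/* CVE-2024-6387: syslog() is not async-signal-safe; log only where the platform guarantees it */`; on a 9.3p2 portable build the macro is undefined so behaviour is identical, but the file then matches upstream and survives the next rebase. Operationally this silences whatever sigdie() callers logged — as far as this tree matches upstream, the grace-time handler's "Timeout before authentication" line — so detection content keyed on that message will stop firing after this update, which deserves a sentence in the changelog. The Reference header cites only the Qualys advisory; adding the upstream commit lets the backport be audited against it.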
_service
Changed
@@ -1,8 +1,8 @@
 <services>
 <service name="tar_scm">
 <param name="scm">git</param>
- <param name="url">git@gitee.com:src-openeuler/openssh.git</param>
- <param name="revision">openEuler-24.03-LTS</param>
+ <param name="url">git@gitee.com:shen-chenbang/openssh.git</param>
+ <param name="revision">13</param>
 <param name="exclude">*</param>
 <param name="extract">*</param>
 </service>
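Review bot: The `revision` parameter now reads `13`, which is not a commit hash — if it is a branch or tag in the personal fork, whatever it points at when the service next runs is what OBS builds, so this OBS revision no longer identifies the source that was packaged. Pin it to the full commit hash of the fork commit carrying these three patches, e.g. `<param name="revision">&lt;full sha&gt;</param>`, and keep the pin updated deliberately. Switching `url` from `src-openeuler/openssh.git` to `shen-chenbang/openssh.git` also means the checkout is no longer the distribution's reviewed tree; that is acceptable for a branch project, but the change should be described in the revision message and this `_service` must not travel with a submit request back to the parent project.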