开源软件构建与测试

_service:tar_scm:openssh.spec Changed

@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 2
+%global openssh_release 6
 
 Name:           openssh
 Version:        9.3p2
@@ -99,6 +99,9 @@
 Patch77:        set-ssh-config.patch
 Patch78:        backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch
 Patch79:        backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
+Patch80:        backport-fix-CVE-2024-6387.patch
+Patch81:        backport-CVE-2023-51384-upstream-apply-destination-constraints-to-all-p11-ke.patch
+Patch82:        0001-add-include.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -175,78 +178,81 @@
 %setup -q -a 3
 
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
-%patch3 -p2 -b .psaa-build
-%patch4 -p2 -b .psaa-seteuid
-%patch5 -p2 -b .psaa-visibility
-%patch7 -p2 -b .psaa-compat
-%patch6 -p2 -b .psaa-agent
-%patch8 -p2 -b .psaa-deref
-%patch9 -p2 -b .rsasha2
-%patch10 -p1 -b .psaa-configure-c99
+%patch 3 -p2 -b .psaa-build
+%patch 4 -p2 -b .psaa-seteuid
+%patch 5 -p2 -b .psaa-visibility
+%patch 7 -p2 -b .psaa-compat
+%patch 6 -p2 -b .psaa-agent
+%patch 8 -p2 -b .psaa-deref
+%patch 9 -p2 -b .rsasha2
+%patch 10 -p1 -b .psaa-configure-c99
 # Remove duplicate headers and library files
 rm -f $(cat %{SOURCE4})
 popd
 
-%patch11 -p1 -b .role-mls
-%patch12 -p1 -b .privsep-selinux
-%patch14 -p1 -b .keycat
-%patch15 -p1 -b .ip-opts
-%patch17 -p1 -b .ipv6man
-%patch18 -p1 -b .sigpipe
-%patch19 -p1 -b .x11
-%patch21 -p1 -b .progress
-%patch22 -p1 -b .grab-info
-%patch23 -p1
-%patch24 -p1 -b .log-usepam-no
-%patch28 -p1 -b .gsskex
-%patch29 -p1 -b .force_krb
-%patch31 -p1 -b .ccache_name
-%patch32 -p1 -b .k5login
-%patch33 -p1 -b .kuserok
-%patch34 -p1 -b .fromto-remote
-%patch35 -p1 -b .contexts
-%patch36 -p1 -b .log-in-chroot
-%patch37 -p1 -b .scp
-%patch30 -p1 -b .GSSAPIEnablek5users
-%patch38 -p1 -b .sshdt
-%patch39 -p1 -b .sftp-force-mode
-%patch40 -p1 -b .s390-dev
-%patch41 -p1 -b .x11max
-%patch42 -p1 -b .systemd
-%patch43 -p1 -b .refactor
-%patch44 -p1 -b .sandbox
-%patch45 -p1 -b .pkcs11-uri
-%patch46 -p1 -b .scp-ipv6
-%patch48 -p1 -b .crypto-policies
-%patch49 -p1 -b .openssl-evp
-%patch50 -p1 -b .openssl-kdf
-%patch51 -p1 -b .visibility
-%patch52 -p1 -b .x11-ipv6
-%patch53 -p1 -b .keygen-strip-doseol
-%patch54 -p1 -b .preserve-pam-errors
-%patch55 -p1 -b .kill-scp
-%patch56 -p1 -b .scp-sftpdirs
-%patch57 -p1 -b .minrsabits
-%patch58 -p1 -b .ibmca
-%patch60 -p1 -b .ssh-manpage
-%patch61 -p1 -b .negotiate-supported-algs
-%patch1 -p1 -b .audit
-%patch2 -p1 -b .audit-race
-%patch0 -p1 -b .coverity
-
-%patch66 -p1
-%patch67 -p1
-%patch68 -p1
-%patch69 -p1
-%patch70 -p1
-%patch71 -p1
-%patch72 -p1
-%patch73 -p1
-%patch74 -p1
-%patch75 -p1
-%patch77 -p1
-%patch78 -p1
-%patch79 -p1
+%patch 11 -p1 -b .role-mls
+%patch 12 -p1 -b .privsep-selinux
+%patch 14 -p1 -b .keycat
+%patch 15 -p1 -b .ip-opts
+%patch 17 -p1 -b .ipv6man
+%patch 18 -p1 -b .sigpipe
+%patch 19 -p1 -b .x11
+%patch 21 -p1 -b .progress
+%patch 22 -p1 -b .grab-info
+%patch 23 -p1
+%patch 24 -p1 -b .log-usepam-no
+%patch 28 -p1 -b .gsskex
+%patch 29 -p1 -b .force_krb
+%patch 31 -p1 -b .ccache_name
+%patch 32 -p1 -b .k5login
+%patch 33 -p1 -b .kuserok
+%patch 34 -p1 -b .fromto-remote
+%patch 35 -p1 -b .contexts
+%patch 36 -p1 -b .log-in-chroot
+%patch 37 -p1 -b .scp
+%patch 30 -p1 -b .GSSAPIEnablek5users
+%patch 38 -p1 -b .sshdt
+%patch 39 -p1 -b .sftp-force-mode
+%patch 40 -p1 -b .s390-dev
+%patch 41 -p1 -b .x11max
+%patch 42 -p1 -b .systemd
+%patch 43 -p1 -b .refactor
+%patch 44 -p1 -b .sandbox
+%patch 45 -p1 -b .pkcs11-uri
+%patch 46 -p1 -b .scp-ipv6
+%patch 48 -p1 -b .crypto-policies
+%patch 49 -p1 -b .openssl-evp
+%patch 50 -p1 -b .openssl-kdf
+%patch 51 -p1 -b .visibility
+%patch 52 -p1 -b .x11-ipv6
+%patch 53 -p1 -b .keygen-strip-doseol
+%patch 54 -p1 -b .preserve-pam-errors
+%patch 55 -p1 -b .kill-scp
+%patch 56 -p1 -b .scp-sftpdirs
+%patch 57 -p1 -b .minrsabits
+%patch 58 -p1 -b .ibmca
+%patch 60 -p1 -b .ssh-manpage
+%patch 61 -p1 -b .negotiate-supported-algs
+%patch 1 -p1 -b .audit
+%patch 2 -p1 -b .audit-race
+%patch 0 -p1 -b .coverity
+
+%patch 66 -p1
+%patch 67 -p1
+%patch 68 -p1
+%patch 69 -p1
+%patch 70 -p1
+%patch 71 -p1
+%patch 72 -p1
+%patch 73 -p1
+%patch 74 -p1
+%patch 75 -p1
+%patch 77 -p1
+%patch 78 -p1
+%patch 79 -p1
+%patch 80 -p1
+%patch 81 -p1
+%patch 82 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -318,8 +324,30 @@
 popd
 
 %check
+if  -e /sys/fs/selinux/enforce ; then
+    # Store the SElinux state only if the file exists
+    if  -w /sys/fs/selinux/enforce  &&  -w. ; then
+        cat /sys/fs/selinux/enforce > selinux.tmp
+        setenforce 0
+    else
+        echo "Insufficient permissions to handle SELinux state. Skipping modification."
+    fi
+else
+    echo "SELinux is not enabled or enforce file not found. Skipping modification."
+fi
+
 make tests
 
+if  -e /sys/fs/selinux/enforce ; then
+    # Restore the SElinux state only if the file exists
+    if  -w /sys/fs/selinux/enforce  &&  -f selinux.tmp ; then
+        cat selinux.tmp > /sys/fs/selinux/enforce
+        rm -rf selinux.tmp
+    else
+        echo "Insufficient permissions or temp file not found. Skipping restoration of SELinux state."
+    fi
+fi
+
 %install
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
@@ -453,6 +481,30 @@
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Tue Aug 27 2024 shenchenbang <1944340417@qq.com> - 9.3p2-6
+- Type:CVE
+- CVE:CVE-2023-51384
+- SUG:NA
+- DESC:Fix add include pkcs11
+
+* Fri Jul 12 2024 renmingshuai <renmingshuai@huawei.com> - 9.3p2-5
+- Type:CVE
+- CVE:CVE-2023-51384
+- SUG:NA
+- DESC:Fix CVE-2023-51384
+
+* Tue Jul 2 2024 renmingshuai <renmingshuai@huawei.com> - 9.3p2-4
+- Type:CVE
+- CVE:CVE-2024-6387
+- SUG:NA
+- DESC:Fix CVE-2024-6387
+
+* Mon Apr 29 2024 renmingshuai <renmingshuai@huawei.com> - 9.3p2-3
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:Disable SElinux when make tests
+
 * Wed Jan 31 2024 renmingshuai<renmingshuai@huawei.com> - 9.3p2-2
 - Type:bugfix
 - CVE:NA

_service:tar_scm:0001-add-include.patch Added

_service:tar_scm:backport-CVE-2023-51384-upstream-apply-destination-constraints-to-all-p11-ke.patch Added

@@ -0,0 +1,174 @@
+From 881d9c6af9da4257c69c327c4e2f1508b2fa754b Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:46:12 +0000
+Subject: PATCH upstream: apply destination constraints to all p11 keys
+
+Previously applied only to the first key returned from each token.
+
+ok markus@
+
+OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
+
+Reference:https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
+---
+ ssh-agent.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 100 insertions(+), 5 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index f52861163..1d4c321eb 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.297 2023/03/09 21:06:24 jcs Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.301 2023/12/18 14:46:12 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -247,6 +247,91 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs)
+ 	free(dcs);
+ }
+ 
++static void
++dup_dest_constraint_hop(const struct dest_constraint_hop *dch,
++    struct dest_constraint_hop *out)
++{
++	u_int i;
++	int r;
++
++	out->user = dch->user == NULL ? NULL : xstrdup(dch->user);
++	out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname);
++	out->is_ca = dch->is_ca;
++	out->nkeys = dch->nkeys;
++	out->keys = out->nkeys == 0 ? NULL :
++	    xcalloc(out->nkeys, sizeof(*out->keys));
++	out->key_is_ca = out->nkeys == 0 ? NULL :
++	    xcalloc(out->nkeys, sizeof(*out->key_is_ca));
++	for (i = 0; i < dch->nkeys; i++) {
++		if (dch->keysi != NULL &&
++		    (r = sshkey_from_private(dch->keysi,
++		    &(out->keysi))) != 0)
++			fatal_fr(r, "copy key");
++		out->key_is_cai = dch->key_is_cai;
++	}
++}
++
++static struct dest_constraint *
++dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs)
++{
++	size_t i;
++	struct dest_constraint *ret;
++
++	if (ndcs == 0)
++		return NULL;
++	ret = xcalloc(ndcs, sizeof(*ret));
++	for (i = 0; i < ndcs; i++) {
++		dup_dest_constraint_hop(&dcsi.from, &reti.from);
++		dup_dest_constraint_hop(&dcsi.to, &reti.to);
++	}
++	return ret;
++}
++
++#ifdef DEBUG_CONSTRAINTS
++static void
++dump_dest_constraint_hop(const struct dest_constraint_hop *dch)
++{
++	u_int i;
++	char *fp;
++
++	debug_f("user %s hostname %s is_ca %d nkeys %u",
++	    dch->user == NULL ? "(null)" : dch->user,
++	    dch->hostname == NULL ? "(null)" : dch->hostname,
++	    dch->is_ca, dch->nkeys);
++	for (i = 0; i < dch->nkeys; i++) {
++		fp = NULL;
++		if (dch->keysi != NULL &&
++		    (fp = sshkey_fingerprint(dch->keysi,
++		    SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
++			fatal_f("fingerprint failed");
++		debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys,
++		    dch->keysi == NULL ? "" : sshkey_ssh_name(dch->keysi),
++		    dch->keysi == NULL ? "" : " ",
++		    dch->keysi == NULL ? "none" : fp,
++		    dch->key_is_cai);
++		free(fp);
++	}
++}
++#endif /* DEBUG_CONSTRAINTS */
++
++static void
++dump_dest_constraints(const char *context,
++    const struct dest_constraint *dcs, size_t ndcs)
++{
++#ifdef DEBUG_CONSTRAINTS
++	size_t i;
++
++	debug_f("%s: %zu constraints", context, ndcs);
++	for (i = 0; i < ndcs; i++) {
++		debug_f("constraint %zu / %zu: from: ", i, ndcs);
++		dump_dest_constraint_hop(&dcsi.from);
++		debug_f("constraint %zu / %zu: to: ", i, ndcs);
++		dump_dest_constraint_hop(&dcsi.to);
++	}
++	debug_f("done for %s", context);
++#endif /* DEBUG_CONSTRAINTS */
++}
++
+ static void
+ free_identity(Identity *id)
+ {
+@@ -518,13 +603,22 @@ process_request_identities(SocketEntry *e)
+ 	Identity *id;
+ 	struct sshbuf *msg, *keys;
+ 	int r;
+-	u_int nentries = 0;
++	u_int i = 0, nentries = 0;
++	char *fp;
+ 
+ 	debug2_f("entering");
+ 
+ 	if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL)
+ 		fatal_f("sshbuf_new failed");
+ 	TAILQ_FOREACH(id, &idtab->idlist, next) {
++		if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT,
++		    SSH_FP_DEFAULT)) == NULL)
++			fatal_f("fingerprint failed");
++		debug_f("key %u / %u: %s %s", i++, idtab->nentries,
++		    sshkey_ssh_name(id->key), fp);
++		dump_dest_constraints(__func__,
++		    id->dest_constraints, id->ndest_constraints);
++		free(fp);
+ 		/* identity not visible, don't include in response */
+ 		if (identity_permitted(id, e, NULL, NULL, NULL) != 0)
+ 			continue;
+@@ -1224,6 +1318,7 @@ process_add_identity(SocketEntry *e)
+ 		sshbuf_reset(e->request);
+ 		goto out;
+ 	}
++	dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
+ 
+ 	if (sk_provider != NULL) {
+ 		if (!sshkey_is_sk(k)) {
+@@ -1403,6 +1498,7 @@ process_add_smartcard_key(SocketEntry *e)
+ 		error_f("failed to parse constraints");
+ 		goto send;
+ 	}
++	dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
+ 	if (e->nsession_ids != 0 && !remote_add_provider) {
+ 		verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
+ 		    "providers is disabled", provider);
+@@ -1438,10 +1534,9 @@ process_add_smartcard_key(SocketEntry *e)
+ 			}
+ 			id->death = death;
+ 			id->confirm = confirm;
+-			id->dest_constraints = dest_constraints;
++			id->dest_constraints = dup_dest_constraints(
++			    dest_constraints, ndest_constraints);
+ 			id->ndest_constraints = ndest_constraints;
+-			dest_constraints = NULL; /* transferred */
+-			ndest_constraints = 0;
+ 			TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
+ 			idtab->nentries++;
+ 			success = 1;
+-- 
+2.33.0
+

_service:tar_scm:backport-fix-CVE-2024-6387.patch Added

_service Changed

Changes of Revision 2