We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Difference Between Revision 2 and
Mega-LLVM:24.03
/
openssh
_service:tar_scm:openssh.spec
Changed
@@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 2 +%global openssh_release 6 Name: openssh Version: 9.3p2 @@ -99,6 +99,9 @@ Patch77: set-ssh-config.patch Patch78: backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch Patch79: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch +Patch80: backport-fix-CVE-2024-6387.patch +Patch81: backport-CVE-2023-51384-upstream-apply-destination-constraints-to-all-p11-ke.patch +Patch82: 0001-add-include.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 
@@ -175,78 +178,81 @@ %setup -q -a 3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 -%patch3 -p2 -b .psaa-build -%patch4 -p2 -b .psaa-seteuid -%patch5 -p2 -b .psaa-visibility -%patch7 -p2 -b .psaa-compat -%patch6 -p2 -b .psaa-agent -%patch8 -p2 -b .psaa-deref -%patch9 -p2 -b .rsasha2 -%patch10 -p1 -b .psaa-configure-c99 +%patch 3 -p2 -b .psaa-build +%patch 4 -p2 -b .psaa-seteuid +%patch 5 -p2 -b .psaa-visibility +%patch 7 -p2 -b .psaa-compat +%patch 6 -p2 -b .psaa-agent +%patch 8 -p2 -b .psaa-deref +%patch 9 -p2 -b .rsasha2 +%patch 10 -p1 -b .psaa-configure-c99 # Remove duplicate headers and library files rm -f $(cat %{SOURCE4}) popd -%patch11 -p1 -b .role-mls -%patch12 -p1 -b .privsep-selinux -%patch14 -p1 -b .keycat -%patch15 -p1 -b .ip-opts -%patch17 -p1 -b .ipv6man -%patch18 -p1 -b .sigpipe -%patch19 -p1 -b .x11 -%patch21 -p1 -b .progress -%patch22 -p1 -b .grab-info -%patch23 -p1 -%patch24 -p1 -b .log-usepam-no -%patch28 -p1 -b .gsskex -%patch29 -p1 -b .force_krb -%patch31 -p1 -b .ccache_name -%patch32 -p1 -b .k5login -%patch33 -p1 -b .kuserok -%patch34 -p1 -b .fromto-remote -%patch35 -p1 -b .contexts -%patch36 -p1 -b .log-in-chroot -%patch37 -p1 -b .scp -%patch30 -p1 -b .GSSAPIEnablek5users -%patch38 -p1 -b .sshdt -%patch39 -p1 -b .sftp-force-mode -%patch40 -p1 -b .s390-dev -%patch41 -p1 -b .x11max -%patch42 -p1 -b .systemd -%patch43 -p1 -b .refactor -%patch44 -p1 -b .sandbox -%patch45 -p1 -b .pkcs11-uri -%patch46 -p1 -b .scp-ipv6 -%patch48 -p1 -b .crypto-policies -%patch49 -p1 -b .openssl-evp -%patch50 -p1 -b .openssl-kdf -%patch51 -p1 -b .visibility -%patch52 -p1 -b .x11-ipv6 -%patch53 -p1 -b .keygen-strip-doseol -%patch54 -p1 -b .preserve-pam-errors -%patch55 -p1 -b .kill-scp -%patch56 -p1 -b .scp-sftpdirs -%patch57 -p1 -b .minrsabits -%patch58 -p1 -b .ibmca -%patch60 -p1 -b .ssh-manpage -%patch61 -p1 -b .negotiate-supported-algs -%patch1 -p1 -b .audit -%patch2 -p1 -b .audit-race -%patch0 -p1 -b .coverity - -%patch66 -p1 -%patch67 -p1 -%patch68 -p1 
-%patch69 -p1 -%patch70 -p1 -%patch71 -p1 -%patch72 -p1 -%patch73 -p1 -%patch74 -p1 -%patch75 -p1 -%patch77 -p1 -%patch78 -p1 -%patch79 -p1 +%patch 11 -p1 -b .role-mls +%patch 12 -p1 -b .privsep-selinux +%patch 14 -p1 -b .keycat +%patch 15 -p1 -b .ip-opts +%patch 17 -p1 -b .ipv6man +%patch 18 -p1 -b .sigpipe +%patch 19 -p1 -b .x11 +%patch 21 -p1 -b .progress +%patch 22 -p1 -b .grab-info +%patch 23 -p1 +%patch 24 -p1 -b .log-usepam-no +%patch 28 -p1 -b .gsskex +%patch 29 -p1 -b .force_krb +%patch 31 -p1 -b .ccache_name +%patch 32 -p1 -b .k5login +%patch 33 -p1 -b .kuserok +%patch 34 -p1 -b .fromto-remote +%patch 35 -p1 -b .contexts +%patch 36 -p1 -b .log-in-chroot +%patch 37 -p1 -b .scp +%patch 30 -p1 -b .GSSAPIEnablek5users +%patch 38 -p1 -b .sshdt +%patch 39 -p1 -b .sftp-force-mode +%patch 40 -p1 -b .s390-dev +%patch 41 -p1 -b .x11max +%patch 42 -p1 -b .systemd +%patch 43 -p1 -b .refactor +%patch 44 -p1 -b .sandbox +%patch 45 -p1 -b .pkcs11-uri +%patch 46 -p1 -b .scp-ipv6 +%patch 48 -p1 -b .crypto-policies +%patch 49 -p1 -b .openssl-evp +%patch 50 -p1 -b .openssl-kdf +%patch 51 -p1 -b .visibility +%patch 52 -p1 -b .x11-ipv6 +%patch 53 -p1 -b .keygen-strip-doseol +%patch 54 -p1 -b .preserve-pam-errors +%patch 55 -p1 -b .kill-scp +%patch 56 -p1 -b .scp-sftpdirs +%patch 57 -p1 -b .minrsabits +%patch 58 -p1 -b .ibmca +%patch 60 -p1 -b .ssh-manpage +%patch 61 -p1 -b .negotiate-supported-algs +%patch 1 -p1 -b .audit +%patch 2 -p1 -b .audit-race +%patch 0 -p1 -b .coverity + +%patch 66 -p1 +%patch 67 -p1 +%patch 68 -p1 +%patch 69 -p1 +%patch 70 -p1 +%patch 71 -p1 +%patch 72 -p1 +%patch 73 -p1 +%patch 74 -p1 +%patch 75 -p1 +%patch 77 -p1 +%patch 78 -p1 +%patch 79 -p1 +%patch 80 -p1 +%patch 81 -p1 +%patch 82 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 
@@ -318,8 +324,30 @@ popd %check +if -e /sys/fs/selinux/enforce ; then + # Store the SElinux state only if the file exists + if -w /sys/fs/selinux/enforce && -w. ; then + cat /sys/fs/selinux/enforce > selinux.tmp + setenforce 0 + else + echo "Insufficient permissions to handle SELinux state. Skipping modification." + fi +else + echo "SELinux is not enabled or enforce file not found. Skipping modification." +fi + make tests +if -e /sys/fs/selinux/enforce ; then + # Restore the SElinux state only if the file exists + if -w /sys/fs/selinux/enforce && -f selinux.tmp ; then + cat selinux.tmp > /sys/fs/selinux/enforce + rm -rf selinux.tmp + else + echo "Insufficient permissions or temp file not found. Skipping restoration of SELinux state." + fi +fi + %install mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
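Review bot: The new `%check` block switches the whole build host to permissive with `setenforce 0` and restores the saved state only after `make tests` returns, so a failing test run leaves SELinux permissive; rpm normally runs build sections with `sh -e`, and the restore lines are then never reached. Registering the restore before the change closes that gap, e.g. `trap 'test -f selinux.tmp && cat selinux.tmp > /sys/fs/selinux/enforce; rm -f selinux.tmp' EXIT` placed ahead of `setenforce 0`. The saved state is also written to a fixed name, `selinux.tmp`, in the current directory; a `mktemp` file would avoid reusing or trusting a file that is already there. Because the change affects every process on the builder while the tests run, a spec comment naming which test needs permissive mode would help reviewers judge whether it is still required.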
_service:tar_scm:0001-add-include.patch
Added
@@ -0,0 +1,38 @@
+From df8b36b20e40855848e4fd5c1f447a2607976809 Mon Sep 17 00:00:00 2001
+From: "Shencb@123" <1944340417@qq.com>
+Date: Sun, 1 Sep 2024 21:13:41 +0800
+Subject: PATCH add include
+
+---
+ ssh-ecdsa.c | 2 +-
+ ssh-rsa.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
+index 341c324..6fe5e42 100644
+--- a/ssh-ecdsa.c
++++ b/ssh-ecdsa.c
+@@ -42,7 +42,7 @@
+ #include "digest.h"
+ #define SSHKEY_INTERNAL
+ #include "sshkey.h"
+-
++#include "ssh-pkcs11.h"
+ #include "openbsd-compat/openssl-compat.h"
+
+ static u_int
+diff --git a/ssh-rsa.c b/ssh-rsa.c
+index be8f51e..2c8b044 100644
+--- a/ssh-rsa.c
++++ b/ssh-rsa.c
+@@ -26,7 +26,7 @@
+
+ #include <stdarg.h>
+ #include <string.h>
+-
++#include "ssh-pkcs11.h"
+ #include "sshbuf.h"
+ #include "ssherr.h"
+ #define SSHKEY_INTERNAL
+--
+2.45.2.windows.1
\ No newline at end of file
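Review bot: In the ssh-rsa.c hunk `#include "ssh-pkcs11.h"` is inserted ahead of `sshbuf.h` and the `SSHKEY_INTERNAL` block, while in ssh-ecdsa.c it follows `#include "sshkey.h"`; if the header's prototypes mention `struct sshkey`, the earlier position declares that type with prototype scope and can produce warnings or mismatched declarations. Placing it after `#include "sshkey.h"` in both files keeps them consistent (the `sshkey.h` include in ssh-rsa.c is outside the hunk). The Subject says only "add include"; naming the undeclared function or the compiler diagnostic that prompted it would let a later rebase tell whether the patch is still needed. Both hunks also overwrite the blank separator line instead of adding a line, which makes the patch more likely to conflict with upstream edits nearby.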
_service:tar_scm:backport-CVE-2023-51384-upstream-apply-destination-constraints-to-all-p11-ke.patch
Added
@@ -0,0 +1,174 @@ +From 881d9c6af9da4257c69c327c4e2f1508b2fa754b Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 18 Dec 2023 14:46:12 +0000 +Subject: PATCH upstream: apply destination constraints to all p11 keys + +Previously applied only to the first key returned from each token. + +ok markus@ + +OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d + +Reference:https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b +--- + ssh-agent.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 100 insertions(+), 5 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index f52861163..1d4c321eb 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.297 2023/03/09 21:06:24 jcs Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.301 2023/12/18 14:46:12 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -247,6 +247,91 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs) + free(dcs); + } + ++static void ++dup_dest_constraint_hop(const struct dest_constraint_hop *dch, ++ struct dest_constraint_hop *out) ++{ ++ u_int i; ++ int r; ++ ++ out->user = dch->user == NULL ? NULL : xstrdup(dch->user); ++ out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname); ++ out->is_ca = dch->is_ca; ++ out->nkeys = dch->nkeys; ++ out->keys = out->nkeys == 0 ? NULL : ++ xcalloc(out->nkeys, sizeof(*out->keys)); ++ out->key_is_ca = out->nkeys == 0 ? 
NULL : ++ xcalloc(out->nkeys, sizeof(*out->key_is_ca)); ++ for (i = 0; i < dch->nkeys; i++) { ++ if (dch->keysi != NULL && ++ (r = sshkey_from_private(dch->keysi, ++ &(out->keysi))) != 0) ++ fatal_fr(r, "copy key"); ++ out->key_is_cai = dch->key_is_cai; ++ } ++} ++ ++static struct dest_constraint * ++dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs) ++{ ++ size_t i; ++ struct dest_constraint *ret; ++ ++ if (ndcs == 0) ++ return NULL; ++ ret = xcalloc(ndcs, sizeof(*ret)); ++ for (i = 0; i < ndcs; i++) { ++ dup_dest_constraint_hop(&dcsi.from, &reti.from); ++ dup_dest_constraint_hop(&dcsi.to, &reti.to); ++ } ++ return ret; ++} ++ ++#ifdef DEBUG_CONSTRAINTS ++static void ++dump_dest_constraint_hop(const struct dest_constraint_hop *dch) ++{ ++ u_int i; ++ char *fp; ++ ++ debug_f("user %s hostname %s is_ca %d nkeys %u", ++ dch->user == NULL ? "(null)" : dch->user, ++ dch->hostname == NULL ? "(null)" : dch->hostname, ++ dch->is_ca, dch->nkeys); ++ for (i = 0; i < dch->nkeys; i++) { ++ fp = NULL; ++ if (dch->keysi != NULL && ++ (fp = sshkey_fingerprint(dch->keysi, ++ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) ++ fatal_f("fingerprint failed"); ++ debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys, ++ dch->keysi == NULL ? "" : sshkey_ssh_name(dch->keysi), ++ dch->keysi == NULL ? "" : " ", ++ dch->keysi == NULL ? 
"none" : fp, ++ dch->key_is_cai); ++ free(fp); ++ } ++} ++#endif /* DEBUG_CONSTRAINTS */ ++ ++static void ++dump_dest_constraints(const char *context, ++ const struct dest_constraint *dcs, size_t ndcs) ++{ ++#ifdef DEBUG_CONSTRAINTS ++ size_t i; ++ ++ debug_f("%s: %zu constraints", context, ndcs); ++ for (i = 0; i < ndcs; i++) { ++ debug_f("constraint %zu / %zu: from: ", i, ndcs); ++ dump_dest_constraint_hop(&dcsi.from); ++ debug_f("constraint %zu / %zu: to: ", i, ndcs); ++ dump_dest_constraint_hop(&dcsi.to); ++ } ++ debug_f("done for %s", context); ++#endif /* DEBUG_CONSTRAINTS */ ++} ++ + static void + free_identity(Identity *id) + { +@@ -518,13 +603,22 @@ process_request_identities(SocketEntry *e) + Identity *id; + struct sshbuf *msg, *keys; + int r; +- u_int nentries = 0; ++ u_int i = 0, nentries = 0; ++ char *fp; + + debug2_f("entering"); + + if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL) + fatal_f("sshbuf_new failed"); + TAILQ_FOREACH(id, &idtab->idlist, next) { ++ if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT, ++ SSH_FP_DEFAULT)) == NULL) ++ fatal_f("fingerprint failed"); ++ debug_f("key %u / %u: %s %s", i++, idtab->nentries, ++ sshkey_ssh_name(id->key), fp); ++ dump_dest_constraints(__func__, ++ id->dest_constraints, id->ndest_constraints); ++ free(fp); + /* identity not visible, don't include in response */ + if (identity_permitted(id, e, NULL, NULL, NULL) != 0) + continue; +@@ -1224,6 +1318,7 @@ process_add_identity(SocketEntry *e) + sshbuf_reset(e->request); + goto out; + } ++ dump_dest_constraints(__func__, dest_constraints, ndest_constraints); + + if (sk_provider != NULL) { + if (!sshkey_is_sk(k)) { +@@ -1403,6 +1498,7 @@ process_add_smartcard_key(SocketEntry *e) + error_f("failed to parse constraints"); + goto send; + } ++ dump_dest_constraints(__func__, dest_constraints, ndest_constraints); + if (e->nsession_ids != 0 && !remote_add_provider) { + verbose("failed PKCS#11 add of \"%.100s\": remote addition of " + 
"providers is disabled", provider); +@@ -1438,10 +1534,9 @@ process_add_smartcard_key(SocketEntry *e) + } + id->death = death; + id->confirm = confirm; +- id->dest_constraints = dest_constraints; ++ id->dest_constraints = dup_dest_constraints( ++ dest_constraints, ndest_constraints); + id->ndest_constraints = ndest_constraints; +- dest_constraints = NULL; /* transferred */ +- ndest_constraints = 0; + TAILQ_INSERT_TAIL(&idtab->idlist, id, next); + idtab->nentries++; + success = 1; +-- +2.33.0 +
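Review bot: In the `process_request_identities` hunk the added `sshkey_fingerprint()` and `debug_f()` lines run for every identity on every request, ahead of the `identity_permitted()` check and outside `DEBUG_CONSTRAINTS`, so a fingerprint failure now ends the agent through `fatal_f` on a path that had no such exit before. The header cites the upstream commit, so if the lines are kept verbatim for fidelity a short comment saying so would help; otherwise wrap them in `#ifdef DEBUG_CONSTRAINTS` and `#endif` as is done for `dump_dest_constraint_hop`. In the last hunk each key now receives `dup_dest_constraints(dest_constraints, ndest_constraints)` and the "transferred" reset is removed, so the parsed array stays owned by `process_add_smartcard_key`. Its cleanup path is outside the hunk; confirm it still calls `free_dest_constraints(dest_constraints, ndest_constraints)` on every exit.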
_service:tar_scm:backport-fix-CVE-2024-6387.patch
Added
@@ -0,0 +1,28 @@
+Reference:https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+Conflict:NA
+---
+ log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/log.c b/log.c
+index dca08e4..5ca403a 100644
+--- a/log.c
++++ b/log.c
+@@ -458,12 +458,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ va_list args;
+
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+
+--
+2.33.0
+
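Review bot: The `#if 0` in `sshsigdie` carries no comment, so nothing in the source says why the fatal log call was compiled out or that it must not be re-enabled; a line such as `/* CVE-2024-6387: sshlogv() is not async-signal-safe and this function is reached from signal handlers */` above `#if 0` would record that. With the body disabled, every caller now goes straight to `_exit(1)` without emitting its message, so monitoring that keys on log lines produced through this path goes quiet after the update and needs another signal; the callers are outside the hunk. The patch header has only a Reference to the advisory and no From/Subject or upstream commit id, unlike the other backports in this package, which makes its provenance harder to audit.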
_service
Changed
@@ -1,8 +1,8 @@ <services> <service name="tar_scm"> <param name="scm">git</param> - <param name="url">git@gitee.com:src-openeuler/openssh.git</param> - <param name="revision">openEuler-24.03-LTS</param> + <param name="url">git@gitee.com:shen-chenbang/openssh.git</param> + <param name="revision">13</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
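Review bot: The `url` parameter now fetches the package sources from a personal fork (`shen-chenbang/openssh`) instead of `src-openeuler/openssh`, and `revision` is `13`, which does not look like a full commit hash, so what gets built may change whenever that ref moves. For a package that carries CVE backports for sshd, pin the revision to a full commit id, e.g. `<param name="revision">FULL_COMMIT_SHA</param>` (placeholder), and record in the request how the fork differs from the distribution repository. If the fork is only a temporary staging source, say so in a comment in `_service`.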