system/openssh: Bump to 8.1p1, fixes for time64

author: A. Wilcox <AWilcox@Wilcox-Tech.com> 2020-01-30 10:38:26 +0000
committer: A. Wilcox <AWilcox@Wilcox-Tech.com> 2020-01-30 10:38:26 +0000
commit: fc1725b12ffae83614d3792ec9a8fae764fa8213 (patch)
tree: 5b2963169a97ac6fc0a40498e9dd008ade9e6ca1
parent: ae3f7a857962a758a7783cb4d343760a9582478d (diff)
download: packages-fc1725b12ffae83614d3792ec9a8fae764fa8213.tar.gz
packages-fc1725b12ffae83614d3792ec9a8fae764fa8213.tar.bz2
packages-fc1725b12ffae83614d3792ec9a8fae764fa8213.tar.xz
packages-fc1725b12ffae83614d3792ec9a8fae764fa8213.zip
8 files changed, 52 insertions, 185 deletions
diff --git a/system/openssh/APKBUILD b/system/openssh/APKBUILD
index 10eee5514..7466d2844 100644
--- a/system/openssh/APKBUILD
+++ b/system/openssh/APKBUILD
@@ -2,9 +2,9 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 # Maintainer: Horst Burkhardt <horst@adelielinux.org>
 pkgname=openssh
-pkgver=7.9_p1
+pkgver=8.1_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=4
+pkgrel=0
 pkgdesc="Port of OpenBSD's free SSH release"
 url="https://www.openssh.com/portable.html"
 arch="all"
@@ -25,13 +25,10 @@ subpackages="$pkgname-doc
 	"
 
 source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
-	bsd-compatible-realpath.patch
-	CVE-2018-20685.patch
 	disable-forwarding-by-default.patch
 	fix-utmpx.patch
-	openssh7.4-peaktput.patch
-	openssh-7.9_p1-openssl-1.0.2-compat.patch
 	sftp-interactive.patch
+	time64-seccomp.patch
 
 	sshd.initd
 	sshd.confd
@@ -149,13 +146,10 @@ openrc() {
 	install_if="openssh-server=$pkgver-r$pkgrel openrc"
 }
 
-sha512sums="0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e  openssh-7.9p1.tar.gz
-f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73  bsd-compatible-realpath.patch
-b8907d3d6ebceeca15f6bc97551a7613c68df5c31e4e76d43b7c0bd9ad42dedcabc20a2cc5404b89f40850a4765b24892bde50eab1db55c96ad5cf23bb1f8d04  CVE-2018-20685.patch
+sha512sums="b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925  openssh-8.1p1.tar.gz
 f3d5960572ddf49635d4edbdff45835df1b538a81840db169c36b39862e6fa8b0393ca90626000b758f59567ff6810b2537304098652483b3b31fb438a061de6  disable-forwarding-by-default.patch
-0c1e832cec420bc7b57558041d2288912a438db97050b87f6a57e94a2741a374cc5d141fe352968b0d1ba6accaff965794463fe9169d136678a8915a60d2f0b7  fix-utmpx.patch
-398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6  openssh7.4-peaktput.patch
-dde28496df7ee74a2bbcf0aba389abefade3dc41f7d10dc6d3c1a0aca087478bafe10d31ec5e61e758084fa0a2a7c64314502091d900d9cee487c1bdc92722a6  openssh-7.9_p1-openssl-1.0.2-compat.patch
-c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  sftp-interactive.patch
+9033520d18ccfea87628c78008591ae8a143999868254eabc926ca0665611c9f09c221265b1b6f552b82eca58558244a020d615b55249a02f96e298c1f7ff520  fix-utmpx.patch
+34c0673f550e7afcd47eda4fe1da48fb42e5344c95ba8064c9c3c137fda9c43635b0f7b8145d0300f59c79f75a396ebd467afb54cdaa42aa251d624d0752dc84  sftp-interactive.patch
+ad5b209f7f3fff69c10bae34da143e071e107a2141eee94f393532d6bb04a36bfe6d9b5d2c08b713f67118503c38d11b4aad689df1df7c8a918d52db8326821d  time64-seccomp.patch
 394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f  sshd.initd
 ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4  sshd.confd"
diff --git a/system/openssh/CVE-2018-20685.patch b/system/openssh/CVE-2018-20685.patch
deleted file mode 100644
index f2f1ecfc5..000000000
--- a/system/openssh/CVE-2018-20685.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Fri, 16 Nov 2018 03:03:10 +0000
-Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
- to the
-
-current directory; based on report/patch from Harry Sintonen
-
-OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
----
- scp.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/scp.c b/scp.c
-index 60682c687..4f3fdcd3d 100644
---- a/scp.c
-+++ b/scp.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
-+/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
- /*
-  * scp - secure remote copy.  This is basically patched BSD rcp which
-  * uses ssh to do the data transfer (instead of using rcmd).
-@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
- 			SCREWUP("size out of range");
- 		size = (off_t)ull;
- 
--		if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
-+		if (*cp == '\0' || strchr(cp, '/') != NULL ||
-+		    strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
- 			run_err("error: unexpected filename: %s", cp);
- 			exit(1);
- 		}
diff --git a/system/openssh/bsd-compatible-realpath.patch b/system/openssh/bsd-compatible-realpath.patch
deleted file mode 100644
index 1cdb4f7c5..000000000
--- a/system/openssh/bsd-compatible-realpath.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-fix issues with fortify-headers and the way openssh handles the needed
-BSD compatible realpath(3).
-
-unconditionally use the provided realpath() as otherwise cross-builds
-would try to use musl realpath() which is posix compliant and not
-working to openssh expectations.
-
-diff -ru openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h openssh-7.2p2/openbsd-compat/openbsd-compat.h
---- openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h	2016-03-09 20:04:48.000000000 +0200
-+++ openssh-7.2p2/openbsd-compat/openbsd-compat.h	2016-07-18 13:33:16.260357745 +0300
-@@ -68,17 +68,7 @@
- void *reallocarray(void *, size_t, size_t);
- #endif
- 
--#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
--/*
-- * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the
-- * compat version.
-- */
--# ifdef BROKEN_REALPATH
--#  define realpath(x, y) _ssh_compat_realpath(x, y)
--# endif
--
--char *realpath(const char *path, char *resolved);
--#endif
-+char *ssh_realpath(const char *path, char *resolved);
- 
- #ifndef HAVE_RRESVPORT_AF
- int rresvport_af(int *alport, sa_family_t af);
-diff -ru openssh-7.2p2.orig/openbsd-compat/realpath.c openssh-7.2p2/openbsd-compat/realpath.c
---- openssh-7.2p2.orig/openbsd-compat/realpath.c	2016-03-09 20:04:48.000000000 +0200
-+++ openssh-7.2p2/openbsd-compat/realpath.c	2016-07-18 13:33:45.420721690 +0300
-@@ -31,7 +31,7 @@
- 
- #include "includes.h"
- 
--#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
-+#if 1
- 
- #include <sys/types.h>
- #include <sys/param.h>
-@@ -58,7 +58,7 @@
-  * in which case the path which caused trouble is left in (resolved).
-  */
- char *
--realpath(const char *path, char *resolved)
-+ssh_realpath(const char *path, char *resolved)
- {
- 	struct stat sb;
- 	char *p, *q, *s;
-diff -ru openssh-7.2p2.orig/sftp-server.c openssh-7.2p2/sftp-server.c
---- openssh-7.2p2.orig/sftp-server.c	2016-03-09 20:04:48.000000000 +0200
-+++ openssh-7.2p2/sftp-server.c	2016-07-18 13:34:29.131267241 +0300
-@@ -1162,7 +1162,7 @@
- 	}
- 	debug3("request %u: realpath", id);
- 	verbose("realpath \"%s\"", path);
--	if (realpath(path, resolvedname) == NULL) {
-+	if (ssh_realpath(path, resolvedname) == NULL) {
- 		send_status(id, errno_to_portable(errno));
- 	} else {
- 		Stat s;
diff --git a/system/openssh/fix-utmpx.patch b/system/openssh/fix-utmpx.patch
index 7f05add35..5e43eaf06 100644
--- a/system/openssh/fix-utmpx.patch
+++ b/system/openssh/fix-utmpx.patch
@@ -1,6 +1,6 @@
 --- openssh-7.7p1/loginrec.c.old	2018-04-02 00:38:28.000000000 -0500
 +++ openssh-7.7p1/loginrec.c	2018-06-15 22:09:00.091482769 -0500
-@@ -1656,7 +1656,11 @@
+@@ -1659,7 +1659,11 @@
      const char *ttyn)
  {
  	int fd;
diff --git a/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch b/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch
deleted file mode 100644
index c1c310e8f..000000000
--- a/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
-index 8b4a3627..590b66d1 100644
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
- 	ENGINE_load_builtin_engines();
- 	ENGINE_register_all_complete();
-
--#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- 	OPENSSL_config(NULL);
- #else
- 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
diff --git a/system/openssh/openssh7.4-peaktput.patch b/system/openssh/openssh7.4-peaktput.patch
deleted file mode 100644
index 6fc6140a6..000000000
--- a/system/openssh/openssh7.4-peaktput.patch
+++ /dev/null
@@ -1,62 +0,0 @@
---- a/progressmeter.c
-+++ b/progressmeter.c
-@@ -69,6 +69,8 @@
- static off_t start_pos;		/* initial position of transfer */
- static off_t end_pos;		/* ending position of transfer */
- static off_t cur_pos;		/* transfer position as of last refresh */
-+static off_t last_pos;
-+static off_t max_delta_pos = 0;
- static volatile off_t *counter;	/* progress counter */
- static long stalled;		/* how long we have been stalled */
- static int bytes_per_second;	/* current speed in bytes per second */
-@@ -128,12 +130,17 @@
- 	int hours, minutes, seconds;
- 	int i, len;
- 	int file_len;
-+	off_t delta_pos;
- 
- 	transferred = *counter - (cur_pos ? cur_pos : start_pos);
- 	cur_pos = *counter;
- 	now = monotime_double();
- 	bytes_left = end_pos - cur_pos;
- 
-+	delta_pos = cur_pos - last_pos;
-+	if (delta_pos > max_delta_pos)
-+		max_delta_pos = delta_pos;
-+
- 	if (bytes_left > 0)
- 		elapsed = now - last_update;
- 	else {
-@@ -158,7 +165,7 @@
- 
- 	/* filename */
- 	buf[0] = '\0';
--	file_len = win_size - 35;
-+	file_len = win_size - 45;
- 	if (file_len > 0) {
- 		len = snprintf(buf, file_len + 1, "\r%s", file);
- 		if (len < 0)
-@@ -188,6 +195,15 @@
- 	    (off_t)bytes_per_second);
- 	strlcat(buf, "/s ", win_size);
- 
-+	/* instantaneous rate */
-+	if (bytes_left > 0)
-+		format_rate(buf + strlen(buf), win_size - strlen(buf),
-+			    delta_pos);
-+	else
-+		format_rate(buf + strlen(buf), win_size - strlen(buf),
-+			    max_delta_pos);
-+	strlcat(buf, "/s ", win_size);
-+
- 	/* ETA */
- 	if (!transferred)
- 		stalled += elapsed;
-@@ -224,6 +240,7 @@
- 
- 	atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
- 	last_update = now;
-+	last_pos = cur_pos;
- }
- 
- /*ARGSUSED*/
diff --git a/system/openssh/sftp-interactive.patch b/system/openssh/sftp-interactive.patch
index ab14f3a6b..e4b8967bf 100644
--- a/system/openssh/sftp-interactive.patch
+++ b/system/openssh/sftp-interactive.patch
@@ -1,6 +1,6 @@
 --- a/sftp.c	2014-10-24 10:32:15.793544472 +0500
 +++ b/sftp.c	2014-10-24 10:35:22.329199875 +0500
-@@ -2076,8 +2076,10 @@
+@@ -2243,8 +2243,10 @@
  		signal(SIGINT, SIG_IGN);
  
  		if (el == NULL) {
diff --git a/system/openssh/time64-seccomp.patch b/system/openssh/time64-seccomp.patch
new file mode 100644
index 000000000..9f9a8a247
--- /dev/null
+++ b/system/openssh/time64-seccomp.patch
@@ -0,0 +1,43 @@
+From b1c82f4b8adf3f42476d8a1f292df33fb7aa1a56 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 13 Nov 2019 23:19:35 +1100
+Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox.
+
+seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
+glibc.  Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
+
+From 5af6fd5461bb709304e6979c8b7856c7af921c9e Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Mon, 16 Dec 2019 13:55:56 +1100
+Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
+
+Needed on Linux ARM.  bz#3100, patch from jjelen@redhat.com.
+
+From b110cefdfbf5a20f49b774a55062d6ded2fb6e22 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 7 Jan 2020 16:26:45 -0800
+Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
+
+This helps sshd accept connections on mips platforms with
+upcoming glibc ( 2.31 )
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index b5cda70bb..96ab141f7 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -242,6 +242,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_nanosleep
+ 	SC_ALLOW(__NR_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep
++	SC_ALLOW(__NR_clock_nanosleep),
++#endif
++#ifdef __NR_clock_nanosleep_time64
++       SC_ALLOW(__NR_clock_nanosleep_time64),
++#endif
++#ifdef __NR_clock_gettime64
++	SC_ALLOW(__NR_clock_gettime64),
++#endif
+ #ifdef __NR__newselect
+ 	SC_ALLOW(__NR__newselect),
+ #endif
author	A. Wilcox <AWilcox@Wilcox-Tech.com>	2020-01-30 10:38:26 +0000
committer	A. Wilcox <AWilcox@Wilcox-Tech.com>	2020-01-30 10:38:26 +0000
commit	fc1725b12ffae83614d3792ec9a8fae764fa8213 (patch)
tree	5b2963169a97ac6fc0a40498e9dd008ade9e6ca1
parent	ae3f7a857962a758a7783cb4d343760a9582478d (diff)
download	packages-fc1725b12ffae83614d3792ec9a8fae764fa8213.tar.gz packages-fc1725b12ffae83614d3792ec9a8fae764fa8213.tar.bz2 packages-fc1725b12ffae83614d3792ec9a8fae764fa8213.tar.xz packages-fc1725b12ffae83614d3792ec9a8fae764fa8213.zip