summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--system/openssh/APKBUILD20
-rw-r--r--system/openssh/CVE-2018-20685.patch33
-rw-r--r--system/openssh/bsd-compatible-realpath.patch62
-rw-r--r--system/openssh/fix-utmpx.patch2
-rw-r--r--system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch13
-rw-r--r--system/openssh/openssh7.4-peaktput.patch62
-rw-r--r--system/openssh/sftp-interactive.patch2
-rw-r--r--system/openssh/time64-seccomp.patch43
8 files changed, 52 insertions, 185 deletions
diff --git a/system/openssh/APKBUILD b/system/openssh/APKBUILD
index 10eee5514..7466d2844 100644
--- a/system/openssh/APKBUILD
+++ b/system/openssh/APKBUILD
@@ -2,9 +2,9 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Horst Burkhardt <horst@adelielinux.org>
pkgname=openssh
-pkgver=7.9_p1
+pkgver=8.1_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=4
+pkgrel=0
pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.com/portable.html"
arch="all"
@@ -25,13 +25,10 @@ subpackages="$pkgname-doc
"
source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
- bsd-compatible-realpath.patch
- CVE-2018-20685.patch
disable-forwarding-by-default.patch
fix-utmpx.patch
- openssh7.4-peaktput.patch
- openssh-7.9_p1-openssl-1.0.2-compat.patch
sftp-interactive.patch
+ time64-seccomp.patch
sshd.initd
sshd.confd
@@ -149,13 +146,10 @@ openrc() {
install_if="openssh-server=$pkgver-r$pkgrel openrc"
}
-sha512sums="0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e openssh-7.9p1.tar.gz
-f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch
-b8907d3d6ebceeca15f6bc97551a7613c68df5c31e4e76d43b7c0bd9ad42dedcabc20a2cc5404b89f40850a4765b24892bde50eab1db55c96ad5cf23bb1f8d04 CVE-2018-20685.patch
+sha512sums="b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925 openssh-8.1p1.tar.gz
f3d5960572ddf49635d4edbdff45835df1b538a81840db169c36b39862e6fa8b0393ca90626000b758f59567ff6810b2537304098652483b3b31fb438a061de6 disable-forwarding-by-default.patch
-0c1e832cec420bc7b57558041d2288912a438db97050b87f6a57e94a2741a374cc5d141fe352968b0d1ba6accaff965794463fe9169d136678a8915a60d2f0b7 fix-utmpx.patch
-398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6 openssh7.4-peaktput.patch
-dde28496df7ee74a2bbcf0aba389abefade3dc41f7d10dc6d3c1a0aca087478bafe10d31ec5e61e758084fa0a2a7c64314502091d900d9cee487c1bdc92722a6 openssh-7.9_p1-openssl-1.0.2-compat.patch
-c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
+9033520d18ccfea87628c78008591ae8a143999868254eabc926ca0665611c9f09c221265b1b6f552b82eca58558244a020d615b55249a02f96e298c1f7ff520 fix-utmpx.patch
+34c0673f550e7afcd47eda4fe1da48fb42e5344c95ba8064c9c3c137fda9c43635b0f7b8145d0300f59c79f75a396ebd467afb54cdaa42aa251d624d0752dc84 sftp-interactive.patch
+ad5b209f7f3fff69c10bae34da143e071e107a2141eee94f393532d6bb04a36bfe6d9b5d2c08b713f67118503c38d11b4aad689df1df7c8a918d52db8326821d time64-seccomp.patch
394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f sshd.initd
ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4 sshd.confd"
diff --git a/system/openssh/CVE-2018-20685.patch b/system/openssh/CVE-2018-20685.patch
deleted file mode 100644
index f2f1ecfc5..000000000
--- a/system/openssh/CVE-2018-20685.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Fri, 16 Nov 2018 03:03:10 +0000
-Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
- to the
-
-current directory; based on report/patch from Harry Sintonen
-
-OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
----
- scp.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/scp.c b/scp.c
-index 60682c687..4f3fdcd3d 100644
---- a/scp.c
-+++ b/scp.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
-+/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
- /*
- * scp - secure remote copy. This is basically patched BSD rcp which
- * uses ssh to do the data transfer (instead of using rcmd).
-@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
- SCREWUP("size out of range");
- size = (off_t)ull;
-
-- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
-+ if (*cp == '\0' || strchr(cp, '/') != NULL ||
-+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
- run_err("error: unexpected filename: %s", cp);
- exit(1);
- }
diff --git a/system/openssh/bsd-compatible-realpath.patch b/system/openssh/bsd-compatible-realpath.patch
deleted file mode 100644
index 1cdb4f7c5..000000000
--- a/system/openssh/bsd-compatible-realpath.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-fix issues with fortify-headers and the way openssh handles the needed
-BSD compatible realpath(3).
-
-unconditionally use the provided realpath() as otherwise cross-builds
-would try to use musl realpath() which is posix compliant and not
-working to openssh expectations.
-
-diff -ru openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h openssh-7.2p2/openbsd-compat/openbsd-compat.h
---- openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h 2016-03-09 20:04:48.000000000 +0200
-+++ openssh-7.2p2/openbsd-compat/openbsd-compat.h 2016-07-18 13:33:16.260357745 +0300
-@@ -68,17 +68,7 @@
- void *reallocarray(void *, size_t, size_t);
- #endif
-
--#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
--/*
-- * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the
-- * compat version.
-- */
--# ifdef BROKEN_REALPATH
--# define realpath(x, y) _ssh_compat_realpath(x, y)
--# endif
--
--char *realpath(const char *path, char *resolved);
--#endif
-+char *ssh_realpath(const char *path, char *resolved);
-
- #ifndef HAVE_RRESVPORT_AF
- int rresvport_af(int *alport, sa_family_t af);
-diff -ru openssh-7.2p2.orig/openbsd-compat/realpath.c openssh-7.2p2/openbsd-compat/realpath.c
---- openssh-7.2p2.orig/openbsd-compat/realpath.c 2016-03-09 20:04:48.000000000 +0200
-+++ openssh-7.2p2/openbsd-compat/realpath.c 2016-07-18 13:33:45.420721690 +0300
-@@ -31,7 +31,7 @@
-
- #include "includes.h"
-
--#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
-+#if 1
-
- #include <sys/types.h>
- #include <sys/param.h>
-@@ -58,7 +58,7 @@
- * in which case the path which caused trouble is left in (resolved).
- */
- char *
--realpath(const char *path, char *resolved)
-+ssh_realpath(const char *path, char *resolved)
- {
- struct stat sb;
- char *p, *q, *s;
-diff -ru openssh-7.2p2.orig/sftp-server.c openssh-7.2p2/sftp-server.c
---- openssh-7.2p2.orig/sftp-server.c 2016-03-09 20:04:48.000000000 +0200
-+++ openssh-7.2p2/sftp-server.c 2016-07-18 13:34:29.131267241 +0300
-@@ -1162,7 +1162,7 @@
- }
- debug3("request %u: realpath", id);
- verbose("realpath \"%s\"", path);
-- if (realpath(path, resolvedname) == NULL) {
-+ if (ssh_realpath(path, resolvedname) == NULL) {
- send_status(id, errno_to_portable(errno));
- } else {
- Stat s;
diff --git a/system/openssh/fix-utmpx.patch b/system/openssh/fix-utmpx.patch
index 7f05add35..5e43eaf06 100644
--- a/system/openssh/fix-utmpx.patch
+++ b/system/openssh/fix-utmpx.patch
@@ -1,6 +1,6 @@
--- openssh-7.7p1/loginrec.c.old 2018-04-02 00:38:28.000000000 -0500
+++ openssh-7.7p1/loginrec.c 2018-06-15 22:09:00.091482769 -0500
-@@ -1656,7 +1656,11 @@
+@@ -1659,7 +1659,11 @@
const char *ttyn)
{
int fd;
diff --git a/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch b/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch
deleted file mode 100644
index c1c310e8f..000000000
--- a/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
-index 8b4a3627..590b66d1 100644
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
- ENGINE_load_builtin_engines();
- ENGINE_register_all_complete();
-
--#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- OPENSSL_config(NULL);
- #else
- OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
diff --git a/system/openssh/openssh7.4-peaktput.patch b/system/openssh/openssh7.4-peaktput.patch
deleted file mode 100644
index 6fc6140a6..000000000
--- a/system/openssh/openssh7.4-peaktput.patch
+++ /dev/null
@@ -1,62 +0,0 @@
---- a/progressmeter.c
-+++ b/progressmeter.c
-@@ -69,6 +69,8 @@
- static off_t start_pos; /* initial position of transfer */
- static off_t end_pos; /* ending position of transfer */
- static off_t cur_pos; /* transfer position as of last refresh */
-+static off_t last_pos;
-+static off_t max_delta_pos = 0;
- static volatile off_t *counter; /* progress counter */
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
-@@ -128,12 +130,17 @@
- int hours, minutes, seconds;
- int i, len;
- int file_len;
-+ off_t delta_pos;
-
- transferred = *counter - (cur_pos ? cur_pos : start_pos);
- cur_pos = *counter;
- now = monotime_double();
- bytes_left = end_pos - cur_pos;
-
-+ delta_pos = cur_pos - last_pos;
-+ if (delta_pos > max_delta_pos)
-+ max_delta_pos = delta_pos;
-+
- if (bytes_left > 0)
- elapsed = now - last_update;
- else {
-@@ -158,7 +165,7 @@
-
- /* filename */
- buf[0] = '\0';
-- file_len = win_size - 35;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- len = snprintf(buf, file_len + 1, "\r%s", file);
- if (len < 0)
-@@ -188,6 +195,15 @@
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);
-
-+ /* instantaneous rate */
-+ if (bytes_left > 0)
-+ format_rate(buf + strlen(buf), win_size - strlen(buf),
-+ delta_pos);
-+ else
-+ format_rate(buf + strlen(buf), win_size - strlen(buf),
-+ max_delta_pos);
-+ strlcat(buf, "/s ", win_size);
-+
- /* ETA */
- if (!transferred)
- stalled += elapsed;
-@@ -224,6 +240,7 @@
-
- atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
- last_update = now;
-+ last_pos = cur_pos;
- }
-
- /*ARGSUSED*/
diff --git a/system/openssh/sftp-interactive.patch b/system/openssh/sftp-interactive.patch
index ab14f3a6b..e4b8967bf 100644
--- a/system/openssh/sftp-interactive.patch
+++ b/system/openssh/sftp-interactive.patch
@@ -1,6 +1,6 @@
--- a/sftp.c 2014-10-24 10:32:15.793544472 +0500
+++ b/sftp.c 2014-10-24 10:35:22.329199875 +0500
-@@ -2076,8 +2076,10 @@
+@@ -2243,8 +2243,10 @@
signal(SIGINT, SIG_IGN);
if (el == NULL) {
diff --git a/system/openssh/time64-seccomp.patch b/system/openssh/time64-seccomp.patch
new file mode 100644
index 000000000..9f9a8a247
--- /dev/null
+++ b/system/openssh/time64-seccomp.patch
@@ -0,0 +1,43 @@
+From b1c82f4b8adf3f42476d8a1f292df33fb7aa1a56 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 13 Nov 2019 23:19:35 +1100
+Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox.
+
+seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
+glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
+
+From 5af6fd5461bb709304e6979c8b7856c7af921c9e Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Mon, 16 Dec 2019 13:55:56 +1100
+Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
+
+Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
+
+From b110cefdfbf5a20f49b774a55062d6ded2fb6e22 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 7 Jan 2020 16:26:45 -0800
+Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
+
+This helps sshd accept connections on mips platforms with
+upcoming glibc ( 2.31 )
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index b5cda70bb..96ab141f7 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -242,6 +242,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_nanosleep
+ SC_ALLOW(__NR_nanosleep),
+ #endif
++#ifdef __NR_clock_nanosleep
++ SC_ALLOW(__NR_clock_nanosleep),
++#endif
++#ifdef __NR_clock_nanosleep_time64
++ SC_ALLOW(__NR_clock_nanosleep_time64),
++#endif
++#ifdef __NR_clock_gettime64
++ SC_ALLOW(__NR_clock_gettime64),
++#endif
+ #ifdef __NR__newselect
+ SC_ALLOW(__NR__newselect),
+ #endif