Diffstat (limited to 'system')
-rw-r--r-- | system/openssh/APKBUILD | 18 | ||||
-rw-r--r-- | system/openssh/fix-utmpx.patch | 14 | ||||
-rw-r--r-- | system/openssh/sftp-interactive.patch | 14 | ||||
-rw-r--r-- | system/openssh/time64-seccomp.patch | 43 | ||||
-rw-r--r-- | system/openssh/utmpx.patch | 103 |
5 files changed, 111 insertions, 81 deletions
diff --git a/system/openssh/APKBUILD b/system/openssh/APKBUILD
index 05c36455b..c17e23c4b 100644
--- a/system/openssh/APKBUILD
+++ b/system/openssh/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 # Maintainer: Horst Burkhardt <horst@adelielinux.org>
 pkgname=openssh
-pkgver=9.4_p1
+pkgver=9.9_p2
 _myver=${pkgver%_*}${pkgver#*_}
 pkgrel=0
 pkgdesc="Remote login tool using encrypted SSH protocol"
@@ -11,7 +11,7 @@ arch="all"
 options="suid !check"
 license="BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause"
 depends="openssh-client openssh-sftp-server openssh-server"
-makedepends_build="linux-pam-dev gettext-tiny"
+makedepends_build="autoconf automake linux-pam-dev gettext-tiny"
 makedepends_host="openssl-dev zlib-dev linux-headers linux-pam-dev gettext-tiny-dev utmps-dev"
 makedepends="$makedepends_build $makedepends_host"
@@ -26,13 +26,12 @@ subpackages="$pkgname-doc
 source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
 disable-forwarding-by-default.patch
- fix-utmpx.patch
- sftp-interactive.patch
- time64-seccomp.patch
+ utmpx.patch
 sshd.initd
 sshd.confd
 "
+
 # secfixes:
 # 9.0_p1-r0:
 # - CVE-2021-41617
@@ -53,6 +52,7 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.ta
 builddir="$srcdir"/$pkgname-$_myver
 build() {
+ autoreconf -vif
 export LD="$CC" LIBS="-lutmps -lskarnet"
 ./configure --build=$CBUILD \
 --host=$CHOST \
@@ -65,7 +65,7 @@ build() {
 --with-ldflags="${LDFLAGS}" \
 --enable-lastlog \
 --disable-strip \
- --enable-wtmp \
+ --enable-wtmpx \
 --with-privsep-path=/var/empty \
 --with-xauth=/usr/bin/xauth \
 --with-privsep-user=sshd \
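Review bot: The `# secfixes:` block in the @@ -26,13 +26,12 @@ hunk still ends at `9.0_p1-r0` / `CVE-2021-41617` while pkgver moves from 9.4_p1 to 9.9_p2; the upstream releases in that range carried security fixes, so this bump closes issues that the distro's vulnerability tracking (which reads this block) will not see. Add a `#   9.9_p2-r0:` entry with the identifiers taken from the upstream release notes for 9.5p1 through 9.9p2 (placeholder: `#     - <CVE-ID from upstream release notes>`). Dropping time64-seccomp.patch presumably relies on the 9.9p2 sandbox-seccomp-filter.c already allowing the clock_*_time64 syscalls; that is worth confirming on a 32-bit arch before shipping, because a missing allow-rule is enforced at runtime by the seccomp filter on the preauth process rather than failing the build. The `--enable-wtmp` → `--enable-wtmpx` change and the new `autoreconf -vif` step are consistent with utmpx.patch now touching configure.ac.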
@@ -148,10 +148,8 @@ openrc() {
 install_if="openssh-server=$pkgver-r$pkgrel openrc"
 }
-sha512sums="0aaedeced7dbc70419c7245eb0e9db4ef570e0e7739b890ebae04d56da5fe8d147e8e150f3c943f60730976569e3ac6cc8da62ec7e2a78e2ef47d295ca0b1d25 openssh-9.4p1.tar.gz
+sha512sums="4c6d839aa3189cd5254c745f2bd51cd3f468b02f8e427b8d7a16b9ad017888a41178d2746dc51fb2d3fec5be00e54b9ab7c32c472ca7dec57a1dea4fc9840278 openssh-9.9p2.tar.gz
 f3d5960572ddf49635d4edbdff45835df1b538a81840db169c36b39862e6fa8b0393ca90626000b758f59567ff6810b2537304098652483b3b31fb438a061de6 disable-forwarding-by-default.patch
-70bffa6c061a02dd790dbaa68cd0b488395aa2312039b037e1a707e8cf7465754bf376d943d351914b64044c074af7504e845de865dec45ea00d992c2bbb8925 fix-utmpx.patch
-34c0673f550e7afcd47eda4fe1da48fb42e5344c95ba8064c9c3c137fda9c43635b0f7b8145d0300f59c79f75a396ebd467afb54cdaa42aa251d624d0752dc84 sftp-interactive.patch
-ad5b209f7f3fff69c10bae34da143e071e107a2141eee94f393532d6bb04a36bfe6d9b5d2c08b713f67118503c38d11b4aad689df1df7c8a918d52db8326821d time64-seccomp.patch
+56543469db242699d8a04d0ba133b9ab0d980224035de57f70f773ca1593828cf4e41d3306f72b5ac95423f1e512bd6b92f69f86b847e05abfbd48737431104b utmpx.patch
 964c0f8538ba25bdc9cdbd1467bbdfb2090e38492ff0ef7c64473785713fe26d752ea6a7b0ee7a0b34e08f4d3b4bccf6a69e6c456f0c57d0d0c581aa8a046936 sshd.initd
 ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4 sshd.confd"
diff --git a/system/openssh/fix-utmpx.patch b/system/openssh/fix-utmpx.patch
deleted file mode 100644
index d04742e2f..000000000
--- a/system/openssh/fix-utmpx.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- openssh-7.7p1/loginrec.c.old 2018-04-02 00:38:28.000000000 -0500
-+++ openssh-7.7p1/loginrec.c 2018-06-15 22:09:00.091482769 -0500
-@@ -1663,7 +1663,11 @@
- const char *ttyn)
- {
- int fd;
-+#if defined(USE_UTMPX)
-+ struct utmpx ut;
-+#else
- struct utmp ut;
-+#endif
- struct sockaddr_storage from;
- socklen_t fromlen = sizeof(from);
- struct sockaddr_in *a4;
diff --git a/system/openssh/sftp-interactive.patch b/system/openssh/sftp-interactive.patch
deleted file mode 100644
index e4b8967bf..000000000
--- a/system/openssh/sftp-interactive.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/sftp.c 2014-10-24 10:32:15.793544472 +0500
-+++ b/sftp.c 2014-10-24 10:35:22.329199875 +0500
-@@ -2243,8 +2243,10 @@
- signal(SIGINT, SIG_IGN);
-
- if (el == NULL) {
-- if (interactive)
-+ if (interactive) {
- printf("sftp> ");
-+ fflush(stdout);
-+ }
- if (fgets(cmd, sizeof(cmd), infile) == NULL) {
- if (interactive)
- printf("\n");
diff --git a/system/openssh/time64-seccomp.patch b/system/openssh/time64-seccomp.patch
deleted file mode 100644
index 9f9a8a247..000000000
--- a/system/openssh/time64-seccomp.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From b1c82f4b8adf3f42476d8a1f292df33fb7aa1a56 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Wed, 13 Nov 2019 23:19:35 +1100
-Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox.
-
-seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
-glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
-
-From 5af6fd5461bb709304e6979c8b7856c7af921c9e Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Mon, 16 Dec 2019 13:55:56 +1100
-Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
-
-Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
-
-From b110cefdfbf5a20f49b774a55062d6ded2fb6e22 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 7 Jan 2020 16:26:45 -0800
-Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
-
-This helps sshd accept connections on mips platforms with
-upcoming glibc ( 2.31 )
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70bb..96ab141f7 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -242,6 +242,15 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_nanosleep
- SC_ALLOW(__NR_nanosleep),
- #endif
-+#ifdef __NR_clock_nanosleep
-+ SC_ALLOW(__NR_clock_nanosleep),
-+#endif
-+#ifdef __NR_clock_nanosleep_time64
-+ SC_ALLOW(__NR_clock_nanosleep_time64),
-+#endif
-+#ifdef __NR_clock_gettime64
-+ SC_ALLOW(__NR_clock_gettime64),
-+#endif
- #ifdef __NR__newselect
- SC_ALLOW(__NR__newselect),
- #endif
diff --git a/system/openssh/utmpx.patch b/system/openssh/utmpx.patch
new file mode 100644
index 000000000..d3f24aa76
--- /dev/null
+++ b/system/openssh/utmpx.patch
@@ -0,0 +1,103 @@
+--- openssh-9.9p2/configure.ac.old 2025-02-18 02:15:08.000000000 -0600
++++ openssh-9.9p2/configure.ac 2025-02-18 20:57:12.172701096 -0600
+@@ -5449,7 +5449,9 @@
+ AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_LASTLOG_H
+ # include <lastlog.h>
+ #endif
+@@ -5466,7 +5468,9 @@
+ AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_LASTLOG_H
+ # include <lastlog.h>
+ #endif
+@@ -5504,7 +5508,9 @@
+ AC_MSG_CHECKING([if your system defines UTMP_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #endif
+@@ -5534,7 +5540,9 @@
+ AC_MSG_CHECKING([if your system defines WTMP_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #endif
+@@ -5564,7 +5572,9 @@
+ AC_MSG_CHECKING([if your system defines WTMPX_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_UTMPX_H
+ #include <utmpx.h>
+ #endif
+--- openssh-9.9p2/loginrec.c.old 2025-02-18 02:15:08.000000000 -0600
++++ openssh-9.9p2/loginrec.c 2025-02-18 21:01:26.034757676 -0600
+@@ -614,7 +614,7 @@
+ ** into account.
+ **/
+
+-#if defined(USE_BTMP) || defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
++#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
+
+ /* build the utmp structure */
+ void
+@@ -698,7 +698,7 @@
+ }
+ # endif
+ }
+-#endif /* USE_BTMP || USE_UTMP || USE_WTMP || USE_LOGIN */
++#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */
+
+ /**
+ ** utmpx utility functions
+@@ -1644,7 +1644,13 @@
+ const char *ttyn)
+ {
+ int fd;
++#if defined(USE_UTMP)
+ struct utmp ut;
++#elif defined(USE_UTMPX)
++ struct utmpx ut;
++#else
++# error either UTMP or UTMPX must be present to use BTMP
++#endif
+ struct logininfo li;
+ socklen_t fromlen = sizeof(li.hostaddr);
+ time_t t;
+@@ -1681,7 +1687,11 @@
+ (void)getpeername(ssh_packet_get_connection_in(ssh),
+ &li.hostaddr.sa, &fromlen);
+ }
++#if defined(USE_UTMP)
+ construct_utmp(&li, &ut);
++#elif defined(USE_UTMPX)
++ construct_utmpx(&li, &ut);
++#endif
+
+ if (atomicio(vwrite, fd, &ut, sizeof(ut)) != sizeof(ut)) {
+ error("Failed to write to %s: %s", _PATH_BTMP, |
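Review bot: utmpx.patch carries no header explaining why it exists or whether it was sent upstream, so the configure.ac and loginrec.c hunks will have to be re-derived at the next version bump; add a few lines at the top such as `Build the failed-login (btmp) record against struct utmpx where only <utmpx.h> is available (utmps), and include <utmp.h> in the configure checks only when HAVE_UTMP_H is set.` plus the upstream status. In the @@ -1644,7 +1644,13 @@ hunk `#if defined(USE_UTMP)` is tested before `#elif defined(USE_UTMPX)`, so a build where configure defines both still writes legacy `struct utmp` records to _PATH_BTMP; that looks intentional for compatibility with existing btmp readers, but it should be stated in the header because whatever consumes btmp (`lastb`-style tools) must expect the record type sshd now writes. The `#error` branch is the right choice here, since it fails the build instead of silently losing failed-login records. The function whose `ut` declaration is changed starts above the hunk and continues past it.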