From fc1725b12ffae83614d3792ec9a8fae764fa8213 Mon Sep 17 00:00:00 2001 From: "A. Wilcox" Date: Thu, 30 Jan 2020 10:38:26 +0000 Subject: system/openssh: Bump to 8.1p1, fixes for time64 --- system/openssh/APKBUILD | 20 +++---- system/openssh/CVE-2018-20685.patch | 33 ------------ system/openssh/bsd-compatible-realpath.patch | 62 ---------------------- system/openssh/fix-utmpx.patch | 2 +- .../openssh-7.9_p1-openssl-1.0.2-compat.patch | 13 ----- system/openssh/openssh7.4-peaktput.patch | 62 ---------------------- system/openssh/sftp-interactive.patch | 2 +- system/openssh/time64-seccomp.patch | 43 +++++++++++++++ 8 files changed, 52 insertions(+), 185 deletions(-) delete mode 100644 system/openssh/CVE-2018-20685.patch delete mode 100644 system/openssh/bsd-compatible-realpath.patch delete mode 100644 system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch delete mode 100644 system/openssh/openssh7.4-peaktput.patch create mode 100644 system/openssh/time64-seccomp.patch (limited to 'system') diff --git a/system/openssh/APKBUILD b/system/openssh/APKBUILD index 10eee5514..7466d2844 100644 --- a/system/openssh/APKBUILD +++ b/system/openssh/APKBUILD @@ -2,9 +2,9 @@ # Contributor: Valery Kartel # Maintainer: Horst Burkhardt pkgname=openssh -pkgver=7.9_p1 +pkgver=8.1_p1 _myver=${pkgver%_*}${pkgver#*_} -pkgrel=4 +pkgrel=0 pkgdesc="Port of OpenBSD's free SSH release" url="https://www.openssh.com/portable.html" arch="all" @@ -25,13 +25,10 @@ subpackages="$pkgname-doc " source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz - bsd-compatible-realpath.patch - CVE-2018-20685.patch disable-forwarding-by-default.patch fix-utmpx.patch - openssh7.4-peaktput.patch - openssh-7.9_p1-openssl-1.0.2-compat.patch sftp-interactive.patch + time64-seccomp.patch sshd.initd sshd.confd @@ -149,13 +146,10 @@ openrc() { install_if="openssh-server=$pkgver-r$pkgrel openrc" } -sha512sums="0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e openssh-7.9p1.tar.gz -f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch -b8907d3d6ebceeca15f6bc97551a7613c68df5c31e4e76d43b7c0bd9ad42dedcabc20a2cc5404b89f40850a4765b24892bde50eab1db55c96ad5cf23bb1f8d04 CVE-2018-20685.patch +sha512sums="b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925 openssh-8.1p1.tar.gz f3d5960572ddf49635d4edbdff45835df1b538a81840db169c36b39862e6fa8b0393ca90626000b758f59567ff6810b2537304098652483b3b31fb438a061de6 disable-forwarding-by-default.patch -0c1e832cec420bc7b57558041d2288912a438db97050b87f6a57e94a2741a374cc5d141fe352968b0d1ba6accaff965794463fe9169d136678a8915a60d2f0b7 fix-utmpx.patch -398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6 openssh7.4-peaktput.patch -dde28496df7ee74a2bbcf0aba389abefade3dc41f7d10dc6d3c1a0aca087478bafe10d31ec5e61e758084fa0a2a7c64314502091d900d9cee487c1bdc92722a6 openssh-7.9_p1-openssl-1.0.2-compat.patch -c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch +9033520d18ccfea87628c78008591ae8a143999868254eabc926ca0665611c9f09c221265b1b6f552b82eca58558244a020d615b55249a02f96e298c1f7ff520 fix-utmpx.patch +34c0673f550e7afcd47eda4fe1da48fb42e5344c95ba8064c9c3c137fda9c43635b0f7b8145d0300f59c79f75a396ebd467afb54cdaa42aa251d624d0752dc84 sftp-interactive.patch +ad5b209f7f3fff69c10bae34da143e071e107a2141eee94f393532d6bb04a36bfe6d9b5d2c08b713f67118503c38d11b4aad689df1df7c8a918d52db8326821d time64-seccomp.patch 394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f sshd.initd ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4 sshd.confd" diff --git a/system/openssh/CVE-2018-20685.patch b/system/openssh/CVE-2018-20685.patch deleted file mode 100644 index f2f1ecfc5..000000000 --- a/system/openssh/CVE-2018-20685.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" -Date: Fri, 16 Nov 2018 03:03:10 +0000 -Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer - to the - -current directory; based on report/patch from Harry Sintonen - -OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9 ---- - scp.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/scp.c b/scp.c -index 60682c687..4f3fdcd3d 100644 ---- a/scp.c -+++ b/scp.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */ -+/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */ - /* - * scp - secure remote copy. This is basically patched BSD rcp which - * uses ssh to do the data transfer (instead of using rcmd). -@@ -1106,7 +1106,8 @@ sink(int argc, char **argv) - SCREWUP("size out of range"); - size = (off_t)ull; - -- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { -+ if (*cp == '\0' || strchr(cp, '/') != NULL || -+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { - run_err("error: unexpected filename: %s", cp); - exit(1); - } diff --git a/system/openssh/bsd-compatible-realpath.patch b/system/openssh/bsd-compatible-realpath.patch deleted file mode 100644 index 1cdb4f7c5..000000000 --- a/system/openssh/bsd-compatible-realpath.patch +++ /dev/null @@ -1,62 +0,0 @@ -fix issues with fortify-headers and the way openssh handles the needed -BSD compatible realpath(3). - -unconditionally use the provided realpath() as otherwise cross-builds -would try to use musl realpath() which is posix compliant and not -working to openssh expectations. - -diff -ru openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h openssh-7.2p2/openbsd-compat/openbsd-compat.h ---- openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h 2016-03-09 20:04:48.000000000 +0200 -+++ openssh-7.2p2/openbsd-compat/openbsd-compat.h 2016-07-18 13:33:16.260357745 +0300 -@@ -68,17 +68,7 @@ - void *reallocarray(void *, size_t, size_t); - #endif - --#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) --/* -- * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the -- * compat version. -- */ --# ifdef BROKEN_REALPATH --# define realpath(x, y) _ssh_compat_realpath(x, y) --# endif -- --char *realpath(const char *path, char *resolved); --#endif -+char *ssh_realpath(const char *path, char *resolved); - - #ifndef HAVE_RRESVPORT_AF - int rresvport_af(int *alport, sa_family_t af); -diff -ru openssh-7.2p2.orig/openbsd-compat/realpath.c openssh-7.2p2/openbsd-compat/realpath.c ---- openssh-7.2p2.orig/openbsd-compat/realpath.c 2016-03-09 20:04:48.000000000 +0200 -+++ openssh-7.2p2/openbsd-compat/realpath.c 2016-07-18 13:33:45.420721690 +0300 -@@ -31,7 +31,7 @@ - - #include "includes.h" - --#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) -+#if 1 - - #include - #include -@@ -58,7 +58,7 @@ - * in which case the path which caused trouble is left in (resolved). - */ - char * --realpath(const char *path, char *resolved) -+ssh_realpath(const char *path, char *resolved) - { - struct stat sb; - char *p, *q, *s; -diff -ru openssh-7.2p2.orig/sftp-server.c openssh-7.2p2/sftp-server.c ---- openssh-7.2p2.orig/sftp-server.c 2016-03-09 20:04:48.000000000 +0200 -+++ openssh-7.2p2/sftp-server.c 2016-07-18 13:34:29.131267241 +0300 -@@ -1162,7 +1162,7 @@ - } - debug3("request %u: realpath", id); - verbose("realpath \"%s\"", path); -- if (realpath(path, resolvedname) == NULL) { -+ if (ssh_realpath(path, resolvedname) == NULL) { - send_status(id, errno_to_portable(errno)); - } else { - Stat s; diff --git a/system/openssh/fix-utmpx.patch b/system/openssh/fix-utmpx.patch index 7f05add35..5e43eaf06 100644 --- a/system/openssh/fix-utmpx.patch +++ b/system/openssh/fix-utmpx.patch @@ -1,6 +1,6 @@ --- openssh-7.7p1/loginrec.c.old 2018-04-02 00:38:28.000000000 -0500 +++ openssh-7.7p1/loginrec.c 2018-06-15 22:09:00.091482769 -0500 -@@ -1656,7 +1656,11 @@ +@@ -1659,7 +1659,11 @@ const char *ttyn) { int fd; diff --git a/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch b/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch deleted file mode 100644 index c1c310e8f..000000000 --- a/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c -index 8b4a3627..590b66d1 100644 ---- a/openbsd-compat/openssl-compat.c -+++ b/openbsd-compat/openssl-compat.c -@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void) - ENGINE_load_builtin_engines(); - ENGINE_register_all_complete(); - --#if OPENSSL_VERSION_NUMBER < 0x10001000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - OPENSSL_config(NULL); - #else - OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | diff --git a/system/openssh/openssh7.4-peaktput.patch b/system/openssh/openssh7.4-peaktput.patch deleted file mode 100644 index 6fc6140a6..000000000 --- a/system/openssh/openssh7.4-peaktput.patch +++ /dev/null @@ -1,62 +0,0 @@ ---- a/progressmeter.c -+++ b/progressmeter.c -@@ -69,6 +69,8 @@ - static off_t start_pos; /* initial position of transfer */ - static off_t end_pos; /* ending position of transfer */ - static off_t cur_pos; /* transfer position as of last refresh */ -+static off_t last_pos; -+static off_t max_delta_pos = 0; - static volatile off_t *counter; /* progress counter */ - static long stalled; /* how long we have been stalled */ - static int bytes_per_second; /* current speed in bytes per second */ -@@ -128,12 +130,17 @@ - int hours, minutes, seconds; - int i, len; - int file_len; -+ off_t delta_pos; - - transferred = *counter - (cur_pos ? cur_pos : start_pos); - cur_pos = *counter; - now = monotime_double(); - bytes_left = end_pos - cur_pos; - -+ delta_pos = cur_pos - last_pos; -+ if (delta_pos > max_delta_pos) -+ max_delta_pos = delta_pos; -+ - if (bytes_left > 0) - elapsed = now - last_update; - else { -@@ -158,7 +165,7 @@ - - /* filename */ - buf[0] = '\0'; -- file_len = win_size - 35; -+ file_len = win_size - 45; - if (file_len > 0) { - len = snprintf(buf, file_len + 1, "\r%s", file); - if (len < 0) -@@ -188,6 +195,15 @@ - (off_t)bytes_per_second); - strlcat(buf, "/s ", win_size); - -+ /* instantaneous rate */ -+ if (bytes_left > 0) -+ format_rate(buf + strlen(buf), win_size - strlen(buf), -+ delta_pos); -+ else -+ format_rate(buf + strlen(buf), win_size - strlen(buf), -+ max_delta_pos); -+ strlcat(buf, "/s ", win_size); -+ - /* ETA */ - if (!transferred) - stalled += elapsed; -@@ -224,6 +240,7 @@ - - atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1); - last_update = now; -+ last_pos = cur_pos; - } - - /*ARGSUSED*/ diff --git a/system/openssh/sftp-interactive.patch b/system/openssh/sftp-interactive.patch index ab14f3a6b..e4b8967bf 100644 --- a/system/openssh/sftp-interactive.patch +++ b/system/openssh/sftp-interactive.patch @@ -1,6 +1,6 @@ --- a/sftp.c 2014-10-24 10:32:15.793544472 +0500 +++ b/sftp.c 2014-10-24 10:35:22.329199875 +0500 -@@ -2076,8 +2076,10 @@ +@@ -2243,8 +2243,10 @@ signal(SIGINT, SIG_IGN); if (el == NULL) { diff --git a/system/openssh/time64-seccomp.patch b/system/openssh/time64-seccomp.patch new file mode 100644 index 000000000..9f9a8a247 --- /dev/null +++ b/system/openssh/time64-seccomp.patch @@ -0,0 +1,43 @@ +From b1c82f4b8adf3f42476d8a1f292df33fb7aa1a56 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Wed, 13 Nov 2019 23:19:35 +1100 +Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox. + +seccomp: Allow clock_nanosleep() to make OpenSSH working with latest +glibc. Patch from Jakub Jelen via bz #3093. + +From 5af6fd5461bb709304e6979c8b7856c7af921c9e Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Mon, 16 Dec 2019 13:55:56 +1100 +Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox. + +Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com. + +From b110cefdfbf5a20f49b774a55062d6ded2fb6e22 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Tue, 7 Jan 2020 16:26:45 -0800 +Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox. + +This helps sshd accept connections on mips platforms with +upcoming glibc ( 2.31 ) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index b5cda70bb..96ab141f7 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -242,6 +242,15 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_nanosleep + SC_ALLOW(__NR_nanosleep), + #endif ++#ifdef __NR_clock_nanosleep ++ SC_ALLOW(__NR_clock_nanosleep), ++#endif ++#ifdef __NR_clock_nanosleep_time64 ++ SC_ALLOW(__NR_clock_nanosleep_time64), ++#endif ++#ifdef __NR_clock_gettime64 ++ SC_ALLOW(__NR_clock_gettime64), ++#endif + #ifdef __NR__newselect + SC_ALLOW(__NR__newselect), + #endif -- cgit v1.2.3-70-g09d2