packages/openssh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sync from sp1

Browse Source 
(cherry picked from commit c9ca9cd82558ea419c793bc6d372bbc1ac52519f)
This commit is contained in:
renmingshuai 2023-12-28 17:35:47 +08:00 committed by openeuler-sync-bot
parent dc71184201
commit 8d5a10f9fa
6 changed files with 1762 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch Normal file
View File

@ -0,0 +1,41 @@
From a0b5816f8f1f645acdf74f7bc11b34455ec30bac Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 18 Mar 2022 02:31:25 +0000
Subject: [PATCH] upstream: ssh-keygen -Y check-novalidate requires namespace
or SEGV
will ensue. Patch from Mateusz Adamowski via GHPR#307
OpenBSD-Commit-ID: 99e8ec38f9feb38bce6de240335be34aedeba5fd
Reference:https://github.com/openssh/openssh-portable/commit/a0b5816f8f1f645acdf74f7bc11b34455ec30bac
Conflict:NA
---
ssh-keygen.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ssh-keygen.c b/ssh-keygen.c
index d2b4781..9559f70 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.398 2020/02/07 03:27:54 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.449 2022/03/18 02:31:25 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3405,6 +3405,12 @@ main(int argc, char **argv)
return sig_sign(identity_file, cert_principals,
argc, argv);
} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
+ if (cert_principals == NULL ||
+ *cert_principals == '\0') {
+ error("Too few arguments for check-novalidate: "
+ "missing namespace");
+ exit(1);
+ }
if (ca_key_path == NULL) {
error("Too few arguments for check-novalidate: "
"missing signature file");
--
2.23.0

1565
feature-add-SMx-support.patch Normal file
View File

File diff suppressed because it is too large Load Diff

132
openssh.spec
View File

@ -6,7 +6,7 @@
%{?no_gtk2:%global gtk2 0} %{?no_gtk2:%global gtk2 0}
%global sshd_uid 74 %global sshd_uid 74
%global openssh_release 22 %global openssh_release 28
Name: openssh Name: openssh
Version: 8.2p1 Version: 8.2p1
@ -29,6 +29,7 @@ Source12: sshd-keygen@.service
Source13: sshd-keygen Source13: sshd-keygen
Source14: sshd.tmpfiles Source14: sshd.tmpfiles
Source15: sshd-keygen.target Source15: sshd-keygen.target
Source16: ssh-keygen-bash-completion.sh
Patch0: openssh-6.7p1-coverity.patch Patch0: openssh-6.7p1-coverity.patch
Patch1: openssh-7.6p1-audit.patch Patch1: openssh-7.6p1-audit.patch
Patch2: openssh-7.1p2-audit-race-condition.patch Patch2: openssh-7.1p2-audit-race-condition.patch
@ -97,14 +98,17 @@ Patch64: backport-CVE-2021-41617-2.patch
Patch65: backport-CVE-2021-28041.patch Patch65: backport-CVE-2021-28041.patch
Patch66: backport-change-convtime-form-returning-long-to-returning-int.patch Patch66: backport-change-convtime-form-returning-long-to-returning-int.patch
Patch67: backport-change-types-in-convtime-unit-test-to-int-to-match.patch Patch67: backport-change-types-in-convtime-unit-test-to-int-to-match.patch
Patch68: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch Patch68: feature-add-SMx-support.patch
Patch69: set-ssh-config.patch Patch69: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
Patch70: backport-fix-CVE-2023-38408-upstream-terminate-process.patch Patch70: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
Patch71: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch Patch71: backport-fix-CVE-2023-38408-upstream-terminate-process.patch
Patch72: set-ssh-config.patch
Patch73: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
Requires: /sbin/nologin Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
Requires: openssh-server = %{version}-%{release} %{name}-help Requires: openssh-server = %{version}-%{release}
Requires: openssl-libs >= 1:1.1.1f-1
BuildRequires: gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators BuildRequires: gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators
BuildRequires: zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel fipscheck-devel >= 1.3.0 BuildRequires: zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel fipscheck-devel >= 1.3.0
@ -274,6 +278,8 @@ popd
%patch69 -p1 %patch69 -p1
%patch70 -p1 %patch70 -p1
%patch71 -p1 %patch71 -p1
%patch72 -p1
%patch73 -p1
autoreconf autoreconf
pushd pam_ssh_agent_auth-0.10.3 pushd pam_ssh_agent_auth-0.10.3
@ -354,6 +360,7 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/bash_completion.d
%make_install %make_install
@ -377,6 +384,7 @@ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
@ -415,6 +423,7 @@ getent passwd sshd >/dev/null || \
%attr(0755,root,root) %{_bindir}/ssh-keygen %attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0755,root,root) %dir %{_libexecdir}/openssh %attr(0755,root,root) %dir %{_libexecdir}/openssh
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
%attr(0644,root,root) %{_sysconfdir}/bash_completion.d/ssh-keygen-bash-completion.sh
%files clients %files clients
%attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/ssh
@ -480,58 +489,97 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog %changelog
* Mon Dec 25 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-22 * Mon Dec 25 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-28
- Type:CVE - Type:CVE
- CVE:CVE-2023-51385 - CVE:CVE-2023-51385
- SUG:NA - SUG:NA
- DESC:fix CVE-2023-51385 - DESC:fix CVE-2023-51385
* Wed Aug 02 2023 wangqia <wangqia@uniontech.com> - 8.2p1-21 * Thu Jul 27 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-27
- CVE:CVE-2023-38408
* Thu Jul 27 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-20
- Type:CVE - Type:CVE
- CVE:CVE-2023-38408 - CVE:CVE-2023-38408
- SUG:NA - SUG:NA
- DESC:fix CVE-2023-38408 - DESC:fix CVE-2023-38408 and set ssh default config
* Tue Feb 28 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-19 * Mon Jan 09 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-26
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:set default ssh_config
* Mon Jan 09 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-18
- Type:bugfix - Type:bugfix
- CVE: - CVE:
- SUG:NA - SUG:NA
- DESC:fix possible NULL deref when built without FIDO - DESC:fix possible NULL deref when built without FIDO
* Fri Jan 06 2023 renmingshuai<renmingshuai@hauwei.com> - 8.2p1-17 * Tue Jan 03 2023 renmingshuai<renmingshuai@huawei.cn> - 8.2p1-25
- Type:requirement
- CVE:NA
- SUG:NA
- DESC:enable make tests
* Tue Feb 8 2022 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-16
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:
- SUG:NA - SUG:NA
- DESC:change convtime from returning long to returning int - DESC:always make tests
* Wed Dec 15 2021 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-15 * Mon Nov 28 2022 renmingshuai<renmingshuai@huawei.cn> - 8.2P1-24
- Type:bugfix
- CVE:
- SUG:NA
- DESC:ssh-keygen -Y check-novalidate requires namespace or SEGV
* Fri Sep 9 2022 lvfei<lvfei@kylinos.cn> - 8.2P1-23
- Type:bugfix
- CVE:
- SUG:NA
- DESC: remove require openssh-help version
* Thu Sep 8 2022 licihua<licihua@huawei.com> - 8.2P1-22
- Type:bugfix
- CVE:
- SUG:NA
- DESC: define openssh-develp version
* Wed Sep 5 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-21
- Type:bugfix
- CVE:
- SUG:NA
- DESC:add require openssl version
* Mon Sep 5 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-20
- Type:bugfix
- CVE:
- SUG:NA
- DESC:set ssh_config
* Mon Sep 5 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-19
- Type:bugfix
- CVE:
- SUG:NA
- DESC:add ssh-keygen bash completion
* Sat Sep 3 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-18
- Type:bugfix
- CVE:
- SUG:NA
- DESC:modify After=network.target in sshd.service
* Thu Sep 1 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-17
- Type:requirement
- CVE:
- SUG:NA
- DESC:add SMx support in openssh
* Tue Feb 8 2022 renmingshuai<renmingshuai@huawei.com> - 8.2P1-16
- Type:bugfix
- CVE:
- SUG:NA
- DESC:change convtime form returning long to returning int
* Wed Dec 15 2021 renmingshuai<renmingshuai@huawei.com> - 8.2P1-15
- Type:cves - Type:cves
- CVE:CVE-2021-28041 - CVE:CVE-2021-28041
- SUG:NA - SUG:NA
- DESC:fix CVE-2021-28041 - DESC:fix CVE-2021-28041
* Sat Oct 09 2021 renmingshuai<renmingshuai@hauwei.com> - 8.2P1-14 * Sat Oct 09 2021 renmingshuai<renmingshuai@huawei.com> - 8.2P1-14
- Type:bugfix - Type:bugfix
- CVE:CVE-2021-41617 - CVE:CVE-2021-41617
- SUG:NA - SUG:NA
- DESC:fix CVE-2021-41617 - DESC:fix CVE-2021-41617
* Sat Aug 7 2021 seuzw<930zhaowei@163.com> - 8.2P1-13 * Mon Aug 09 2021 chxssg<chxssg@qq.com> - 8.2P1-13
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA
- SUG:NA - SUG:NA
@ -543,28 +591,28 @@ getent passwd sshd >/dev/null || \
- SUG:NA - SUG:NA
- DESC:add strict-scp-check for check command injection - DESC:add strict-scp-check for check command injection
* Wed Jul 21 2021 panchenbo<panchenbo@uniontech.com> - 8.2P1-11 * Mon Jul 12 2021 panchenbo<panchenbo@uniontech.com> - 8.2P1-11
- fix pam_ssh_agent_auth.8.gz conflicts - fix pam_ssh_agent_auth.8.gz conflicts
* Fri May 21 2021 renmingshuai<renmingshuai@huawei.com> - 8.2P1-10 * Tue Jan 12 2021 yuboyun<yuboyun@huawei.com> - 8.2P1-10
- Type:cves
- ID:NA
- SUG:NA
- DESC:fix /etc/ssh generate key file access permission error
* Tue Jan 12 2021 yuboyun<yuboyun@huawei.com> - 8.2P1-9
- Type:cves - Type:cves
- ID:CVE-2020-14145 - ID:CVE-2020-14145
- SUG:NA - SUG:NA
- DESC:Fix CVE-2020-14145 - DESC:Fix CVE-2020-14145
* Wed Nov 18 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-8 * Fri Dec 18 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-9
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA
- SUG:NA - SUG:NA
- DESC:adjust pam_ssh_agent_auth release number - DESC:update key file permissions to 600
* Tue Nov 17 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-7 * Wed Dec 09 2020 quanhongfei<quanhongfei@huawei.com> - 8.2P1-8
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix /etc/ssh/ generate key file access premission error
* Wed Nov 18 2020 gaihuiying<gaihuiying1@huawei.com> - 8.2P1-7
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA
- SUG:NA - SUG:NA

2
set-ssh-config.patch
View File

@ -21,7 +21,7 @@ index df22e2f..46b0987 100644
+ ForwardX11Trusted yes + ForwardX11Trusted yes
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFIACTION LC_ALL_LANGUAGE + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS + SendEnv XMODIFIERS
+ +
Include /etc/ssh/ssh_config.d/*.conf Include /etc/ssh/ssh_config.d/*.conf

63
ssh-keygen-bash-completion.sh Normal file
View File

@ -0,0 +1,63 @@
# ssh-keygen(1) completion -*- shell-script -*-
_ssh_keygen()
{
local cur prev words cword
_init_completion -n = || return
case $prev in
-*[abCIJjMNnrPSVWz])
return
;;
-*E)
COMPREPLY=( $(compgen -W 'md5 sha256' -- "$cur") )
return
;;
-*[FR])
# TODO: trim this down to actual entries in known hosts files
_known_hosts_real -- "$cur"
return
;;
-*D)
_filedir so
return
;;
-*[fGKsT])
_filedir
return
;;
-*m)
COMPREPLY=( $(compgen -W 'PEM PKCS8 RFC4716' -- "$cur") )
return
;;
-*O)
if [[ $cur != *=* ]]; then
COMPREPLY=( $(compgen -W 'clear force-command=
no-agent-forwarding no-port-forwarding no-pty no-user-rc
no-x11-forwarding permit-agent-forwarding
permit-port-forwarding permit-pty permit-user-rc
permit-x11-forwarding source-address=' -- "$cur") )
[[ $COMPREPLY == *= ]] && compopt -o nospace
fi
return
;;
-*t)
local protocols=$(_xfunc ssh _ssh_query "$1" protocol-version)
local types='dsa ecdsa ed25519 rsa sm2'
if [[ $protocols == *1* ]]; then
types+=' rsa1'
fi
COMPREPLY=( $(compgen -W "$types" -- "$cur") )
return
;;
esac
if [[ $cur == -* ]]; then
local opts=$(_parse_usage "$1" "-?")
[[ -z "$opts" ]] && opts=$(_parse_help "$1" "-?") # OpenSSH < 7
COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
fi
} &&
complete -F _ssh_keygen ssh-keygen
# ex: filetype=sh

3
sshd.service
View File

@ -1,7 +1,8 @@
# /usr/lib/systemd/system/sshd.service
[Unit] [Unit]
Description=OpenSSH server daemon Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5) Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.target After=network-online.target sshd-keygen.target
Wants=sshd-keygen.target Wants=sshd-keygen.target
[Service] [Service]