From 2054b73e66d8197292ecffd910fb5dd05727e788 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 21 2021 14:15:25 +0000 Subject: import openssh-8.0p1-7.el8 --- diff --git a/SOURCES/openssh-7.9p1-ssh-copy-id.patch b/SOURCES/openssh-7.9p1-ssh-copy-id.patch index d47880a..6ff2b25 100644 --- a/SOURCES/openssh-7.9p1-ssh-copy-id.patch +++ b/SOURCES/openssh-7.9p1-ssh-copy-id.patch @@ -11,6 +11,17 @@ diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh # implement something like getopt to avoid Solaris pain case "$1" in -i?*|-o?*|-p?*) +@@ -185,8 +185,8 @@ + usage + fi + +-# drop trailing colon +-USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//') ++# don't drop trailing colon because it can be a valid ipv6 address ++USER_HOST=$(printf "%s\n" "$1") + # tack the hostname onto SSH_OPTS + SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'" + # and populate "$@" for later use (only way to get proper quoting of options) @@ -261,7 +262,7 @@ populate_new_ids() { fi if [ -z "$NEW_IDS" ] ; then diff --git a/SOURCES/openssh-8.0p1-channel-limits.patch b/SOURCES/openssh-8.0p1-channel-limits.patch new file mode 100644 index 0000000..47e1f87 --- /dev/null +++ b/SOURCES/openssh-8.0p1-channel-limits.patch @@ -0,0 +1,33 @@ +diff -up openssh-8.0p1/channels.c.channel-limits openssh-8.0p1/channels.c +--- openssh-8.0p1/channels.c.channel-limits 2021-03-16 12:17:58.905576511 +0100 ++++ openssh-8.0p1/channels.c 2021-03-16 12:17:58.925576667 +0100 +@@ -354,6 +354,7 @@ channel_new(struct ssh *ssh, char *ctype + struct ssh_channels *sc = ssh->chanctxt; + u_int i, found; + Channel *c; ++ int r; + + /* Try to find a free slot where to put the new channel. */ + for (i = 0; i < sc->channels_alloc; i++) { +@@ -383,6 +384,8 @@ channel_new(struct ssh *ssh, char *ctype + (c->output = sshbuf_new()) == NULL || + (c->extended = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); ++ if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX)) != 0) ++ fatal("%s: sshbuf_set_max_size: %s", __func__, ssh_err(r)); + c->ostate = CHAN_OUTPUT_OPEN; + c->istate = CHAN_INPUT_OPEN; + channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0); +diff -up openssh-8.0p1/channels.h.channel-limits openssh-8.0p1/channels.h +--- openssh-8.0p1/channels.h.channel-limits 2021-03-16 12:17:58.868576223 +0100 ++++ openssh-8.0p1/channels.h 2021-03-16 12:17:58.907576527 +0100 +@@ -215,6 +215,9 @@ struct Channel { + /* Read buffer size */ + #define CHAN_RBUF (16*1024) + ++/* Maximum channel input buffer size */ ++#define CHAN_INPUT_MAX (16*1024*1024) ++ + /* Hard limit on number of channels */ + #define CHANNELS_MAX_CHANNELS (16*1024) + diff --git a/SOURCES/openssh-8.0p1-keygen-strip-doseol.patch b/SOURCES/openssh-8.0p1-keygen-strip-doseol.patch new file mode 100644 index 0000000..3117a7a --- /dev/null +++ b/SOURCES/openssh-8.0p1-keygen-strip-doseol.patch @@ -0,0 +1,12 @@ +diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c +--- openssh-8.0p1/ssh-keygen.c.strip-doseol 2021-03-18 17:41:34.472404994 +0100 ++++ openssh-8.0p1/ssh-keygen.c 2021-03-18 17:41:55.255538761 +0100 +@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw) + while (getline(&line, &linesize, f) != -1) { + lnum++; + cp = line; +- cp[strcspn(cp, "\n")] = '\0'; ++ cp[strcspn(cp, "\r\n")] = '\0'; + /* Trim leading space and comments */ + cp = line + strspn(line, " \t"); + if (*cp == '#' || *cp == '\0') diff --git a/SOURCES/openssh-8.0p1-pkcs11-uri.patch b/SOURCES/openssh-8.0p1-pkcs11-uri.patch index a24dea6..80af3e0 100644 --- a/SOURCES/openssh-8.0p1-pkcs11-uri.patch +++ b/SOURCES/openssh-8.0p1-pkcs11-uri.patch @@ -1167,7 +1167,7 @@ new file mode 100644 index 00000000..e1a7b4e0 --- /dev/null +++ b/ssh-pkcs11-uri.c -@@ -0,0 +1,421 @@ +@@ -0,0 +1,425 @@ +/* + * Copyright (c) 2017 Red Hat + * @@ -1419,6 +1419,10 @@ index 00000000..e1a7b4e0 +void +pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11) +{ ++ if (pkcs11 == NULL) { ++ return; ++ } ++ + free(pkcs11->id); + free(pkcs11->module_path); + free(pkcs11->token); @@ -2677,6 +2681,9 @@ index 70f06bff..59332945 100644 + } + + provider_uri = pkcs11_uri_get(uri); ++ if (pin == NULL && uri->pin != NULL) { ++ pin = uri->pin; ++ } + nkeys = 0; + for (i = 0; i < p->module->nslots; i++) { + token = &p->module->slotinfo[i].token; @@ -2712,9 +2719,6 @@ index 70f06bff..59332945 100644 + provider_uri, (unsigned long)i, token->label, token->manufacturerID, token->model, token->serialNumber, token->flags); -+ if (pin == NULL && uri->pin != NULL) { -+ pin = uri->pin; -+ } /* - * open session, login with pin and retrieve public - * keys (if keyp is provided) @@ -2741,8 +2745,8 @@ index 70f06bff..59332945 100644 + uri->object = label; + } } -+ pin = NULL; /* Will be cleaned up with URI */ } ++ pin = NULL; /* Will be cleaned up with URI */ /* now owned by caller */ *providerp = p; diff --git a/SOURCES/openssh-8.0p1-preserve-pam-errors.patch b/SOURCES/openssh-8.0p1-preserve-pam-errors.patch new file mode 100644 index 0000000..dbdbe93 --- /dev/null +++ b/SOURCES/openssh-8.0p1-preserve-pam-errors.patch @@ -0,0 +1,44 @@ +diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c +--- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200 ++++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200 +@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp) + goto auth_fail; + + if (!do_pam_account()) { +- sshpam_err = PAM_ACCT_EXPIRED; ++ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN. ++ * Backward compatibility for other errors. */ ++ if (sshpam_err != PAM_PERM_DENIED ++ && sshpam_err != PAM_USER_UNKNOWN) ++ sshpam_err = PAM_ACCT_EXPIRED; + goto auth_fail; + } + if (sshpam_authctxt->force_pwchange) { +@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp) + pam_strerror(sshpam_handle, sshpam_err))) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + /* XXX - can't do much about an error here */ +- if (sshpam_err == PAM_ACCT_EXPIRED) +- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer); ++ if (sshpam_err == PAM_PERM_DENIED ++ || sshpam_err == PAM_USER_UNKNOWN ++ || sshpam_err == PAM_ACCT_EXPIRED) ++ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer); + else if (sshpam_maxtries_reached) + ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer); + else +@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha + plen++; + free(msg); + break; ++ case PAM_USER_UNKNOWN: ++ case PAM_PERM_DENIED: + case PAM_ACCT_EXPIRED: ++ sshpam_account_status = 0; ++ /* FALLTHROUGH */ + case PAM_MAXTRIES: +- if (type == PAM_ACCT_EXPIRED) +- sshpam_account_status = 0; + if (type == PAM_MAXTRIES) + sshpam_set_maxtries_reached(1); + /* FALLTHROUGH */ diff --git a/SOURCES/openssh-8.0p1-sftp-timespeccmp.patch b/SOURCES/openssh-8.0p1-sftp-timespeccmp.patch new file mode 100644 index 0000000..7254b4a --- /dev/null +++ b/SOURCES/openssh-8.0p1-sftp-timespeccmp.patch @@ -0,0 +1,16 @@ +diff -up openssh-8.0p1/sftp.c.original openssh-8.0p1/sftp.c +--- openssh-8.0p1/sftp.c.original 2020-12-22 17:05:02.105698989 +0900 ++++ openssh-8.0p1/sftp.c 2020-12-22 17:05:42.922035780 +0900 +@@ -937,7 +937,11 @@ sglob_comp(const void *aa, const void *b + return (rmul * strcmp(ap, bp)); + else if (sort_flag & LS_TIME_SORT) { + #if defined(HAVE_STRUCT_STAT_ST_MTIM) +- return (rmul * timespeccmp(&as->st_mtim, &bs->st_mtim, <)); ++ if (timespeccmp(&as->st_mtim, &bs->st_mtim, <)){ ++ return rmul; ++ } else { ++ return -rmul; ++ } + #elif defined(HAVE_STRUCT_STAT_ST_MTIME) + return (rmul * NCMP(as->st_mtime, bs->st_mtime)); + #else diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index feecf68..bd8260f 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -66,7 +66,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.0p1 -%global openssh_rel 5 +%global openssh_rel 7 %global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_rel 7 @@ -230,6 +230,15 @@ Patch970: openssh-8.0p1-rdomain.patch # Do not fail X11 forwarding if IPv6 is disabled (#1662189) # https://bugzilla.mindrot.org/show_bug.cgi?id=2143 Patch971: openssh-8.0p1-x11-without-ipv6.patch +# Client window fix (#1913041) +Patch972: openssh-8.0p1-channel-limits.patch +# SFTP sort upon the modification time (#1909988) +# https://bugzilla.mindrot.org/show_bug.cgi?id=3248 +Patch973: openssh-8.0p1-sftp-timespeccmp.patch +# ssh-keygen printing fingerprint issue with Windows keys (#1901518) +Patch974: openssh-8.0p1-keygen-strip-doseol.patch +# sshd provides PAM an incorrect error code (#1879503) +Patch975: openssh-8.0p1-preserve-pam-errors.patch License: BSD Group: Applications/Internet @@ -448,6 +457,10 @@ popd %patch969 -p1 -b .keygen-sha2 %patch970 -p1 -b .rdomain %patch971 -p1 -b .x11-ipv6 +%patch972 -p1 -b .channel-limits +%patch973 -p1 -b .sftp-timespeccmp +%patch974 -p1 -b .keygen-strip-doseol +%patch975 -p1 -b .preserve-pam-errors %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -739,6 +752,17 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Fri Apr 09 2021 Dmitry Belyavskiy - 8.0p1-7 + 0.10.3-7 +- SFTP sort upon the modification time (#1909988) +- ssh-keygen printing fingerprint issue with Windows keys (#1901518) +- PIN is lost when iterating over tokens when adding pkcs11 keys to ssh-agent (#1843372) +- ssh-agent segfaults during ssh-add -s pkcs11 (#1868996) +- ssh-copy-id could not resolve ipv6 address ends with colon (#1933517) +- sshd provides PAM an incorrect error code (#1879503) + +* Tue Mar 16 2021 Dmitry Belyavskiy - 8.0p1-6 + 0.10.3-7 +- Openssh client window fix (#1913041) + * Tue Mar 24 2020 Jakub Jelen - 8.0p1-5 + 0.10.3-7 - Do not print "no slots" warning by default (#1744220) - Unbreak connecting using gssapi through proxy commands (#1749862)