Verified Commit fc1725b1 authored by A. Wilcox's avatar A. Wilcox 🦊
Browse files

system/openssh: Bump to 8.1p1, fixes for time64

parent ae3f7a85
...@@ -2,9 +2,9 @@ ...@@ -2,9 +2,9 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com> # Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Horst Burkhardt <horst@adelielinux.org> # Maintainer: Horst Burkhardt <horst@adelielinux.org>
pkgname=openssh pkgname=openssh
pkgver=7.9_p1 pkgver=8.1_p1
_myver=${pkgver%_*}${pkgver#*_} _myver=${pkgver%_*}${pkgver#*_}
pkgrel=4 pkgrel=0
pkgdesc="Port of OpenBSD's free SSH release" pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.com/portable.html" url="https://www.openssh.com/portable.html"
arch="all" arch="all"
...@@ -25,13 +25,10 @@ subpackages="$pkgname-doc ...@@ -25,13 +25,10 @@ subpackages="$pkgname-doc
" "
source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
bsd-compatible-realpath.patch
CVE-2018-20685.patch
disable-forwarding-by-default.patch disable-forwarding-by-default.patch
fix-utmpx.patch fix-utmpx.patch
openssh7.4-peaktput.patch
openssh-7.9_p1-openssl-1.0.2-compat.patch
sftp-interactive.patch sftp-interactive.patch
time64-seccomp.patch
sshd.initd sshd.initd
sshd.confd sshd.confd
...@@ -149,13 +146,10 @@ openrc() { ...@@ -149,13 +146,10 @@ openrc() {
install_if="openssh-server=$pkgver-r$pkgrel openrc" install_if="openssh-server=$pkgver-r$pkgrel openrc"
} }
sha512sums="0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e openssh-7.9p1.tar.gz sha512sums="b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925 openssh-8.1p1.tar.gz
f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch
b8907d3d6ebceeca15f6bc97551a7613c68df5c31e4e76d43b7c0bd9ad42dedcabc20a2cc5404b89f40850a4765b24892bde50eab1db55c96ad5cf23bb1f8d04 CVE-2018-20685.patch
f3d5960572ddf49635d4edbdff45835df1b538a81840db169c36b39862e6fa8b0393ca90626000b758f59567ff6810b2537304098652483b3b31fb438a061de6 disable-forwarding-by-default.patch f3d5960572ddf49635d4edbdff45835df1b538a81840db169c36b39862e6fa8b0393ca90626000b758f59567ff6810b2537304098652483b3b31fb438a061de6 disable-forwarding-by-default.patch
0c1e832cec420bc7b57558041d2288912a438db97050b87f6a57e94a2741a374cc5d141fe352968b0d1ba6accaff965794463fe9169d136678a8915a60d2f0b7 fix-utmpx.patch 9033520d18ccfea87628c78008591ae8a143999868254eabc926ca0665611c9f09c221265b1b6f552b82eca58558244a020d615b55249a02f96e298c1f7ff520 fix-utmpx.patch
398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6 openssh7.4-peaktput.patch 34c0673f550e7afcd47eda4fe1da48fb42e5344c95ba8064c9c3c137fda9c43635b0f7b8145d0300f59c79f75a396ebd467afb54cdaa42aa251d624d0752dc84 sftp-interactive.patch
dde28496df7ee74a2bbcf0aba389abefade3dc41f7d10dc6d3c1a0aca087478bafe10d31ec5e61e758084fa0a2a7c64314502091d900d9cee487c1bdc92722a6 openssh-7.9_p1-openssl-1.0.2-compat.patch ad5b209f7f3fff69c10bae34da143e071e107a2141eee94f393532d6bb04a36bfe6d9b5d2c08b713f67118503c38d11b4aad689df1df7c8a918d52db8326821d time64-seccomp.patch
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f sshd.initd 394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f sshd.initd
ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4 sshd.confd" ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4 sshd.confd"
From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 16 Nov 2018 03:03:10 +0000
Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
to the
current directory; based on report/patch from Harry Sintonen
OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
---
scp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scp.c b/scp.c
index 60682c687..4f3fdcd3d 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
+/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
SCREWUP("size out of range");
size = (off_t)ull;
- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ if (*cp == '\0' || strchr(cp, '/') != NULL ||
+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
run_err("error: unexpected filename: %s", cp);
exit(1);
}
fix issues with fortify-headers and the way openssh handles the needed
BSD compatible realpath(3).
unconditionally use the provided realpath() as otherwise cross-builds
would try to use musl realpath() which is posix compliant and not
working to openssh expectations.
diff -ru openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h openssh-7.2p2/openbsd-compat/openbsd-compat.h
--- openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h 2016-03-09 20:04:48.000000000 +0200
+++ openssh-7.2p2/openbsd-compat/openbsd-compat.h 2016-07-18 13:33:16.260357745 +0300
@@ -68,17 +68,7 @@
void *reallocarray(void *, size_t, size_t);
#endif
-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
-/*
- * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the
- * compat version.
- */
-# ifdef BROKEN_REALPATH
-# define realpath(x, y) _ssh_compat_realpath(x, y)
-# endif
-
-char *realpath(const char *path, char *resolved);
-#endif
+char *ssh_realpath(const char *path, char *resolved);
#ifndef HAVE_RRESVPORT_AF
int rresvport_af(int *alport, sa_family_t af);
diff -ru openssh-7.2p2.orig/openbsd-compat/realpath.c openssh-7.2p2/openbsd-compat/realpath.c
--- openssh-7.2p2.orig/openbsd-compat/realpath.c 2016-03-09 20:04:48.000000000 +0200
+++ openssh-7.2p2/openbsd-compat/realpath.c 2016-07-18 13:33:45.420721690 +0300
@@ -31,7 +31,7 @@
#include "includes.h"
-#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
+#if 1
#include <sys/types.h>
#include <sys/param.h>
@@ -58,7 +58,7 @@
* in which case the path which caused trouble is left in (resolved).
*/
char *
-realpath(const char *path, char *resolved)
+ssh_realpath(const char *path, char *resolved)
{
struct stat sb;
char *p, *q, *s;
diff -ru openssh-7.2p2.orig/sftp-server.c openssh-7.2p2/sftp-server.c
--- openssh-7.2p2.orig/sftp-server.c 2016-03-09 20:04:48.000000000 +0200
+++ openssh-7.2p2/sftp-server.c 2016-07-18 13:34:29.131267241 +0300
@@ -1162,7 +1162,7 @@
}
debug3("request %u: realpath", id);
verbose("realpath \"%s\"", path);
- if (realpath(path, resolvedname) == NULL) {
+ if (ssh_realpath(path, resolvedname) == NULL) {
send_status(id, errno_to_portable(errno));
} else {
Stat s;
--- openssh-7.7p1/loginrec.c.old 2018-04-02 00:38:28.000000000 -0500 --- openssh-7.7p1/loginrec.c.old 2018-04-02 00:38:28.000000000 -0500
+++ openssh-7.7p1/loginrec.c 2018-06-15 22:09:00.091482769 -0500 +++ openssh-7.7p1/loginrec.c 2018-06-15 22:09:00.091482769 -0500
@@ -1656,7 +1656,11 @@ @@ -1659,7 +1659,11 @@
const char *ttyn) const char *ttyn)
{ {
int fd; int fd;
......
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 8b4a3627..590b66d1 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
OPENSSL_config(NULL);
#else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -69,6 +69,8 @@
static off_t start_pos; /* initial position of transfer */
static off_t end_pos; /* ending position of transfer */
static off_t cur_pos; /* transfer position as of last refresh */
+static off_t last_pos;
+static off_t max_delta_pos = 0;
static volatile off_t *counter; /* progress counter */
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -128,12 +130,17 @@
int hours, minutes, seconds;
int i, len;
int file_len;
+ off_t delta_pos;
transferred = *counter - (cur_pos ? cur_pos : start_pos);
cur_pos = *counter;
now = monotime_double();
bytes_left = end_pos - cur_pos;
+ delta_pos = cur_pos - last_pos;
+ if (delta_pos > max_delta_pos)
+ max_delta_pos = delta_pos;
+
if (bytes_left > 0)
elapsed = now - last_update;
else {
@@ -158,7 +165,7 @@
/* filename */
buf[0] = '\0';
- file_len = win_size - 35;
+ file_len = win_size - 45;
if (file_len > 0) {
len = snprintf(buf, file_len + 1, "\r%s", file);
if (len < 0)
@@ -188,6 +195,15 @@
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
+ /* instantaneous rate */
+ if (bytes_left > 0)
+ format_rate(buf + strlen(buf), win_size - strlen(buf),
+ delta_pos);
+ else
+ format_rate(buf + strlen(buf), win_size - strlen(buf),
+ max_delta_pos);
+ strlcat(buf, "/s ", win_size);
+
/* ETA */
if (!transferred)
stalled += elapsed;
@@ -224,6 +240,7 @@
atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
last_update = now;
+ last_pos = cur_pos;
}
/*ARGSUSED*/
--- a/sftp.c 2014-10-24 10:32:15.793544472 +0500 --- a/sftp.c 2014-10-24 10:32:15.793544472 +0500
+++ b/sftp.c 2014-10-24 10:35:22.329199875 +0500 +++ b/sftp.c 2014-10-24 10:35:22.329199875 +0500
@@ -2076,8 +2076,10 @@ @@ -2243,8 +2243,10 @@
signal(SIGINT, SIG_IGN); signal(SIGINT, SIG_IGN);
if (el == NULL) { if (el == NULL) {
......
From b1c82f4b8adf3f42476d8a1f292df33fb7aa1a56 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Wed, 13 Nov 2019 23:19:35 +1100
Subject: [PATCH] seccomp: Allow clock_nanosleep() in sandbox.
seccomp: Allow clock_nanosleep() to make OpenSSH working with latest
glibc. Patch from Jakub Jelen <jjelen@redhat.com> via bz #3093.
From 5af6fd5461bb709304e6979c8b7856c7af921c9e Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Mon, 16 Dec 2019 13:55:56 +1100
Subject: [PATCH] Allow clock_nanosleep_time64 in seccomp sandbox.
Needed on Linux ARM. bz#3100, patch from jjelen@redhat.com.
From b110cefdfbf5a20f49b774a55062d6ded2fb6e22 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Tue, 7 Jan 2020 16:26:45 -0800
Subject: [PATCH] seccomp: Allow clock_gettime64() in sandbox.
This helps sshd accept connections on mips platforms with
upcoming glibc ( 2.31 )
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index b5cda70bb..96ab141f7 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -242,6 +242,15 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_nanosleep
SC_ALLOW(__NR_nanosleep),
#endif
+#ifdef __NR_clock_nanosleep
+ SC_ALLOW(__NR_clock_nanosleep),
+#endif
+#ifdef __NR_clock_nanosleep_time64
+ SC_ALLOW(__NR_clock_nanosleep_time64),
+#endif
+#ifdef __NR_clock_gettime64
+ SC_ALLOW(__NR_clock_gettime64),
+#endif
#ifdef __NR__newselect
SC_ALLOW(__NR__newselect),
#endif
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment