!160 回合openssh社区补丁

From: @renmingshuai 
Reviewed-by: @kircher 
Signed-off-by: @kircher

backport-Don-t-leak-the-strings-allocated-by-order_h.patch

@@ -0,0 +1,130 @@
+From 6c31ba10e97b6953c4f325f526f3e846dfea647a Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Fri, 1 Jul 2022 03:39:44 +0000
+Subject: upstream: Don't leak the strings allocated by order_hostkeyalgs()
+
+and list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of
+github PR#324 from ZoltanFridrich, ok djm@
+
+This is a roll-forward of the previous rollback now that the required
+changes in compat.c have been done.
+
+OpenBSD-Commit-ID: c7cd93730b3b9f53cdad3ae32462922834ef73eb
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=6c31ba10e97b6953c4f325f526f3e846dfea647a
+
+---
+ sshconnect2.c | 16 ++++++++++------
+ sshd.c        | 17 +++++++++++------
+ 2 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 150d419..eb0df92 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect2.c,v 1.351 2021/07/23 05:24:02 djm Exp $ */
++/* $OpenBSD: sshconnect2.c,v 1.359 2022/07/01 03:39:44 dtucker Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2008 Damien Miller.  All rights reserved.
+@@ -218,6 +218,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+ {
+ 	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ 	char *s, *all_key;
++	char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
+ 	int r, use_known_hosts_order = 0;
+ 
+ #if defined(GSSAPI) && defined(WITH_OPENSSL)
+@@ -248,10 +249,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+ 
+ 	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
+ 		fatal_f("kex_names_cat");
+-	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
++	myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s);
+ 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+-	    compat_cipher_proposal(ssh, options.ciphers);
+-	myproposal[PROPOSAL_ENC_ALGS_STOC] =
++	    myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
+ 	    compat_cipher_proposal(ssh, options.ciphers);
+ 	myproposal[PROPOSAL_COMP_ALGS_CTOS] =
+ 	    myproposal[PROPOSAL_COMP_ALGS_STOC] =
+@@ -260,12 +260,12 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+ 	    myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ 	if (use_known_hosts_order) {
+ 		/* Query known_hosts and prefer algorithms that appear there */
+-		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
++		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
+ 		    compat_pkalg_proposal(ssh,
+ 		    order_hostkeyalgs(host, hostaddr, port, cinfo));
+ 	} else {
+ 		/* Use specified HostkeyAlgorithms exactly */
+-		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
++		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
+ 		    compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
+ 	}
+ 
+@@ -380,6 +380,10 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
+ 	    (r = ssh_packet_write_wait(ssh)) != 0)
+ 		fatal_fr(r, "send packet");
+ #endif
++	/* Free only parts of proposal that were dynamically allocated here. */
++	free(prop_kex);
++	free(prop_enc);
++	free(prop_hostkey);
+ }
+ 
+ /*
+diff --git a/sshd.c b/sshd.c
+index 98a9754..6c77f07 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshd.c,v 1.578 2021/07/19 02:21:50 dtucker Exp $ */
++/* $OpenBSD: sshd.c,v 1.589 2022/07/01 03:39:44 dtucker Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -2522,12 +2522,14 @@ do_ssh2_kex(struct ssh *ssh)
+ {
+ 	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
+ 	struct kex *kex;
++	char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
+ 	int r;
+ 
+-	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
++	myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh,
+ 	    options.kex_algorithms);
+-	myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
+-	    options.ciphers);
++	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
++		myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
++		compat_cipher_proposal(ssh, options.ciphers);
+ 	myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh,
+ 	    options.ciphers);
+ 	myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+@@ -2542,8 +2544,8 @@ do_ssh2_kex(struct ssh *ssh)
+ 		ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
+ 		    options.rekey_interval);
+ 	/* coverity[leaked_storage : FALSE]*/
+-	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
+-	    ssh, list_hostkey_types());
++	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
++		compat_pkalg_proposal(ssh, list_hostkey_types());
+ 
+ #if defined(GSSAPI) && defined(WITH_OPENSSL)
+ 	{
+@@ -2639,6 +2641,9 @@ do_ssh2_kex(struct ssh *ssh)
+ 	    (r = ssh_packet_write_wait(ssh)) != 0)
+ 		fatal_fr(r, "send test");
+ #endif
++	free(prop_kex);
++	free(prop_enc);
++	free(prop_hostkey);
+ 	debug("KEX done");
+ }
+ 
+-- 
+2.33.0
+

backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch

@@ -0,0 +1,43 @@
+From 527cb43fa1b4e55df661feabbac51b8e608b6519 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Thu, 14 Jul 2022 11:22:08 +1000
+Subject: Return ERANGE from getcwd() if buffer size is 1.
+
+If getcwd() is supplied a buffer size of exactly 1 and a path of "/", it
+could result in a nul byte being written out of array bounds.  POSIX says
+it should return ERANGE if the path will not fit in the available buffer
+(with terminating nul). 1 byte cannot fit any possible path with its nul,
+so immediately return ERANGE in that case.
+
+OpenSSH never uses getcwd() with this buffer size, and all current
+(and even quite old) platforms that we are currently known to work
+on have a native getcwd() so this code is not used on those anyway.
+Reported by Qualys, ok djm@
+
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=527cb43fa1b4e55df661feabbac51b8e608b6519
+Conflict:NA
+---
+ openbsd-compat/getcwd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
+index e4f7f5a..a403a01 100644
+--- a/openbsd-compat/getcwd.c
++++ b/openbsd-compat/getcwd.c
+@@ -71,9 +71,12 @@ getcwd(char *pt, size_t size)
+ 	 */
+ 	if (pt) {
+ 		ptsize = 0;
+-		if (!size) {
++		if (size == 0) {
+ 			errno = EINVAL;
+ 			return (NULL);
++		} else if (size == 1) {
++			errno = ERANGE;
++			return (NULL);
+ 		}
+ 		ept = pt + size;
+ 	} else {
+-- 
+2.33.0
+

backport-upstream-Always-return-allocated-strings-from-the-ke.patch

@@ -0,0 +1,88 @@
+From 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Fri, 1 Jul 2022 03:35:45 +0000
+Subject: upstream: Always return allocated strings from the kex filtering so
+
+that we can free them later.  Fix one leak in compat_kex_proposal.  Based on
+github PR#324 from ZoltanFridrich with some simplications by me. ok djm@
+
+OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=486c4dc3b83b4b67d663fb0fa62bc24138ec3946
+---
+ compat.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/compat.c b/compat.c
+index 9120bd2..1d50349 100644
+--- a/compat.c
++++ b/compat.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */
++/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */
+ /*
+  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
+  *
+@@ -156,11 +156,12 @@ compat_banner(struct ssh *ssh, const char *version)
+ 	debug_f("no match: %s", version);
+ }
+ 
++/* Always returns pointer to allocated memory, caller must free. */
+ char *
+ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
+ {
+ 	if (!(ssh->compat & SSH_BUG_BIGENDIANAES))
+-		return cipher_prop;
++		return xstrdup(cipher_prop);
+ 	debug2_f("original cipher proposal: %s", cipher_prop);
+ 	if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL)
+ 		fatal("match_filter_denylist failed");
+@@ -170,11 +171,12 @@ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
+ 	return cipher_prop;
+ }
+ 
++/* Always returns pointer to allocated memory, caller must free. */
+ char *
+ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
+ {
+ 	if (!(ssh->compat & SSH_BUG_RSASIGMD5))
+-		return pkalg_prop;
++		return xstrdup(pkalg_prop);
+ 	debug2_f("original public key proposal: %s", pkalg_prop);
+ 	if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL)
+ 		fatal("match_filter_denylist failed");
+@@ -184,11 +186,15 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
+ 	return pkalg_prop;
+ }
+ 
++/* Always returns pointer to allocated memory, caller must free. */
+ char *
+ compat_kex_proposal(struct ssh *ssh, char *p)
+ {
++	char *cp = NULL;
++
++
+ 	if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
+-		return p;
++		return xstrdup(p);
+ 	debug2_f("original KEX proposal: %s", p);
+ 	if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+ 		/* coverity[overwrite_var : FALSE] */
+@@ -196,11 +202,13 @@ compat_kex_proposal(struct ssh *ssh, char *p)
+ 		    "curve25519-sha256@libssh.org")) == NULL)
+ 			fatal("match_filter_denylist failed");
+ 	if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
++		cp = p;
+ 		/* coverity[overwrite_var : FALSE] */
+ 		if ((p = match_filter_denylist(p,
+ 		    "diffie-hellman-group-exchange-sha256,"
+ 		    "diffie-hellman-group-exchange-sha1")) == NULL)
+ 			fatal("match_filter_denylist failed");
++		free(cp);
+ 	}
+ 	debug2_f("compat KEX proposal: %s", p);
+ 	if (*p == '\0')
+-- 
+2.33.0
+

backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch

@@ -0,0 +1,37 @@
+From f29d6cf98c25bf044079032d22c1a57c63ab9d8e Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Sat, 18 Jun 2022 02:17:16 +0000
+Subject: upstream: Don't attempt to fprintf a null identity comment. From
+
+Martin Vahlensieck via tech@.
+
+OpenBSD-Commit-ID: 4c54d20a8e8e4e9912c38a7b4ef5bfc5ca2e05c2
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=f29d6cf98c25bf044079032d22c1a57c63ab9d8e
+---
+ ssh-add.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-add.c b/ssh-add.c
+index 29c0b17..d60bafc 100644
+--- a/ssh-add.c
++++ b/ssh-add.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-add.c,v 1.160 2021/04/03 06:18:41 djm Exp $ */
++/* $OpenBSD: ssh-add.c,v 1.166 2022/06/18 02:17:16 dtucker Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -125,7 +125,7 @@ delete_one(int agent_fd, const struct sshkey *key, const char *comment,
+ 	}
+ 	if (!qflag) {
+ 		fprintf(stderr, "Identity removed: %s %s (%s)\n", path,
+-		    sshkey_type(key), comment);
++		    sshkey_type(key), comment ? comment : "no comment");
+ 	}
+ 	return 0;
+ }
+-- 
+2.33.0
+

backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch

@@ -0,0 +1,63 @@
+From 17904f05802988d0bb9ed3c8d1d37411e8f459c3 Mon Sep 17 00:00:00 2001
+From: "tobhe@openbsd.org" <tobhe@openbsd.org>
+Date: Tue, 21 Jun 2022 14:52:13 +0000
+Subject: upstream: Make sure not to fclose() the same fd twice in case of an
+
+error.
+
+ok dtucker@
+
+OpenBSD-Commit-ID: e384c4e05d5521e7866b3d53ca59acd2a86eef99
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=17904f05802988d0bb9ed3c8d1d37411e8f459c3
+
+---
+ authfile.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/authfile.c b/authfile.c
+index 8990137..dce1e84 100644
+--- a/authfile.c
++++ b/authfile.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: authfile.c,v 1.141 2020/06/18 23:33:38 djm Exp $ */
++/* $OpenBSD: authfile.c,v 1.143 2022/06/21 14:52:13 tobhe Exp $ */
+ /*
+  * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
+  *
+@@ -515,20 +515,25 @@ sshkey_save_public(const struct sshkey *key, const char *path,
+ 		return SSH_ERR_SYSTEM_ERROR;
+ 	if ((f = fdopen(fd, "w")) == NULL) {
+ 		r = SSH_ERR_SYSTEM_ERROR;
++		close(fd);
+ 		goto fail;
+ 	}
+ 	if ((r = sshkey_write(key, f)) != 0)
+ 		goto fail;
+ 	fprintf(f, " %s\n", comment);
+-	if (ferror(f) || fclose(f) != 0) {
++	if (ferror(f)) {
+ 		r = SSH_ERR_SYSTEM_ERROR;
++		goto fail;
++	}
++	if (fclose(f) != 0) {
++		r = SSH_ERR_SYSTEM_ERROR;
++		f = NULL;
+  fail:
+-		oerrno = errno;
+-		if (f != NULL)
++		if (f != NULL) {
++			oerrno = errno;
+ 			fclose(f);
+-		else
+-			close(fd);
+-		errno = oerrno;
++			errno = oerrno;
++		}
+ 		return r;
+ 	}
+ 	return 0;
+-- 
+2.33.0
+

backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch

@@ -0,0 +1,56 @@
+From 5062ad48814b06162511c4f5924a33d97b6b2566 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 19 Aug 2022 03:06:30 +0000
+Subject: upstream: double free() in error path; from Eusgor via GHPR333
+
+OpenBSD-Commit-ID: 39f35e16ba878c8d02b4d01d8826d9b321be26d4
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=5062ad48814b06162511c4f5924a33d97b6b2566
+
+---
+ sshsig.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sshsig.c b/sshsig.c
+index 0e8abf1..58c7df4 100644
+--- a/sshsig.c
++++ b/sshsig.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshsig.c,v 1.21 2021/07/23 04:00:59 djm Exp $ */
++/* $OpenBSD: sshsig.c,v 1.30 2022/08/19 03:06:30 djm Exp $ */
+ /*
+  * Copyright (c) 2019 Google LLC
+  *
+@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
+ {
+ 	char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
+ 	ssize_t n, total = 0;
+-	struct ssh_digest_ctx *ctx;
++	struct ssh_digest_ctx *ctx = NULL;
+ 	int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
+ 	struct sshbuf *b = NULL;
+ 
+@@ -514,7 +514,6 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
+ 				continue;
+ 			oerrno = errno;
+ 			error_f("read: %s", strerror(errno));
+-			ssh_digest_free(ctx);
+ 			ctx = NULL;
+ 			errno = oerrno;
+ 			r = SSH_ERR_SYSTEM_ERROR;
+@@ -550,9 +549,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
+ 	/* success */
+ 	r = 0;
+  out:
++	oerrno = errno;
+ 	sshbuf_free(b);
+ 	ssh_digest_free(ctx);
+ 	explicit_bzero(hash, sizeof(hash));
++	errno = oerrno;
+ 	return r;
+ }
+ 
+-- 
+2.33.0
+

backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch

@@ -0,0 +1,54 @@
+From 2c334fd36f80cb91cc42e4b978b10aa35e0df236 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Fri, 27 May 2022 04:29:40 +0000
+Subject: upstream: f sshpkt functions fail, then password is not cleared
+
+with freezero. Unconditionally call freezero to guarantee that password is
+removed from RAM.
+
+From tobias@ and c3h2_ctf via github PR#286, ok djm@
+
+OpenBSD-Commit-ID: 6b093619c9515328e25b0f8093779c52402c89cd
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=2c334fd36f80cb91cc42e4b978b10aa35e0df236
+
+---
+ auth2-passwd.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/auth2-passwd.c b/auth2-passwd.c
+index be4b860..1d80481 100644
+--- a/auth2-passwd.c
++++ b/auth2-passwd.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: auth2-passwd.c,v 1.19 2020/10/18 11:32:01 djm Exp $ */
++/* $OpenBSD: auth2-passwd.c,v 1.21 2022/05/27 04:29:40 dtucker Exp $ */
+ /*
+  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+  *
+@@ -51,16 +51,18 @@ extern ServerOptions options;
+ static int
+ userauth_passwd(struct ssh *ssh)
+ {
+-	char *password;
++	char *password = NULL;
+ 	int authenticated = 0, r;
+ 	u_char change;
+-	size_t len;
++	size_t len = 0;
+ 
+ 	if ((r = sshpkt_get_u8(ssh, &change)) != 0 ||
+ 	    (r = sshpkt_get_cstring(ssh, &password, &len)) != 0 ||
+ 	    (change && (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0) ||
+-	    (r = sshpkt_get_end(ssh)) != 0)
++	    (r = sshpkt_get_end(ssh)) != 0) {
++		freezero(password, len);
+ 		fatal_fr(r, "parse packet");
++	}
+ 
+ 	if (change)
+ 		logit("password change not supported");
+-- 
+2.33.0
+

backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch

@@ -0,0 +1,46 @@
+From 96faa0de6c673a2ce84736eba37fc9fb723d9e5c Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 1 Jul 2022 00:36:30 +0000
+Subject: upstream: ignore SIGPIPE earlier in main(), specifically before
+
+muxclient() which performs operations that could cause one; Reported by Noam
+Lewis via bz3454, ok dtucker@
+
+OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/patch/?id=96faa0de6c673a2ce84736eba37fc9fb723d9e5c
+---
+ ssh.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index f55ff73..e987cd5 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh.c,v 1.569 2021/09/20 04:02:13 dtucker Exp $ */
++/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1135,6 +1135,8 @@ main(int ac, char **av)
+ 		}
+ 	}
+ 
++	ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
++
+ 	/*
+ 	 * Initialize "log" output.  Since we are the client all output
+ 	 * goes to stderr unless otherwise specified by -y or -E.
+@@ -1660,7 +1662,6 @@ main(int ac, char **av)
+ 	    options.num_system_hostfiles);
+ 	tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles);
+ 
+-	ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
+ 	ssh_signal(SIGCHLD, main_sigchld_handler);
+ 
+ 	/* Log into the remote system.  Never returns if the login fails. */
+-- 
+2.33.0
+

openssh.spec

@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 
 %global sshd_uid    74
-%global openssh_release 11
+%global openssh_release 12
 
 Name:           openssh
 Version:        8.8p1
@@ -93,6 +93,14 @@ Patch62:        backport-upstream-better-debugging-for-connect_next.patch
 Patch63:        add-loongarch.patch
 Patch64:        backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
 Patch65:        openssh-Add-sw64-architecture.patch
+Patch66:        backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch
+Patch67:        backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch
+Patch68:        backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
+Patch69:        backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch
+Patch70:        backport-upstream-Always-return-allocated-strings-from-the-ke.patch
+Patch71:        backport-Don-t-leak-the-strings-allocated-by-order_h.patch
+Patch72:        backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch
+Patch73:        backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch
 
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -236,6 +244,14 @@ popd
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
+%patch66 -p1
+%patch67 -p1
+%patch68 -p1
+%patch69 -p1
+%patch70 -p1
+%patch71 -p1
+%patch72 -p1
+%patch73 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -437,6 +453,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-12
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:backport some upstream patches
+
 * Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-11
 - Type:requirement
 - CVE:NA