!160 回合openssh社区补丁

From: @renmingshuai Reviewed-by: @kircher Signed-off-by: @kircher
2022-12-29 07:42:35 +00:00 · 2022-12-29 07:42:35 +00:00 · 25c3cf968a
commit 25c3cf968a
parent fa2b7fae7d da28ce97d9
9 changed files with 540 additions and 1 deletions
--- a/backport-Don-t-leak-the-strings-allocated-by-order_h.patch
+++ b/backport-Don-t-leak-the-strings-allocated-by-order_h.patch
@ -0,0 +1,130 @@
 From 6c31ba10e97b6953c4f325f526f3e846dfea647a Mon Sep 17 00:00:00 2001
 From: "dtucker@openbsd.org" <dtucker@openbsd.org>
 Date: Fri, 1 Jul 2022 03:39:44 +0000
 Subject: upstream: Don't leak the strings allocated by order_hostkeyalgs()
 and list_hostkey_types() that are passed to compat_pkalg_proposal(). Part of
 github PR#324 from ZoltanFridrich, ok djm@
 This is a roll-forward of the previous rollback now that the required
 changes in compat.c have been done.
 OpenBSD-Commit-ID: c7cd93730b3b9f53cdad3ae32462922834ef73eb
 Conflict:NA
 Reference:https://anongit.mindrot.org/openssh.git/patch/?id=6c31ba10e97b6953c4f325f526f3e846dfea647a
 ---
 sshconnect2.c | 16 ++++++++++------
 sshd.c        | 17 +++++++++++------
 2 files changed, 21 insertions(+), 12 deletions(-)
 diff --git a/sshconnect2.c b/sshconnect2.c
 index 150d419..eb0df92 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: sshconnect2.c,v 1.351 2021/07/23 05:24:02 djm Exp $ */
 +/* $OpenBSD: sshconnect2.c,v 1.359 2022/07/01 03:39:44 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -218,6 +218,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
 {
 	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
 	char *s, *all_key;
 +	char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
 	int r, use_known_hosts_order = 0;
 #if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -248,10 +249,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
 	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
 		fatal_f("kex_names_cat");
 -	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s);
 +	myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s);
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 -	    compat_cipher_proposal(ssh, options.ciphers);
 -	myproposal[PROPOSAL_ENC_ALGS_STOC] =
 +	    myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
 	    compat_cipher_proposal(ssh, options.ciphers);
 	myproposal[PROPOSAL_COMP_ALGS_CTOS] =
 	    myproposal[PROPOSAL_COMP_ALGS_STOC] =
@@ -260,12 +260,12 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
 	    myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
 	if (use_known_hosts_order) {
 		/* Query known_hosts and prefer algorithms that appear there */
 -		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 +		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
 		    compat_pkalg_proposal(ssh,
 		    order_hostkeyalgs(host, hostaddr, port, cinfo));
 	} else {
 		/* Use specified HostkeyAlgorithms exactly */
 -		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 +		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
 		    compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
 	}
@@ -380,6 +380,10 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
 	    (r = ssh_packet_write_wait(ssh)) != 0)
 		fatal_fr(r, "send packet");
 #endif
 +	/* Free only parts of proposal that were dynamically allocated here. */
 +	free(prop_kex);
 +	free(prop_enc);
 +	free(prop_hostkey);
 }
 /*
 diff --git a/sshd.c b/sshd.c
 index 98a9754..6c77f07 100644
 --- a/sshd.c
 +++ b/sshd.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: sshd.c,v 1.578 2021/07/19 02:21:50 dtucker Exp $ */
 +/* $OpenBSD: sshd.c,v 1.589 2022/07/01 03:39:44 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2522,12 +2522,14 @@ do_ssh2_kex(struct ssh *ssh)
 {
 	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
 	struct kex *kex;
 +	char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
 	int r;
 -	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
 +	myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh,
 	    options.kex_algorithms);
 -	myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
 -	    options.ciphers);
 +	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 +		myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
 +		compat_cipher_proposal(ssh, options.ciphers);
 	myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh,
 	    options.ciphers);
 	myproposal[PROPOSAL_MAC_ALGS_CTOS] =
@@ -2542,8 +2544,8 @@ do_ssh2_kex(struct ssh *ssh)
 		ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
 		    options.rekey_interval);
 	/* coverity[leaked_storage : FALSE]*/
 -	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
 -	    ssh, list_hostkey_types());
 +	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
 +		compat_pkalg_proposal(ssh, list_hostkey_types());
 #if defined(GSSAPI) && defined(WITH_OPENSSL)
 	{
@@ -2639,6 +2641,9 @@ do_ssh2_kex(struct ssh *ssh)
 	    (r = ssh_packet_write_wait(ssh)) != 0)
 		fatal_fr(r, "send test");
 #endif
 +	free(prop_kex);
 +	free(prop_enc);
 +	free(prop_hostkey);
 	debug("KEX done");
 }
 -- 
 2.33.0
--- a/backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch
+++ b/backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch
@ -0,0 +1,43 @@
 From 527cb43fa1b4e55df661feabbac51b8e608b6519 Mon Sep 17 00:00:00 2001
 From: Darren Tucker <dtucker@dtucker.net>
 Date: Thu, 14 Jul 2022 11:22:08 +1000
 Subject: Return ERANGE from getcwd() if buffer size is 1.
 If getcwd() is supplied a buffer size of exactly 1 and a path of "/", it
 could result in a nul byte being written out of array bounds.  POSIX says
 it should return ERANGE if the path will not fit in the available buffer
 (with terminating nul). 1 byte cannot fit any possible path with its nul,
 so immediately return ERANGE in that case.
 OpenSSH never uses getcwd() with this buffer size, and all current
 (and even quite old) platforms that we are currently known to work
 on have a native getcwd() so this code is not used on those anyway.
 Reported by Qualys, ok djm@
 Reference:https://anongit.mindrot.org/openssh.git/patch/?id=527cb43fa1b4e55df661feabbac51b8e608b6519
 Conflict:NA
 ---
 openbsd-compat/getcwd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c
 index e4f7f5a..a403a01 100644
 --- a/openbsd-compat/getcwd.c
 +++ b/openbsd-compat/getcwd.c
@@ -71,9 +71,12 @@ getcwd(char *pt, size_t size)
 	 */
 	if (pt) {
 		ptsize = 0;
 -		if (!size) {
 +		if (size == 0) {
 			errno = EINVAL;
 			return (NULL);
 +		} else if (size == 1) {
 +			errno = ERANGE;
 +			return (NULL);
 		}
 		ept = pt + size;
 	} else {
 -- 
 2.33.0
--- a/backport-upstream-Always-return-allocated-strings-from-the-ke.patch
+++ b/backport-upstream-Always-return-allocated-strings-from-the-ke.patch
@ -0,0 +1,88 @@
 From 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 Mon Sep 17 00:00:00 2001
 From: "dtucker@openbsd.org" <dtucker@openbsd.org>
 Date: Fri, 1 Jul 2022 03:35:45 +0000
 Subject: upstream: Always return allocated strings from the kex filtering so
 that we can free them later.  Fix one leak in compat_kex_proposal.  Based on
 github PR#324 from ZoltanFridrich with some simplications by me. ok djm@
 OpenBSD-Commit-ID: 9171616da3307612d0ede086fd511142f91246e4
 Conflict:NA
 Reference:https://anongit.mindrot.org/openssh.git/patch/?id=486c4dc3b83b4b67d663fb0fa62bc24138ec3946
 ---
 compat.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
 diff --git a/compat.c b/compat.c
 index 9120bd2..1d50349 100644
 --- a/compat.c
 +++ b/compat.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: compat.c,v 1.119 2021/09/10 05:46:09 djm Exp $ */
 +/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -156,11 +156,12 @@ compat_banner(struct ssh *ssh, const char *version)
 	debug_f("no match: %s", version);
 }
 +/* Always returns pointer to allocated memory, caller must free. */
 char *
 compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
 {
 	if (!(ssh->compat & SSH_BUG_BIGENDIANAES))
 -		return cipher_prop;
 +		return xstrdup(cipher_prop);
 	debug2_f("original cipher proposal: %s", cipher_prop);
 	if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL)
 		fatal("match_filter_denylist failed");
@@ -170,11 +171,12 @@ compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
 	return cipher_prop;
 }
 +/* Always returns pointer to allocated memory, caller must free. */
 char *
 compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
 {
 	if (!(ssh->compat & SSH_BUG_RSASIGMD5))
 -		return pkalg_prop;
 +		return xstrdup(pkalg_prop);
 	debug2_f("original public key proposal: %s", pkalg_prop);
 	if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL)
 		fatal("match_filter_denylist failed");
@@ -184,11 +186,15 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
 	return pkalg_prop;
 }
 +/* Always returns pointer to allocated memory, caller must free. */
 char *
 compat_kex_proposal(struct ssh *ssh, char *p)
 {
 +	char *cp = NULL;
 +
 +
 	if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
 -		return p;
 +		return xstrdup(p);
 	debug2_f("original KEX proposal: %s", p);
 	if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
 		/* coverity[overwrite_var : FALSE] */
@@ -196,11 +202,13 @@ compat_kex_proposal(struct ssh *ssh, char *p)
 		    "curve25519-sha256@libssh.org")) == NULL)
 			fatal("match_filter_denylist failed");
 	if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
 +		cp = p;
 		/* coverity[overwrite_var : FALSE] */
 		if ((p = match_filter_denylist(p,
 		    "diffie-hellman-group-exchange-sha256,"
 		    "diffie-hellman-group-exchange-sha1")) == NULL)
 			fatal("match_filter_denylist failed");
 +		free(cp);
 	}
 	debug2_f("compat KEX proposal: %s", p);
 	if (*p == '\0')
 -- 
 2.33.0
--- a/backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
+++ b/backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
@ -0,0 +1,37 @@
 From f29d6cf98c25bf044079032d22c1a57c63ab9d8e Mon Sep 17 00:00:00 2001
 From: "dtucker@openbsd.org" <dtucker@openbsd.org>
 Date: Sat, 18 Jun 2022 02:17:16 +0000
 Subject: upstream: Don't attempt to fprintf a null identity comment. From
 Martin Vahlensieck via tech@.
 OpenBSD-Commit-ID: 4c54d20a8e8e4e9912c38a7b4ef5bfc5ca2e05c2
 Conflict:NA
 Reference:https://anongit.mindrot.org/openssh.git/patch/?id=f29d6cf98c25bf044079032d22c1a57c63ab9d8e
 ---
 ssh-add.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/ssh-add.c b/ssh-add.c
 index 29c0b17..d60bafc 100644
 --- a/ssh-add.c
 +++ b/ssh-add.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: ssh-add.c,v 1.160 2021/04/03 06:18:41 djm Exp $ */
 +/* $OpenBSD: ssh-add.c,v 1.166 2022/06/18 02:17:16 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -125,7 +125,7 @@ delete_one(int agent_fd, const struct sshkey *key, const char *comment,
 	}
 	if (!qflag) {
 		fprintf(stderr, "Identity removed: %s %s (%s)\n", path,
 -		    sshkey_type(key), comment);
 +		    sshkey_type(key), comment ? comment : "no comment");
 	}
 	return 0;
 }
 -- 
 2.33.0
--- a/backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch
+++ b/backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch
@ -0,0 +1,63 @@
 From 17904f05802988d0bb9ed3c8d1d37411e8f459c3 Mon Sep 17 00:00:00 2001
 From: "tobhe@openbsd.org" <tobhe@openbsd.org>
 Date: Tue, 21 Jun 2022 14:52:13 +0000
 Subject: upstream: Make sure not to fclose() the same fd twice in case of an
 error.
 ok dtucker@
 OpenBSD-Commit-ID: e384c4e05d5521e7866b3d53ca59acd2a86eef99
 Conflict:NA
 Reference:https://anongit.mindrot.org/openssh.git/patch/?id=17904f05802988d0bb9ed3c8d1d37411e8f459c3
 ---
 authfile.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
 diff --git a/authfile.c b/authfile.c
 index 8990137..dce1e84 100644
 --- a/authfile.c
 +++ b/authfile.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: authfile.c,v 1.141 2020/06/18 23:33:38 djm Exp $ */
 +/* $OpenBSD: authfile.c,v 1.143 2022/06/21 14:52:13 tobhe Exp $ */
 /*
  * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
  *
@@ -515,20 +515,25 @@ sshkey_save_public(const struct sshkey *key, const char *path,
 		return SSH_ERR_SYSTEM_ERROR;
 	if ((f = fdopen(fd, "w")) == NULL) {
 		r = SSH_ERR_SYSTEM_ERROR;
 +		close(fd);
 		goto fail;
 	}
 	if ((r = sshkey_write(key, f)) != 0)
 		goto fail;
 	fprintf(f, " %s\n", comment);
 -	if (ferror(f) || fclose(f) != 0) {
 +	if (ferror(f)) {
 		r = SSH_ERR_SYSTEM_ERROR;
 +		goto fail;
 +	}
 +	if (fclose(f) != 0) {
 +		r = SSH_ERR_SYSTEM_ERROR;
 +		f = NULL;
  fail:
 -		oerrno = errno;
 -		if (f != NULL)
 +		if (f != NULL) {
 +			oerrno = errno;
 			fclose(f);
 -		else
 -			close(fd);
 -		errno = oerrno;
 +			errno = oerrno;
 +		}
 		return r;
 	}
 	return 0;
 -- 
 2.33.0
--- a/backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch
+++ b/backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch
@ -0,0 +1,56 @@
 From 5062ad48814b06162511c4f5924a33d97b6b2566 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Fri, 19 Aug 2022 03:06:30 +0000
 Subject: upstream: double free() in error path; from Eusgor via GHPR333
 OpenBSD-Commit-ID: 39f35e16ba878c8d02b4d01d8826d9b321be26d4
 Conflict:NA
 Reference:https://anongit.mindrot.org/openssh.git/patch/?id=5062ad48814b06162511c4f5924a33d97b6b2566
 ---
 sshsig.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/sshsig.c b/sshsig.c
 index 0e8abf1..58c7df4 100644
 --- a/sshsig.c
 +++ b/sshsig.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: sshsig.c,v 1.21 2021/07/23 04:00:59 djm Exp $ */
 +/* $OpenBSD: sshsig.c,v 1.30 2022/08/19 03:06:30 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
 {
 	char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
 	ssize_t n, total = 0;
 -	struct ssh_digest_ctx *ctx;
 +	struct ssh_digest_ctx *ctx = NULL;
 	int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
 	struct sshbuf *b = NULL;
@@ -514,7 +514,6 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
 				continue;
 			oerrno = errno;
 			error_f("read: %s", strerror(errno));
 -			ssh_digest_free(ctx);
 			ctx = NULL;
 			errno = oerrno;
 			r = SSH_ERR_SYSTEM_ERROR;
@@ -550,9 +549,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
 	/* success */
 	r = 0;
  out:
 +	oerrno = errno;
 	sshbuf_free(b);
 	ssh_digest_free(ctx);
 	explicit_bzero(hash, sizeof(hash));
 +	errno = oerrno;
 	return r;
 }
 -- 
 2.33.0
--- a/backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch
+++ b/backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch
@ -0,0 +1,54 @@
 From 2c334fd36f80cb91cc42e4b978b10aa35e0df236 Mon Sep 17 00:00:00 2001
 From: "dtucker@openbsd.org" <dtucker@openbsd.org>
 Date: Fri, 27 May 2022 04:29:40 +0000
 Subject: upstream: f sshpkt functions fail, then password is not cleared
 with freezero. Unconditionally call freezero to guarantee that password is
 removed from RAM.
 From tobias@ and c3h2_ctf via github PR#286, ok djm@
 OpenBSD-Commit-ID: 6b093619c9515328e25b0f8093779c52402c89cd
 Conflict:NA
 Reference:https://anongit.mindrot.org/openssh.git/commit?id=2c334fd36f80cb91cc42e4b978b10aa35e0df236
 ---
 auth2-passwd.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
 diff --git a/auth2-passwd.c b/auth2-passwd.c
 index be4b860..1d80481 100644
 --- a/auth2-passwd.c
 +++ b/auth2-passwd.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: auth2-passwd.c,v 1.19 2020/10/18 11:32:01 djm Exp $ */
 +/* $OpenBSD: auth2-passwd.c,v 1.21 2022/05/27 04:29:40 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -51,16 +51,18 @@ extern ServerOptions options;
 static int
 userauth_passwd(struct ssh *ssh)
 {
 -	char *password;
 +	char *password = NULL;
 	int authenticated = 0, r;
 	u_char change;
 -	size_t len;
 +	size_t len = 0;
 	if ((r = sshpkt_get_u8(ssh, &change)) != 0 ||
 	    (r = sshpkt_get_cstring(ssh, &password, &len)) != 0 ||
 	    (change && (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0) ||
 -	    (r = sshpkt_get_end(ssh)) != 0)
 +	    (r = sshpkt_get_end(ssh)) != 0) {
 +		freezero(password, len);
 		fatal_fr(r, "parse packet");
 +	}
 	if (change)
 		logit("password change not supported");
 -- 
 2.33.0
--- a/backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch
+++ b/backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch
@ -0,0 +1,46 @@
 From 96faa0de6c673a2ce84736eba37fc9fb723d9e5c Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Fri, 1 Jul 2022 00:36:30 +0000
 Subject: upstream: ignore SIGPIPE earlier in main(), specifically before
 muxclient() which performs operations that could cause one; Reported by Noam
 Lewis via bz3454, ok dtucker@
 OpenBSD-Commit-ID: 63d8e13276869eebac6d7a05d5a96307f9026e47
 Conflict:NA
 Reference:https://anongit.mindrot.org/openssh.git/patch/?id=96faa0de6c673a2ce84736eba37fc9fb723d9e5c
 ---
 ssh.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/ssh.c b/ssh.c
 index f55ff73..e987cd5 100644
 --- a/ssh.c
 +++ b/ssh.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: ssh.c,v 1.569 2021/09/20 04:02:13 dtucker Exp $ */
 +/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1135,6 +1135,8 @@ main(int ac, char **av)
 		}
 	}
 +	ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
 +
 	/*
 	 * Initialize "log" output.  Since we are the client all output
 	 * goes to stderr unless otherwise specified by -y or -E.
@@ -1660,7 +1662,6 @@ main(int ac, char **av)
 	    options.num_system_hostfiles);
 	tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles);
 -	ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
 	ssh_signal(SIGCHLD, main_sigchld_handler);
 	/* Log into the remote system.  Never returns if the login fails. */
 -- 
 2.33.0
--- a/openssh.spec
+++ b/openssh.spec
@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 %global sshd_uid    74
-%global openssh_release 11
+%global openssh_release 12
 Name:           openssh
 Version:        8.8p1
@ -93,6 +93,14 @@ Patch62:        backport-upstream-better-debugging-for-connect_next.patch
 Patch63:        add-loongarch.patch
 Patch64:        backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
 Patch65:        openssh-Add-sw64-architecture.patch
 Patch66:        backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch
 Patch67:        backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch
 Patch68:        backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
 Patch69:        backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch
 Patch70:        backport-upstream-Always-return-allocated-strings-from-the-ke.patch
 Patch71:        backport-Don-t-leak-the-strings-allocated-by-order_h.patch
 Patch72:        backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch
 Patch73:        backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch
 Requires:       /sbin/nologin
 Requires:       libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -236,6 +244,14 @@ popd
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
 %patch68 -p1
 %patch69 -p1
 %patch70 -p1
 %patch71 -p1
 %patch72 -p1
 %patch73 -p1
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -437,6 +453,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %changelog
 * Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-12
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC:backport some upstream patches
 * Thu Dec 29 2022 renmingshuai <renmingshuai@huawei.com> - 8.8p1-11
 - Type:requirement
 - CVE:NA