update to 9.3p2

2024-01-24 08:09:19 +00:00 · 2024-01-24 08:09:19 +00:00 · ddf95d2612
commit ddf95d2612
parent 0725f97c53
7 changed files with 28 additions and 156 deletions
--- a/openssh-8.0p1-pkcs11-uri.patch
+++ b/openssh-8.0p1-pkcs11-uri.patch
@ -1035,7 +1035,7 @@ diff -up openssh-8.7p1/ssh-agent.c.pkcs11-uri openssh-8.7p1/ssh-agent.c
 	int r, i, count = 0, success = 0, confirm = 0;
 	u_int seconds = 0;
@@ -869,33 +931,28 @@ process_add_smartcard_key(SocketEntry *e
- 		error_f("failed to parse constraints");
+ 		    "providers is disabled", provider);
 		goto send;
 	}
 -	if (realpath(provider, canonical_provider) == NULL) {
@ -2157,7 +2157,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
 	int ret = -1;
 	struct pkcs11_provider *p = NULL;
 	void *handle = NULL;
-@@ -1517,164 +1702,298 @@ pkcs11_register_provider(char *provider_
+@@ -1517,162 +1702,296 @@ pkcs11_register_provider(char *provider_
 	CK_FUNCTION_LIST *f = NULL;
 	CK_TOKEN_INFO *token;
 	CK_ULONG i;
@ -2213,10 +2213,8 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
 +		error("dlopen %s failed: %s", provider_module, dlerror());
 		goto fail;
 	}
- 	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
- 		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
- 		goto fail;
- 	}
+ 	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
+ 		fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
 -	p = xcalloc(1, sizeof(*p));
 -	p->name = xstrdup(provider_id);
 -	p->handle = handle;
--- a/openssh-9.3p1-upstream-cve-2023-38408.patch
+++ b/openssh-9.3p1-upstream-cve-2023-38408.patch
@ -1,130 +0,0 @@
-diff --git a/ssh-agent.c b/ssh-agent.c
-index 618bb198..8ea831f4 100644
-diff -up openssh-9.3p1/ssh-agent.c.cve openssh-9.3p1/ssh-agent.c
--- openssh-9.3p1/ssh-agent.c.cve	2023-07-21 15:38:13.237276580 +0200
-+++ openssh-9.3p1/ssh-agent.c	2023-07-21 15:41:30.269943569 +0200
-@@ -169,6 +169,12 @@ char socket_dir[PATH_MAX];
- /* Pattern-list of allowed PKCS#11/Security key paths */
- static char *allowed_providers;
- 
-+/*
-+ * Allows PKCS11 providers or SK keys that use non-internal providers to
-+ * be added over a remote connection (identified by session-bind@openssh.com).
-+ */
-+static int remote_add_provider;
-+
- /* locking */
- #define LOCK_SIZE	32
- #define LOCK_SALT_SIZE	16
-@@ -1228,6 +1234,12 @@ process_add_identity(SocketEntry *e)
- 		if (strcasecmp(sk_provider, "internal") == 0) {
- 			debug_f("internal provider");
- 		} else {
-+			if (e->nsession_ids != 0 && !remote_add_provider) {
-+				verbose("failed add of SK provider \"%.100s\": "
-+				    "remote addition of providers is disabled",
-+				    sk_provider);
-+				goto out;
-+			}
- 			if (realpath(sk_provider, canonical_provider) == NULL) {
- 				verbose("failed provider \"%.100s\": "
- 				    "realpath: %s", sk_provider,
-@@ -1368,7 +1380,7 @@ no_identities(SocketEntry *e)
- 
- #ifdef ENABLE_PKCS11
- static char *
-sanitize_pkcs11_provider(const char *provider)
-+sanitize_pkcs11_provider(SocketEntry *e, const char *provider)
- {
- 	struct pkcs11_uri *uri = NULL;
- 	char *sane_uri, *module_path = NULL; /* default path */
-@@ -1399,6 +1411,11 @@ sanitize_pkcs11_provider(const char *pro
- 		module_path = strdup(provider); /* simple path */
- 
- 	if (module_path != NULL) { /* do not validate default NULL path in URI */
-+		if (e->nsession_ids != 0 && !remote_add_provider) {
-+			verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
-+			    "providers is disabled", provider);
-+			return NULL;
-+		}
- 		if (realpath(module_path, canonical_provider) == NULL) {
- 			verbose("failed PKCS#11 provider \"%.100s\": realpath: %s",
- 			    module_path, strerror(errno));
-@@ -1455,7 +1472,7 @@ process_add_smartcard_key(SocketEntry *e
- 		goto send;
- 	}
- 
-	sane_uri = sanitize_pkcs11_provider(provider);
-+	sane_uri = sanitize_pkcs11_provider(e, provider);
- 	if (sane_uri == NULL)
- 		goto send;
- 
-@@ -1516,7 +1533,7 @@ process_remove_smartcard_key(SocketEntry
- 	}
- 	free(pin);
- 
-	sane_uri = sanitize_pkcs11_provider(provider);
-+	sane_uri = sanitize_pkcs11_provider(e, provider);
- 	if (sane_uri == NULL)
- 		goto send;
- 
-@@ -2108,7 +2125,9 @@ main(int ac, char **av)
- 			break;
- 		case 'O':
- 			if (strcmp(optarg, "no-restrict-websafe") == 0)
-				restrict_websafe  = 0;
-+				restrict_websafe = 0;
-+			else if (strcmp(optarg, "allow-remote-pkcs11") == 0)
-+				remote_add_provider = 1;
- 			else
- 				fatal("Unknown -O option");
- 			break;
-diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
-index 6be647ec..ebddf6c3 100644
--- a/ssh-pkcs11.c
-+++ b/ssh-pkcs11.c
-@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
- 		error("dlopen %s failed: %s", provider_module, dlerror());
- 		goto fail;
- 	}
-	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
-		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
-		goto fail;
-	}
-+	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
-+		fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
- 
- 	p->module->handle = handle;
- 	/* setup the pkcs11 callbacks */
--- a/ssh-agent.1	2023-03-15 22:28:19.000000000 +0100
-+++ b/ssh-agent.1	2023-07-19 21:39:17.981406432 +0200
-@@ -107,9 +107,27 @@
- .It Fl O Ar option
- Specify an option when starting
- .Nm .
-Currently only one option is supported:
-+Currently two options are supported:
-+.Cm allow-remote-pkcs11
-+and
- .Cm no-restrict-websafe .
-This instructs
-+.Pp
-+The
-+.Cm allow-remote-pkcs11
-+option allows clients of a forwarded
-+.Nm
-+to load PKCS#11 or FIDO provider libraries.
-+By default only local clients may perform this operation.
-+Note that signalling that a
-+.Nm
-+client remote is performed by
-+.Xr ssh 1 ,
-+and use of other tools to forward access to the agent socket may circumvent
-+this restriction.
-+.Pp
-+The
-+.Cm no-restrict-websafe ,
-+instructs
- .Nm
- to permit signatures using FIDO keys that might be web authentication
- requests.
--- a/openssh-9.3p1.tar.gz
+++ b/openssh-9.3p1.tar.gz
--- a/openssh-9.3p1.tar.gz.asc
+++ b/openssh-9.3p1.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg
-YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i
-iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB
-OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0
-EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa
-ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf
-ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0
-CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg
-jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu
-f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa
-NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU
-k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k=
-=deVJ
-----END PGP SIGNATURE-----
--- a/openssh-9.3p2.tar.gz
+++ b/openssh-9.3p2.tar.gz
--- a/openssh-9.3p2.tar.gz.asc
+++ b/openssh-9.3p2.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmS3g5wACgkQKj9BTnNg
+YLrMYw//evjl0mlSnycb85tWASdBWQh28xQCouuqYhDhY+8kt6YpEx34r4zuXvL3
+pEN/F1ancNXwvlRPct/tF3OEQVpKHZqiRyfWuHHURSBLaGf9V1b+gQgfM4lEQNtH
+8PqRj+ur8E2GMGxvxuDKPcfduCTFrjbPJ/0OCgquuEteSM6dgcClT7q5SKKpTVSa
+jV0PaXeYgnaa+u+4GsH01oUteyJNmhvEa4T+fC1RDrct1DiieUQNkaw3pwMqYXA5
+8PldGatn/npNM5ZFW4uxTjbib2yJXNIEhUIzo2A00XWRG3jIArtRJwJ6ZSBahUE4
+PyasPMhJVIxIaKy5OL4s4FAd1goe2hBlPzmDhUJOhpFniLIZ9dS5AGaX4i2TjsZl
+iaIwtE2VLIn3peKZPvm7SCBqyBoiPKC0BfHmVOYs8c1W5Q30jE+kCcTDrJhHl32/
+kN5khCHIg6bUc3JzFZM7Ib0tshNP5AY0pyduSEF7SPOB5Zz2E+EwkDmkrnw9FoMh
+LCvSERDkBdxWD7okUdb0ARr564lShRjd2UTFZqv3Py4nVfvnP19RgCfakNg0CZ3w
+VoLytn8OQ/joAx4GMWox6g5ieYqeQ2kLzXYfXObTlDIjxirFeiBYPh6Ln5oGl81/
+jx/172HqCzRDgUogtZ/BTwiLDEzTHG7YS5RDIUYkqEGkkjjj6gg=
+=yVD2
+-----END PGP SIGNATURE-----
--- a/openssh.spec
+++ b/openssh.spec
@ -6,10 +6,10 @@
 %{?no_gtk2:%global gtk2 0}

 %global sshd_uid    74
-%global openssh_release 3
+%global openssh_release 1

 Name:           openssh
-Version:        9.3p1
+Version:        9.3p2
 Release:        %{openssh_release}
 URL:            http://www.openssh.com/portable.html
 License:        BSD
@ -86,7 +86,6 @@ Patch57:        openssh-8.7p1-minrsabits.patch
 Patch58:        openssh-8.7p1-ibmca.patch
 Patch60:        openssh-8.7p1-ssh-manpage.patch
 Patch61:        openssh-8.7p1-negotiate-supported-algs.patch
-Patch65:        openssh-9.3p1-upstream-cve-2023-38408.patch
 Patch66:        bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
 Patch67:        bugfix-openssh-add-option-check-username-splash.patch
 Patch68:        feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
@ -231,7 +230,6 @@ popd
 %patch58 -p1 -b .ibmca
 %patch60 -p1 -b .ssh-manpage
 %patch61 -p1 -b .negotiate-supported-algs
-%patch65 -p1 -b .cve-2023-38408
 %patch1 -p1 -b .audit
 %patch2 -p1 -b .audit-race
 %patch0 -p1 -b .coverity
@ -455,6 +453,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*

 %changelog
+* Wed Jan 24 2024 renmingshuai<renmingshuai@huawei.com> - 9.3p2-1
+- Type:update
+- CVE:NA
+- SUG:NA
+- DESC:update to 9.3p2
+
 * Tue Dec 26 2023 renmingshuai<renmingshuai@huawei.com> - 9.3p1-3
 - Type:CVE
 - CVE:CVE-2023-48795,CVE-2023-51385