summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorNicolas Iooss2020-07-19 12:41:12 +0200
committerNicolas Iooss2020-07-19 12:41:12 +0200
commit79aa2caa6ae0cc139d61f96f540a5beef7db911a (patch)
tree19f55d84d0358c8957fddcc2fbc0294aee15eed9
parent860352ca8c541846c01aa37a6e298007e3c79091 (diff)
downloadaur-79aa2caa6ae0cc139d61f96f540a5beef7db911a.tar.gz
openssh-selinux 8.3p1-3 update
-rw-r--r--.SRCINFO10
-rw-r--r--3122.patch98
-rw-r--r--67290.patch49
-rw-r--r--PKGBUILD15
4 files changed, 168 insertions, 4 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 994b162ce5a0..046958c8ae67 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = openssh-selinux
pkgdesc = Premier connectivity tool for remote login with the SSH protocol, with SELinux support
pkgver = 8.3p1
- pkgrel = 1
+ pkgrel = 3
url = https://www.openssh.com/portable.html
install = install
arch = x86_64
@@ -19,8 +19,8 @@ pkgbase = openssh-selinux
optdepends = xorg-xauth: X11 forwarding
optdepends = x11-ssh-askpass: input passphrase in X
optdepends = libfido2: FIDO/U2F support
- provides = openssh=8.3p1-1
- provides = selinux-openssh=8.3p1-1
+ provides = openssh=8.3p1-3
+ provides = selinux-openssh=8.3p1-3
conflicts = openssh
conflicts = selinux-openssh
backup = etc/ssh/ssh_config
@@ -28,6 +28,8 @@ pkgbase = openssh-selinux
backup = etc/pam.d/sshd
source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz.asc
+ source = 67290.patch
+ source = 3122.patch
source = sshdgenkeys.service
source = sshd.service
source = sshd.conf
@@ -36,6 +38,8 @@ pkgbase = openssh-selinux
validpgpkeys = 59C2118ED206D927E667EBE3D3E5F56B6D920D30
sha256sums = f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2
sha256sums = SKIP
+ sha256sums = 3ccc1c6672521782c154c89607d2c2d7a67e0f66a349260e00e28ae999ea54f5
+ sha256sums = a13330ca7560b25e4defcd4bdecf28ed37b416362e13aebcb0e57164e575e659
sha256sums = 4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7
sha256sums = e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7
sha256sums = 4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6
diff --git a/3122.patch b/3122.patch
new file mode 100644
index 000000000000..0a66daddb9ff
--- /dev/null
+++ b/3122.patch
@@ -0,0 +1,98 @@
+diff -Naur old/servconf.c new/servconf.c
+--- old/servconf.c 2020-05-26 14:38:00.000000000 -1000
++++ new/servconf.c 2020-07-16 10:14:14.076284901 -1000
+@@ -550,6 +550,7 @@
+ #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
+ #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
+ #define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
++#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
+
+ /* Textual representation of the tokens. */
+ static struct {
+@@ -1259,7 +1260,7 @@
+ static int
+ process_server_config_line_depth(ServerOptions *options, char *line,
+ const char *filename, int linenum, int *activep,
+- struct connection_info *connectinfo, int inc_flags, int depth,
++ struct connection_info *connectinfo, int *inc_flags, int depth,
+ struct include_list *includes)
+ {
+ char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
+@@ -2002,7 +2003,9 @@
+ parse_server_config_depth(options,
+ item->filename, item->contents,
+ includes, connectinfo,
+- (oactive ? 0 : SSHCFG_NEVERMATCH),
++ (*inc_flags & SSHCFG_MATCH_ONLY
++ ? SSHCFG_MATCH_ONLY : (oactive
++ ? 0 : SSHCFG_NEVERMATCH)),
+ activep, depth + 1);
+ }
+ found = 1;
+@@ -2050,7 +2053,9 @@
+ parse_server_config_depth(options,
+ item->filename, item->contents,
+ includes, connectinfo,
+- (oactive ? 0 : SSHCFG_NEVERMATCH),
++ (*inc_flags & SSHCFG_MATCH_ONLY
++ ? SSHCFG_MATCH_ONLY : (oactive
++ ? 0 : SSHCFG_NEVERMATCH)),
+ activep, depth + 1);
+ *activep = oactive;
+ TAILQ_INSERT_TAIL(includes, item, entry);
+@@ -2068,11 +2073,14 @@
+ if (cmdline)
+ fatal("Match directive not supported as a command-line "
+ "option");
+- value = match_cfg_line(&cp, linenum, connectinfo);
++ value = match_cfg_line(&cp, linenum,
++ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
+ if (value < 0)
+ fatal("%s line %d: Bad Match condition", filename,
+ linenum);
+- *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
++ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
++ /* The MATCH_ONLY is applicable only until the first match block */
++ *inc_flags &= ~SSHCFG_MATCH_ONLY;
+ break;
+
+ case sPermitListen:
+@@ -2375,8 +2383,10 @@
+ const char *filename, int linenum, int *activep,
+ struct connection_info *connectinfo, struct include_list *includes)
+ {
++ int inc_flags = 0;
++
+ return process_server_config_line_depth(options, line, filename,
+- linenum, activep, connectinfo, 0, 0, includes);
++ linenum, activep, connectinfo, &inc_flags, 0, includes);
+ }
+
+
+@@ -2581,14 +2591,15 @@
+ if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
+ fatal("Too many recursive configuration includes");
+
+- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
++ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
++ (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
+
+ if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__);
+ linenum = 1;
+ while ((cp = strsep(&cbuf, "\n")) != NULL) {
+ if (process_server_config_line_depth(options, cp,
+- filename, linenum++, activep, connectinfo, flags,
++ filename, linenum++, activep, connectinfo, &flags,
+ depth, includes) != 0)
+ bad_options++;
+ }
+@@ -2606,7 +2617,7 @@
+ {
+ int active = connectinfo ? 0 : 1;
+ parse_server_config_depth(options, filename, conf, includes,
+- connectinfo, 0, &active, 0);
++ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
+ }
+
+ static const char *
diff --git a/67290.patch b/67290.patch
new file mode 100644
index 000000000000..15ee45eb377b
--- /dev/null
+++ b/67290.patch
@@ -0,0 +1,49 @@
+From c514f3c0522855b4d548286eaa113e209051a6d2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 18 Jun 2020 23:33:38 +0000
+Subject: upstream: avoid spurious "Unable to load host key" message when
+
+sshd can load a private key but no public counterpart; with & ok markus@
+
+OpenBSD-Commit-ID: 0713cbdf9aa1ff8ac7b1f78b09ac911af510f81b
+---
+ authfile.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/authfile.c b/authfile.c
+index 35ccf576..946f50ca 100644
+--- a/authfile.c
++++ b/authfile.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: authfile.c,v 1.140 2020/04/17 07:15:11 djm Exp $ */
++/* $OpenBSD: authfile.c,v 1.141 2020/06/18 23:33:38 djm Exp $ */
+ /*
+ * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
+ *
+@@ -263,7 +263,7 @@ int
+ sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
+ {
+ char *pubfile = NULL;
+- int r;
++ int r, oerrno;
+
+ if (keyp != NULL)
+ *keyp = NULL;
+@@ -283,8 +283,14 @@ sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
+ if ((r = sshkey_load_pubkey_from_private(filename, keyp)) == 0)
+ goto out;
+
++ /* Pretend we couldn't find the key */
++ r = SSH_ERR_SYSTEM_ERROR;
++ errno = ENOENT;
++
+ out:
++ oerrno = errno;
+ free(pubfile);
++ errno = oerrno;
+ return r;
+ }
+
+--
+cgit v1.2.3
+
diff --git a/PKGBUILD b/PKGBUILD
index d9dc3b7b8219..e45427a5c952 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -10,7 +10,7 @@
pkgname=openssh-selinux
pkgver=8.3p1
-pkgrel=1
+pkgrel=3
pkgdesc='Premier connectivity tool for remote login with the SSH protocol, with SELinux support'
url='https://www.openssh.com/portable.html'
license=('custom:BSD')
@@ -28,6 +28,8 @@ groups=('selinux')
validpgpkeys=('59C2118ED206D927E667EBE3D3E5F56B6D920D30')
#source=("git://anongit.mindrot.org/openssh.git?signed#tag=V_8_2_P1"
source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux}-${pkgver}.tar.gz"{,.asc}
+ '67290.patch'
+ '3122.patch'
'sshdgenkeys.service'
'sshd.service'
'sshd.conf'
@@ -35,6 +37,8 @@ source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux
'glibc-2.31.patch')
sha256sums=('f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2'
'SKIP'
+ '3ccc1c6672521782c154c89607d2c2d7a67e0f66a349260e00e28ae999ea54f5'
+ 'a13330ca7560b25e4defcd4bdecf28ed37b416362e13aebcb0e57164e575e659'
'4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7'
'e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7'
'4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6'
@@ -47,6 +51,15 @@ install=install
prepare() {
cd "${srcdir}/${pkgname/-selinux}-${pkgver}"
+
+ # Fix FS#67290
+ # From https://anongit.mindrot.org/openssh.git/patch/?id=c514f3c0522855b4d548286eaa113e209051a6d2
+ patch -p1 -i ../67290.patch
+
+ # Fix https://bugzilla.mindrot.org/show_bug.cgi?id=3122
+ # Backported from https://anongit.mindrot.org/openssh.git/patch/?id=7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01'
+ patch -p1 -i ../3122.patch
+
patch -p1 -i ../glibc-2.31.patch
autoreconf
}