author | Nicolas Iooss | 2020-07-19 12:41:12 +0200 |
---|---|---|
committer | Nicolas Iooss | 2020-07-19 12:41:12 +0200 |
commit | 79aa2caa6ae0cc139d61f96f540a5beef7db911a (patch) | |
tree | 19f55d84d0358c8957fddcc2fbc0294aee15eed9 | |
parent | 860352ca8c541846c01aa37a6e298007e3c79091 (diff) | |
download | aur-79aa2caa6ae0cc139d61f96f540a5beef7db911a.tar.gz |
openssh-selinux 8.3p1-3 update
-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | 3122.patch | 98 | ||||
-rw-r--r-- | 67290.patch | 49 | ||||
-rw-r--r-- | PKGBUILD | 15 |
4 files changed, 168 insertions, 4 deletions
@@ -1,7 +1,7 @@
 pkgbase = openssh-selinux
 pkgdesc = Premier connectivity tool for remote login with the SSH protocol, with SELinux support
 pkgver = 8.3p1
- pkgrel = 1
+ pkgrel = 3
 url = https://www.openssh.com/portable.html
 install = install
 arch = x86_64
@@ -19,8 +19,8 @@ pkgbase = openssh-selinux
 optdepends = xorg-xauth: X11 forwarding
 optdepends = x11-ssh-askpass: input passphrase in X
 optdepends = libfido2: FIDO/U2F support
- provides = openssh=8.3p1-1
- provides = selinux-openssh=8.3p1-1
+ provides = openssh=8.3p1-3
+ provides = selinux-openssh=8.3p1-3
 conflicts = openssh
 conflicts = selinux-openssh
 backup = etc/ssh/ssh_config
@@ -28,6 +28,8 @@ pkgbase = openssh-selinux
 backup = etc/pam.d/sshd
 source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
 source = https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz.asc
+ source = 67290.patch
+ source = 3122.patch
 source = sshdgenkeys.service
 source = sshd.service
 source = sshd.conf
@@ -36,6 +38,8 @@ pkgbase = openssh-selinux
 validpgpkeys = 59C2118ED206D927E667EBE3D3E5F56B6D920D30
 sha256sums = f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2
 sha256sums = SKIP
+ sha256sums = 3ccc1c6672521782c154c89607d2c2d7a67e0f66a349260e00e28ae999ea54f5
+ sha256sums = a13330ca7560b25e4defcd4bdecf28ed37b416362e13aebcb0e57164e575e659
 sha256sums = 4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7
 sha256sums = e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7
 sha256sums = 4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6
diff --git a/3122.patch b/3122.patch
new file mode 100644
index 000000000000..0a66daddb9ff
--- /dev/null
+++ b/3122.patch
@@ -0,0 +1,98 @@
+diff -Naur old/servconf.c new/servconf.c
+--- old/servconf.c 2020-05-26 14:38:00.000000000 -1000
++++ new/servconf.c 2020-07-16 10:14:14.076284901 -1000
+@@ -550,6 +550,7 @@
+ #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
+ #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
+ #define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
++#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
+
+ /* Textual representation of the tokens. */
+ static struct {
+@@ -1259,7 +1260,7 @@
+ static int
+ process_server_config_line_depth(ServerOptions *options, char *line,
+ const char *filename, int linenum, int *activep,
+- struct connection_info *connectinfo, int inc_flags, int depth,
++ struct connection_info *connectinfo, int *inc_flags, int depth,
+ struct include_list *includes)
+ {
+ char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
+@@ -2002,7 +2003,9 @@
+ parse_server_config_depth(options,
+ item->filename, item->contents,
+ includes, connectinfo,
+- (oactive ? 0 : SSHCFG_NEVERMATCH),
++ (*inc_flags & SSHCFG_MATCH_ONLY
++ ? SSHCFG_MATCH_ONLY : (oactive
++ ? 0 : SSHCFG_NEVERMATCH)),
+ activep, depth + 1);
+ }
+ found = 1;
+@@ -2050,7 +2053,9 @@
+ parse_server_config_depth(options,
+ item->filename, item->contents,
+ includes, connectinfo,
+- (oactive ? 0 : SSHCFG_NEVERMATCH),
++ (*inc_flags & SSHCFG_MATCH_ONLY
++ ? SSHCFG_MATCH_ONLY : (oactive
++ ? 0 : SSHCFG_NEVERMATCH)),
+ activep, depth + 1);
+ *activep = oactive;
+ TAILQ_INSERT_TAIL(includes, item, entry);
+@@ -2068,11 +2073,14 @@
+ if (cmdline)
+ fatal("Match directive not supported as a command-line "
+ "option");
+- value = match_cfg_line(&cp, linenum, connectinfo);
++ value = match_cfg_line(&cp, linenum,
++ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
+ if (value < 0)
+ fatal("%s line %d: Bad Match condition", filename,
+ linenum);
+- *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
++ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
++ /* The MATCH_ONLY is applicable only until the first match block */
++ *inc_flags &= ~SSHCFG_MATCH_ONLY;
+ break;
+
+ case sPermitListen:
+@@ -2375,8 +2383,10 @@
+ const char *filename, int linenum, int *activep,
+ struct connection_info *connectinfo, struct include_list *includes)
+ {
++ int inc_flags = 0;
++
+ return process_server_config_line_depth(options, line, filename,
+- linenum, activep, connectinfo, 0, 0, includes);
++ linenum, activep, connectinfo, &inc_flags, 0, includes);
+ }
+
+
+@@ -2581,14 +2591,15 @@
+ if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
+ fatal("Too many recursive configuration includes");
+
+- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
++ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
++ (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
+
+ if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__);
+ linenum = 1;
+ while ((cp = strsep(&cbuf, "\n")) != NULL) {
+ if (process_server_config_line_depth(options, cp,
+- filename, linenum++, activep, connectinfo, flags,
++ filename, linenum++, activep, connectinfo, &flags,
+ depth, includes) != 0)
+ bad_options++;
+ }
+@@ -2606,7 +2617,7 @@
+ {
+ int active = connectinfo ? 0 : 1;
+ parse_server_config_depth(options, filename, conf, includes,
+- connectinfo, 0, &active, 0);
++ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
+ }
+
+ static const char *
diff --git a/67290.patch b/67290.patch
new file mode 100644
index 000000000000..15ee45eb377b
--- /dev/null
+++ b/67290.patch
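Review bot: `inc_flags` is now an `int *` that the Match case writes through (`*inc_flags &= ~SSHCFG_MATCH_ONLY;`), yet nothing at the `process_server_config_line_depth` signature tells a reader the argument became in/out. In `parse_server_config_depth` the loop passes `&flags`, which appears to be that function's own by-value parameter, so the cleared bit lasts for the remaining lines of the same file and is not handed back to the including file; if that is the intent, a comment such as `/* inc_flags is in/out: the first Match line clears SSHCFG_MATCH_ONLY for the rest of this file */` above the signature would pin it down. The function bodies start and end outside the inner hunks, so this is read from the visible lines only. Since the patch changes which included Match blocks sshd treats as active, it is worth checking the effective settings with `sshd -T -C ...` on a configuration that has an Include ahead of a Match block before shipping the package.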
@@ -0,0 +1,49 @@
+From c514f3c0522855b4d548286eaa113e209051a6d2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 18 Jun 2020 23:33:38 +0000
+Subject: upstream: avoid spurious "Unable to load host key" message when
+
+sshd can load a private key but no public counterpart; with & ok markus@
+
+OpenBSD-Commit-ID: 0713cbdf9aa1ff8ac7b1f78b09ac911af510f81b
+---
+ authfile.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/authfile.c b/authfile.c
+index 35ccf576..946f50ca 100644
+--- a/authfile.c
++++ b/authfile.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: authfile.c,v 1.140 2020/04/17 07:15:11 djm Exp $ */
++/* $OpenBSD: authfile.c,v 1.141 2020/06/18 23:33:38 djm Exp $ */
+ /*
+ * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
+ *
+@@ -263,7 +263,7 @@ int
+ sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
+ {
+ char *pubfile = NULL;
+- int r;
++ int r, oerrno;
+
+ if (keyp != NULL)
+ *keyp = NULL;
+@@ -283,8 +283,14 @@ sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
+ if ((r = sshkey_load_pubkey_from_private(filename, keyp)) == 0)
+ goto out;
+
++ /* Pretend we couldn't find the key */
++ r = SSH_ERR_SYSTEM_ERROR;
++ errno = ENOENT;
++
+ out:
++ oerrno = errno;
+ free(pubfile);
++ errno = oerrno;
+ return r;
+ }
+
+--
+cgit v1.2.3
+
@@ -10,7 +10,7 @@ pkgname=openssh-selinux pkgver=8.3p1 -pkgrel=1 +pkgrel=3 pkgdesc='Premier connectivity tool for remote login with the SSH protocol, with SELinux support' url='https://www.openssh.com/portable.html' license=('custom:BSD')
@@ -28,6 +28,8 @@ groups=('selinux') validpgpkeys=('59C2118ED206D927E667EBE3D3E5F56B6D920D30') #source=("git://anongit.mindrot.org/openssh.git?signed#tag=V_8_2_P1" source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux}-${pkgver}.tar.gz"{,.asc} + '67290.patch' + '3122.patch' 'sshdgenkeys.service' 'sshd.service' 'sshd.conf'
@@ -35,6 +37,8 @@ source=("https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname/-selinux 'glibc-2.31.patch') sha256sums=('f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2' 'SKIP' + '3ccc1c6672521782c154c89607d2c2d7a67e0f66a349260e00e28ae999ea54f5' + 'a13330ca7560b25e4defcd4bdecf28ed37b416362e13aebcb0e57164e575e659' '4031577db6416fcbaacf8a26a024ecd3939e5c10fe6a86ee3f0eea5093d533b7' 'e40f8b7c8e5e2ecf3084b3511a6c36d5b5c9f9e61f2bb13e3726c71dc7d4fbc7' '4effac1186cc62617f44385415103021f72f674f8b8e26447fc1139c670090f6'
@@ -47,6 +51,15 @@ install=install prepare() { cd "${srcdir}/${pkgname/-selinux}-${pkgver}" + + # Fix FS#67290 + # From https://anongit.mindrot.org/openssh.git/patch/?id=c514f3c0522855b4d548286eaa113e209051a6d2 + patch -p1 -i ../67290.patch + + # Fix https://bugzilla.mindrot.org/show_bug.cgi?id=3122 + # Backported from https://anongit.mindrot.org/openssh.git/patch/?id=7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01' + patch -p1 -i ../3122.patch + patch -p1 -i ../glibc-2.31.patch autoreconf } |
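Review bot: The URL in the comment above `patch -p1 -i ../3122.patch` ends in a stray `'`, so the commit id cannot be pasted as written; it should read `# Backported from https://anongit.mindrot.org/openssh.git/patch/?id=7af1e92cd289b7eaa9a683e9a6f2fddd98f37a01`. 3122.patch is a `diff -Naur` backport rather than the upstream patch bytes, so its `sha256sums` entry pins only the copy stored in this repository and cannot be re-derived from that URL the way 67290.patch presumably can. A second comment line saying what was adapted from the upstream commit would let a reviewer compare the two without re-diffing servconf.c.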