authorLuca Weiss <luca@z3ntu.xyz>2019-10-04 21:33:48 +0200
committerJakub Jirutka <jakub@jirutka.cz>2019-10-14 16:58:39 +0200
commitb06c902e1640a479d74788b5831c0360737ecd5f (patch)
tree2d5e68193fddf88c21cba69452cc0bc414113c99
parenta8034aa3511680d7996e46d4cb0656d4d32df01d (diff)
downloadaports-b06c902e1640a479d74788b5831c0360737ecd5f.tar.bz2
aports-b06c902e1640a479d74788b5831c0360737ecd5f.tar.xz
main/openssh: fix login on old kernels with openssl 1.1.1d
See:
- https://github.com/openssl/openssl/issues/9984
- https://github.com/openssh/openssh-portable/pull/149
- https://gitlab.com/postmarketOS/pmaports/issues/367

Closes GH-11780
-rw-r--r--main/openssh/0001-Deny-non-fatal-shmget-shmat-shmdt-in-preauth-privsep.patch37
-rw-r--r--main/openssh/APKBUILD4
2 files changed, 40 insertions, 1 deletions
diff --git a/main/openssh/0001-Deny-non-fatal-shmget-shmat-shmdt-in-preauth-privsep.patch b/main/openssh/0001-Deny-non-fatal-shmget-shmat-shmdt-in-preauth-privsep.patch
new file mode 100644
index 0000000000..f7527a1a44
--- /dev/null
+++ b/main/openssh/0001-Deny-non-fatal-shmget-shmat-shmdt-in-preauth-privsep.patch
@@ -0,0 +1,37 @@
+From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001
+From: Lonnie Abelbeck <lonnie@abelbeck.com>
+Date: Tue, 1 Oct 2019 09:05:09 -0500
+Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
+
+New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
+in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
+---
+
+Source: https://github.com/openssh/openssh-portable/commit/3ef92a657444f172b61f92d5da66d94fa8265602
+
+ sandbox-seccomp-filter.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 840c5232..39dc289e 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_stat64
+ SC_DENY(__NR_stat64, EACCES),
+ #endif
++#ifdef __NR_shmget
++ SC_DENY(__NR_shmget, EACCES),
++#endif
++#ifdef __NR_shmat
++ SC_DENY(__NR_shmat, EACCES),
++#endif
++#ifdef __NR_shmdt
++ SC_DENY(__NR_shmdt, EACCES),
++#endif
+
+ /* Syscalls to permit */
+ #ifdef __NR_brk
+--
+2.23.0
+
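Review bot: The three added `SC_DENY` entries are built only where `__NR_shmget`, `__NR_shmat` and `__NR_shmdt` are defined, so on ABIs whose libc routes SysV shared memory through the multiplexed `ipc(2)` syscall (32-bit x86 or s390x with older kernel headers, for example) none of them may be compiled in, and the shm calls made by OpenSSL 1.1.1d would presumably still fall through to the filter's default action. Whether `preauth_insns[]` already handles `__NR_ipc` cannot be seen here, because the array starts and ends outside the hunk; if it does not, consider adding `#ifdef __NR_ipc` / `SC_DENY(__NR_ipc, EACCES),` / `#endif` next to these entries so the denial stays non-fatal on every packaged architecture. A short comment above the block, such as `/* OpenSSL 1.1.1d wait_random_seeded() probes SysV shm preauth; deny without killing the child */`, would also record why these calls are denied rather than permitted.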
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index e9f4bf24be..c0822aa950 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
pkgname=openssh
pkgver=7.9_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=5
+pkgrel=6
pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.org/portable.html"
arch="all"
@@ -39,6 +39,7 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.ta
bsd-compatible-realpath.patch
sftp-interactive.patch
disable-forwarding-by-default.patch
+ 0001-Deny-non-fatal-shmget-shmat-shmdt-in-preauth-privsep.patch
sshd.initd
sshd.confd
@@ -215,5 +216,6 @@ f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b33894
f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch
+64d3905875248e537a81369456e5b0b3f53492d1502e21fedc926d57ca69e82ea3c2bdc8c6ebbf4d87f7cb11c32166acfe1aa62ad832ed0073b7c49c9c669a2f 0001-Deny-non-fatal-shmget-shmat-shmdt-in-preauth-privsep.patch
8122ac1838586a1487dad1f70ed2ec8161ae57b4a7ee8bfef9757b590aa76a887a6c5e5f2575728da4c6c2f00d2a924360e23d84a4df204d7021b44b690cb2f8 sshd.initd
ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc sshd.confd"