New upstream release (8.0p1)

author: Colin Watson <cjwatson@debian.org> 2019-06-05 06:41:44 +0100
committer: Colin Watson <cjwatson@debian.org> 2019-06-09 22:09:07 +0100
commit: 865a97e05b6aab1619e1c8eeb33ccb8f9a9e48d3 (patch)
tree: 7bb2128eb663180bacfabca88f26d26bf0733824 /debian/patches/selinux-role.patch
parent: ba627ba172d6649919baedff5ba2789610da382a (diff)
parent: 7d50f9e5be88179325983a1f58c9d51bb58f025a (diff)
1 files changed, 49 insertions, 49 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 269a87c76..5ab339ac9 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From cf3f6ac19812e4d32874304b3854b055831c2124 Mon Sep 17 00:00:00 2001
+From 21e3ff3ab4791d3c94bd775da66cde29797fcb36 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
 Bug-Debian: http://bugs.debian.org/394795
-Last-Update: 2018-08-24
+Last-Update: 2019-06-05
 Patch-Name: selinux-role.patch
 ---
@@ -31,7 +31,7 @@ Patch-Name: selinux-role.patch
 15 files changed, 99 insertions(+), 32 deletions(-)
 diff --git a/auth.h b/auth.h
-index 977562f0a..90802a5eb 100644
+index bf393e755..8f13bdf48 100644
 --- a/auth.h
 +++ b/auth.h
 @@ -65,6 +65,7 @@ struct Authctxt {
@@ -43,19 +43,19 @@ index 977562f0a..90802a5eb 100644
        /* Method lists for multiple authentication */
        char            **auth_methods; /* modified from server config */
 diff --git a/auth2.c b/auth2.c
-index a77742819..3035926ba 100644
+index 7417eafa4..d60e7f1f2 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -267,7 +267,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 {
        Authctxt *authctxt = ssh->authctxt;
        Authmethod *m = NULL;
-       char *user, *service, *method, *style = NULL;
+-       char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
-+       char *user, *service, *method, *style = NULL, *role = NULL;
+       char *user = NULL, *service = NULL, *method = NULL, *style = NULL, *role = NULL;
-        int authenticated = 0;
+        int r, authenticated = 0;
        double tstart = monotime_double();
 
-@@ -270,8 +270,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -281,8 +281,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
        debug("userauth-request for user %s service %s method %s", user, service, method);
        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
@@ -69,7 +69,7 @@ index a77742819..3035926ba 100644
 
        if (authctxt->attempt++ == 0) {
                /* setup auth context */
-@@ -298,8 +303,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -309,8 +314,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
                    use_privsep ? " [net]" : "");
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
@@ -77,22 +77,22 @@ index a77742819..3035926ba 100644
                if (use_privsep)
 -                       mm_inform_authserv(service, style);
 +                       mm_inform_authserv(service, style, role);
-                userauth_banner();
+                userauth_banner(ssh);
                if (auth2_setup_methods_lists(authctxt) != 0)
-                        packet_disconnect("no authentication methods enabled");
+                        ssh_packet_disconnect(ssh,
 diff --git a/monitor.c b/monitor.c
-index eabc1e89b..08fddabd7 100644
+index 0766d6ef5..5f84e880d 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -117,6 +117,7 @@ int mm_answer_sign(int, struct sshbuf *);
+@@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
- int mm_answer_pwnamallow(int, struct sshbuf *);
+ int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
- int mm_answer_auth2_read_banner(int, struct sshbuf *);
+ int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
- int mm_answer_authserv(int, struct sshbuf *);
+ int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
-+int mm_answer_authrole(int, struct sshbuf *);
+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
- int mm_answer_authpassword(int, struct sshbuf *);
+ int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
- int mm_answer_bsdauthquery(int, struct sshbuf *);
+ int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
- int mm_answer_bsdauthrespond(int, struct sshbuf *);
+ int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
-@@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -197,6 +198,7 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -100,7 +100,7 @@ index eabc1e89b..08fddabd7 100644
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -817,6 +819,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m)
+@@ -819,6 +821,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
 
        /* Allow service/style information on the auth context */
        monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index eabc1e89b..08fddabd7 100644
        monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 
 #ifdef USE_PAM
-@@ -850,16 +853,42 @@ mm_answer_authserv(int sock, struct sshbuf *m)
+@@ -852,16 +855,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
        monitor_permit_authentications(1);
 
        if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
@@ -135,7 +135,7 @@ index eabc1e89b..08fddabd7 100644
 +}
 +
 +int
-+mm_answer_authrole(int sock, struct sshbuf *m)
+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
 +{
 +       int r;
 +
@@ -154,7 +154,7 @@ index eabc1e89b..08fddabd7 100644
        return (0);
 }
 
-@@ -1501,7 +1530,7 @@ mm_answer_pty(int sock, struct sshbuf *m)
+@@ -1528,7 +1557,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
        if (res == 0)
                goto error;
@@ -164,23 +164,23 @@ index eabc1e89b..08fddabd7 100644
        if ((r = sshbuf_put_u32(m, 1)) != 0 ||
            (r = sshbuf_put_cstring(m, s->tty)) != 0)
 diff --git a/monitor.h b/monitor.h
-index 44fbed589..8f65e684d 100644
+index 2b1a2d590..4d87284aa 100644
 --- a/monitor.h
 +++ b/monitor.h
-@@ -66,6 +66,8 @@ enum monitor_reqtype {
+@@ -65,6 +65,8 @@ enum monitor_reqtype {
+ 
        MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
        MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
- 
-+       MONITOR_REQ_AUTHROLE = 154,
 +
+       MONITOR_REQ_AUTHROLE = 154,
 };
 
- struct monitor {
+ struct ssh;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 1865a122a..fd4d7eb3b 100644
+index 8e4c1c1f8..6b3a6251c 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -369,10 +369,10 @@ mm_auth2_read_banner(void)
+@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
        return (banner);
 }
 
@@ -193,7 +193,7 @@ index 1865a122a..fd4d7eb3b 100644
 {
        struct sshbuf *m;
        int r;
-@@ -382,7 +382,8 @@ mm_inform_authserv(char *service, char *style)
+@@ -377,7 +377,8 @@ mm_inform_authserv(char *service, char *style)
        if ((m = sshbuf_new()) == NULL)
                fatal("%s: sshbuf_new failed", __func__);
        if ((r = sshbuf_put_cstring(m, service)) != 0 ||
@@ -203,7 +203,7 @@ index 1865a122a..fd4d7eb3b 100644
                fatal("%s: buffer error: %s", __func__, ssh_err(r));
 
        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
-@@ -390,6 +391,26 @@ mm_inform_authserv(char *service, char *style)
+@@ -385,6 +386,26 @@ mm_inform_authserv(char *service, char *style)
        sshbuf_free(m);
 }
 
@@ -231,17 +231,17 @@ index 1865a122a..fd4d7eb3b 100644
 int
 mm_auth_password(struct ssh *ssh, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 7f93144ff..79e78cc90 100644
+index 69164a8c0..3d0e32d48 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -43,7 +43,8 @@ int mm_is_monitor(void);
+@@ -44,7 +44,8 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
- int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
+ int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
-     const char *, u_int compat);
+     const u_char *, size_t, const char *, u_int compat);
 -void mm_inform_authserv(char *, char *);
 +void mm_inform_authserv(char *, char *, char *);
 +void mm_inform_authrole(char *);
- struct passwd *mm_getpwnamallow(const char *);
+ struct passwd *mm_getpwnamallow(struct ssh *, const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct ssh *, char *);
 diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
@@ -363,10 +363,10 @@ index ea4f9c584..60d72ffe7 100644
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index 2d0958d11..19f38637e 100644
+index ac3d9d19d..d87ea4d44 100644
 --- a/session.c
 +++ b/session.c
-@@ -1380,7 +1380,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
@@ -375,7 +375,7 @@ index 2d0958d11..19f38637e 100644
 {
        char uidstr[32], *chroot_path, *tmp;
 
-@@ -1408,7 +1408,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1384,7 +1384,7 @@ do_setusercontext(struct passwd *pw)
                endgrent();
 #endif
 
@@ -384,7 +384,7 @@ index 2d0958d11..19f38637e 100644
 
                if (!in_chroot && options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1525,7 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 
        /* Force a password change */
        if (s->authctxt->force_pwchange) {
@@ -393,7 +393,7 @@ index 2d0958d11..19f38637e 100644
                child_close_fds(ssh);
                do_pwchange(s);
                exit(1);
-@@ -1565,7 +1565,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1543,7 +1543,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
        /* When PAM is enabled we rely on it to do the nologin check */
        if (!options.use_pam)
                do_nologin(pw);
@@ -402,8 +402,8 @@ index 2d0958d11..19f38637e 100644
        /*
         * PAM session modules in do_setusercontext may have
         * generated messages, so if this in an interactive
-@@ -1955,7 +1955,7 @@ session_pty_req(struct ssh *ssh, Session *s)
+@@ -1942,7 +1942,7 @@ session_pty_req(struct ssh *ssh, Session *s)
-        ssh_tty_parse_modes(ssh, s->ttyfd);
+                sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
 
        if (!use_privsep)
 -               pty_setowner(s->pw, s->tty);
@@ -425,10 +425,10 @@ index ce59dabd9..675c91146 100644
 const char     *session_get_remote_name_or_ip(struct ssh *, u_int, int);
 
 diff --git a/sshd.c b/sshd.c
-index 673db87f6..2bc6679e5 100644
+index 46870d3b5..e3e96426e 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -683,7 +683,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
        reseed_prngs();
 
        /* Drop privileges */
author	Colin Watson <cjwatson@debian.org>	2019-06-05 06:41:44 +0100
committer	Colin Watson <cjwatson@debian.org>	2019-06-09 22:09:07 +0100
commit	865a97e05b6aab1619e1c8eeb33ccb8f9a9e48d3 (patch)
tree	7bb2128eb663180bacfabca88f26d26bf0733824 /debian/patches/selinux-role.patch
parent	ba627ba172d6649919baedff5ba2789610da382a (diff)
parent	7d50f9e5be88179325983a1f58c9d51bb58f025a (diff)