Fix the handling of Port directives after Include

Closes: #962035 LP: #1876320
author: Colin Watson <cjwatson@debian.org> 2020-06-07 13:15:05 +0100
committer: Colin Watson <cjwatson@debian.org> 2020-06-07 13:19:51 +0100
commit: a37608b8084ff62336307f901c9139c2441c11d6 (patch)
tree: 9c2954130816d1c042d6d7bec9aa31ecd26706d4 /debian
parent: 58c1c4c51fb50edd0080d9483a1012fd2069c9cb (diff)
parent: 877a000e9474ed5e32029f434dbec4de2fb1696f (diff)
4 files changed, 72 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 033091076..0e68bd57c 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-39b8d128ef980a410bb1ea0ee80e95ac9fff59c3
+877a000e9474ed5e32029f434dbec4de2fb1696f
-39b8d128ef980a410bb1ea0ee80e95ac9fff59c3
+877a000e9474ed5e32029f434dbec4de2fb1696f
 202f5a676221c244cd450086c334c2b59f339e86
 202f5a676221c244cd450086c334c2b59f339e86
 openssh_8.3p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 9ac2ca4b0..7ceb917bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -80,6 +80,8 @@ openssh (1:8.3p1-1) UNRELEASED; urgency=medium
    - Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732
      was published.
  * Use AUTOPKGTEST_TMP rather than the deprecated ADTTMP.
+  * Apply upstream patch to fix the handling of Port directives after
+    Include (closes: #962035, LP: #1876320).
 -- Colin Watson <cjwatson@debian.org>  Sun, 07 Jun 2020 10:25:54 +0100
diff --git a/debian/patches/avoid-extra-ports.patch b/debian/patches/avoid-extra-ports.patch
new file mode 100644
index 000000000..d8df325ac
--- /dev/null
+++ b/debian/patches/avoid-extra-ports.patch
@@ -0,0 +1,67 @@
+From 877a000e9474ed5e32029f434dbec4de2fb1696f Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 27 May 2020 21:59:11 +0000
+Subject: upstream: Do not call process_queued_listen_addrs() for every
+included file from sshd_config; patch from Jakub Jelen
+OpenBSD-Commit-ID: 0ff603d6f06a7fab4881f12503b53024799d0a49
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=0a9a611619b0a1fecd0195ec86a9885f5d681c84
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3169
+Bug-Debian: https://bugs.debian.org/962035
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1876320
+Last-Update: 2020-06-07
+Patch-Name: avoid-extra-ports.patch
+---
+ servconf.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/servconf.c b/servconf.c
+index c290e9786..5f3336365 100644
+--- a/servconf.c
+++ b/servconf.c
+@@ -1,5 +1,5 @@
+ 
+-/* $OpenBSD: servconf.c,v 1.363 2020/04/17 03:30:05 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.364 2020/05/27 21:59:11 djm Exp $ */
+ /*
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+  *                    All rights reserved
+@@ -75,8 +75,8 @@ static void add_listen_addr(ServerOptions *, const char *,
+     const char *, int);
+ static void add_one_listen_addr(ServerOptions *, const char *,
+     const char *, int);
+-void parse_server_config_depth(ServerOptions *options, const char *filename,
+-    struct sshbuf *conf, struct include_list *includes,
+static void parse_server_config_depth(ServerOptions *options,
+    const char *filename, struct sshbuf *conf, struct include_list *includes,
+     struct connection_info *connectinfo, int flags, int *activep, int depth);
+ 
+ /* Use of privilege separation or not */
+@@ -2623,7 +2623,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+ #undef M_CP_STRARRAYOPT
+ 
+ #define SERVCONF_MAX_DEPTH     16
+-void
+static void
+ parse_server_config_depth(ServerOptions *options, const char *filename,
+     struct sshbuf *conf, struct include_list *includes,
+     struct connection_info *connectinfo, int flags, int *activep, int depth)
+@@ -2649,7 +2649,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
+        if (bad_options > 0)
+                fatal("%s: terminating, %d bad configuration options",
+                    filename, bad_options);
+-       process_queued_listen_addrs(options);
+ }
+ 
+ void
+@@ -2660,6 +2659,7 @@ parse_server_config(ServerOptions *options, const char *filename,
+        int active = connectinfo ? 0 : 1;
+        parse_server_config_depth(options, filename, conf, includes,
+            connectinfo, 0, &active, 0);
+       process_queued_listen_addrs(options);
+ }
+ 
+ static const char *
diff --git a/debian/patches/series b/debian/patches/series
index 8c1046a74..9abd84350 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ debian-config.patch
 restore-authorized_keys2.patch
 conch-old-privkey-format.patch
 revert-ipqos-defaults.patch
+avoid-extra-ports.patch
author	Colin Watson <cjwatson@debian.org>	2020-06-07 13:15:05 +0100
committer	Colin Watson <cjwatson@debian.org>	2020-06-07 13:19:51 +0100
commit	a37608b8084ff62336307f901c9139c2441c11d6 (patch)
tree	9c2954130816d1c042d6d7bec9aa31ecd26706d4 /debian
parent	58c1c4c51fb50edd0080d9483a1012fd2069c9cb (diff)
parent	877a000e9474ed5e32029f434dbec4de2fb1696f (diff)

diff --git a/debian/.git-dpm b/debian/.git-dpm index 033091076..0e68bd57c 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	39b8d128ef980a410bb1ea0ee80e95ac9fff59c3	2	877a000e9474ed5e32029f434dbec4de2fb1696f
3	39b8d128ef980a410bb1ea0ee80e95ac9fff59c3	3	877a000e9474ed5e32029f434dbec4de2fb1696f
4	202f5a676221c244cd450086c334c2b59f339e86	4	202f5a676221c244cd450086c334c2b59f339e86
5	202f5a676221c244cd450086c334c2b59f339e86	5	202f5a676221c244cd450086c334c2b59f339e86
6	openssh_8.3p1.orig.tar.gz	6	openssh_8.3p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 9ac2ca4b0..7ceb917bb 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -80,6 +80,8 @@ openssh (1:8.3p1-1) UNRELEASED; urgency=medium
80	- Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732	80	- Enable SHA2-based GSSAPI key exchange methods by default as RFC 8732
81	was published.	81	was published.
82	* Use AUTOPKGTEST_TMP rather than the deprecated ADTTMP.	82	* Use AUTOPKGTEST_TMP rather than the deprecated ADTTMP.
		83	* Apply upstream patch to fix the handling of Port directives after
		84	Include (closes: #962035, LP: #1876320).
83		85
84	-- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 10:25:54 +0100	86	-- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 10:25:54 +0100
85		87


diff --git a/debian/patches/avoid-extra-ports.patch b/debian/patches/avoid-extra-ports.patch new file mode 100644 index 000000000..d8df325ac --- /dev/null +++ b/debian/patches/avoid-extra-ports.patch
@@ -0,0 +1,67 @@
		1	From 877a000e9474ed5e32029f434dbec4de2fb1696f Mon Sep 17 00:00:00 2001
		2	From: "djm@openbsd.org" <djm@openbsd.org>
		3	Date: Wed, 27 May 2020 21:59:11 +0000
		4	Subject: upstream: Do not call process_queued_listen_addrs() for every
		5
		6	included file from sshd_config; patch from Jakub Jelen
		7
		8	OpenBSD-Commit-ID: 0ff603d6f06a7fab4881f12503b53024799d0a49
		9
		10	Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=0a9a611619b0a1fecd0195ec86a9885f5d681c84
		11	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3169
		12	Bug-Debian: https://bugs.debian.org/962035
		13	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1876320
		14	Last-Update: 2020-06-07
		15
		16	Patch-Name: avoid-extra-ports.patch
		17	---
		18	servconf.c \| 10 +++++-----
		19	1 file changed, 5 insertions(+), 5 deletions(-)
		20
		21	diff --git a/servconf.c b/servconf.c
		22	index c290e9786..5f3336365 100644
		23	--- a/servconf.c
		24	+++ b/servconf.c
		25	@@ -1,5 +1,5 @@
		26
		27	-/* $OpenBSD: servconf.c,v 1.363 2020/04/17 03:30:05 djm Exp $ */
		28	+/* $OpenBSD: servconf.c,v 1.364 2020/05/27 21:59:11 djm Exp $ */
		29	/*
		30	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
		31	* All rights reserved
		32	@@ -75,8 +75,8 @@ static void add_listen_addr(ServerOptions , const char ,
		33	const char *, int);
		34	static void add_one_listen_addr(ServerOptions , const char ,
		35	const char *, int);
		36	-void parse_server_config_depth(ServerOptions options, const char filename,
		37	- struct sshbuf conf, struct include_list includes,
		38	+static void parse_server_config_depth(ServerOptions *options,
		39	+ const char filename, struct sshbuf conf, struct include_list *includes,
		40	struct connection_info connectinfo, int flags, int activep, int depth);
		41
		42	/* Use of privilege separation or not */
		43	@@ -2623,7 +2623,7 @@ copy_set_server_options(ServerOptions dst, ServerOptions src, int preauth)
		44	#undef M_CP_STRARRAYOPT
		45
		46	#define SERVCONF_MAX_DEPTH 16
		47	-void
		48	+static void
		49	parse_server_config_depth(ServerOptions options, const char filename,
		50	struct sshbuf conf, struct include_list includes,
		51	struct connection_info connectinfo, int flags, int activep, int depth)
		52	@@ -2649,7 +2649,6 @@ parse_server_config_depth(ServerOptions options, const char filename,
		53	if (bad_options > 0)
		54	fatal("%s: terminating, %d bad configuration options",
		55	filename, bad_options);
		56	- process_queued_listen_addrs(options);
		57	}
		58
		59	void
		60	@@ -2660,6 +2659,7 @@ parse_server_config(ServerOptions options, const char filename,
		61	int active = connectinfo ? 0 : 1;
		62	parse_server_config_depth(options, filename, conf, includes,
		63	connectinfo, 0, &active, 0);
		64	+ process_queued_listen_addrs(options);
		65	}
		66
		67	static const char *


diff --git a/debian/patches/series b/debian/patches/series index 8c1046a74..9abd84350 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -23,3 +23,4 @@ debian-config.patch
23	restore-authorized_keys2.patch	23	restore-authorized_keys2.patch
24	conch-old-privkey-format.patch	24	conch-old-privkey-format.patch
25	revert-ipqos-defaults.patch	25	revert-ipqos-defaults.patch
		26	avoid-extra-ports.patch