summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/auth-log-verbosity.patch7
-rw-r--r--debian/patches/gssapi.patch23
-rw-r--r--debian/patches/seccomp-getuid-geteuid.patch44
-rw-r--r--debian/patches/seccomp-s390-flock-ipc.patch47
-rw-r--r--debian/patches/seccomp-s390-ioctl-ep11-crypto.patch33
-rw-r--r--debian/patches/series3
-rw-r--r--sandbox-seccomp-filter.c20
9 files changed, 166 insertions, 17 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 011e71d0a..c3f3645c9 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2cda04ac1f5c69710187e602043758063479c3c65 2375f99251da3754666750fe1ed63575ba909f397
3cda04ac1f5c69710187e602043758063479c3c65 3375f99251da3754666750fe1ed63575ba909f397
46fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 46fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
56fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 56fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
6openssh_7.5p1.orig.tar.gz 6openssh_7.5p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index ab93af357..6cae8eb74 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:7.5p1-8) UNRELEASED; urgency=medium
3 * Drop openssh-client-ssh1, now built by a separate source package. 3 * Drop openssh-client-ssh1, now built by a separate source package.
4 * Run haveged during autopkgtests to ensure that they have enough entropy 4 * Run haveged during autopkgtests to ensure that they have enough entropy
5 for key generation (LP: #1712921). 5 for key generation (LP: #1712921).
6 * Apply patches from https://bugzilla.mindrot.org/show_bug.cgi?id=2752 to
7 allow some extra syscalls for crypto cards on s390x (LP: #1686618).
6 8
7 -- Colin Watson <cjwatson@debian.org> Sun, 27 Aug 2017 23:24:58 +0100 9 -- Colin Watson <cjwatson@debian.org> Sun, 27 Aug 2017 23:24:58 +0100
8 10
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 6b5653ca7..fb3855f9a 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -18,7 +18,7 @@ diff --git a/auth-options.c b/auth-options.c
18index 57b49f7f..7eb87b35 100644 18index 57b49f7f..7eb87b35 100644
19--- a/auth-options.c 19--- a/auth-options.c
20+++ b/auth-options.c 20+++ b/auth-options.c
21@@ -59,9 +59,20 @@ int forced_tun_device = -1; 21@@ -59,8 +59,19 @@ int forced_tun_device = -1;
22 /* "principals=" option. */ 22 /* "principals=" option. */
23 char *authorized_principals = NULL; 23 char *authorized_principals = NULL;
24 24
@@ -28,17 +28,16 @@ index 57b49f7f..7eb87b35 100644
28+ 28+
29 extern ServerOptions options; 29 extern ServerOptions options;
30 30
31 void 31+void
32+auth_start_parse_options(void) 32+auth_start_parse_options(void)
33+{ 33+{
34+ logged_from_hostip = 0; 34+ logged_from_hostip = 0;
35+ logged_cert_hostip = 0; 35+ logged_cert_hostip = 0;
36+} 36+}
37+ 37+
38+void 38 void
39 auth_clear_options(void) 39 auth_clear_options(void)
40 { 40 {
41 no_agent_forwarding_flag = 0;
42@@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) 41@@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
43 /* FALLTHROUGH */ 42 /* FALLTHROUGH */
44 case 0: 43 case 0:
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index c74926dc6..deddbcb80 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -266,10 +266,11 @@ index 6ee6116d..c6390687 100644
266 return 1; 266 return 1;
267 break; 267 break;
268 case PERMIT_FORCED_ONLY: 268 case PERMIT_FORCED_ONLY:
269@@ -795,99 +796,6 @@ fakepw(void) 269@@ -794,99 +795,6 @@ fakepw(void)
270 return (&fake);
270 } 271 }
271 272
272 /* 273-/*
273- * Returns the remote DNS hostname as a string. The returned string must not 274- * Returns the remote DNS hostname as a string. The returned string must not
274- * be freed. NB. this will usually trigger a DNS query the first time it is 275- * be freed. NB. this will usually trigger a DNS query the first time it is
275- * called. 276- * called.
@@ -362,10 +363,9 @@ index 6ee6116d..c6390687 100644
362- return strdup(name); 363- return strdup(name);
363-} 364-}
364- 365-
365-/* 366 /*
366 * Return the canonical name of the host in the other side of the current 367 * Return the canonical name of the host in the other side of the current
367 * connection. The host name is cached, so it is efficient to call this 368 * connection. The host name is cached, so it is efficient to call this
368 * several times.
369diff --git a/auth2-gss.c b/auth2-gss.c 369diff --git a/auth2-gss.c b/auth2-gss.c
370index 1ca83577..3b5036df 100644 370index 1ca83577..3b5036df 100644
371--- a/auth2-gss.c 371--- a/auth2-gss.c
@@ -875,10 +875,11 @@ index 62559ed9..0b3ae073 100644
875 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 875 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
876 0, NULL, recv_tok, NULL, send_tok, flags, NULL); 876 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
877 877
878@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) 878@@ -227,9 +382,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
879 return (ctx->major);
879 } 880 }
880 881
881 OM_uint32 882+OM_uint32
882+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name) 883+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
883+{ 884+{
884+ gss_buffer_desc gssbuf; 885+ gss_buffer_desc gssbuf;
@@ -909,7 +910,7 @@ index 62559ed9..0b3ae073 100644
909+ return(ctx->major); 910+ return(ctx->major);
910+} 911+}
911+ 912+
912+OM_uint32 913 OM_uint32
913 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) 914 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
914 { 915 {
915+ if (ctx == NULL) 916+ if (ctx == NULL)
@@ -1199,10 +1200,11 @@ index 53993d67..2e27cbf9 100644
1199 1200
1200 #ifdef KRB5 1201 #ifdef KRB5
1201 extern ssh_gssapi_mech gssapi_kerberos_mech; 1202 extern ssh_gssapi_mech gssapi_kerberos_mech;
1202@@ -142,6 +147,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) 1203@@ -141,6 +146,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
1204 return (ssh_gssapi_acquire_cred(*ctx));
1203 } 1205 }
1204 1206
1205 /* Unprivileged */ 1207+/* Unprivileged */
1206+char * 1208+char *
1207+ssh_gssapi_server_mechanisms(void) { 1209+ssh_gssapi_server_mechanisms(void) {
1208+ if (supported_oids == NULL) 1210+ if (supported_oids == NULL)
@@ -1224,10 +1226,9 @@ index 53993d67..2e27cbf9 100644
1224+ return (res); 1226+ return (res);
1225+} 1227+}
1226+ 1228+
1227+/* Unprivileged */ 1229 /* Unprivileged */
1228 void 1230 void
1229 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1231 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1230 {
1231@@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) 1232@@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
1232 gss_OID_set supported; 1233 gss_OID_set supported;
1233 1234
diff --git a/debian/patches/seccomp-getuid-geteuid.patch b/debian/patches/seccomp-getuid-geteuid.patch
new file mode 100644
index 000000000..c829abaa9
--- /dev/null
+++ b/debian/patches/seccomp-getuid-geteuid.patch
@@ -0,0 +1,44 @@
1From b2195f2116754f99fff8ceae026931be3aa3cd3b Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 13:31:05 -0300
4Subject: Allow getuid and geteuid calls
5
6getuid and geteuid are needed when using an openssl engine that calls a
7crypto card, e.g. ICA (libica).
8Those syscalls are also needed by the distros for audit code.
9
10Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
11
12Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
13Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
14Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
15Last-Update: 2017-08-28
16
17Patch-Name: seccomp-getuid-geteuid.patch
18---
19 sandbox-seccomp-filter.c | 12 ++++++++++++
20 1 file changed, 12 insertions(+)
21
22diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
23index 997b66ff..4cbaaa2e 100644
24--- a/sandbox-seccomp-filter.c
25+++ b/sandbox-seccomp-filter.c
26@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
27 #ifdef __NR_getpid
28 SC_ALLOW(__NR_getpid),
29 #endif
30+#ifdef __NR_getuid
31+ SC_ALLOW(__NR_getuid),
32+#endif
33+#ifdef __NR_getuid32
34+ SC_ALLOW(__NR_getuid32),
35+#endif
36+#ifdef __NR_geteuid
37+ SC_ALLOW(__NR_geteuid),
38+#endif
39+#ifdef __NR_geteuid32
40+ SC_ALLOW(__NR_geteuid32),
41+#endif
42 #ifdef __NR_getrandom
43 SC_ALLOW(__NR_getrandom),
44 #endif
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
new file mode 100644
index 000000000..7b5ed1098
--- /dev/null
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -0,0 +1,47 @@
1From 057d62d148428cf0411cf37d00feb8741e5a424c Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 10:53:04 -0300
4Subject: Allow flock and ipc syscall for s390 architecture
5
6In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
7and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
8implementation) which calls the libraries that will communicate with the
9crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
10this is only need on s390 architecture.
11
12Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
13
14Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
16Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
17Last-Update: 2017-08-28
18
19Patch-Name: seccomp-s390-flock-ipc.patch
20---
21 sandbox-seccomp-filter.c | 6 ++++++
22 1 file changed, 6 insertions(+)
23
24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
25index 2831e9d1..997b66ff 100644
26--- a/sandbox-seccomp-filter.c
27+++ b/sandbox-seccomp-filter.c
28@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
29 #ifdef __NR_exit_group
30 SC_ALLOW(__NR_exit_group),
31 #endif
32+#if defined(__NR_flock) && defined(__s390__)
33+ SC_ALLOW(__NR_flock),
34+#endif
35 #ifdef __NR_getpgid
36 SC_ALLOW(__NR_getpgid),
37 #endif
38@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
39 #ifdef __NR_gettimeofday
40 SC_ALLOW(__NR_gettimeofday),
41 #endif
42+#if defined(__NR_ipc) && defined(__s390__)
43+ SC_ALLOW(__NR_ipc),
44+#endif
45 #ifdef __NR_madvise
46 SC_ALLOW(__NR_madvise),
47 #endif
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
new file mode 100644
index 000000000..83997695e
--- /dev/null
+++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
@@ -0,0 +1,33 @@
1From 375f99251da3754666750fe1ed63575ba909f397 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 13:33:30 -0300
4Subject: Enable specific ioctl call for EP11 crypto card (s390)
5
6The EP11 crypto card needs to make an ioctl call, which receives an
7specific argument. This crypto card is for s390 only.
8
9Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
10
11Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
12Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
13Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
14Last-Update: 2017-08-28
15
16Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
17---
18 sandbox-seccomp-filter.c | 2 ++
19 1 file changed, 2 insertions(+)
20
21diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
22index 4cbaaa2e..3833424b 100644
23--- a/sandbox-seccomp-filter.c
24+++ b/sandbox-seccomp-filter.c
25@@ -249,6 +249,8 @@ static const struct sock_filter preauth_insns[] = {
26 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
27 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
28 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
29+ /* Allow ioctls for EP11 crypto card on s390 */
30+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
31 #endif
32 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
33 /*
diff --git a/debian/patches/series b/debian/patches/series
index a46f3a408..c9d79be6a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,6 @@ restore-authorized_keys2.patch
28s390-missing-header.patch 28s390-missing-header.patch
29x32-syntax-error.patch 29x32-syntax-error.patch
30fix-incoming-compression-statistics.patch 30fix-incoming-compression-statistics.patch
31seccomp-s390-flock-ipc.patch
32seccomp-getuid-geteuid.patch
33seccomp-s390-ioctl-ep11-crypto.patch
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2831e9d10..3833424bf 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,18 +166,36 @@ static const struct sock_filter preauth_insns[] = {
166#ifdef __NR_exit_group 166#ifdef __NR_exit_group
167 SC_ALLOW(__NR_exit_group), 167 SC_ALLOW(__NR_exit_group),
168#endif 168#endif
169#if defined(__NR_flock) && defined(__s390__)
170 SC_ALLOW(__NR_flock),
171#endif
169#ifdef __NR_getpgid 172#ifdef __NR_getpgid
170 SC_ALLOW(__NR_getpgid), 173 SC_ALLOW(__NR_getpgid),
171#endif 174#endif
172#ifdef __NR_getpid 175#ifdef __NR_getpid
173 SC_ALLOW(__NR_getpid), 176 SC_ALLOW(__NR_getpid),
174#endif 177#endif
178#ifdef __NR_getuid
179 SC_ALLOW(__NR_getuid),
180#endif
181#ifdef __NR_getuid32
182 SC_ALLOW(__NR_getuid32),
183#endif
184#ifdef __NR_geteuid
185 SC_ALLOW(__NR_geteuid),
186#endif
187#ifdef __NR_geteuid32
188 SC_ALLOW(__NR_geteuid32),
189#endif
175#ifdef __NR_getrandom 190#ifdef __NR_getrandom
176 SC_ALLOW(__NR_getrandom), 191 SC_ALLOW(__NR_getrandom),
177#endif 192#endif
178#ifdef __NR_gettimeofday 193#ifdef __NR_gettimeofday
179 SC_ALLOW(__NR_gettimeofday), 194 SC_ALLOW(__NR_gettimeofday),
180#endif 195#endif
196#if defined(__NR_ipc) && defined(__s390__)
197 SC_ALLOW(__NR_ipc),
198#endif
181#ifdef __NR_madvise 199#ifdef __NR_madvise
182 SC_ALLOW(__NR_madvise), 200 SC_ALLOW(__NR_madvise),
183#endif 201#endif
@@ -231,6 +249,8 @@ static const struct sock_filter preauth_insns[] = {
231 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), 249 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
232 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), 250 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
233 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), 251 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
252 /* Allow ioctls for EP11 crypto card on s390 */
253 SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
234#endif 254#endif
235#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT) 255#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
236 /* 256 /*