From patchwork Mon Mar 27 21:27:07 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 6726
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] openssh: Update to version 9.3p1
Date: Mon, 27 Mar 2023 23:27:07 +0200
Message-Id: <20230327212709.3955444-3-adolf.belka@ipfire.org>
In-Reply-To: <20230327212709.3955444-1-adolf.belka@ipfire.org>
References: <20230327212709.3955444-1-adolf.belka@ipfire.org>

- Update from version 9.2p1 to 9.3p1
- Update of rootfile not required
- Removal of patch as this was only required for i586 builds which are no longer done in IPFire
- Changelog
    9.3p1 (2023-03-15)
    This release fixes a number of security bugs.

    Security

    This release contains fixes for a security problem and a memory safety
    problem. The memory safety problem is not believed to be exploitable, but
    we report most network-reachable memory faults as security bugs.

    * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop
      destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic
      error prevented the constraints from being communicated to the agent.
      This resulted in the keys being added without constraints. The common
      cases of non-smartcard keys and keys without destination constraints
      are unaffected. This problem was reported by Luci Stanescu.

    * ssh(1): Portable OpenSSH provides an implementation of the
      getrrsetbyname(3) function if the standard library does not provide it,
      for use by the VerifyHostKeyDNS feature. A specifically crafted DNS
      response could cause this function to perform an out-of-bounds read of
      adjacent stack data, but this condition does not appear to be
      exploitable beyond denial-of-service to the ssh(1) client.

      The getrrsetbyname(3) replacement is only included if the system's
      standard library lacks this function and portable OpenSSH was not
      compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only
      invoked if using VerifyHostKeyDNS to fetch SSHFP records.

      This problem was found by the Coverity static analyzer.

    New features

    * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
      outputting SSHFP fingerprints to allow algorithm selection. bz3493

    * sshd(8): add a `sshd -G` option that parses and prints the effective
      configuration without attempting to load private keys and perform other
      checks. This allows usage of the option before keys have been generated
      and for configuration evaluation and verification by unprivileged users.

    Bugfixes

    * scp(1), sftp(1): fix progressmeter corruption on wide displays; bz3534

    * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of
      private keys as some systems are starting to disable RSA/SHA1 in
      libcrypto.

    * sftp-server(8): fix a memory leak. GHPR363

    * ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol compatibility
      code and simplify what's left.

    * Fix a number of low-impact Coverity static analysis findings. These
      include several reported via bz2687

    * ssh_config(5), sshd_config(5): mention that some options are not
      first-match-wins.

    * Rework logging for the regression tests. Regression tests will now
      capture separate logs for each ssh and sshd invocation in a test.

    * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says it
      should; bz3532.

    * ssh(1): ensure that there is a terminating newline when adding a new
      entry to known_hosts; bz3529

    Portability

    * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of mmap(2),
      madvise(2) and futex(2) flags, removing some concerning kernel attack
      surface.

    * sshd(8): improve Linux seccomp-bpf sandbox for older systems; bz3537
Signed-off-by: Adolf Belka Reviewed-by: Peter Müller --- lfs/openssh | 5 ++--- ...SH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch | 13 ------------- 2 files changed, 2 insertions(+), 16 deletions(-) delete mode 100644 src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch diff --git a/lfs/openssh b/lfs/openssh index 89f486a79..5a18edd70 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 9.2p1 +VER = 9.3p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21 +$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d install : $(TARGET) @@ -71,7 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch cd $(DIR_APP) && ./configure \ --prefix=/usr \ --sysconfdir=/etc/ssh \ diff --git a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch b/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch deleted file mode 100644 index 5199872d9..000000000 --- a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff -Naur openssh-8.2p1.org/sandbox-seccomp-filter.c openssh-8.2p1/sandbox-seccomp-filter.c ---- openssh-8.2p1.org/sandbox-seccomp-filter.c 2020-04-10 18:14:56.152309584 +0200 -+++ openssh-8.2p1/sandbox-seccomp-filter.c 2020-04-10 21:05:45.827921765 +0200 -@@ -253,6 +253,9 @@ - #endif - #ifdef __NR_clock_nanosleep_time64 - SC_ALLOW(__NR_clock_nanosleep_time64), -+#else -+ /* on i586 glibc call syscall 407 which is not defined */ -+ SC_ALLOW(407), - #endif - #ifdef __NR_clock_gettime64 - SC_ALLOW(__NR_clock_gettime64),
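Review bot: in the lfs/openssh hunk at @@ -40,7 the $(DL_FILE)_BLAKE2 value is swapped for a new one with no statement of how the openssh-9.3p1.tar.gz tarball was authenticated before its checksum was recorded; a checksum recomputed from whatever was downloaded pins the file but says nothing about its origin. Suggest the commit message record that the tarball was verified against the upstream release signature before the new BLAKE2 was taken, so later reviewers can trust the pin rather than re-derive it.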
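Review bot: in the lfs/openssh hunk at @@ -71,7 the line applying OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch is dropped, so sshd will now run the unmodified 9.3p1 seccomp filter, and the changelog in this same commit says that filter was reworked to an allowlist of mmap(2), madvise(2) and futex(2) flags. Suggest the commit message note that sshd startup and a complete login were tested on each remaining IPFire build architecture, since an allowlist that is too tight for a given glibc shows up at runtime as the preauth child being killed, not as a build failure.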
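Review bot: the deleted src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch allowed the raw syscall number 407 whenever __NR_clock_nanosleep_time64 was undefined, and its own comment ties that number to i586 glibc; a hardcoded number would name a different syscall on any other architecture that lacks the define, so removing it narrows the sandbox allowlist and is the right direction. Dropping it is only safe if no remaining build target hits that #else branch, which the commit message asserts by saying i586 builds are no longer done; stating which architectures are still built would make that assumption checkable by the reviewer.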