Re: [PATCH] openssh: Update to version 9.3p1

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 6019 bytes --]

As always, thank you very much!

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

> - Update from version 9.2p1 to 9.3p1
> - Update of rootfile not required
> - Removal of patch as this was only required for i586 builds which are no longer done in
>    IPFire
> - Changelog
> 9.3p1 (2023-03-15)
>   This release fixes a number of security bugs.
>     Security
> 	This release contains fixes for a security problem and a memory
> 	safety problem. The memory safety problem is not believed to be
> 	exploitable, but we report most network-reachable memory faults as
> 	security bugs.
> 	 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
> 	   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
> 	   8.9, a logic error prevented the constraints from being
> 	   communicated to the agent. This resulted in the keys being added
> 	   without constraints. The common cases of non-smartcard keys and
> 	   keys without destination constraints are unaffected. This problem
> 	   was reported by Luci Stanescu.
> 	 * ssh(1): Portable OpenSSH provides an implementation of the
> 	   getrrsetbyname(3) function if the standard library does not
> 	   provide it, for use by the VerifyHostKeyDNS feature. A
> 	   specifically crafted DNS response could cause this function to
> 	   perform an out-of-bounds read of adjacent stack data, but this
> 	   condition does not appear to be exploitable beyond denial-of-
> 	   service to the ssh(1) client.
> 	   The getrrsetbyname(3) replacement is only included if the system's
> 	   standard library lacks this function and portable OpenSSH was not
> 	   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
> 	   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
> 	   problem was found by the Coverity static analyzer.
>     New features
> 	 * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
> 	   outputting SSHFP fingerprints to allow algorithm selection. bz3493
> 	 * sshd(8): add a `sshd -G` option that parses and prints the
> 	   effective configuration without attempting to load private keys
> 	   and perform other checks. This allows usage of the option before
> 	   keys have been generated and for configuration evaluation and
> 	   verification by unprivileged users.
>     Bugfixes
> 	 * scp(1), sftp(1): fix progressmeter corruption on wide displays;
> 	   bz3534
> 	 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
> 	   of private keys as some systems are starting to disable RSA/SHA1
> 	   in libcrypto.
> 	 * sftp-server(8): fix a memory leak. GHPR363
> 	 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
> 	   compatibility code and simplify what's left.
> 	 * Fix a number of low-impact Coverity static analysis findings.
> 	   These include several reported via bz2687
> 	 * ssh_config(5), sshd_config(5): mention that some options are not
> 	   first-match-wins.
> 	 * Rework logging for the regression tests. Regression tests will now
> 	   capture separate logs for each ssh and sshd invocation in a test.
> 	 * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
> 	   says it should; bz3532.
> 	 * ssh(1): ensure that there is a terminating newline when adding a
> 	   new entry to known_hosts; bz3529
>     Portability
> 	 * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
> 	   mmap(2), madvise(2) and futex(2) flags, removing some concerning
> 	   kernel attack surface.
> 	 * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
> 	   bz3537
> 
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>  lfs/openssh                                         |  5 ++---
>  ...SH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch | 13 -------------
>  2 files changed, 2 insertions(+), 16 deletions(-)
>  delete mode 100644 src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
> 
> diff --git a/lfs/openssh b/lfs/openssh
> index 89f486a79..5a18edd70 100644
> --- a/lfs/openssh
> +++ b/lfs/openssh
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 9.2p1
> +VER        = 9.3p1
>  
>  THISAPP    = openssh-$(VER)
>  DL_FILE    = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = 8d0b5e43cb42cba105a1fe303c447a2b85151cb33ec7ed47747d75c5a61d0f07f0ee4b1020b79c13eb8de4b451c5a844a8afc7ebbbea7ffeceafc3bf59cb8d21
> +$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d
>  
>  install : $(TARGET)
>  
> @@ -71,7 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	@$(PREBUILD)
>  	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
>  	cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
> -	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
>  	cd $(DIR_APP) && ./configure \
>  		--prefix=/usr \
>  		--sysconfdir=/etc/ssh \
> diff --git a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch b/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
> deleted file mode 100644
> index 5199872d9..000000000
> --- a/src/patches/OpenSSH-8.2p1_glibc-2.31_clock_nanosleep_time64.patch
> +++ /dev/null
> @@ -1,13 +0,0 @@
> -diff -Naur openssh-8.2p1.org/sandbox-seccomp-filter.c openssh-8.2p1/sandbox-seccomp-filter.c
> ---- openssh-8.2p1.org/sandbox-seccomp-filter.c	2020-04-10 18:14:56.152309584 +0200
> -+++ openssh-8.2p1/sandbox-seccomp-filter.c	2020-04-10 21:05:45.827921765 +0200
> -@@ -253,6 +253,9 @@
> - #endif
> - #ifdef __NR_clock_nanosleep_time64
> - 	SC_ALLOW(__NR_clock_nanosleep_time64),
> -+#else
> -+	/* on i586 glibc call syscall 407 which is not defined */
> -+	SC_ALLOW(407),
> - #endif
> - #ifdef __NR_clock_gettime64
> - 	SC_ALLOW(__NR_clock_gettime64),