From: Michael Olbrich
To: ptxdist@pengutronix.de
Date: Fri, 8 Apr 2022 15:35:59 +0200
Message-Id: <20220408133559.122920-1-m.olbrich@pengutronix.de>
In-Reply-To: <20220330201706.1065700-1-christian.melki@t2data.com>
References: <20220330201706.1065700-1-christian.melki@t2data.com>
Subject: Re: [ptxdist] [APPLIED] openssh: Version bump. v8.8p1 -> v8.9p1
Reply-To: ptxdist@pengutronix.de
Cc: Christian Melki

Thanks, applied as f9d34a0230b7803df4f24b09371d463c25d241f6.

Michael

[sent from post-receive hook]

On Fri, 08 Apr 2022 15:35:59 +0200, Christian Melki wrote:
> Security miss, integer overflow in the user auth path.
> Not exploitable due to privsep.
>
> * Update license. md5crypt removed, bcrypt relicensed.
> 4-Clause license removed.
> * Minor spelling fixes in the license file.
> * Remove configure option due to the removal of md5crypt.
> * Add patch to improve detection of -fzero-call-used-regs=all on arm.
> * Add rerun of autotools since patch touches m4 files.
>
> Signed-off-by: Christian Melki
> Message-Id: <20220330201706.1065700-1-christian.melki@t2data.com>
> [mol: readd lost openssh.make changes from v2]
> Signed-off-by: Michael Olbrich
>
> diff --git a/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch b/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch > new file mode 100644 > index 000000000000..70b075ae7651 > --- /dev/null 
> +++ b/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch > @@ -0,0 +1,31 @@ > +From: Colin Watson > +Date: Thu, 24 Feb 2022 16:04:18 +0000 > +Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support > + > +GCC doesn't tell us whether this option is supported unless it runs into > +the situation where it would need to emit corresponding code. > +--- > + m4/openssh.m4 | 3 +++ > + 1 file changed, 3 insertions(+) > + > +diff --git a/m4/openssh.m4 b/m4/openssh.m4 > +index 4f9c3792dc17..8c33c701b8b4 100644 > +--- a/m4/openssh.m4 > ++++ b/m4/openssh.m4 > +@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ > + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ > + #include > + #include > ++/* Trivial function to help test for -fzero-call-used-regs */ > ++void f(int n) {} > + int main(int argc, char **argv) { > + (void)argv; > + /* Some math to catch -ftrapv problems in the toolchain */ > +@@ -21,6 +23,7 @@ int main(int argc, char **argv) { > + float l = i * 2.1; > + double m = l / 0.5; > + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; > ++ f(0); > + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); > + /* > + * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does > diff --git a/patches/openssh-8.9p1/autogen.sh b/patches/openssh-8.9p1/autogen.sh > new file mode 120000 > index 000000000000..9f8a4cb7ddcb > --- /dev/null > +++ b/patches/openssh-8.9p1/autogen.sh > @@ -0,0 +1 @@ > +../autogen.sh > \ No newline at end of file > diff --git a/patches/openssh-8.9p1/series b/patches/openssh-8.9p1/series > new file mode 100644 > index 000000000000..eb319a82b68a > --- /dev/null > +++ b/patches/openssh-8.9p1/series > @@ -0,0 +1,4 @@ > +# generated by git-ptx-patches > +#tag:base --start-number 1 > +0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch > +# 35e561a03b8e1fd58ce4b40b565cdd3f - git-ptx-patches magic 
> diff --git a/rules/openssh.make b/rules/openssh.make > index c801d8a6a28c..8f48e426efd4 100644 > --- a/rules/openssh.make > +++ b/rules/openssh.make > @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_OPENSSH) += openssh > # > # Paths and names > # > -OPENSSH_VERSION := 8.8p1 > -OPENSSH_MD5 := 8ce5f390958baeeab635aafd0ef41453 > +OPENSSH_VERSION := 8.9p1 > +OPENSSH_MD5 := f33910174f0af52491277211e2b105bb > OPENSSH := openssh-$(OPENSSH_VERSION) > OPENSSH_SUFFIX := tar.gz > OPENSSH_URL := \ > @@ -25,8 +25,8 @@ OPENSSH_URL := \ > > OPENSSH_SOURCE := $(SRCDIR)/$(OPENSSH).$(OPENSSH_SUFFIX) > OPENSSH_DIR := $(BUILDDIR)/$(OPENSSH) > -OPENSSH_LICENSE := BSD AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND MIT AND Beerware AND ISC > -OPENSSH_LICENSE_FILES := file://LICENCE;md5=d9d2753bdef9f19466dc7bc959114b11 > +OPENSSH_LICENSE := BSD AND BSD-2-Clause AND BSD-3-Clause AND MIT AND Beerware AND ISC > +OPENSSH_LICENSE_FILES := file://LICENCE;md5=8baf365614c9bdd63705f298c9afbfb9 > > # ---------------------------------------------------------------------------- > # Prepare > @@ -78,8 +78,7 @@ OPENSSH_CONF_OPT := \ > --with-privsep-user=sshd \ > --with-sandbox=$(OPENSSH_SANDBOX-y) \ > --$(call ptx/wwo, PTXCONF_GLOBAL_SELINUX)-selinux \ > - --with-privsep-path=/var/run/sshd \ > - --without-md5-passwords > + --with-privsep-path=/var/run/sshd > > # ---------------------------------------------------------------------------- > # Target-Install
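
Review bot: the header of the new 0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch carries From, Date and Subject but no pointer to where the change was taken from or whether OpenSSH upstream has merged it. Recording that in the patch description would tell whoever does the next version bump whether the patch can simply be dropped. The description also speaks only of GCC in general, while the commit message says the detection problem is on arm; one sentence naming the affected target would make the reason for carrying the patch clear.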
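
Review bot: in the first hunk of rules/openssh.make (@@ -15,8 +15,8), the 8.9p1 tarball is pinned only through OPENSSH_MD5. MD5 is not collision resistant, so this value protects against a corrupted download far more than against a substituted one. Since the commit message presents the bump as picking up a security fix, it would help to say in the commit message that the tarball was checked against the upstream release signature before the new sum was recorded.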