[ptxdist] [PATCH v3] openssh: Version bump. v8.8p1 -> v8.9p1

[ptxdist] [PATCH v3] openssh: Version bump. v8.8p1 -> v8.9p1

[Christian Melki]

Security miss, integer overflow in the user auth path.
Not exploitable due to privsep.

* Update license. md5crypt removed, bcrypt relicensed.
4-Clause license removed.
* Minor spelling fixes in the license file.
* Remove configure option due to the removal of md5crypt.
* Add patch to improve detection of -fzero-call-used-regs=all on arm.
* Add rerun of autotools since patch touces m4 files.

Signed-off-by: Christian Melki <christian.melki@t2data.com>
---
 ...n-of-fzero-call-used-regs-all-suppor.patch | 31 +++++++++++++++++++
 patches/openssh-8.9p1/autogen.sh              |  1 +
 patches/openssh-8.9p1/series                  |  4 +++
 3 files changed, 36 insertions(+)
 create mode 100644 patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
 create mode 120000 patches/openssh-8.9p1/autogen.sh
 create mode 100644 patches/openssh-8.9p1/series

diff --git a/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch b/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
new file mode 100644
index 000000000..70b075ae7
--- /dev/null
+++ b/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
@@ -0,0 +1,31 @@
+From: Colin Watson <cjwatson@debian.org>
+Date: Thu, 24 Feb 2022 16:04:18 +0000
+Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support
+
+GCC doesn't tell us whether this option is supported unless it runs into
+the situation where it would need to emit corresponding code.
+---
+ m4/openssh.m4 | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/m4/openssh.m4 b/m4/openssh.m4
+index 4f9c3792dc17..8c33c701b8b4 100644
+--- a/m4/openssh.m4
++++ b/m4/openssh.m4
+@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
+ 	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
+ #include <stdlib.h>
+ #include <stdio.h>
++/* Trivial function to help test for -fzero-call-used-regs */
++void f(int n) {}
+ int main(int argc, char **argv) {
+ 	(void)argv;
+ 	/* Some math to catch -ftrapv problems in the toolchain */
+@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
+ 	float l = i * 2.1;
+ 	double m = l / 0.5;
+ 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
++	f(0);
+ 	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ 	/*
+ 	 * Test fallthrough behaviour.  clang 10's -Wimplicit-fallthrough does
diff --git a/patches/openssh-8.9p1/autogen.sh b/patches/openssh-8.9p1/autogen.sh
new file mode 120000
index 000000000..9f8a4cb7d
--- /dev/null
+++ b/patches/openssh-8.9p1/autogen.sh
@@ -0,0 +1 @@
+../autogen.sh
\ No newline at end of file
diff --git a/patches/openssh-8.9p1/series b/patches/openssh-8.9p1/series
new file mode 100644
index 000000000..eb319a82b
--- /dev/null
+++ b/patches/openssh-8.9p1/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
+# 35e561a03b8e1fd58ce4b40b565cdd3f  - git-ptx-patches magic
-- 
2.32.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH v3] openssh: Version bump. v8.8p1 -> v8.9p1

[Roland Hieber]

On Wed, Mar 30, 2022 at 10:17:06PM +0200, Christian Melki wrote:
> Security miss, integer overflow in the user auth path.
> Not exploitable due to privsep.
> 
> * Update license. md5crypt removed, bcrypt relicensed.
> 4-Clause license removed.
> * Minor spelling fixes in the license file.
> * Remove configure option due to the removal of md5crypt.
> * Add patch to improve detection of -fzero-call-used-regs=all on arm.
> * Add rerun of autotools since patch touces m4 files.
> 
> Signed-off-by: Christian Melki <christian.melki@t2data.com>
> ---
>  ...n-of-fzero-call-used-regs-all-suppor.patch | 31 +++++++++++++++++++
>  patches/openssh-8.9p1/autogen.sh              |  1 +
>  patches/openssh-8.9p1/series                  |  4 +++

I guess rules/openssh.make is the same as in v2?

 - Roland

>  3 files changed, 36 insertions(+)
>  create mode 100644 patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
>  create mode 120000 patches/openssh-8.9p1/autogen.sh
>  create mode 100644 patches/openssh-8.9p1/series
> 
> diff --git a/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch b/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
> new file mode 100644
> index 000000000..70b075ae7
> --- /dev/null
> +++ b/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
> @@ -0,0 +1,31 @@
> +From: Colin Watson <cjwatson@debian.org>
> +Date: Thu, 24 Feb 2022 16:04:18 +0000
> +Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support
> +
> +GCC doesn't tell us whether this option is supported unless it runs into
> +the situation where it would need to emit corresponding code.
> +---
> + m4/openssh.m4 | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/m4/openssh.m4 b/m4/openssh.m4
> +index 4f9c3792dc17..8c33c701b8b4 100644
> +--- a/m4/openssh.m4
> ++++ b/m4/openssh.m4
> +@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
> + 	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
> + #include <stdlib.h>
> + #include <stdio.h>
> ++/* Trivial function to help test for -fzero-call-used-regs */
> ++void f(int n) {}
> + int main(int argc, char **argv) {
> + 	(void)argv;
> + 	/* Some math to catch -ftrapv problems in the toolchain */
> +@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
> + 	float l = i * 2.1;
> + 	double m = l / 0.5;
> + 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
> ++	f(0);
> + 	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
> + 	/*
> + 	 * Test fallthrough behaviour.  clang 10's -Wimplicit-fallthrough does
> diff --git a/patches/openssh-8.9p1/autogen.sh b/patches/openssh-8.9p1/autogen.sh
> new file mode 120000
> index 000000000..9f8a4cb7d
> --- /dev/null
> +++ b/patches/openssh-8.9p1/autogen.sh
> @@ -0,0 +1 @@
> +../autogen.sh
> \ No newline at end of file
> diff --git a/patches/openssh-8.9p1/series b/patches/openssh-8.9p1/series
> new file mode 100644
> index 000000000..eb319a82b
> --- /dev/null
> +++ b/patches/openssh-8.9p1/series
> @@ -0,0 +1,4 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
> +# 35e561a03b8e1fd58ce4b40b565cdd3f  - git-ptx-patches magic
> -- 
> 2.32.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [PATCH v3] openssh: Version bump. v8.8p1 -> v8.9p1

[Christian Melki]

On 4/4/22 12:45 PM, Roland Hieber wrote:
> On Wed, Mar 30, 2022 at 10:17:06PM +0200, Christian Melki wrote:
>> Security miss, integer overflow in the user auth path.
>> Not exploitable due to privsep.
>>
>> * Update license. md5crypt removed, bcrypt relicensed.
>> 4-Clause license removed.
>> * Minor spelling fixes in the license file.
>> * Remove configure option due to the removal of md5crypt.
>> * Add patch to improve detection of -fzero-call-used-regs=all on arm.
>> * Add rerun of autotools since patch touces m4 files.
>>
>> Signed-off-by: Christian Melki <christian.melki@t2data.com>
>> ---
>>   ...n-of-fzero-call-used-regs-all-suppor.patch | 31 +++++++++++++++++++
>>   patches/openssh-8.9p1/autogen.sh              |  1 +
>>   patches/openssh-8.9p1/series                  |  4 +++
> 
> I guess rules/openssh.make is the same as in v2?
> 
>   - Roland
> 

Yes, the only addition in v3 being the regeneration of autoconf stuff 
due to touching m4 files. Hence the last comment.
I missed that one in v2 after I added the patch.

I haven't been able to reproduce the actual error Mol triggered, but the 
fix seems to target precisely that issue, so I was hoping it fixed his 
build errors on ARM.

>>   3 files changed, 36 insertions(+)
>>   create mode 100644 patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
>>   create mode 120000 patches/openssh-8.9p1/autogen.sh
>>   create mode 100644 patches/openssh-8.9p1/series
>>
>> diff --git a/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch b/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
>> new file mode 100644
>> index 000000000..70b075ae7
>> --- /dev/null
>> +++ b/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
>> @@ -0,0 +1,31 @@
>> +From: Colin Watson <cjwatson@debian.org>
>> +Date: Thu, 24 Feb 2022 16:04:18 +0000
>> +Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support
>> +
>> +GCC doesn't tell us whether this option is supported unless it runs into
>> +the situation where it would need to emit corresponding code.
>> +---
>> + m4/openssh.m4 | 3 +++
>> + 1 file changed, 3 insertions(+)
>> +
>> +diff --git a/m4/openssh.m4 b/m4/openssh.m4
>> +index 4f9c3792dc17..8c33c701b8b4 100644
>> +--- a/m4/openssh.m4
>> ++++ b/m4/openssh.m4
>> +@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
>> + 	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
>> + #include <stdlib.h>
>> + #include <stdio.h>
>> ++/* Trivial function to help test for -fzero-call-used-regs */
>> ++void f(int n) {}
>> + int main(int argc, char **argv) {
>> + 	(void)argv;
>> + 	/* Some math to catch -ftrapv problems in the toolchain */
>> +@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
>> + 	float l = i * 2.1;
>> + 	double m = l / 0.5;
>> + 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
>> ++	f(0);
>> + 	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
>> + 	/*
>> + 	 * Test fallthrough behaviour.  clang 10's -Wimplicit-fallthrough does
>> diff --git a/patches/openssh-8.9p1/autogen.sh b/patches/openssh-8.9p1/autogen.sh
>> new file mode 120000
>> index 000000000..9f8a4cb7d
>> --- /dev/null
>> +++ b/patches/openssh-8.9p1/autogen.sh
>> @@ -0,0 +1 @@
>> +../autogen.sh
>> \ No newline at end of file
>> diff --git a/patches/openssh-8.9p1/series b/patches/openssh-8.9p1/series
>> new file mode 100644
>> index 000000000..eb319a82b
>> --- /dev/null
>> +++ b/patches/openssh-8.9p1/series
>> @@ -0,0 +1,4 @@
>> +# generated by git-ptx-patches
>> +#tag:base --start-number 1
>> +0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
>> +# 35e561a03b8e1fd58ce4b40b565cdd3f  - git-ptx-patches magic
>> -- 
>> 2.32.0
>>
>>
>> _______________________________________________
>> ptxdist mailing list
>> ptxdist@pengutronix.de
>> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>>
> 

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] [APPLIED] openssh: Version bump. v8.8p1 -> v8.9p1

[Michael Olbrich]

Thanks, applied as f9d34a0230b7803df4f24b09371d463c25d241f6.

Michael

[sent from post-receive hook]

On Fri, 08 Apr 2022 15:35:59 +0200, Christian Melki <christian.melki@t2data.com> wrote:
> Security miss, integer overflow in the user auth path.
> Not exploitable due to privsep.
> 
> * Update license. md5crypt removed, bcrypt relicensed.
> 4-Clause license removed.
> * Minor spelling fixes in the license file.
> * Remove configure option due to the removal of md5crypt.
> * Add patch to improve detection of -fzero-call-used-regs=all on arm.
> * Add rerun of autotools since patch touces m4 files.
> 
> Signed-off-by: Christian Melki <christian.melki@t2data.com>
> Message-Id: <20220330201706.1065700-1-christian.melki@t2data.com>
> [mol: readd lost openssh.make changes from v2]
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch b/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
> new file mode 100644
> index 000000000000..70b075ae7651
> --- /dev/null
> +++ b/patches/openssh-8.9p1/0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
> @@ -0,0 +1,31 @@
> +From: Colin Watson <cjwatson@debian.org>
> +Date: Thu, 24 Feb 2022 16:04:18 +0000
> +Subject: [PATCH] Improve detection of -fzero-call-used-regs=all support
> +
> +GCC doesn't tell us whether this option is supported unless it runs into
> +the situation where it would need to emit corresponding code.
> +---
> + m4/openssh.m4 | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/m4/openssh.m4 b/m4/openssh.m4
> +index 4f9c3792dc17..8c33c701b8b4 100644
> +--- a/m4/openssh.m4
> ++++ b/m4/openssh.m4
> +@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
> + 	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
> + #include <stdlib.h>
> + #include <stdio.h>
> ++/* Trivial function to help test for -fzero-call-used-regs */
> ++void f(int n) {}
> + int main(int argc, char **argv) {
> + 	(void)argv;
> + 	/* Some math to catch -ftrapv problems in the toolchain */
> +@@ -21,6 +23,7 @@ int main(int argc, char **argv) {
> + 	float l = i * 2.1;
> + 	double m = l / 0.5;
> + 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
> ++	f(0);
> + 	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
> + 	/*
> + 	 * Test fallthrough behaviour.  clang 10's -Wimplicit-fallthrough does
> diff --git a/patches/openssh-8.9p1/autogen.sh b/patches/openssh-8.9p1/autogen.sh
> new file mode 120000
> index 000000000000..9f8a4cb7ddcb
> --- /dev/null
> +++ b/patches/openssh-8.9p1/autogen.sh
> @@ -0,0 +1 @@
> +../autogen.sh
> \ No newline at end of file
> diff --git a/patches/openssh-8.9p1/series b/patches/openssh-8.9p1/series
> new file mode 100644
> index 000000000000..eb319a82b68a
> --- /dev/null
> +++ b/patches/openssh-8.9p1/series
> @@ -0,0 +1,4 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +0001-Improve-detection-of-fzero-call-used-regs-all-suppor.patch
> +# 35e561a03b8e1fd58ce4b40b565cdd3f  - git-ptx-patches magic
> diff --git a/rules/openssh.make b/rules/openssh.make
> index c801d8a6a28c..8f48e426efd4 100644
> --- a/rules/openssh.make
> +++ b/rules/openssh.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_OPENSSH) += openssh
>  #
>  # Paths and names
>  #
> -OPENSSH_VERSION	:= 8.8p1
> -OPENSSH_MD5	:= 8ce5f390958baeeab635aafd0ef41453
> +OPENSSH_VERSION	:= 8.9p1
> +OPENSSH_MD5	:= f33910174f0af52491277211e2b105bb
>  OPENSSH		:= openssh-$(OPENSSH_VERSION)
>  OPENSSH_SUFFIX	:= tar.gz
>  OPENSSH_URL	:= \
> @@ -25,8 +25,8 @@ OPENSSH_URL	:= \
>  
>  OPENSSH_SOURCE	:= $(SRCDIR)/$(OPENSSH).$(OPENSSH_SUFFIX)
>  OPENSSH_DIR	:= $(BUILDDIR)/$(OPENSSH)
> -OPENSSH_LICENSE	:= BSD AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND MIT AND Beerware AND ISC
> -OPENSSH_LICENSE_FILES := file://LICENCE;md5=d9d2753bdef9f19466dc7bc959114b11
> +OPENSSH_LICENSE	:= BSD AND BSD-2-Clause AND BSD-3-Clause AND MIT AND Beerware AND ISC
> +OPENSSH_LICENSE_FILES := file://LICENCE;md5=8baf365614c9bdd63705f298c9afbfb9
>  
>  # ----------------------------------------------------------------------------
>  # Prepare
> @@ -78,8 +78,7 @@ OPENSSH_CONF_OPT	:= \
>  	--with-privsep-user=sshd \
>  	--with-sandbox=$(OPENSSH_SANDBOX-y) \
>  	--$(call ptx/wwo, PTXCONF_GLOBAL_SELINUX)-selinux \
> -	--with-privsep-path=/var/run/sshd \
> -	--without-md5-passwords
> +	--with-privsep-path=/var/run/sshd
>  
>  # ----------------------------------------------------------------------------
>  # Target-Install

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de