[packages/openssh] Rel 2; upstream 'Don't trust closefrom() on Linux.'. Should fix problems with closefrom in chroot.
arekm
arekm at pld-linux.org
Tue Nov 16 20:46:43 CET 2021
commit e24ec364a8a89d209b87a0ffbe00d8a046d4a9e6
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Tue Nov 16 20:44:34 2021 +0100
Rel 2; upstream 'Don't trust closefrom() on Linux.'. Should fix problems with closefrom in chroot.
closefrom.patch | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
openssh.spec | 6 +++---
2 files changed, 60 insertions(+), 3 deletions(-)
---
diff --git a/openssh.spec b/openssh.spec
index bacae21..e991060 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -37,7 +37,7 @@ Summary(ru.UTF-8): OpenSSH - свободная реализация прото
Summary(uk.UTF-8): OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
Name: openssh
Version: 8.8p1
-Release: 1
+Release: 2
Epoch: 2
License: BSD
Group: Applications/Networking
@@ -68,7 +68,7 @@ Patch8: ldap-helper-sigpipe.patch
# High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
# http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
Patch9: %{name}-5.2p1-hpn13v6.diff
-
+Patch10: closefrom.patch
Patch11: %{name}-chroot.patch
Patch13: %{name}-skip-interop-tests.patch
@@ -550,7 +550,7 @@ openldap-a.
%patch8 -p1
%{?with_hpn:%patch9 -p1}
-
+%patch10 -p1
%patch11 -p1
%patch13 -p1
diff --git a/closefrom.patch b/closefrom.patch
new file mode 100644
index 0000000..760e2cd
--- /dev/null
+++ b/closefrom.patch
@@ -0,0 +1,57 @@
+commit 10b899a15c88eb40eb5f73cd0fa84ef0966f79c9
+Author: Darren Tucker <dtucker at dtucker.net>
+Date: Wed Nov 10 12:34:25 2021 +1100
+
+ Don't trust closefrom() on Linux.
+
+ glibc's closefrom implementation does not work in a chroot when the kernel
+ does not have close_range. It tries to read from /proc/self/fd and when
+ that fails dies with an assertion of sorts. Instead, call close_range
+ ourselves from our compat code and fall back if that fails. bz#3349,
+ with william.wilson at canonical.com and fweimer at redhat.com.
+
+diff --git a/configure.ac b/configure.ac
+index 165b391f..cd4cadec 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -839,6 +839,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+ dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
+ dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
+ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
++ AC_DEFINE([BROKEN_CLOSEFROM], [1], [broken in chroots on older kernels])
+ AC_DEFINE([PAM_TTY_KLUDGE], [1],
+ [Work around problematic Linux PAM modules handling of PAM_TTY])
+ AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
+@@ -1820,6 +1821,7 @@ AC_CHECK_FUNCS([ \
+ cap_rights_limit \
+ clock \
+ closefrom \
++ close_range \
+ dirfd \
+ endgrent \
+ err \
+diff --git a/openbsd-compat/bsd-closefrom.c b/openbsd-compat/bsd-closefrom.c
+index 8fadca2d..08b7da69 100644
+--- a/openbsd-compat/bsd-closefrom.c
++++ b/openbsd-compat/bsd-closefrom.c
+@@ -16,7 +16,7 @@
+
+ #include "includes.h"
+
+-#ifndef HAVE_CLOSEFROM
++#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM)
+
+ #include <sys/types.h>
+ #include <sys/param.h>
+@@ -130,6 +130,11 @@ closefrom(int lowfd)
+ DIR *dirp;
+ int len;
+
++#ifdef HAVE_CLOSE_RANGE
++ if (close_range(lowfd, INT_MAX, 0) == 0)
++ return;
++#endif
++
+ /* Check for a /proc/$$/fd directory. */
+ len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid());
+ if (len > 0 && (size_t)len < sizeof(fdpath) && (dirp = opendir(fdpath))) {
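Review bot: The fix only takes effect if `configure` and `config.h.in` are regenerated after `%patch10`, because both `BROKEN_CLOSEFROM` and the `close_range` function check are added to `configure.ac`, not to a shipped `configure`. The spec hunks shown do not reveal whether `%build` runs autoconf/autoheader, so confirm that; otherwise glibc's `closefrom()` stays in use and the abort in a chroot without `/proc` remains. The new call in `closefrom()` also depends on `INT_MAX`, so `<limits.h>` needs to be in scope in `bsd-closefrom.c`, whose include list is cut off by the hunk. A short comment above the call would help the next reader, e.g. `/* close_range() can fail (ENOSYS before Linux 5.9); fall back to the /proc scan below */`. The body of `closefrom()` continues outside the hunk, so the final fallback path is not visible here.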
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/openssh.git/commitdiff/e24ec364a8a89d209b87a0ffbe00d8a046d4a9e6