From 3131004032c9a572d39d3c1faa0b1744a54656f9 Mon Sep 17 00:00:00 2001 From: "Jan F. Chadima" Date: Tue, 19 Jan 2010 09:07:39 +0000 Subject: [PATCH] set FD_CLOEXEC on accepted socket --- openssh-5.1p1-cloexec.patch | 35 +++++++++++++++++++++++------------ openssh.spec | 7 +++++-- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/openssh-5.1p1-cloexec.patch b/openssh-5.1p1-cloexec.patch index 37a22a7..e9fa4d1 100644 --- a/openssh-5.1p1-cloexec.patch +++ b/openssh-5.1p1-cloexec.patch @@ -1,6 +1,6 @@ -diff -up openssh-5.1p1/channels.c.cloexec openssh-5.1p1/channels.c ---- openssh-5.1p1/channels.c.cloexec 2008-12-11 22:24:49.000000000 +0100 -+++ openssh-5.1p1/channels.c 2008-12-11 22:29:52.000000000 +0100 +diff -up openssh-5.3p1/channels.c.cloexec openssh-5.3p1/channels.c +--- openssh-5.3p1/channels.c.cloexec 2010-01-19 09:26:50.000000000 +0100 ++++ openssh-5.3p1/channels.c 2010-01-19 09:26:51.000000000 +0100 @@ -60,6 +60,7 @@ #include #include @@ -28,10 +28,10 @@ diff -up openssh-5.1p1/channels.c.cloexec openssh-5.1p1/channels.c c->rfd = rfd; c->wfd = wfd; c->sock = (rfd == wfd) ? rfd : -1; -diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c ---- openssh-5.1p1/sshconnect2.c.cloexec 2008-12-11 22:24:49.000000000 +0100 -+++ openssh-5.1p1/sshconnect2.c 2008-12-11 22:24:49.000000000 +0100 -@@ -38,6 +38,7 @@ +diff -up openssh-5.3p1/sshconnect2.c.cloexec openssh-5.3p1/sshconnect2.c +--- openssh-5.3p1/sshconnect2.c.cloexec 2010-01-19 09:26:50.000000000 +0100 ++++ openssh-5.3p1/sshconnect2.c 2010-01-19 09:26:51.000000000 +0100 +@@ -39,6 +39,7 @@ #include #include #include @@ -39,7 +39,7 @@ diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) #include #endif -@@ -1267,6 +1268,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i +@@ -1512,6 +1513,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i return -1; } if (pid == 0) { 
@@ -47,9 +47,9 @@ diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c permanently_drop_suid(getuid()); close(from[0]); if (dup2(from[1], STDOUT_FILENO) < 0) -diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c ---- openssh-5.1p1/sshconnect.c.cloexec 2008-07-02 14:34:30.000000000 +0200 -+++ openssh-5.1p1/sshconnect.c 2008-12-11 22:24:49.000000000 +0100 +diff -up openssh-5.3p1/sshconnect.c.cloexec openssh-5.3p1/sshconnect.c +--- openssh-5.3p1/sshconnect.c.cloexec 2009-06-21 10:53:53.000000000 +0200 ++++ openssh-5.3p1/sshconnect.c 2010-01-19 09:26:51.000000000 +0100 @@ -38,6 +38,7 @@ #include #include @@ -58,7 +58,7 @@ diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c #include "xmalloc.h" #include "key.h" -@@ -194,8 +195,11 @@ ssh_create_socket(int privileged, struct +@@ -191,8 +192,11 @@ ssh_create_socket(int privileged, struct return sock; } sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); @@ -71,3 +71,14 @@ diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c /* Bind the socket to an alternative local IP address */ if (options.bind_address == NULL) +diff -up openssh-5.3p1/sshd.c.cloexec openssh-5.3p1/sshd.c +--- openssh-5.3p1/sshd.c.cloexec 2010-01-19 09:43:45.000000000 +0100 ++++ openssh-5.3p1/sshd.c 2010-01-19 09:47:04.000000000 +0100 +@@ -1105,6 +1105,7 @@ server_accept_loop(int *sock_in, int *so + error("accept: %.100s", strerror(errno)); + continue; + } ++ fcntl(*newsock, F_SETFD, FD_CLOEXEC); + if (unset_nonblock(*newsock) == -1) { + close(*newsock); + continue; diff --git a/openssh.spec b/openssh.spec index f9bb23c..820e81f 100644 --- a/openssh.spec +++ b/openssh.spec 
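Review bot: The `fcntl(*newsock, F_SETFD, FD_CLOEXEC);` line added in the new sshd.c hunk (server_accept_loop) ignores its return value, so a failure leaves the accepted socket inheritable across exec with nothing logged. The `unset_nonblock(*newsock)` check directly below it closes the socket and continues on error. I would handle the new call the same way: `if (fcntl(*newsock, F_SETFD, FD_CLOEXEC) == -1) { error("fcntl(FD_CLOEXEC): %.100s", strerror(errno)); close(*newsock); continue; }`. The flag is now set before the fork and exec paths that lie outside this hunk, so it is worth confirming that any path that deliberately passes the connection to an exec'd child uses a dup2() copy, which does not carry the close-on-exec flag. server_accept_loop begins and ends outside the hunk.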
@@ -69,7 +69,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.3p1 -Release: 15%{?dist}%{?rescue_rel} +Release: 16%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshauth.sourceforge.net #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -525,6 +525,9 @@ fi %endif %changelog +* Tue Jan 19 2010 Jan F. Chadima - 5.3p1-16 +- set FD_CLOEXEC on accepted socket (#541809) + * Fri Jan 8 2010 Jan F. Chadima - 5.3p1-15 - replaced define by global in macros @@ -1144,7 +1147,7 @@ fi - update to 3.6.1p2 * Wed Jun 04 2003 Elliot Lee -- rebuilt +6 rebuilt * Mon Mar 24 2003 Florian La Roche - add patch for getsockopt() call to work on bigendian 64bit archs