import UBI openssh-8.7p1-30.el9_2

SOURCES/openssh-9.3p1-upstream-cve-2023-38408.patch

@@ -0,0 +1,17 @@
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 6be647ec..ebddf6c3 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+ 		error("dlopen %s failed: %s", provider_module, dlerror());
+ 		goto fail;
+ 	}
+-	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+-		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+-		goto fail;
+-	}
++	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++		fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ 
+ 	p->module->handle = handle;
+ 	/* setup the pkcs11 callbacks */

SPECS/openssh.spec

@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 29
+%global openssh_rel 30
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 
@@ -265,6 +265,9 @@ Patch1007: openssh-8.7p1-nohostsha1proof.patch
 # upstream 12da7823336434a403f25c7cc0c2c6aed0737a35
 # to fix 1005
 Patch1008: openssh-8.7p1-CVE-2023-25136.patch
+# upsream commit
+# b23fe83f06ee7e721033769cfa03ae840476d280
+Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -472,6 +475,7 @@ popd
 %patch1006 -p1 -b .negotiate-supported-algs
 
 %patch100 -p1 -b .coverity
+%patch1015 -p1 -b .cve-2023-38408
 
 %patch1007 -p1 -b .sshrsacheck
 %patch1008 -p1 -b .cve-2023-25136
@@ -761,6 +765,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-30
+- Avoid remote code execution in ssh-agent PKCS#11 support
+  Resolves: CVE-2023-38408
+
 * Thu Apr 06 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-29
 - Resolve possible self-DoS with some clients
   Resolves: rhbz#2186473