import openssh-8.0p1-7.el8

SOURCES/openssh-7.9p1-ssh-copy-id.patch

@@ -11,6 +11,17 @@ diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh
    # implement something like getopt to avoid Solaris pain
    case "$1" in
      -i?*|-o?*|-p?*)
+@@ -185,8 +185,8 @@
+   usage
+ fi
+ 
+-# drop trailing colon
+-USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
++# don't drop trailing colon because it can be a valid ipv6 address
++USER_HOST=$(printf "%s\n" "$1")
+ # tack the hostname onto SSH_OPTS
+ SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
+ # and populate "$@" for later use (only way to get proper quoting of options)
 @@ -261,7 +262,7 @@ populate_new_ids() {
    fi
    if [ -z "$NEW_IDS" ] ; then

SOURCES/openssh-8.0p1-channel-limits.patch

@@ -0,0 +1,33 @@
+diff -up openssh-8.0p1/channels.c.channel-limits openssh-8.0p1/channels.c
+--- openssh-8.0p1/channels.c.channel-limits	2021-03-16 12:17:58.905576511 +0100
++++ openssh-8.0p1/channels.c	2021-03-16 12:17:58.925576667 +0100
+@@ -354,6 +354,7 @@ channel_new(struct ssh *ssh, char *ctype
+ 	struct ssh_channels *sc = ssh->chanctxt;
+ 	u_int i, found;
+ 	Channel *c;
++	int r;
+ 
+ 	/* Try to find a free slot where to put the new channel. */
+ 	for (i = 0; i < sc->channels_alloc; i++) {
+@@ -383,6 +384,8 @@ channel_new(struct ssh *ssh, char *ctype
+ 	    (c->output = sshbuf_new()) == NULL ||
+ 	    (c->extended = sshbuf_new()) == NULL)
+ 		fatal("%s: sshbuf_new failed", __func__);
++	if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX)) != 0)
++		fatal("%s: sshbuf_set_max_size: %s", __func__, ssh_err(r));
+ 	c->ostate = CHAN_OUTPUT_OPEN;
+ 	c->istate = CHAN_INPUT_OPEN;
+ 	channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
+diff -up openssh-8.0p1/channels.h.channel-limits openssh-8.0p1/channels.h
+--- openssh-8.0p1/channels.h.channel-limits	2021-03-16 12:17:58.868576223 +0100
++++ openssh-8.0p1/channels.h	2021-03-16 12:17:58.907576527 +0100
+@@ -215,6 +215,9 @@ struct Channel {
+ /* Read buffer size */
+ #define CHAN_RBUF	(16*1024)
+ 
++/* Maximum channel input buffer size */
++#define CHAN_INPUT_MAX	(16*1024*1024)
++
+ /* Hard limit on number of channels */
+ #define CHANNELS_MAX_CHANNELS	(16*1024)
+ 

SOURCES/openssh-8.0p1-keygen-strip-doseol.patch

@@ -0,0 +1,12 @@
+diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c
+--- openssh-8.0p1/ssh-keygen.c.strip-doseol	2021-03-18 17:41:34.472404994 +0100
++++ openssh-8.0p1/ssh-keygen.c	2021-03-18 17:41:55.255538761 +0100
+@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw)
+ 	while (getline(&line, &linesize, f) != -1) {
+ 		lnum++;
+ 		cp = line;
+-		cp[strcspn(cp, "\n")] = '\0';
++		cp[strcspn(cp, "\r\n")] = '\0';
+ 		/* Trim leading space and comments */
+ 		cp = line + strspn(line, " \t");
+ 		if (*cp == '#' || *cp == '\0')

SOURCES/openssh-8.0p1-pkcs11-uri.patch

@@ -1167,7 +1167,7 @@ new file mode 100644
 index 00000000..e1a7b4e0
 --- /dev/null
 +++ b/ssh-pkcs11-uri.c
-@@ -0,0 +1,421 @@
+@@ -0,0 +1,425 @@
 +/*
 + * Copyright (c) 2017 Red Hat
 + *
@@ -1419,6 +1419,10 @@ index 00000000..e1a7b4e0
 +void
 +pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11)
 +{
++	if (pkcs11 == NULL) {
++		return;
++	}
++
 +	free(pkcs11->id);
 +	free(pkcs11->module_path);
 +	free(pkcs11->token);
@@ -2677,6 +2681,9 @@ index 70f06bff..59332945 100644
 +	}
 +
 +	provider_uri = pkcs11_uri_get(uri);
++	if (pin == NULL && uri->pin != NULL) {
++		pin = uri->pin;
++	}
 +	nkeys = 0;
 +	for (i = 0; i < p->module->nslots; i++) {
 +		token = &p->module->slotinfo[i].token;
@@ -2712,9 +2719,6 @@ index 70f06bff..59332945 100644
 +		    provider_uri, (unsigned long)i,
  		    token->label, token->manufacturerID, token->model,
  		    token->serialNumber, token->flags);
-+		if (pin == NULL && uri->pin != NULL) {
-+			pin = uri->pin;
-+		}
  		/*
 -		 * open session, login with pin and retrieve public
 -		 * keys (if keyp is provided)
@@ -2741,8 +2745,8 @@ index 70f06bff..59332945 100644
 +				uri->object = label;
 +			}
  		}
-+		pin = NULL; /* Will be cleaned up with URI */
  	}
++	pin = NULL; /* Will be cleaned up with URI */
  
  	/* now owned by caller */
  	*providerp = p;

SOURCES/openssh-8.0p1-preserve-pam-errors.patch

@@ -0,0 +1,44 @@
+diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
+--- openssh-8.0p1/auth-pam.c.preserve-pam-errors	2021-03-31 17:03:15.618592347 +0200
++++ openssh-8.0p1/auth-pam.c	2021-03-31 17:06:58.115220014 +0200
+@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
+ 		goto auth_fail;
+ 
+ 	if (!do_pam_account()) {
+-		sshpam_err = PAM_ACCT_EXPIRED;
++		/* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
++		 * Backward compatibility for other errors. */
++		if (sshpam_err != PAM_PERM_DENIED
++			&& sshpam_err != PAM_USER_UNKNOWN)
++			sshpam_err = PAM_ACCT_EXPIRED;
+ 		goto auth_fail;
+ 	}
+ 	if (sshpam_authctxt->force_pwchange) {
+@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
+ 	    pam_strerror(sshpam_handle, sshpam_err))) != 0)
+ 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 	/* XXX - can't do much about an error here */
+-	if (sshpam_err == PAM_ACCT_EXPIRED)
+-		ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
++	if (sshpam_err == PAM_PERM_DENIED
++		|| sshpam_err == PAM_USER_UNKNOWN
++		|| sshpam_err == PAM_ACCT_EXPIRED)
++		ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
+ 	else if (sshpam_maxtries_reached)
+ 		ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
+ 	else
+@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
+ 			plen++;
+ 			free(msg);
+ 			break;
++		case PAM_USER_UNKNOWN:
++		case PAM_PERM_DENIED:
+ 		case PAM_ACCT_EXPIRED:
++			sshpam_account_status = 0;
++			/* FALLTHROUGH */
+ 		case PAM_MAXTRIES:
+-			if (type == PAM_ACCT_EXPIRED)
+-				sshpam_account_status = 0;
+ 			if (type == PAM_MAXTRIES)
+ 				sshpam_set_maxtries_reached(1);
+ 			/* FALLTHROUGH */

SOURCES/openssh-8.0p1-sftp-timespeccmp.patch

@@ -0,0 +1,16 @@
+diff -up openssh-8.0p1/sftp.c.original openssh-8.0p1/sftp.c
+--- openssh-8.0p1/sftp.c.original	2020-12-22 17:05:02.105698989 +0900
++++ openssh-8.0p1/sftp.c	2020-12-22 17:05:42.922035780 +0900
+@@ -937,7 +937,11 @@ sglob_comp(const void *aa, const void *b
+ 		return (rmul * strcmp(ap, bp));
+ 	else if (sort_flag & LS_TIME_SORT) {
+ #if defined(HAVE_STRUCT_STAT_ST_MTIM)
+-		return (rmul * timespeccmp(&as->st_mtim, &bs->st_mtim, <));
++		if (timespeccmp(&as->st_mtim, &bs->st_mtim, <)){
++			return rmul;
++		} else {
++			return -rmul;
++		}
+ #elif defined(HAVE_STRUCT_STAT_ST_MTIME)
+ 		return (rmul * NCMP(as->st_mtime, bs->st_mtime));
+ #else

SPECS/openssh.spec

@@ -66,7 +66,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 5
+%global openssh_rel 7
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
 
@@ -230,6 +230,15 @@ Patch970: openssh-8.0p1-rdomain.patch
 # Do not fail X11 forwarding if IPv6 is disabled (#1662189)
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2143
 Patch971: openssh-8.0p1-x11-without-ipv6.patch
+# Client window fix (#1913041)
+Patch972: openssh-8.0p1-channel-limits.patch
+# SFTP sort upon the modification time (#1909988)
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3248
+Patch973: openssh-8.0p1-sftp-timespeccmp.patch
+# ssh-keygen printing fingerprint issue with Windows keys (#1901518)
+Patch974: openssh-8.0p1-keygen-strip-doseol.patch
+# sshd provides PAM an incorrect error code (#1879503)
+Patch975: openssh-8.0p1-preserve-pam-errors.patch
 
 License: BSD
 Group: Applications/Internet
@@ -448,6 +457,10 @@ popd
 %patch969 -p1 -b .keygen-sha2
 %patch970 -p1 -b .rdomain
 %patch971 -p1 -b .x11-ipv6
+%patch972 -p1 -b .channel-limits
+%patch973 -p1 -b .sftp-timespeccmp
+%patch974 -p1 -b .keygen-strip-doseol
+%patch975 -p1 -b .preserve-pam-errors
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -739,6 +752,17 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Fri Apr 09 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-7 + 0.10.3-7
+- SFTP sort upon the modification time (#1909988)
+- ssh-keygen printing fingerprint issue with Windows keys (#1901518)
+- PIN is lost when iterating over tokens when adding pkcs11 keys to ssh-agent (#1843372)
+- ssh-agent segfaults during ssh-add -s pkcs11 (#1868996)
+- ssh-copy-id could not resolve ipv6 address ends with colon (#1933517)
+- sshd provides PAM an incorrect error code (#1879503)
+
+* Tue Mar 16 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-6 + 0.10.3-7
+- Openssh client window fix (#1913041)
+
 * Tue Mar 24 2020 Jakub Jelen <jjelen@redhat.com> - 8.0p1-5 + 0.10.3-7
 - Do not print "no slots" warning by default (#1744220)
 - Unbreak connecting using gssapi through proxy commands (#1749862)