Apply ssh-keysign-pwn fix

SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch

@@ -0,0 +1,55 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] ptrace: require CAP_SYS_PTRACE when task has no mm
+
+kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
+("ptrace: slightly saner 'get_dumpable()' logic") posted at
+https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
+
+The upstream fix adds a 'user_dumpable:1' bit to task_struct and
+caches the last dumpability in exit_mm() so __ptrace_may_access()
+can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
+threads or already-exited user tasks). That layout change to
+task_struct breaks kABI on AlmaLinux 10 (the symtype
+signature of struct task_struct is referenced by hundreds of
+stablelist exports), so we cannot import the field/exit_mm hunks
+as-is.
+
+Take the minimal kABI-safe slice instead: when task->mm == NULL,
+require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
+the Qualys Security Advisory hole -- mm-less targets no longer pass
+the dumpability check by default -- without touching task_struct or
+exit.c. The only behavioural delta versus upstream is that a user
+task that has already cleared its mm in exit_mm() (a dying/zombie
+task) now also requires CAP_SYS_PTRACE to attach, instead of being
+remembered as previously dumpable. Such targets are rarely ptraced
+in practice.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.56.1.el10_1.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ kernel/ptrace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -339,8 +339,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ 	smp_rmb();
+ 	mm = task->mm;
+-	if (mm &&
+-	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
+-	     !ptrace_has_cap(mm->user_ns, mode)))
+-	    return -EPERM;
++	if (mm) {
++		if ((get_dumpable(mm) != SUID_DUMP_USER) &&
++		    !ptrace_has_cap(mm->user_ns, mode))
++			return -EPERM;
++	} else if (!ptrace_has_cap(&init_user_ns, mode)) {
++		return -EPERM;
++	}
+ 
+ 	return security_ptrace_access_check(task, mode);
+--
+2.43.0

SPECS/raspberrypi2.spec

@@ -60,6 +60,8 @@ Patch1101:     1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
 Patch1102:     1102-rxrpc-linearize-paged-frags.patch
 ## CVE-2026-46300: Fragnesia
 Patch1103:     1103-net-skbuff-propagate-shared-frag-marker.patch 
+## CVE-2026-46333: ssh-keysign-pwn
+Patch1104:     1104-ptrace-require-cap-on-mm-less-task.patch
 
 BuildRequires: kmod, patch, bash, coreutils, tar
 BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk
@@ -243,6 +245,7 @@ glibc package.
 %patch -P 1101 -p1
 %patch -P 1102 -p1
 %patch -P 1103 -p1
+%patch -P 1104 -p1
 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
 perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig
 perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig
@@ -549,6 +552,7 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %changelog
 * Thu May 14 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.6
 - net: skbuff: propagate shared-frag marker through pskb_copy() {CVE-2026-46300}
+- ptrace: require CAP_SYS_PTRACE when task has no mm {CVE-2026-46333}
 
 * Fri May 08 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.5
 - rxrpc: linearize incoming DATA packet when it has paged frags {CVE-2026-43500}