- set FD_CLOEXEC on client socket
- apply real fix for window size problem (#286181) from upstream
- apply fix for the spurious failed bind from upstream
- apply fix for the open handle leak in sftp from upstream
parent
91bdf496cd
commit
2cb0e73a4e
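--- a/openssh-4.7p1-cloexec.patch
+++ b/openssh-4.7p1-cloexec.patch
@@ -0,0 +1,24 @@
+diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c
+--- openssh-4.7p1/sshconnect.c.cloexec 2006-10-23 19:02:24.000000000 +0200
++++ openssh-4.7p1/sshconnect.c 2008-02-05 23:14:28.000000000 +0100
+@@ -38,6 +38,7 @@
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
++#include <fcntl.h>
+
+#include "xmalloc.h"
+#include "key.h"
+@@ -189,8 +190,11 @@ ssh_create_socket(int privileged, struct
+return sock;
+}
+sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+- if (sock < 0)
++ if (sock < 0) {
+error("socket: %.100s", strerror(errno));
++ return -1;
++ }
++ fcntl(sock, F_SETFD, FD_CLOEXEC);
+
+/* Bind the socket to an alternative local IP address */
+if (options.bind_address == NULL)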
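Review bot: The added `fcntl(sock, F_SETFD, FD_CLOEXEC);` discards its return value, so if the call fails the client socket stays inheritable by any program the client later execs and nothing is logged. Check and report it, for example `if (fcntl(sock, F_SETFD, FD_CLOEXEC) == -1) error("fcntl F_SETFD: %.100s", strerror(errno));`. The flag is also set only on the `socket()` path: the `return sock;` at the top of the hunk, which appears to belong to the privileged-port branch, leaves before this line, so a descriptor created there would not be marked close-on-exec. ssh_create_socket starts and ends outside the hunk, so that second point should be confirmed against the full function.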
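--- a/openssh-4.7p1-packetdefsize.patch
+++ b/openssh-4.7p1-packetdefsize.patch
@@ -0,0 +1,25 @@
+Index: clientloop.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh/clientloop.c,v
+retrieving revision 1.170
+diff -u -p -r1.170 clientloop.c
+--- clientloop.c 28 Dec 2007 15:45:07 -0000 1.170
++++ clientloop.c 28 Dec 2007 18:14:10 -0000
+@@ -1745,7 +1745,7 @@ client_request_forwarded_tcpip(const cha
+}
+c = channel_new("forwarded-tcpip",
+SSH_CHANNEL_CONNECTING, sock, sock, -1,
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
++ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+originator_address, 1);
+xfree(originator_address);
+xfree(listen_address);
+@@ -1803,7 +1803,7 @@ client_request_agent(const char *request
+return NULL;
+c = channel_new("authentication agent connection",
+SSH_CHANNEL_OPEN, sock, sock, -1,
+- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
++ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+"authentication agent connection", 1);
+c->force_drain = 1;
+return c;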
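Review bot: In client_request_agent the channel is now created with `CHAN_X11_WINDOW_DEFAULT` as the window and `CHAN_TCP_PACKET_DEFAULT` as the maximum packet size, and nothing in the hunk says why the two values come from different channel families. The defect being fixed was a window constant passed in the packet-size position, so a short comment at both `channel_new()` calls would make the argument order harder to get wrong again, for example `/* ..., window, maxpacket, ... */`. Whether the mixed X11/TCP pair is intended cannot be judged from these lines; both functions start and end outside the hunks.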
@ -1,18 +0,0 @@
|
||||
Written-by: Jan Kratochvil <jkratoch@redhat.com>
|
||||
Reviewed-by: Tomas Mraz <tmraz@redhat.com>
|
||||
|
||||
diff -up openssh-4.7p1/channels.h.revert-wsize openssh-4.7p1/channels.h
|
||||
--- openssh-4.7p1/channels.h.revert-wsize 2007-06-12 15:38:54.000000000 +0200
|
||||
+++ openssh-4.7p1/channels.h 2007-09-17 23:21:32.000000000 +0200
|
||||
@@ -122,9 +122,9 @@ struct Channel {
|
||||
|
||||
/* default window/packet sizes for tcp/x11-fwd-channel */
|
||||
#define CHAN_SES_PACKET_DEFAULT (32*1024)
|
||||
-#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
|
||||
+#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
|
||||
#define CHAN_TCP_PACKET_DEFAULT (32*1024)
|
||||
-#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
|
||||
+#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
|
||||
#define CHAN_X11_PACKET_DEFAULT (16*1024)
|
||||
#define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
|
||||
|
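--- a/openssh-4.7p1-sftp-doclose.patch
+++ b/openssh-4.7p1-sftp-doclose.patch
@@ -0,0 +1,13 @@
+Without this do_close() I get "Couldn't get handle: Failure"
+on every operation after N times through this failure path
+where N = 100 on OpenBSD and N = 200 on GNU/Linux.
+--- src/usr.bin/ssh/sftp-client.c.orig Sun Sep 16 00:55:52 2007
++++ src/usr.bin/ssh/sftp-client.c Mon Oct 15 10:12:50 2007
+@@ -813,6 +813,7 @@ do_download(struct sftp_conn *conn, char
+if (local_fd == -1) {
+error("Couldn't open local file \"%s\" for writing: %s",
+local_path, strerror(errno));
++ do_close(conn, handle, handle_len);
+buffer_free(&msg);
+xfree(handle);
+return(-1);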
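Review bot: The added `do_close(conn, handle, handle_len);` carries no comment in the code, so the reason for it lives only in the patch header. A one-line comment such as `/* also release the remote handle, or repeated failures exhaust the server's handle table */` would keep a later edit of this error path from dropping the call. Discarding the result of do_close is reasonable on a path that already returns -1. Other early returns in do_download between obtaining the handle and the normal close are not visible in this hunk and may need the same call.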
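--- a/openssh-4.7p1-sshd-v6only.patch
+++ b/openssh-4.7p1-sshd-v6only.patch
@@ -0,0 +1,30 @@
+--- sshd.c 2007-06-05 01:22:32.000000000 -0700
++++ sshd.c.new 2007-11-17 00:07:08.000000000 -0800
+@@ -971,12 +971,27 @@
+}
+/*
+* Set socket options.
++ */
++
++ /*
+* Allow local port reuse in TIME_WAIT.
+*/
+if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
+&on, sizeof(on)) == -1)
+error("setsockopt SO_REUSEADDR: %s", strerror(errno));
+
++#ifdef IPV6_V6ONLY
++ if (ai->ai_family == AF_INET6) {
++ /*
++ * Only communicate in IPv6 over AF_INET6 sockets.
++ */
++ if (setsockopt(listen_sock, IPPROTO_IPV6, IPV6_V6ONLY,
++ &on, sizeof(on)) == -1)
++ error("setsockopt IPV6_V6ONLY: %s",
++ strerror(errno));
++ }
++#endif
++
+debug("Bind to port %s on %s.", strport, ntop);
+
+/* Bind the socket to the desired port. */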
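Review bot: When the `IPV6_V6ONLY` setsockopt fails, the new code only calls `error()` and then goes on to bind, so the AF_INET6 listener stays dual-stack. In that state IPv4 peers can arrive on it as v4-mapped addresses, which matters for any address-based matching or logging downstream, and the separate AF_INET bind can still collide with it. Either state in the comment that the failure is deliberately tolerated, e.g. `/* best effort: on failure the socket stays dual-stack */`, or give up on this address after logging. The hunk also leaves an empty `Set socket options.` comment block ahead of the `SO_REUSEADDR` comment. The enclosing loop and the declaration of `on` are outside the hunk.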
19
openssh.spec
19
openssh.spec
@ -63,7 +63,7 @@
|
||||
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
Version: 4.7p1
|
||||
Release: 8%{?dist}%{?rescue_rel}
|
||||
Release: 9%{?dist}%{?rescue_rel}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
@ -95,8 +95,12 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch
|
||||
Patch49: openssh-4.3p2-gssapi-canohost.patch
|
||||
Patch51: openssh-4.7p1-nss-keys.patch
|
||||
Patch52: openssh-4.7p1-sftp-drain-acks.patch
|
||||
Patch53: openssh-4.7p1-revert-wsize.patch
|
||||
Patch53: openssh-4.7p1-packetdefsize.patch
|
||||
Patch54: openssh-4.7p1-gssapi-role.patch
|
||||
Patch55: openssh-4.7p1-cloexec.patch
|
||||
Patch56: openssh-4.7p1-sshd-v6only.patch
|
||||
Patch57: openssh-4.7p1-sftp-doclose.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
@ -230,8 +234,11 @@ an X11 passphrase dialog for OpenSSH.
|
||||
%patch49 -p1 -b .canohost
|
||||
%patch51 -p1 -b .nss-keys
|
||||
%patch52 -p1 -b .drain-acks
|
||||
%patch53 -p1 -b .revert-wsize
|
||||
%patch53 -p0 -b .defsize
|
||||
%patch54 -p0 -b .gssapi-role
|
||||
%patch55 -p1 -b .cloexec
|
||||
%patch56 -p0 -b .sshd-v6only
|
||||
%patch57 -p3 -b .doclose
|
||||
|
||||
autoreconf
|
||||
|
||||
@ -482,6 +489,12 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Feb 29 2008 Tomas Mraz <tmraz@redhat.com> - 4.7p1-9
|
||||
- set FD_CLOEXEC on client socket
|
||||
- apply real fix for window size problem (#286181) from upstream
|
||||
- apply fix for the spurious failed bind from upstream
|
||||
- apply open handle leak in sftp fix from upstream
|
||||
|
||||
* Tue Feb 12 2008 Dennis Gilmore <dennis@ausil.us> - 4.7p1-8
|
||||
- we build for sparcv9 now and it needs -fPIE
|
||||
|
||||
|