Whitelist /usr/lib64/ for PKCS#11 modules

This commit is contained in:
Jakub Jelen 2017-01-03 10:43:15 +01:00
parent 6cf9b8e61b
commit 58f79a27c3
2 changed files with 27 additions and 0 deletions


@ -0,0 +1,24 @@
diff -up openssh-7.4p1/ssh-agent.1.pkcs11-whitelist openssh-7.4p1/ssh-agent.1
--- openssh-7.4p1/ssh-agent.1.pkcs11-whitelist 2017-01-03 10:41:01.916331710 +0100
+++ openssh-7.4p1/ssh-agent.1 2017-01-03 10:40:06.549366029 +0100
@@ -129,7 +129,7 @@ that may be added using the
option to
.Xr ssh-add 1 .
The default is to allow loading PKCS#11 libraries from
-.Dq /usr/lib/*,/usr/local/lib/* .
+.Dq /usr/lib*/*,/usr/local/lib*/* .
PKCS#11 libraries that do not match the whitelist will be refused.
See PATTERNS in
.Xr ssh_config 5
diff -up openssh-7.4p1/ssh-agent.c.pkcs11-whitelist openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.pkcs11-whitelist 2017-01-03 10:41:09.324327118 +0100
+++ openssh-7.4p1/ssh-agent.c 2017-01-03 10:40:21.212356939 +0100
@@ -89,7 +89,7 @@
#endif
#ifndef DEFAULT_PKCS11_WHITELIST
-# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"
#endif
typedef enum {
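Review bot: The new default `"/usr/lib*/*,/usr/local/lib*/*"` in the ssh-agent.c hunk is wider than the commit title states: ssh's PATTERNS `*` is not stopped by `/`, so `/usr/lib*/*` also admits objects under `/usr/libexec/` or any other `/usr/lib…` directory, not only `/usr/lib64/`. This whitelist is the only control on which shared objects ssh-add may load into the agent, so it should be exactly as wide as the multilib layout requires; spelling the directories out keeps that explicit: `# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/lib64/*,/usr/local/lib/*,/usr/local/lib64/*"`, with the `.Dq` line in the ssh-agent.1 hunk of this same patch file changed to match. The hunk sits in the preprocessor block before `typedef enum {`, outside any function.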


@ -227,6 +227,8 @@ Patch942: openssh-7.2p2-chroot-capabilities.patch
Patch944: openssh-7.3p1-x11-max-displays.patch Patch944: openssh-7.3p1-x11-max-displays.patch
# Temporary workaround for upstream (#2641) # Temporary workaround for upstream (#2641)
Patch945: openssh-7.4p1-daemon.patch Patch945: openssh-7.4p1-daemon.patch
# Whitelist /usr/lib*/ as planed upstream to prevent breakage
Patch946: openssh-7.4p1-pkcs11-whitelist.patch
License: BSD License: BSD
@ -461,6 +463,7 @@ popd
%patch942 -p1 -b .chroot-cap %patch942 -p1 -b .chroot-cap
%patch944 -p1 -b .x11max %patch944 -p1 -b .x11max
%patch945 -p1 -b .daemon %patch945 -p1 -b .daemon
%patch946 -p1 -b .pkcs11-whitelist
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
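Review bot: The comment added above `Patch946:` in the first hunk, `# Whitelist /usr/lib*/ as planed upstream to prevent breakage`, misspells "planned" and gives a maintainer no way to find the upstream change it tracks, which matters for a patch that relaxes a security whitelist and should be dropped once upstream carries the equivalent. Suggested wording, with the reference filled in: `# Whitelist /usr/lib*/ as planned upstream (<UPSTREAM-REF>) to prevent breakage`. The `%patch946 -p1 -b .pkcs11-whitelist` line in the second hunk matches the `.pkcs11-whitelist` backup suffix used in the patch headers, so the apply step looks consistent.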