Whitelist /usr/lib64/ for PKCS#11 modules
This commit is contained in:
parent
6cf9b8e61b
commit
58f79a27c3
24
openssh-7.4p1-pkcs11-whitelist.patch
Normal file
24
openssh-7.4p1-pkcs11-whitelist.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
diff -up openssh-7.4p1/ssh-agent.1.pkcs11-whitelist openssh-7.4p1/ssh-agent.1
|
||||||
|
--- openssh-7.4p1/ssh-agent.1.pkcs11-whitelist 2017-01-03 10:41:01.916331710 +0100
|
||||||
|
+++ openssh-7.4p1/ssh-agent.1 2017-01-03 10:40:06.549366029 +0100
|
||||||
|
@@ -129,7 +129,7 @@ that may be added using the
|
||||||
|
option to
|
||||||
|
.Xr ssh-add 1 .
|
||||||
|
The default is to allow loading PKCS#11 libraries from
|
||||||
|
-.Dq /usr/lib/*,/usr/local/lib/* .
|
||||||
|
+.Dq /usr/lib*/*,/usr/local/lib*/* .
|
||||||
|
PKCS#11 libraries that do not match the whitelist will be refused.
|
||||||
|
See PATTERNS in
|
||||||
|
.Xr ssh_config 5
|
||||||
|
diff -up openssh-7.4p1/ssh-agent.c.pkcs11-whitelist openssh-7.4p1/ssh-agent.c
|
||||||
|
--- openssh-7.4p1/ssh-agent.c.pkcs11-whitelist 2017-01-03 10:41:09.324327118 +0100
|
||||||
|
+++ openssh-7.4p1/ssh-agent.c 2017-01-03 10:40:21.212356939 +0100
|
||||||
|
@@ -89,7 +89,7 @@
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifndef DEFAULT_PKCS11_WHITELIST
|
||||||
|
-# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
|
||||||
|
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
typedef enum {
|
@ -227,6 +227,8 @@ Patch942: openssh-7.2p2-chroot-capabilities.patch
|
|||||||
Patch944: openssh-7.3p1-x11-max-displays.patch
|
Patch944: openssh-7.3p1-x11-max-displays.patch
|
||||||
# Temporary workaround for upstream (#2641)
|
# Temporary workaround for upstream (#2641)
|
||||||
Patch945: openssh-7.4p1-daemon.patch
|
Patch945: openssh-7.4p1-daemon.patch
|
||||||
|
# Whitelist /usr/lib*/ as planed upstream to prevent breakage
|
||||||
|
Patch946: openssh-7.4p1-pkcs11-whitelist.patch
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
@ -461,6 +463,7 @@ popd
|
|||||||
%patch942 -p1 -b .chroot-cap
|
%patch942 -p1 -b .chroot-cap
|
||||||
%patch944 -p1 -b .x11max
|
%patch944 -p1 -b .x11max
|
||||||
%patch945 -p1 -b .daemon
|
%patch945 -p1 -b .daemon
|
||||||
|
%patch946 -p1 -b .pkcs11-whitelist
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
|
Loading…
Reference in New Issue
Block a user