From 76b570ae7cb0550ba5c3023b8b6ba5dce7e5098f Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Mon, 21 Oct 2024 13:38:05 +0200
Subject: [PATCH] Allow duplicate Subsystem directive Resolves: RHEL-47112
---
 openssh-8.7p1-allow-duplicate-subsystem.patch | 32 +++++++++++++++++++
 openssh.spec | 5 +++
 2 files changed, 37 insertions(+)
 create mode 100644 openssh-8.7p1-allow-duplicate-subsystem.patch
diff --git a/openssh-8.7p1-allow-duplicate-subsystem.patch b/openssh-8.7p1-allow-duplicate-subsystem.patch
new file mode 100644
index 0000000..22fe73b
--- /dev/null
+++ b/openssh-8.7p1-allow-duplicate-subsystem.patch
@@ -0,0 +1,32 @@
+diff --git a/servconf.c b/servconf.c
+index e16f9e90fc71..a3779a9d86ee 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1942,13 +1942,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+ fatal("%s line %d: %s missing argument.",
+ filename, linenum, keyword);
+ if (!*activep) {
+- arg = argv_next(&ac, &av);
++ argv_consume(&ac);
++ break;
++ }
++ found = 0;
++ for (i = 0; i < options->num_subsystems; i++) {
++ if (strcmp(arg, options->subsystem_name[i]) == 0) {
++ found = 1;
++ break;
++ }
++ }
++ if (found) {
++ debug("%s line %d: Subsystem '%s' already defined.",
++ filename, linenum, arg);
++ argv_consume(&ac);
+ break;
+ }
+- for (i = 0; i < options->num_subsystems; i++)
+- if (strcmp(arg, options->subsystem_name[i]) == 0)
+- fatal("%s line %d: Subsystem '%s' "
+- "already defined.", filename, linenum, arg);
+ options->subsystem_name[options->num_subsystems] = xstrdup(arg);
+ arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0')
diff --git a/openssh.spec b/openssh.spec
index 0b4918e..2595256 100644
--- a/openssh.spec
+++ b/openssh.spec
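Review bot: In the `if (found)` branch of the servconf.c hunk, a repeated `Subsystem` line is dropped with only `debug(...)`, so at the default log level nothing tells the administrator which definition is in effect. Because the first definition now wins, a stricter `Subsystem` line placed after an `Include` that already defines the same name is silently ignored rather than rejected at startup as before. I would log this at a visible level, e.g. `logit("%s line %d: Subsystem '%s' already defined, ignoring.", filename, linenum, arg);`, and add a comment above the loop stating that the first definition takes precedence. The enclosing `case` in `process_server_config_line_depth` starts and ends outside the hunk, and the declaration of `found` is not visible here.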
@@ -295,6 +295,8 @@ Patch1020: openssh-8.7p1-sigpipe.patch Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch Patch1022: openssh-8.7p1-redhat-help.patch Patch1023: openssh-8.7p1-openssl-log.patch +#upstream commit 52dfe3c72d98503d8b7c6f64fc7e19d685636c0b +Patch1024: openssh-8.7p1-allow-duplicate-subsystem.patch License: BSD Requires: /sbin/nologin @@ -523,6 +525,7 @@ popd %patch1021 -p1 -b .cve-2024-6387 %patch1022 -p1 -b .redhat-help %patch1023 -p1 -b .openssl-log +%patch1024 -p1 -b .allow-dup-subsystem autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -815,6 +818,8 @@ test -f %{sysconfig_anaconda} && \ Resolves: RHEL-33809 - Provide details on crypto error instead of "error in libcrypto" Resolves: RHEL-52293 +- Allow duplicate Subsystem directive + Resolves: RHEL-47112 * Tue Jul 09 2024 Dmitry Belyavskiy - 8.7p1-43 - Possible remote code execution due to a race condition (CVE-2024-6409)