- set FD_CLOEXEC on channel sockets (#475866)

- adjust summary - adjust nss-keys patch so it is applicable without selinux patches (#470859)
2008-12-11 21:48:41 +00:00 · 2008-12-11 21:48:41 +00:00 · 9e5c6ecd02
commit 9e5c6ecd02
parent b9a07ad737
3 changed files with 77 additions and 45 deletions
--- a/openssh-5.1p1-cloexec.patch
+++ b/openssh-5.1p1-cloexec.patch
@ -1,6 +1,36 @@
 diff -up openssh-5.1p1/channels.c.cloexec openssh-5.1p1/channels.c
 --- openssh-5.1p1/channels.c.cloexec	2008-12-11 22:24:49.000000000 +0100
 +++ openssh-5.1p1/channels.c	2008-12-11 22:29:52.000000000 +0100
@@ -60,6 +60,7 @@
 #include <termios.h>
 #include <unistd.h>
 #include <stdarg.h>
 +#include <fcntl.h>
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
@@ -230,6 +231,18 @@ channel_register_fds(Channel *c, int rfd
 	/* XXX set close-on-exec -markus */
 +	if (rfd != -1) {
 +		fcntl(rfd, F_SETFD, FD_CLOEXEC);
 +	}
 +
 +	if (wfd != -1 && wfd != rfd) {
 +		fcntl(wfd, F_SETFD, FD_CLOEXEC);
 +	}
 +
 +	if (efd != -1 && efd != rfd && efd != wfd) {
 +		fcntl(efd, F_SETFD, FD_CLOEXEC);
 +	}
 +
 	c->rfd = rfd;
 	c->wfd = wfd;
 	c->sock = (rfd == wfd) ? rfd : -1;
 diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
--- openssh-5.1p1/sshconnect2.c.cloexec	2008-07-23 15:21:23.000000000 +0200
+--- openssh-5.1p1/sshconnect2.c.cloexec	2008-12-11 22:24:49.000000000 +0100
-+++ openssh-5.1p1/sshconnect2.c	2008-07-23 15:23:19.000000000 +0200
+++ openssh-5.1p1/sshconnect2.c	2008-12-11 22:24:49.000000000 +0100
@@ -38,6 +38,7 @@
 #include <stdio.h>
 #include <string.h>
@ -19,7 +49,7 @@ diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
 		if (dup2(from[1], STDOUT_FILENO) < 0)
 diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
 --- openssh-5.1p1/sshconnect.c.cloexec	2008-07-02 14:34:30.000000000 +0200
-+++ openssh-5.1p1/sshconnect.c	2008-07-23 15:21:23.000000000 +0200
+++ openssh-5.1p1/sshconnect.c	2008-12-11 22:24:49.000000000 +0100
@@ -38,6 +38,7 @@
 #include <stdlib.h>
 #include <string.h>
--- a/openssh-5.1p1-nss-keys.patch
+++ b/openssh-5.1p1-nss-keys.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.1p1/key.c.nss-keys openssh-5.1p1/key.c
 --- openssh-5.1p1/key.c.nss-keys	2008-07-11 09:35:09.000000000 +0200
-+++ openssh-5.1p1/key.c	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/key.c	2008-11-18 19:11:41.000000000 +0100
@@ -96,6 +96,54 @@ key_new(int type)
 	return k;
 }
@ -78,7 +78,7 @@ diff -up openssh-5.1p1/key.c.nss-keys openssh-5.1p1/key.c
 diff -up openssh-5.1p1/ssh-dss.c.nss-keys openssh-5.1p1/ssh-dss.c
 --- openssh-5.1p1/ssh-dss.c.nss-keys	2006-11-07 13:14:42.000000000 +0100
-+++ openssh-5.1p1/ssh-dss.c	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/ssh-dss.c	2008-11-18 19:11:41.000000000 +0100
@@ -39,6 +39,10 @@
 #include "log.h"
 #include "key.h"
@ -138,7 +138,7 @@ diff -up openssh-5.1p1/ssh-dss.c.nss-keys openssh-5.1p1/ssh-dss.c
 			*lenp = SIGBLOB_LEN;
 diff -up openssh-5.1p1/ssh-agent.c.nss-keys openssh-5.1p1/ssh-agent.c
 --- openssh-5.1p1/ssh-agent.c.nss-keys	2008-07-04 15:10:49.000000000 +0200
-+++ openssh-5.1p1/ssh-agent.c	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/ssh-agent.c	2008-11-18 19:11:41.000000000 +0100
@@ -80,6 +80,10 @@
 #include "scard.h"
 #endif
@ -283,7 +283,7 @@ diff -up openssh-5.1p1/ssh-agent.c.nss-keys openssh-5.1p1/ssh-agent.c
 		error("Unknown message %d", type);
 diff -up openssh-5.1p1/authfd.h.nss-keys openssh-5.1p1/authfd.h
 --- openssh-5.1p1/authfd.h.nss-keys	2006-08-05 04:39:39.000000000 +0200
-+++ openssh-5.1p1/authfd.h	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/authfd.h	2008-11-18 19:11:41.000000000 +0100
@@ -49,6 +49,12 @@
 #define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
@ -307,10 +307,10 @@ diff -up openssh-5.1p1/authfd.h.nss-keys openssh-5.1p1/authfd.h
 int
 ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
 diff -up openssh-5.1p1/configure.ac.nss-keys openssh-5.1p1/configure.ac
--- openssh-5.1p1/configure.ac.nss-keys	2008-07-23 19:16:00.000000000 +0200
+--- openssh-5.1p1/configure.ac.nss-keys	2008-11-18 19:11:41.000000000 +0100
-+++ openssh-5.1p1/configure.ac	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/configure.ac	2008-11-18 19:12:38.000000000 +0100
-@@ -3328,6 +3328,20 @@ AC_ARG_WITH(linux-audit,
+@@ -3436,6 +3436,20 @@ AC_ARG_WITH(kerberos5,
- 	fi ]
+ 	]
 )
 +# Check whether user wants NSS support
@ -327,20 +327,20 @@ diff -up openssh-5.1p1/configure.ac.nss-keys openssh-5.1p1/configure.ac
 +	])
 +AC_SUBST(LIBNSS)
 +
- # Check whether user wants Kerberos 5 support
+ # Looking for programs, paths and files
- KRB5_MSG="no"
+ 
- AC_ARG_WITH(kerberos5,
+ PRIVSEP_PATH=/var/empty
-@@ -4157,6 +4171,7 @@ echo "                   OSF SIA support
+@@ -4163,6 +4177,7 @@ echo "              TCP Wrappers support
- echo "                 KerberosV support: $KRB5_MSG"
+ echo "              MD5 password support: $MD5_MSG"
- echo "                   SELinux support: $SELINUX_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
- echo "               Linux audit support: $LINUX_AUDIT_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
 +echo "                       NSS support: $LIBNSS_MSG"
- echo "                 Smartcard support: $SCARD_MSG"
+ echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
- echo "                     S/KEY support: $SKEY_MSG"
+ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
- echo "              TCP Wrappers support: $TCPW_MSG"
+ echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff -up /dev/null openssh-5.1p1/README.nss
--- /dev/null	2008-07-15 11:15:04.125063641 +0200
+--- /dev/null	2008-11-17 17:51:52.160001870 +0100
-+++ openssh-5.1p1/README.nss	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/README.nss	2008-11-18 19:11:41.000000000 +0100
@@ -0,0 +1,36 @@
 +How to use NSS tokens with OpenSSH?
 +
@ -380,7 +380,7 @@ diff -up /dev/null openssh-5.1p1/README.nss
 +	$ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID'
 diff -up openssh-5.1p1/authfd.c.nss-keys openssh-5.1p1/authfd.c
 --- openssh-5.1p1/authfd.c.nss-keys	2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.1p1/authfd.c	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/authfd.c	2008-11-18 19:11:41.000000000 +0100
@@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection
 	return decode_reply(type);
 }
@ -429,7 +429,7 @@ diff -up openssh-5.1p1/authfd.c.nss-keys openssh-5.1p1/authfd.c
  * by normal applications.
 diff -up openssh-5.1p1/readconf.h.nss-keys openssh-5.1p1/readconf.h
 --- openssh-5.1p1/readconf.h.nss-keys	2008-06-29 16:04:03.000000000 +0200
-+++ openssh-5.1p1/readconf.h	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/readconf.h	2008-11-18 19:11:41.000000000 +0100
@@ -84,6 +84,8 @@ typedef struct {
 	char   *preferred_authentications;
 	char   *bind_address;	/* local socket address for connection to sshd */
@ -440,8 +440,8 @@ diff -up openssh-5.1p1/readconf.h.nss-keys openssh-5.1p1/readconf.h
 	int     num_identity_files;	/* Number of files for RSA/DSA identities. */
 diff -up /dev/null openssh-5.1p1/nsskeys.c
--- /dev/null	2008-07-15 11:15:04.125063641 +0200
+--- /dev/null	2008-11-17 17:51:52.160001870 +0100
-+++ openssh-5.1p1/nsskeys.c	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/nsskeys.c	2008-11-18 19:11:41.000000000 +0100
@@ -0,0 +1,327 @@
 +/*
 + * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@ -772,7 +772,7 @@ diff -up /dev/null openssh-5.1p1/nsskeys.c
 +#endif /* HAVE_LIBNSS */
 diff -up openssh-5.1p1/ssh.c.nss-keys openssh-5.1p1/ssh.c
 --- openssh-5.1p1/ssh.c.nss-keys	2008-07-04 04:53:50.000000000 +0200
-+++ openssh-5.1p1/ssh.c	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/ssh.c	2008-11-18 19:11:41.000000000 +0100
@@ -104,6 +104,9 @@
 #ifdef SMARTCARD
 #include "scard.h"
@ -825,8 +825,8 @@ diff -up openssh-5.1p1/ssh.c.nss-keys openssh-5.1p1/ssh.c
 		fatal("load_public_identity_files: getpwuid failed");
 	pwname = xstrdup(pw->pw_name);
 diff -up /dev/null openssh-5.1p1/nsskeys.h
--- /dev/null	2008-07-15 11:15:04.125063641 +0200
+--- /dev/null	2008-11-17 17:51:52.160001870 +0100
-+++ openssh-5.1p1/nsskeys.h	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/nsskeys.h	2008-11-18 19:11:41.000000000 +0100
@@ -0,0 +1,39 @@
 +/*
 + * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@ -869,7 +869,7 @@ diff -up /dev/null openssh-5.1p1/nsskeys.h
 +#endif
 diff -up openssh-5.1p1/Makefile.in.nss-keys openssh-5.1p1/Makefile.in
 --- openssh-5.1p1/Makefile.in.nss-keys	2008-07-08 16:21:12.000000000 +0200
-+++ openssh-5.1p1/Makefile.in	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/Makefile.in	2008-11-18 19:11:41.000000000 +0100
@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
@ -881,7 +881,7 @@ diff -up openssh-5.1p1/Makefile.in.nss-keys openssh-5.1p1/Makefile.in
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o
 diff -up openssh-5.1p1/key.h.nss-keys openssh-5.1p1/key.h
 --- openssh-5.1p1/key.h.nss-keys	2008-06-12 20:40:35.000000000 +0200
-+++ openssh-5.1p1/key.h	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/key.h	2008-11-18 19:11:41.000000000 +0100
@@ -29,11 +29,17 @@
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
@ -933,7 +933,7 @@ diff -up openssh-5.1p1/key.h.nss-keys openssh-5.1p1/key.h
 int		 key_equal(const Key *, const Key *);
 diff -up openssh-5.1p1/ssh-add.c.nss-keys openssh-5.1p1/ssh-add.c
 --- openssh-5.1p1/ssh-add.c.nss-keys	2008-02-28 09:13:52.000000000 +0100
-+++ openssh-5.1p1/ssh-add.c	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/ssh-add.c	2008-11-18 19:11:41.000000000 +0100
@@ -44,6 +44,14 @@
 #include <openssl/evp.h>
 #include "openbsd-compat/openssl-compat.h"
@ -1162,7 +1162,7 @@ diff -up openssh-5.1p1/ssh-add.c.nss-keys openssh-5.1p1/ssh-add.c
 		struct passwd *pw;
 diff -up openssh-5.1p1/ssh-rsa.c.nss-keys openssh-5.1p1/ssh-rsa.c
 --- openssh-5.1p1/ssh-rsa.c.nss-keys	2006-09-01 07:38:37.000000000 +0200
-+++ openssh-5.1p1/ssh-rsa.c	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/ssh-rsa.c	2008-11-18 19:11:41.000000000 +0100
@@ -32,6 +32,10 @@
 #include "compat.h"
 #include "ssh.h"
@ -1235,7 +1235,7 @@ diff -up openssh-5.1p1/ssh-rsa.c.nss-keys openssh-5.1p1/ssh-rsa.c
 	buffer_put_cstring(&b, "ssh-rsa");
 diff -up openssh-5.1p1/ssh-keygen.c.nss-keys openssh-5.1p1/ssh-keygen.c
 --- openssh-5.1p1/ssh-keygen.c.nss-keys	2008-07-14 03:28:29.000000000 +0200
-+++ openssh-5.1p1/ssh-keygen.c	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/ssh-keygen.c	2008-11-18 19:11:41.000000000 +0100
@@ -53,6 +53,11 @@
 #include "scard.h"
 #endif
@ -1339,7 +1339,7 @@ diff -up openssh-5.1p1/ssh-keygen.c.nss-keys openssh-5.1p1/ssh-keygen.c
 		if (download)
 diff -up openssh-5.1p1/readconf.c.nss-keys openssh-5.1p1/readconf.c
 --- openssh-5.1p1/readconf.c.nss-keys	2008-06-29 16:04:03.000000000 +0200
-+++ openssh-5.1p1/readconf.c	2008-07-23 19:16:00.000000000 +0200
+++ openssh-5.1p1/readconf.c	2008-11-18 19:11:41.000000000 +0100
@@ -124,6 +124,7 @@ typedef enum {
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
--- a/openssh.spec
+++ b/openssh.spec
@ -60,10 +60,10 @@
 %define libedit 0
 %endif
-Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
+Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.1p1
-Release: 3%{?dist}%{?rescue_rel}
+Release: 4%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -148,12 +148,12 @@ BuildRequires: audit-libs >= 1.0.8
 BuildRequires: xauth
 %package clients
-Summary: The OpenSSH client applications
+Summary: An open source SSH client applications
 Requires: openssh = %{version}-%{release}
 Group: Applications/Internet
 %package server
-Summary: The OpenSSH server daemon
+Summary: An open source SSH server daemon
 Group: System Environment/Daemons
 Requires: openssh = %{version}-%{release}
 Requires(post): chkconfig >= 0.9, /sbin/service
@ -175,8 +175,7 @@ untrusted hosts over an insecure network. X11 connections and
 arbitrary TCP/IP ports can also be forwarded over the secure channel.
 OpenSSH is OpenBSD's version of the last free version of SSH, bringing
-it up to date in terms of security and features, as well as removing
+it up to date in terms of security and features.
 all patented algorithms to separate libraries.
 This package includes the core files necessary for both the OpenSSH
 client and server. To make this package useful, you should also
@ -186,14 +185,12 @@ install openssh-clients, openssh-server, or both.
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package includes
 the clients necessary to make encrypted connections to SSH servers.
 You'll also need to install the openssh package on OpenSSH clients.
 %description server
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package contains
 the secure shell daemon (sshd). The sshd daemon allows SSH clients to
-securely connect to your SSH server. You also need to have the openssh
+securely connect to your SSH server.
 package installed.
 %description askpass
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
@ -482,6 +479,11 @@ fi
 %endif
 %changelog
 * Thu Dec 11 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-4
 - set FD_CLOEXEC on channel sockets (#475866)
 - adjust summary
 - adjust nss-keys patch so it is applicable without selinux patches (#470859)
 * Fri Oct 17 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-3
 - fix compatibility with some servers (#466818)