Resolve memory management issues after rebase
Related: RHEL-60564
parent
384febcdc2
commit
ebf2d5fd08
@ -1,106 +0,0 @@
|
|||||||
diff --color -ruNp a/audit-linux.c b/audit-linux.c
|
|
||||||
--- a/audit-linux.c 2024-05-09 12:38:08.843017319 +0200
|
|
||||||
+++ b/audit-linux.c 2024-05-09 12:47:05.162267634 +0200
|
|
||||||
@@ -52,7 +52,7 @@ extern u_int utmp_len;
|
|
||||||
const char *audit_username(void);
|
|
||||||
|
|
||||||
static void
|
|
||||||
-linux_audit_user_logxxx(int uid, const char *username,
|
|
||||||
+linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
|
|
||||||
const char *ip, const char *ttyn, int success, int event)
|
|
||||||
{
|
|
||||||
int audit_fd, rc, saved_errno;
|
|
||||||
@@ -66,7 +66,7 @@ linux_audit_user_logxxx(int uid, const c
|
|
||||||
}
|
|
||||||
rc = audit_log_acct_message(audit_fd, event,
|
|
||||||
NULL, "login", username ? username : "(unknown)",
|
|
||||||
- username == NULL ? uid : -1, NULL, ip, ttyn, success);
|
|
||||||
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
|
||||||
saved_errno = errno;
|
|
||||||
close(audit_fd);
|
|
||||||
|
|
||||||
@@ -181,9 +181,11 @@ audit_run_command(struct ssh *ssh, const
|
|
||||||
{
|
|
||||||
if (!user_login_count++)
|
|
||||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
|
||||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
|
||||||
ssh_remote_ipaddr(ssh),
|
|
||||||
"ssh", 1, AUDIT_USER_LOGIN);
|
|
||||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
|
||||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
|
||||||
ssh_remote_ipaddr(ssh),
|
|
||||||
"ssh", 1, AUDIT_USER_START);
|
|
||||||
return 0;
|
|
||||||
@@ -193,10 +195,12 @@ void
|
|
||||||
audit_end_command(struct ssh *ssh, int handle, const char *command)
|
|
||||||
{
|
|
||||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
|
||||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
|
||||||
ssh_remote_ipaddr(ssh),
|
|
||||||
"ssh", 1, AUDIT_USER_END);
|
|
||||||
if (user_login_count && !--user_login_count)
|
|
||||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
|
||||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
|
||||||
ssh_remote_ipaddr(ssh),
|
|
||||||
"ssh", 1, AUDIT_USER_LOGOUT);
|
|
||||||
}
|
|
||||||
@@ -211,19 +215,27 @@ void
|
|
||||||
audit_session_open(struct logininfo *li)
|
|
||||||
{
|
|
||||||
if (!user_login_count++)
|
|
||||||
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
|
||||||
+ linux_audit_user_logxxx(li->uid, NULL,
|
|
||||||
+ options.use_dns ? li->hostname : NULL,
|
|
||||||
+ options.use_dns ? NULL : li->hostname,
|
|
||||||
li->line, 1, AUDIT_USER_LOGIN);
|
|
||||||
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
|
||||||
+ linux_audit_user_logxxx(li->uid, NULL,
|
|
||||||
+ options.use_dns ? li->hostname : NULL,
|
|
||||||
+ options.use_dns ? NULL : li->hostname,
|
|
||||||
li->line, 1, AUDIT_USER_START);
|
|
||||||
}
|
|
||||||
|
|
||||||
void
|
|
||||||
audit_session_close(struct logininfo *li)
|
|
||||||
{
|
|
||||||
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
|
||||||
+ linux_audit_user_logxxx(li->uid, NULL,
|
|
||||||
+ options.use_dns ? li->hostname : NULL,
|
|
||||||
+ options.use_dns ? NULL : li->hostname,
|
|
||||||
li->line, 1, AUDIT_USER_END);
|
|
||||||
if (user_login_count && !--user_login_count)
|
|
||||||
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
|
||||||
+ linux_audit_user_logxxx(li->uid, NULL,
|
|
||||||
+ options.use_dns ? li->hostname : NULL,
|
|
||||||
+ options.use_dns ? NULL : li->hostname,
|
|
||||||
li->line, 1, AUDIT_USER_LOGOUT);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -236,6 +248,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
|
|
||||||
linux_audit_user_auth(-1, audit_username(),
|
|
||||||
ssh_remote_ipaddr(ssh), "ssh", 0, event);
|
|
||||||
linux_audit_user_logxxx(-1, audit_username(),
|
|
||||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
|
||||||
ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
|
||||||
break;
|
|
||||||
case SSH_AUTH_FAIL_PASSWD:
|
|
||||||
@@ -254,9 +267,11 @@ audit_event(struct ssh *ssh, ssh_audit_e
|
|
||||||
if (user_login_count) {
|
|
||||||
while (user_login_count--)
|
|
||||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
|
||||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
|
||||||
ssh_remote_ipaddr(ssh),
|
|
||||||
"ssh", 1, AUDIT_USER_END);
|
|
||||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
|
||||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
|
||||||
ssh_remote_ipaddr(ssh),
|
|
||||||
"ssh", 1, AUDIT_USER_LOGOUT);
|
|
||||||
}
|
|
||||||
@@ -265,6 +280,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
|
|
||||||
case SSH_CONNECTION_ABANDON:
|
|
||||||
case SSH_INVALID_USER:
|
|
||||||
linux_audit_user_logxxx(-1, audit_username(),
|
|
||||||
+ options.use_dns ? remote_hostname(ssh) : NULL,
|
|
||||||
ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
|
||||||
break;
|
|
||||||
default:
|
|
@ -52,9 +52,27 @@ diff -up openssh-9.0p1/audit.h.patch openssh-9.0p1/audit.h
|
|||||||
void audit_key(struct ssh *, int, int *, const struct sshkey *);
|
void audit_key(struct ssh *, int, int *, const struct sshkey *);
|
||||||
void audit_unsupported(struct ssh *, int);
|
void audit_unsupported(struct ssh *, int);
|
||||||
void audit_kex(struct ssh *, int, char *, char *, char *, char *);
|
void audit_kex(struct ssh *, int, char *, char *, char *, char *);
|
||||||
diff -up openssh-9.0p1/audit-linux.c.patch openssh-9.0p1/audit-linux.c
|
diff -up openssh-9.9p1/audit-linux.c.xxx openssh-9.9p1/audit-linux.c
|
||||||
--- openssh-9.0p1/audit-linux.c.patch 2022-10-24 15:02:16.544858331 +0200
|
--- openssh-9.9p1/audit-linux.c.xxx 2024-10-15 11:49:48.092151974 +0200
|
||||||
+++ openssh-9.0p1/audit-linux.c 2022-10-24 15:21:58.165303951 +0200
|
+++ openssh-9.9p1/audit-linux.c 2024-10-15 12:08:17.179158343 +0200
|
||||||
|
@@ -52,7 +52,7 @@ extern u_int utmp_len;
|
||||||
|
const char *audit_username(void);
|
||||||
|
|
||||||
|
static void
|
||||||
|
-linux_audit_user_logxxx(int uid, const char *username,
|
||||||
|
+linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
|
||||||
|
const char *ip, const char *ttyn, int success, int event)
|
||||||
|
{
|
||||||
|
int audit_fd, rc, saved_errno;
|
||||||
|
@@ -66,7 +66,7 @@ linux_audit_user_logxxx(int uid, const c
|
||||||
|
}
|
||||||
|
rc = audit_log_acct_message(audit_fd, event,
|
||||||
|
NULL, "login", username ? username : "(unknown)",
|
||||||
|
- username == NULL ? uid : -1, NULL, ip, ttyn, success);
|
||||||
|
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||||
|
saved_errno = errno;
|
||||||
|
close(audit_fd);
|
||||||
|
|
||||||
@@ -137,10 +137,12 @@ fatal_report:
|
@@ -137,10 +137,12 @@ fatal_report:
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -117,3 +135,112 @@ diff -up openssh-9.0p1/audit-linux.c.patch openssh-9.0p1/audit-linux.c
|
|||||||
out:
|
out:
|
||||||
saved_errno = errno;
|
saved_errno = errno;
|
||||||
audit_close(audit_fd);
|
audit_close(audit_fd);
|
||||||
|
@@ -179,26 +211,34 @@ audit_connection_from(const char *host,
|
||||||
|
int
|
||||||
|
audit_run_command(struct ssh *ssh, const char *command)
|
||||||
|
{
|
||||||
|
+ char * audit_hostname = options.use_dns ? remote_hostname(ssh) : NULL;
|
||||||
|
if (!user_login_count++)
|
||||||
|
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
|
+ audit_hostname,
|
||||||
|
ssh_remote_ipaddr(ssh),
|
||||||
|
"ssh", 1, AUDIT_USER_LOGIN);
|
||||||
|
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
|
+ audit_hostname,
|
||||||
|
ssh_remote_ipaddr(ssh),
|
||||||
|
"ssh", 1, AUDIT_USER_START);
|
||||||
|
+ free(audit_hostname);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
audit_end_command(struct ssh *ssh, int handle, const char *command)
|
||||||
|
{
|
||||||
|
+ char * audit_hostname = options.use_dns ? remote_hostname(ssh) : NULL;
|
||||||
|
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
|
+ audit_hostname,
|
||||||
|
ssh_remote_ipaddr(ssh),
|
||||||
|
"ssh", 1, AUDIT_USER_END);
|
||||||
|
if (user_login_count && !--user_login_count)
|
||||||
|
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
|
+ audit_hostname,
|
||||||
|
ssh_remote_ipaddr(ssh),
|
||||||
|
"ssh", 1, AUDIT_USER_LOGOUT);
|
||||||
|
+ free(audit_hostname);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
@@ -211,31 +251,41 @@ void
|
||||||
|
audit_session_open(struct logininfo *li)
|
||||||
|
{
|
||||||
|
if (!user_login_count++)
|
||||||
|
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||||
|
+ linux_audit_user_logxxx(li->uid, NULL,
|
||||||
|
+ options.use_dns ? li->hostname : NULL,
|
||||||
|
+ options.use_dns ? NULL : li->hostname,
|
||||||
|
li->line, 1, AUDIT_USER_LOGIN);
|
||||||
|
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||||
|
+ linux_audit_user_logxxx(li->uid, NULL,
|
||||||
|
+ options.use_dns ? li->hostname : NULL,
|
||||||
|
+ options.use_dns ? NULL : li->hostname,
|
||||||
|
li->line, 1, AUDIT_USER_START);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
audit_session_close(struct logininfo *li)
|
||||||
|
{
|
||||||
|
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||||
|
+ linux_audit_user_logxxx(li->uid, NULL,
|
||||||
|
+ options.use_dns ? li->hostname : NULL,
|
||||||
|
+ options.use_dns ? NULL : li->hostname,
|
||||||
|
li->line, 1, AUDIT_USER_END);
|
||||||
|
if (user_login_count && !--user_login_count)
|
||||||
|
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||||
|
+ linux_audit_user_logxxx(li->uid, NULL,
|
||||||
|
+ options.use_dns ? li->hostname : NULL,
|
||||||
|
+ options.use_dns ? NULL : li->hostname,
|
||||||
|
li->line, 1, AUDIT_USER_LOGOUT);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
audit_event(struct ssh *ssh, ssh_audit_event_t event)
|
||||||
|
{
|
||||||
|
+ char * audit_hostname = options.use_dns ? remote_hostname(ssh) : NULL;
|
||||||
|
+
|
||||||
|
switch(event) {
|
||||||
|
case SSH_NOLOGIN:
|
||||||
|
case SSH_LOGIN_ROOT_DENIED:
|
||||||
|
linux_audit_user_auth(-1, audit_username(),
|
||||||
|
ssh_remote_ipaddr(ssh), "ssh", 0, event);
|
||||||
|
- linux_audit_user_logxxx(-1, audit_username(),
|
||||||
|
+ linux_audit_user_logxxx(-1, audit_username(), audit_hostname,
|
||||||
|
ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
||||||
|
break;
|
||||||
|
case SSH_AUTH_FAIL_PASSWD:
|
||||||
|
@@ -255,9 +305,11 @@ audit_event(struct ssh *ssh, ssh_audit_e
|
||||||
|
if (user_login_count) {
|
||||||
|
while (user_login_count--)
|
||||||
|
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
|
+ audit_hostname,
|
||||||
|
ssh_remote_ipaddr(ssh),
|
||||||
|
"ssh", 1, AUDIT_USER_END);
|
||||||
|
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
|
+ audit_hostname,
|
||||||
|
ssh_remote_ipaddr(ssh),
|
||||||
|
"ssh", 1, AUDIT_USER_LOGOUT);
|
||||||
|
}
|
||||||
|
@@ -266,12 +318,14 @@ audit_event(struct ssh *ssh, ssh_audit_e
|
||||||
|
case SSH_CONNECTION_ABANDON:
|
||||||
|
case SSH_INVALID_USER:
|
||||||
|
linux_audit_user_logxxx(-1, audit_username(),
|
||||||
|
+ audit_hostname,
|
||||||
|
ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
debug("%s: unhandled event %d", __func__, event);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ free(audit_hostname);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
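Review bot: In audit_session_open() and audit_session_close() the ip argument becomes `options.use_dns ? NULL : li->hostname`, so with UseDNS enabled the session records are written with no peer address, while audit_run_command(), audit_end_command() and audit_event() pass both `audit_hostname` and `ssh_remote_ipaddr(ssh)`. The address is the field an investigator can rely on, since a name obtained through DNS is influenced by whoever operates the peer's reverse zone, and records from the two groups of functions no longer correlate on the same field. If the peer address is reachable from these two functions (the definition of struct logininfo is outside this page), pass it as ip in both cases and keep the name only as the hostname argument. Failing that, state the assumption above both functions, for example `/* li->hostname holds a name when UseDNS is on and an address otherwise */`, because the paired ternaries depend on it and nothing in the visible hunks says so.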
@ -39,7 +39,7 @@
|
|||||||
%{?static_openssl:%global static_libcrypto 1}
|
%{?static_openssl:%global static_libcrypto 1}
|
||||||
|
|
||||||
%global openssh_ver 9.9p1
|
%global openssh_ver 9.9p1
|
||||||
%global openssh_rel 1
|
%global openssh_rel 2
|
||||||
|
|
||||||
Summary: An open source implementation of SSH protocol version 2
|
Summary: An open source implementation of SSH protocol version 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
@ -77,8 +77,6 @@ Patch200: openssh-7.6p1-audit.patch
|
|||||||
Patch201: openssh-7.1p2-audit-race-condition.patch
|
Patch201: openssh-7.1p2-audit-race-condition.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2049947
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2049947
|
||||||
Patch202: openssh-9.0p1-audit-log.patch
|
Patch202: openssh-9.0p1-audit-log.patch
|
||||||
# Correctly audit hostname and IP address
|
|
||||||
Patch203: openssh-8.7p1-audit-hostname.patch
|
|
||||||
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
||||||
Patch400: openssh-7.8p1-role-mls.patch
|
Patch400: openssh-7.8p1-role-mls.patch
|
||||||
@ -367,7 +365,6 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
|
|||||||
%patch -P 200 -p1 -b .audit
|
%patch -P 200 -p1 -b .audit
|
||||||
%patch -P 201 -p1 -b .audit-race
|
%patch -P 201 -p1 -b .audit-race
|
||||||
%patch -P 202 -p1 -b .audit-log
|
%patch -P 202 -p1 -b .audit-log
|
||||||
%patch -P 203 -p1 -b .audit-hostname
|
|
||||||
%patch -P 700 -p1 -b .fips
|
%patch -P 700 -p1 -b .fips
|
||||||
|
|
||||||
%patch -P 1002 -p1 -b .ssh-manpage
|
%patch -P 1002 -p1 -b .ssh-manpage
|
||||||
@ -657,6 +654,10 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
|
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Oct 15 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-2
|
||||||
|
- Resolve memory management issues after rebase
|
||||||
|
Related: RHEL-60564
|
||||||
|
|
||||||
* Thu Oct 10 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-1
|
* Thu Oct 10 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-1
|
||||||
- Update to OpenSSH 9.9p1
|
- Update to OpenSSH 9.9p1
|
||||||
Resolves: RHEL-60564
|
Resolves: RHEL-60564
|
||||||
|