From edaf6c0fb436ba3c8daea56eefb7c8db76b8465c Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 20 Jul 2023 12:10:35 +0200
Subject: [PATCH] Avoid remote code execution in ssh-agent PKCS#11 support

Resolves: CVE-2023-38408
---
 openssh.spec | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/openssh.spec b/openssh.spec
index be72146..aa68685 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 33
+%global openssh_rel 34
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 
@@ -279,6 +279,9 @@ Patch1013: openssh-8.7p1-man-hostkeyalgos.patch
 # b98a42afb69d60891eb0488935990df6ee571c4
 # a00f59a645072e5f5a8d207af15916a7b23e2642
 Patch1014: openssh-8.7p1-UTC-time-parse.patch
+# upsream commit
+# b23fe83f06ee7e721033769cfa03ae840476d280
+Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -497,6 +500,7 @@ popd
 
 %patch1013 -p1 -b .man-hostkeyalgos
 %patch1014 -p1 -b .utc_parse
+%patch1015 -p1 -b .cve-2023-38408
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -783,6 +787,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-34
+- Avoid remote code execution in ssh-agent PKCS#11 support
+  Resolves: CVE-2023-38408
+
 * Tue Jun 13 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-33
 - Allow specifying validity interval in UTC
   Resolves: rhbz#2115043