]> git.pld-linux.org Git - packages/openssh.git/commitdiff
Rel 2; upstream 'Don't trust closefrom() on Linux.'. Should fix problems with closefr... auto/th/openssh-8.8p1-2
authorArkadiusz Miśkiewicz <arekm@maven.pl>
Tue, 16 Nov 2021 19:44:34 +0000 (20:44 +0100)
committerArkadiusz Miśkiewicz <arekm@maven.pl>
Tue, 16 Nov 2021 19:44:34 +0000 (20:44 +0100)
closefrom.patch [new file with mode: 0644]
openssh.spec

diff --git a/closefrom.patch b/closefrom.patch
new file mode 100644 (file)
index 0000000..760e2cd
--- /dev/null
@@ -0,0 +1,57 @@
+commit 10b899a15c88eb40eb5f73cd0fa84ef0966f79c9
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Wed Nov 10 12:34:25 2021 +1100
+
+    Don't trust closefrom() on Linux.
+    
+    glibc's closefrom implementation does not work in a chroot when the kernel
+    does not have close_range.  It tries to read from /proc/self/fd and when
+    that fails dies with an assertion of sorts.  Instead, call close_range
+    ourselves from our compat code and fall back if that fails.  bz#3349,
+    with william.wilson at canonical.com and fweimer at redhat.com.
+
+diff --git a/configure.ac b/configure.ac
+index 165b391f..cd4cadec 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -839,6 +839,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+       dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
+       dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
+       CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
++      AC_DEFINE([BROKEN_CLOSEFROM], [1], [broken in chroots on older kernels])
+       AC_DEFINE([PAM_TTY_KLUDGE], [1],
+               [Work around problematic Linux PAM modules handling of PAM_TTY])
+       AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
+@@ -1820,6 +1821,7 @@ AC_CHECK_FUNCS([ \
+       cap_rights_limit \
+       clock \
+       closefrom \
++      close_range \
+       dirfd \
+       endgrent \
+       err \
+diff --git a/openbsd-compat/bsd-closefrom.c b/openbsd-compat/bsd-closefrom.c
+index 8fadca2d..08b7da69 100644
+--- a/openbsd-compat/bsd-closefrom.c
++++ b/openbsd-compat/bsd-closefrom.c
+@@ -16,7 +16,7 @@
+ #include "includes.h"
+-#ifndef HAVE_CLOSEFROM
++#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM)
+ #include <sys/types.h>
+ #include <sys/param.h>
+@@ -130,6 +130,11 @@ closefrom(int lowfd)
+     DIR *dirp;
+     int len;
++#ifdef HAVE_CLOSE_RANGE
++      if (close_range(lowfd, INT_MAX, 0) == 0)
++              return;
++#endif
++
+     /* Check for a /proc/$$/fd directory. */
+     len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid());
+     if (len > 0 && (size_t)len < sizeof(fdpath) && (dirp = opendir(fdpath))) {
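Review bot: In the embedded bsd-closefrom.c hunk, the new `close_range(lowfd, INT_MAX, 0)` call falls through silently on any failure, and nothing in the code says that this is intended. A short comment above the `#ifdef HAVE_CLOSE_RANGE` block would record it, for example `/* close_range() can fail (e.g. kernel without the syscall); fall through to the /proc scan and the fallback. */`. `INT_MAX` needs `<limits.h>`, and the hunk shows only `<sys/types.h>` and `<sys/param.h>`, so confirm the include list outside the hunk provides it. closefrom() starts before and continues past the visible lines, so the path taken when both close_range() and opendir() fail cannot be checked from here.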
index bacae21325d3dbc1a34a039225406188e141fc56..e9910603a66cf2b963c60b0540d04a59d5b72711 100644 (file)
@@ -37,7 +37,7 @@ Summary(ru.UTF-8):    OpenSSH - свободная реализация прото
 Summary(uk.UTF-8):     OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
 Name:          openssh
 Version:       8.8p1
-Release:       1
+Release:       2
 Epoch:         2
 License:       BSD
 Group:         Applications/Networking
@@ -68,7 +68,7 @@ Patch8:               ldap-helper-sigpipe.patch
 # High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
 # http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
 Patch9:                %{name}-5.2p1-hpn13v6.diff
-
+Patch10:       closefrom.patch
 Patch11:       %{name}-chroot.patch
 
 Patch13:       %{name}-skip-interop-tests.patch
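Review bot: `Patch10: closefrom.patch` is added without a comment giving its origin, unlike the Patch9 entry just above, which carries its source URLs. A line such as `# upstream commit 10b899a15c88 "Don't trust closefrom() on Linux." (bz#3349)` above it would mark it as a backport, so it can be dropped once the packaged version contains that commit. The new line also takes the place of the blank separator after Patch9, which makes the HPN comment block read as if it covered Patch10 as well.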
@@ -550,7 +550,7 @@ openldap-a.
 %patch8 -p1
 
 %{?with_hpn:%patch9 -p1}
-
+%patch10 -p1
 %patch11 -p1
 
 %patch13 -p1
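Review bot: `%patch10 -p1` applies a patch whose configure.ac changes only take effect if configure and config.h.in are regenerated before the build. Otherwise neither `BROKEN_CLOSEFROM` nor `HAVE_CLOSE_RANGE` is defined, and on a libc that provides closefrom() the guard `#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM)` keeps the compat implementation out of the build, so sshd would still call the libc closefrom() the commit message describes as failing in a chroot. The %build section is outside these hunks, so confirm it runs autoconf and autoheader (or autoreconf) before `./configure`. A quick check after building is that the generated config.h defines both macros.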