From b0c6449a23222544b405dd6e15e7403b7903edcf Mon Sep 17 00:00:00 2001 From: Jacob Wang Date: Thu, 9 Oct 2025 16:48:49 +0800 Subject: [PATCH 1/5] [CVE]update to openssh-8.0p1-26 to #ID12IA update to openssh-8.0p1-26 for CVE-2025-26465 Project: TC2024080204 Signed-off-by: Jacob Wang --- 10000-openssh-anolis-fix-seccomp-error.patch | 26 --------- 10001-openssh-8.1p1-seccomp-nanosleep.patch | 44 -------------- openssh-8.0p1-CVE-2025-26465.patch | 57 +++++++++++++++++++ openssh-8.0p1-sw.patch | 43 -------------- ...3p1-fix-desynchronised-utimes-failed.patch | 14 ----- openssh.spec | 34 ++++------- 6 files changed, 67 insertions(+), 151 deletions(-) delete mode 100644 10000-openssh-anolis-fix-seccomp-error.patch delete mode 100644 10001-openssh-8.1p1-seccomp-nanosleep.patch create mode 100644 openssh-8.0p1-CVE-2025-26465.patch delete mode 100644 openssh-8.0p1-sw.patch delete mode 100644 openssh-8.3p1-fix-desynchronised-utimes-failed.patch diff --git a/10000-openssh-anolis-fix-seccomp-error.patch b/10000-openssh-anolis-fix-seccomp-error.patch deleted file mode 100644 index f398ce9..0000000 --- a/10000-openssh-anolis-fix-seccomp-error.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff -Nur openssh-8.0p1/configure openssh-8.0p1.new/configure ---- openssh-8.0p1/configure 2021-10-29 10:17:53.162420064 +0800 -+++ openssh-8.0p1.new/configure 2021-10-29 10:24:52.638846543 +0800 -@@ -7875,6 +7875,9 @@ - aarch64*-*) - seccomp_audit_arch=AUDIT_ARCH_AARCH64 - ;; -+ loongarch64*-*) -+ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 -+ ;; - s390x-*) - seccomp_audit_arch=AUDIT_ARCH_S390X - ;; -diff -Nur openssh-8.0p1/configure.ac openssh-8.0p1.new/configure.ac ---- openssh-8.0p1/configure.ac 2021-10-29 10:17:49.986802431 +0800 -+++ openssh-8.0p1.new/configure.ac 2021-10-29 10:25:31.102923736 +0800 -@@ -882,6 +882,9 @@ - aarch64*-*) - seccomp_audit_arch=AUDIT_ARCH_AARCH64 - ;; -+ loongarch64*-*) -+ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 -+ ;; - s390x-*) - seccomp_audit_arch=AUDIT_ARCH_S390X - ;; 
diff --git a/10001-openssh-8.1p1-seccomp-nanosleep.patch b/10001-openssh-8.1p1-seccomp-nanosleep.patch deleted file mode 100644 index 4ff852c..0000000 --- a/10001-openssh-8.1p1-seccomp-nanosleep.patch +++ /dev/null @@ -1,44 +0,0 @@ -commit 7e929163ed40f9ce90060a3ca6df558c3d901379 -Author: Jakub Jelen -Date: Wed Nov 13 12:57:05 2019 +0100 - - seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index b5cda70b..be239767 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_nanosleep - SC_ALLOW(__NR_nanosleep), - #endif -+#ifdef __NR_clock_nanosleep -+ SC_ALLOW(__NR_clock_nanosleep), -+#endif - #ifdef __NR__newselect - SC_ALLOW(__NR__newselect), - #endif - -commit 500c30eaf88f26e4a74b06717fe04afec7a7516f -Author: Jakub Jelen -Date: Wed Nov 27 11:06:55 2019 +0100 - - sandbox-seccomp: Allow clock_nanosleep on ARM - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index be239767..3ef30c9d 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_clock_nanosleep - SC_ALLOW(__NR_clock_nanosleep), - #endif -+#ifdef __NR_clock_nanosleep_time64 -+ SC_ALLOW(__NR_clock_nanosleep_time64), -+#endif -+#ifdef __NR_clock_gettime64 -+ SC_ALLOW(__NR_clock_gettime64), -+#endif - #ifdef __NR__newselect - SC_ALLOW(__NR__newselect), - #endif diff --git a/openssh-8.0p1-CVE-2025-26465.patch b/openssh-8.0p1-CVE-2025-26465.patch new file mode 100644 index 0000000..6ab2a38 --- /dev/null +++ b/openssh-8.0p1-CVE-2025-26465.patch 
@@ -0,0 +1,57 @@ +diff --git a/openssh-8.0p1/krl.c b/openssh-8.0p1/krl.c +index 8e2d5d5..e5b046d 100644 +--- a/openssh-8.0p1/krl.c ++++ b/openssh-8.0p1/krl.c +@@ -676,6 +676,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) + break; + case KRL_SECTION_CERT_SERIAL_BITMAP: + if (rs->lo - bitmap_start > INT_MAX) { ++ r = SSH_ERR_INVALID_FORMAT; + error("%s: insane bitmap gap", __func__); + goto out; + } +@@ -1011,6 +1012,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, + goto out; + + if ((krl = ssh_krl_init()) == NULL) { ++ r = SSH_ERR_ALLOC_FAIL; + error("%s: alloc failed", __func__); + goto out; + } +diff --git a/openssh-8.0p1/sshconnect2.c b/openssh-8.0p1/sshconnect2.c +index ce855eb..9650b24 100644 +--- a/openssh-8.0p1/sshconnect2.c ++++ b/openssh-8.0p1/sshconnect2.c +@@ -95,7 +95,7 @@ struct sockaddr *xxx_hostaddr; + static int + verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) + { +- if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) == -1) ++ if (verify_host_key(xxx_host, xxx_hostaddr, hostkey) != 0) + fatal("Host key verification failed."); + return 0; + } +@@ -767,6 +767,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + + if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) { + debug("%s: server sent unknown pkalg %s", __func__, pkalg); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { +@@ -777,6 +778,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + error("input_userauth_pk_ok: type mismatch " + "for decoded key (received %d, expected %d)", + key->type, pktype); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + +@@ -796,6 +798,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh) + SSH_FP_DEFAULT); + error("%s: server replied with unknown key: %s %s", __func__, + sshkey_type(key), fp == NULL ? "" : fp); ++ r = SSH_ERR_INVALID_FORMAT; + goto done; + } + ident = format_identity(id); 
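Review bot: The change from `== -1` to `!= 0` in `verify_host_key_callback` (sshconnect2.c) is the line that addresses CVE-2025-26465, yet it carries no comment explaining why the old test was insufficient. The change implies `verify_host_key()` can fail with values other than -1, so I would add above the `if`: `/* any non-zero result is a failure; do not narrow this back to == -1 */`. The added `r = SSH_ERR_INVALID_FORMAT;` and `r = SSH_ERR_ALLOC_FAIL;` assignments sit before `goto out` / `goto done` in functions whose bodies continue outside these hunks, so what `r` held on those paths before the change cannot be confirmed from here.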
diff --git a/openssh-8.0p1-sw.patch b/openssh-8.0p1-sw.patch deleted file mode 100644 index ec68163..0000000 --- a/openssh-8.0p1-sw.patch +++ /dev/null @@ -1,43 +0,0 @@ -From d79f3b68e7eb6638a27bab8853f790d10aa88d93 Mon Sep 17 00:00:00 2001 -From: Weisson -Date: Tue, 21 Nov 2023 10:44:32 +0800 -Subject: [PATCH] Add sw build support. - -Signed-off-by: Weisson ---- - configure.ac | 3 +++ - .../ed25519-donna/ed25519-donna-portable-identify.h | 4 ++++ - 2 files changed, 7 insertions(+) - -diff --git a/configure.ac b/configure.ac -index 6e57635..9e32389 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -879,6 +879,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) - arm*-*) - seccomp_audit_arch=AUDIT_ARCH_ARM - ;; -+ sw_64*-*) -+ seccomp_audit_arch=AUDIT_ARCH_SW64 -+ ;; - aarch64*-*) - seccomp_audit_arch=AUDIT_ARCH_AARCH64 - ;; -diff --git a/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h b/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h -index 26a264c..4457e9a 100644 ---- a/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h -+++ b/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h -@@ -79,6 +79,10 @@ - #define CPU_HPPA - #endif - -+#if defined(__sw_64__) || defined(__sw_64) || defined(_M_SW_64) -+ #define CPU_SW_64 -+#endif -+ - #if defined(__alpha__) || defined(__alpha) || defined(_M_ALPHA) - #define CPU_ALPHA - #endif --- -2.31.1 - diff --git a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch b/openssh-8.3p1-fix-desynchronised-utimes-failed.patch deleted file mode 100644 index d522f28..0000000 --- a/openssh-8.3p1-fix-desynchronised-utimes-failed.patch +++ /dev/null 
@@ -1,14 +0,0 @@ -diff --color -ru openssh-8.0p1/scp.c openssh-8.0p1-new/scp.c ---- openssh-8.0p1/scp.c 2023-03-17 16:27:55.831000000 -0400 -+++ openssh-8.0p1-new/scp.c 2023-03-17 16:29:49.246000000 -0400 -@@ -1431,9 +1431,7 @@ - sink(1, vect, src); - if (setimes) { - setimes = 0; -- if (utimes(vect[0], tv) < 0) -- run_err("%s: set times: %s", -- vect[0], strerror(errno)); -+ (void) utimes(vect[0], tv); - } - if (mod_flag) - (void) chmod(vect[0], mode); diff --git a/openssh.spec b/openssh.spec index 807fda8..8c13e06 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 # Do we want SELinux & Audit %if 0%{?!noselinux:1} %global WITH_SELINUX 1 @@ -67,14 +66,14 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.0p1 -%global openssh_rel 25 +%global openssh_rel 26 %global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_rel 7 Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} +Release: %{openssh_rel}%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz 
@@ -295,16 +294,8 @@ Patch1019: openssh-9.6p1-CVE-2023-51385.patch Patch1020: openssh-8.7p1-scp-kill-switch.patch #upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch - -Patch10001: 10001-openssh-8.1p1-seccomp-nanosleep.patch - -# Add by Anolis -# fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu -Patch10002: 10000-openssh-anolis-fix-seccomp-error.patch -# End -Patch10003: openssh-8.3p1-fix-desynchronised-utimes-failed.patch - -Patch20000: openssh-8.0p1-sw.patch +#upstream commit 0832aac79517611dd4de93ad0a83577994d9c907 +Patch1022: openssh-8.0p1-CVE-2025-26465.patch License: BSD Group: Applications/Internet @@ -397,7 +388,7 @@ Requires: openssh = %{version}-%{release} Summary: PAM module for authentication with ssh-agent Group: System Environment/Base Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel} License: BSD %description @@ -553,10 +544,7 @@ popd %patch1019 -p1 -b .cve-2023-51385 %patch1020 -p1 -b .scp-kill-switch %patch1021 -p1 -b .ignore-SIGPIPE -%patch10001 -p1 -%patch10002 -p1 -%patch10003 -p1 -%patch20000 -p1 +%patch1022 -p2 -b .cve-2025-26465 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} 
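Review bot: Dropping `Patch10003: openssh-8.3p1-fix-desynchronised-utimes-failed.patch` here, together with its `%patch10003 -p1` line in the `@@ -553,10 +544,7 @@` hunk, leaves the tree at this commit without the scp utimes() desynchronisation fix until 4/5 restores it. Patch10001, Patch10002 and Patch20000 are removed the same way and only return in 2/5, 3/5 and 5/5. A package built or bisected at an intermediate commit therefore lacks a fix it previously carried. Rebasing the downstream patches in the same commit as the version update, or stating in the description that 1/5 must not be built on its own, would avoid that.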
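Review bot: `%patch1022` in the `@@ -553,10 +544,7 @@` hunk is the only visible patch applied with `-p2`, and nothing says why. The new patch uses paths such as `a/openssh-8.0p1/krl.c`, so the extra strip level is required, but a later refresh of the patch with plain `a/krl.c` paths would presumably stop applying. A one-line comment above it, `# -p2: paths in this patch carry an openssh-8.0p1/ prefix`, would record the reason.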
@@ -842,12 +830,10 @@ getent passwd sshd >/dev/null || \ %endif %changelog -* Wed Aug 28 2024 Weitao Zhou - 8.0p1-25.0.1 -- seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 -- Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) -- another case where a utimes() failure could make scp send (jiang.yong5@zte.com.cn) -- add sw patch (nijie@wxiat.com) -- adapt macro `seccomp_audit_arch` to kernel-headers. (Weisson@linux.alibaba.com) +* Wed Aug 20 2025 Antonio Vieiro - 8.0p1-26 +- Fix missing invalid error code checks in OpenSSH. It prevents + a MITM attack when VerifyHostKeyDNS is on (CVE-2025-26465) + Resolves: RHEL-109228 * Tue Jun 25 2024 Stepan Broz - 8.0p1-25 - Upstream: Ignore SIGPIPE earlier in main() -- Gitee From 82fa0dce9391e271b061600717d6bf1cf6ba4dfe Mon Sep 17 00:00:00 2001 From: songmingliang Date: Fri, 22 Apr 2022 14:02:21 +0800 Subject: [PATCH 2/5] seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 --- 10001-openssh-8.1p1-seccomp-nanosleep.patch | 44 +++++++++++++++++++++ openssh.spec | 11 +++++- 2 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 10001-openssh-8.1p1-seccomp-nanosleep.patch diff --git a/10001-openssh-8.1p1-seccomp-nanosleep.patch b/10001-openssh-8.1p1-seccomp-nanosleep.patch new file mode 100644 index 0000000..4ff852c --- /dev/null +++ b/10001-openssh-8.1p1-seccomp-nanosleep.patch 
@@ -0,0 +1,44 @@ +commit 7e929163ed40f9ce90060a3ca6df558c3d901379 +Author: Jakub Jelen +Date: Wed Nov 13 12:57:05 2019 +0100 + + seccomp: Allow clock_nanosleep() to make OpenSSH working with latest glibc + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index b5cda70b..be239767 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -242,6 +242,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_nanosleep + SC_ALLOW(__NR_nanosleep), + #endif ++#ifdef __NR_clock_nanosleep ++ SC_ALLOW(__NR_clock_nanosleep), ++#endif + #ifdef __NR__newselect + SC_ALLOW(__NR__newselect), + #endif + +commit 500c30eaf88f26e4a74b06717fe04afec7a7516f +Author: Jakub Jelen +Date: Wed Nov 27 11:06:55 2019 +0100 + + sandbox-seccomp: Allow clock_nanosleep on ARM + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index be239767..3ef30c9d 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -245,6 +245,12 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_clock_nanosleep + SC_ALLOW(__NR_clock_nanosleep), + #endif ++#ifdef __NR_clock_nanosleep_time64 ++ SC_ALLOW(__NR_clock_nanosleep_time64), ++#endif ++#ifdef __NR_clock_gettime64 ++ SC_ALLOW(__NR_clock_gettime64), ++#endif + #ifdef __NR__newselect + SC_ALLOW(__NR__newselect), + #endif diff --git a/openssh.spec b/openssh.spec index 8c13e06..b205086 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 # Do we want SELinux & Audit %if 0%{?!noselinux:1} %global WITH_SELINUX 1 @@ -73,7 +74,7 @@ Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist}%{?rescue_rel} +Release: %{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz 
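Review bot: The commit subject and the changelog entry added by this commit call the syscall `check_nanosleep`, but the patch allows `__NR_clock_nanosleep`, `__NR_clock_nanosleep_time64` and `__NR_clock_gettime64`. Because this widens the `preauth_insns[]` seccomp allowlist, the changelog should name the syscalls exactly so the change can be found in a later audit, for example `- seccomp: allow clock_nanosleep, clock_nanosleep_time64 and clock_gettime64 in the pre-auth sandbox`. The second embedded commit is titled "Allow clock_nanosleep on ARM" yet also adds `clock_gettime64`, which is worth mentioning in the same entry. `preauth_insns[]` begins and ends outside both hunks.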
@@ -297,6 +298,8 @@ Patch1021: openssh-8.0p1-upstream-ignore-SIGPIPE.patch #upstream commit 0832aac79517611dd4de93ad0a83577994d9c907 Patch1022: openssh-8.0p1-CVE-2025-26465.patch +Patch10001: 10001-openssh-8.1p1-seccomp-nanosleep.patch + License: BSD Group: Applications/Internet Requires: /sbin/nologin @@ -388,7 +391,7 @@ Requires: openssh = %{version}-%{release} Summary: PAM module for authentication with ssh-agent Group: System Environment/Base Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel} +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{anolis_release}%{?dist}%{?rescue_rel} License: BSD %description @@ -545,6 +548,7 @@ popd %patch1020 -p1 -b .scp-kill-switch %patch1021 -p1 -b .ignore-SIGPIPE %patch1022 -p2 -b .cve-2025-26465 +%patch10001 -p1 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -830,6 +834,9 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Thu Oct 09 2025 Weitao Zhou - 8.0p1-26.0.1 +- seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 + * Wed Aug 20 2025 Antonio Vieiro - 8.0p1-26 - Fix missing invalid error code checks in OpenSSH. It prevents a MITM attack when VerifyHostKeyDNS is on (CVE-2025-26465) -- Gitee From 4074e727720819c743d6fdbf8ecdf4cec3f3df23 Mon Sep 17 00:00:00 2001 From: songmingliang Date: Fri, 22 Apr 2022 14:04:11 +0800 Subject: [PATCH 3/5] build: support loongarch64 seccomp_filter sandbox --- 10000-openssh-anolis-fix-seccomp-error.patch | 26 ++++++++++++++++++++ openssh.spec | 7 ++++++ 2 files changed, 33 insertions(+) create mode 100644 10000-openssh-anolis-fix-seccomp-error.patch diff --git a/10000-openssh-anolis-fix-seccomp-error.patch b/10000-openssh-anolis-fix-seccomp-error.patch new file mode 100644 index 0000000..f398ce9 --- /dev/null +++ b/10000-openssh-anolis-fix-seccomp-error.patch 
@@ -0,0 +1,26 @@ +diff -Nur openssh-8.0p1/configure openssh-8.0p1.new/configure +--- openssh-8.0p1/configure 2021-10-29 10:17:53.162420064 +0800 ++++ openssh-8.0p1.new/configure 2021-10-29 10:24:52.638846543 +0800 +@@ -7875,6 +7875,9 @@ + aarch64*-*) + seccomp_audit_arch=AUDIT_ARCH_AARCH64 + ;; ++ loongarch64*-*) ++ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 ++ ;; + s390x-*) + seccomp_audit_arch=AUDIT_ARCH_S390X + ;; +diff -Nur openssh-8.0p1/configure.ac openssh-8.0p1.new/configure.ac +--- openssh-8.0p1/configure.ac 2021-10-29 10:17:49.986802431 +0800 ++++ openssh-8.0p1.new/configure.ac 2021-10-29 10:25:31.102923736 +0800 +@@ -882,6 +882,9 @@ + aarch64*-*) + seccomp_audit_arch=AUDIT_ARCH_AARCH64 + ;; ++ loongarch64*-*) ++ seccomp_audit_arch=AUDIT_ARCH_LOONGARCH64 ++ ;; + s390x-*) + seccomp_audit_arch=AUDIT_ARCH_S390X + ;; diff --git a/openssh.spec b/openssh.spec index b205086..4d4d22a 100644 --- a/openssh.spec +++ b/openssh.spec @@ -300,6 +300,11 @@ Patch1022: openssh-8.0p1-CVE-2025-26465.patch Patch10001: 10001-openssh-8.1p1-seccomp-nanosleep.patch +# Add by Anolis +# fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu +Patch10002: 10000-openssh-anolis-fix-seccomp-error.patch +# End + License: BSD Group: Applications/Internet Requires: /sbin/nologin @@ -549,6 +554,7 @@ popd %patch1021 -p1 -b .ignore-SIGPIPE %patch1022 -p2 -b .cve-2025-26465 %patch10001 -p1 +%patch10002 -p1 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -836,6 +842,7 @@ getent passwd sshd >/dev/null || \ %changelog * Thu Oct 09 2025 Weitao Zhou - 8.0p1-26.0.1 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 +- Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) * Wed Aug 20 2025 Antonio Vieiro - 8.0p1-26 - Fix missing invalid error code checks in OpenSSH. It prevents -- Gitee From 6242635ed5eaa8dc728fc7f77e882d5767a82e2f Mon Sep 17 00:00:00 2001 
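Review bot: The hunk against the generated `configure` (at line 7875) duplicates the `configure.ac` hunk and should be dropped, since the spec context shows `autoreconf` running right after the `%patch` lines and that regenerates `configure`. Keeping it ties the patch to a line offset in a generated file, so it will need refreshing whenever that file shifts, with no effect on the build. 5/5 adds the sw_64 case to `configure.ac` only, and this patch could follow the same pattern.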
From: jiangyong Date: Mon, 20 Mar 2023 19:32:24 +0800 Subject: [PATCH 4/5] another case where a utimes() failure could make scp send a desynchronising error; detail: scp(1): when receiving files, scp(1) could be become desynchronised if a utimes(2) system call failed. This could allow file contents to be interpreted as file metadata and thereby permit an adversary to craft a file system that, when copied with scp(1) in a configuration that caused utimes(2) to fail (e.g. under a SELinux policy or syscall sandbox), transferred different file names and contents to the actual file system layout. upstream url: https://github.com/openssh/openssh-portable/commit/955854cafca88e0cdcd3d09ca1ad4ada465364a1 --- ...sh-8.3p1-fix-desynchronised-utimes-failed.patch | 14 ++++++++++++++ openssh.spec | 3 +++ 2 files changed, 17 insertions(+) create mode 100644 10003-openssh-8.3p1-fix-desynchronised-utimes-failed.patch diff --git a/10003-openssh-8.3p1-fix-desynchronised-utimes-failed.patch b/10003-openssh-8.3p1-fix-desynchronised-utimes-failed.patch new file mode 100644 index 0000000..d522f28 --- /dev/null +++ b/10003-openssh-8.3p1-fix-desynchronised-utimes-failed.patch @@ -0,0 +1,14 @@ +diff --color -ru openssh-8.0p1/scp.c openssh-8.0p1-new/scp.c +--- openssh-8.0p1/scp.c 2023-03-17 16:27:55.831000000 -0400 ++++ openssh-8.0p1-new/scp.c 2023-03-17 16:29:49.246000000 -0400 +@@ -1431,9 +1431,7 @@ + sink(1, vect, src); + if (setimes) { + setimes = 0; +- if (utimes(vect[0], tv) < 0) +- run_err("%s: set times: %s", +- vect[0], strerror(errno)); ++ (void) utimes(vect[0], tv); + } + if (mod_flag) + (void) chmod(vect[0], mode); diff --git a/openssh.spec b/openssh.spec index 4d4d22a..d81bcd0 100644 --- a/openssh.spec +++ b/openssh.spec 
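Review bot: Casting the `utimes(vect[0], tv)` result to `(void)` removes the desynchronising `run_err()` call, but it also hides the failure completely, so a transfer that was asked to preserve times can leave wrong timestamps with no indication to the local user. If this tree has a reporting path that writes only to local stderr and not to the protocol channel, it would fit here. Failing that, a comment on the new line would stop a later cleanup from restoring the check: `/* result ignored on purpose: run_err() writes to the peer and desynchronises the protocol */`. The patch file itself has no header, so the upstream URL from the commit message could also be recorded as a `#` comment above `Patch10003` in the spec. The enclosing function in scp.c starts and ends outside the hunk.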
@@ -304,6 +304,7 @@ Patch10001: 10001-openssh-8.1p1-seccomp-nanosleep.patch # fix error: seccomp_filter sandbox not supported on loongarch64-Anolis-linux-gnu Patch10002: 10000-openssh-anolis-fix-seccomp-error.patch # End +Patch10003: 10003-openssh-8.3p1-fix-desynchronised-utimes-failed.patch License: BSD Group: Applications/Internet @@ -555,6 +556,7 @@ popd %patch1022 -p2 -b .cve-2025-26465 %patch10001 -p1 %patch10002 -p1 +%patch10003 -p1 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -843,6 +845,7 @@ getent passwd sshd >/dev/null || \ * Thu Oct 09 2025 Weitao Zhou - 8.0p1-26.0.1 - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 - Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) +- another case where a utimes() failure could make scp send (jiang.yong5@zte.com.cn) * Wed Aug 20 2025 Antonio Vieiro - 8.0p1-26 - Fix missing invalid error code checks in OpenSSH. It prevents -- Gitee From 1354be11fa6bc187464dd95719ce8d1c26323f82 Mon Sep 17 00:00:00 2001 From: wxiat Date: Wed, 14 Jun 2023 14:44:23 +0800 Subject: [PATCH 5/5] add sw Signed-off-by: wxiat --- 10004-openssh-8.0p1-sw.patch | 43 ++++++++++++++++++++++++++++++++++++ openssh.spec | 5 +++++ 2 files changed, 48 insertions(+) create mode 100644 10004-openssh-8.0p1-sw.patch diff --git a/10004-openssh-8.0p1-sw.patch b/10004-openssh-8.0p1-sw.patch new file mode 100644 index 0000000..ec68163 --- /dev/null +++ b/10004-openssh-8.0p1-sw.patch 
@@ -0,0 +1,43 @@ +From d79f3b68e7eb6638a27bab8853f790d10aa88d93 Mon Sep 17 00:00:00 2001 +From: Weisson +Date: Tue, 21 Nov 2023 10:44:32 +0800 +Subject: [PATCH] Add sw build support. + +Signed-off-by: Weisson +--- + configure.ac | 3 +++ + .../ed25519-donna/ed25519-donna-portable-identify.h | 4 ++++ + 2 files changed, 7 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 6e57635..9e32389 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -879,6 +879,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + arm*-*) + seccomp_audit_arch=AUDIT_ARCH_ARM + ;; ++ sw_64*-*) ++ seccomp_audit_arch=AUDIT_ARCH_SW64 ++ ;; + aarch64*-*) + seccomp_audit_arch=AUDIT_ARCH_AARCH64 + ;; +diff --git a/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h b/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h +index 26a264c..4457e9a 100644 +--- a/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h ++++ b/pam_ssh_agent_auth-0.10.3/ed25519-donna/ed25519-donna-portable-identify.h +@@ -79,6 +79,10 @@ + #define CPU_HPPA + #endif + ++#if defined(__sw_64__) || defined(__sw_64) || defined(_M_SW_64) ++ #define CPU_SW_64 ++#endif ++ + #if defined(__alpha__) || defined(__alpha) || defined(_M_ALPHA) + #define CPU_ALPHA + #endif +-- +2.31.1 + diff --git a/openssh.spec b/openssh.spec index d81bcd0..2688310 100644 --- a/openssh.spec +++ b/openssh.spec @@ -306,6 +306,8 @@ Patch10002: 10000-openssh-anolis-fix-seccomp-error.patch # End Patch10003: 10003-openssh-8.3p1-fix-desynchronised-utimes-failed.patch +Patch10004: 10004-openssh-8.0p1-sw.patch + License: BSD Group: Applications/Internet Requires: /sbin/nologin @@ -557,6 +559,7 @@ popd %patch10001 -p1 %patch10002 -p1 %patch10003 -p1 +%patch10004 -p1 autoreconf pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} 
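Review bot: The new `sw_64*-*)` case in configure.ac assigns `seccomp_audit_arch=AUDIT_ARCH_SW64` unconditionally, and nothing in the patch checks that the kernel headers used for the build define that macro. If they do not, the failure would presumably surface only when the seccomp sandbox source is compiled, not at configure time. The same applies to `AUDIT_ARCH_LOONGARCH64` in 3/5. A comment next to `Patch10004` in the spec, `# needs kernel-headers that define AUDIT_ARCH_SW64`, would record the dependency that the changelog entry only hints at.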
@@ -846,6 +849,8 @@ getent passwd sshd >/dev/null || \ - seccomp: Allow check_nanosleep to better compatibility for both glibc2.28 and glibc2.32 - Support loongarch64 seccomp_filter sandbox (xuezhixin@uniontech.com) - another case where a utimes() failure could make scp send (jiang.yong5@zte.com.cn) +- add sw patch (nijie@wxiat.com) +- adapt macro `seccomp_audit_arch` to kernel-headers. (Weisson@linux.alibaba.com) * Wed Aug 20 2025 Antonio Vieiro - 8.0p1-26 - Fix missing invalid error code checks in OpenSSH. It prevents -- Gitee