diff -Nru openssh-7.5p1/debian/agent-launch openssh-7.5p1/debian/agent-launch --- openssh-7.5p1/debian/agent-launch 2017-04-02 12:19:45.000000000 +0000 +++ openssh-7.5p1/debian/agent-launch 2017-06-18 16:51:53.000000000 +0000 @@ -11,7 +11,7 @@ if [ -z "$SSH_AUTH_SOCK" ] && grep -s -q '^use-ssh-agent$' /etc/X11/Xsession.options; then S="$XDG_RUNTIME_DIR/openssh_agent" dbus-update-activation-environment --verbose --systemd SSH_AUTH_SOCK=$S SSH_AGENT_LAUNCHER=openssh - if type initctl >/dev/null 2>&1; then + if [ "$UPSTART_SESSION" ] && type initctl >/dev/null 2>&1; then initctl set-env --global SSH_AUTH_SOCK=$S fi exec ssh-agent -D -a $S @@ -19,7 +19,7 @@ elif [ "$1" = stop ]; then if [ "$SSH_AGENT_LAUNCHER" = openssh ]; then dbus-update-activation-environment --systemd SSH_AUTH_SOCK= - if type initctl >/dev/null 2>&1; then + if [ "$UPSTART_SESSION" ] && type initctl >/dev/null 2>&1; then initctl unset-env --global SSH_AUTH_SOCK fi fi diff -Nru openssh-7.5p1/debian/changelog openssh-7.5p1/debian/changelog --- openssh-7.5p1/debian/changelog 2017-05-22 12:15:10.000000000 +0000 +++ openssh-7.5p1/debian/changelog 2017-07-28 13:13:46.000000000 +0000 @@ -1,3 +1,32 @@ +openssh (1:7.5p1-5ubuntu1) artful; urgency=low + + * Merge from Debian unstable. Remaining changes: + - Cherrypick updated patchset to open up sandbox, when openssl engine calls + into OpenCryptoki for hardware accelerated encryption. LP: #1686618 + + -- Dimitri John Ledkov Fri, 28 Jul 2017 14:13:11 +0100 + +openssh (1:7.5p1-5) unstable; urgency=medium + + * Upload to unstable. + * Fix syntax error in debian/copyright. + + -- Colin Watson Sun, 18 Jun 2017 12:08:42 +0100 + +openssh (1:7.5p1-4) experimental; urgency=medium + + * Drop README.Debian section on privilege separation, as it's no longer + optional. + * Only call "initctl set-env" from agent-launch if $UPSTART_SESSION is set + (LP: #1689299). + * Fix incoming compression statistics (thanks, Russell Coker; closes: + #797964). + * Relicense debian/* under a two-clause BSD licence for bidirectional + compatibility with upstream, with permission from Matthew Vernon and + others. + + -- Colin Watson Tue, 06 Jun 2017 15:17:58 +0100 + openssh (1:7.5p1-3ubuntu1) artful; urgency=medium * On s390x, allow geteuid syscall in the sandbox, to allow openssh @@ -107,6 +136,13 @@ -- Colin Watson Sun, 02 Apr 2017 02:58:01 +0100 +openssh (1:7.4p1-11) unstable; urgency=medium + + * Fix incoming compression statistics (thanks, Russell Coker; closes: + #797964). + + -- Colin Watson Tue, 06 Jun 2017 15:03:48 +0100 + openssh (1:7.4p1-10) unstable; urgency=medium * Move privilege separation directory and PID file from /var/run/ to /run/ @@ -4794,3 +4830,4 @@ * Initial release -- Dan Brosemer Wed, 27 Oct 1999 19:39:46 -0500 + diff -Nru openssh-7.5p1/debian/copyright openssh-7.5p1/debian/copyright --- openssh-7.5p1/debian/copyright 2017-04-02 12:19:45.000000000 +0000 +++ openssh-7.5p1/debian/copyright 2017-06-18 16:51:53.000000000 +0000 @@ -241,27 +241,23 @@ Files: debian/* Copyright: Matthew Vernon, Colin Watson -License: GPL-2 with OpenSSH-linking exception - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - . - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - . - In addition, as a special exception, Matthew Vernon gives permission - to link the code of the Debian patch with any version of the OpenSSH - code which is distributed under a license identical to that listed in - the included Copyright file, and distribute linked combinations - including the two. You must obey the GNU General Public License in - all respects for all of the code used other than OpenSSH. If you - modify this file, you may extend this exception to your version of the - file, but you are not obligated to do so. If you do not wish to do - so, delete this exception statement from your version. + THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff -Nru openssh-7.5p1/debian/.git-dpm openssh-7.5p1/debian/.git-dpm --- openssh-7.5p1/debian/.git-dpm 2017-04-02 12:19:46.000000000 +0000 +++ openssh-7.5p1/debian/.git-dpm 2017-06-18 16:51:53.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -93563703c3acd94883e89baa7fcbf666318e2704 -93563703c3acd94883e89baa7fcbf666318e2704 +6111c39a4ae8f1c62a9312a5f8d8b23adb5f727a +6111c39a4ae8f1c62a9312a5f8d8b23adb5f727a 6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 openssh_7.5p1.orig.tar.gz diff -Nru openssh-7.5p1/debian/patches/0001-Allow-flock-and-ipc-syscall-for-s390-architecture.patch openssh-7.5p1/debian/patches/0001-Allow-flock-and-ipc-syscall-for-s390-architecture.patch --- openssh-7.5p1/debian/patches/0001-Allow-flock-and-ipc-syscall-for-s390-architecture.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssh-7.5p1/debian/patches/0001-Allow-flock-and-ipc-syscall-for-s390-architecture.patch 2017-07-28 13:11:35.000000000 +0000 @@ -0,0 +1,43 @@ +From 94f10edd9cc888dba2a21d99e1a9133b7794a651 Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Tue, 9 May 2017 14:27:13 -0300 +Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture + +In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock +and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 +implementation) which calls the libraries that will communicate with the +crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, +this is only need on s390 architecture. + +Signed-off-by: Eduardo Barretto +--- + sandbox-seccomp-filter.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index ca75cc7..6e7de31 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_exit_group + SC_ALLOW(__NR_exit_group), + #endif ++#if defined(__NR_flock) && defined(__s390__) ++ SC_ALLOW(__NR_flock), ++#endif + #ifdef __NR_getpgid + SC_ALLOW(__NR_getpgid), + #endif +@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_gettimeofday + SC_ALLOW(__NR_gettimeofday), + #endif ++#if defined(__NR_ipc) && defined(__s390__) ++ SC_ALLOW(__NR_ipc), ++#endif + #ifdef __NR_madvise + SC_ALLOW(__NR_madvise), + #endif +-- +2.7.4 + diff -Nru openssh-7.5p1/debian/patches/0001-Permit-geteuid-syscall-for-Linux-on-s390.patch openssh-7.5p1/debian/patches/0001-Permit-geteuid-syscall-for-Linux-on-s390.patch --- openssh-7.5p1/debian/patches/0001-Permit-geteuid-syscall-for-Linux-on-s390.patch 2017-05-22 12:13:43.000000000 +0000 +++ openssh-7.5p1/debian/patches/0001-Permit-geteuid-syscall-for-Linux-on-s390.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,34 +0,0 @@ -From 4f81cc234e744c774ff1545347e2af4cc0760539 Mon Sep 17 00:00:00 2001 -From: Harald Freudenberger -Date: Tue, 9 May 2017 11:53:07 +0200 -Subject: [PATCH] Permit geteuid syscall for Linux on s390 - -The geteuid syscall is used by libica during shared lib initialization. -So when openssl with ibmca engine and libica is used by openssh, this -syscall causes a signal 31 issued by sandbox-seccomp filter. - -Added a rule which allows the geteuid syscall the s390 platform. - -Signed-off-by: Harald Freudenberger ---- - sandbox-seccomp-filter.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index ca75cc7..21cc080 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -233,6 +233,10 @@ static const struct sock_filter preauth_insns[] = { - SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), - SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), - #endif -+#if defined(__NR_geteuid) && defined(__s390__) -+ /* Allow geteuid for ICA crypto card on s390 */ -+ SC_ALLOW(__NR_geteuid), -+#endif - #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT) - /* - * On Linux x32, the clock_gettime VDSO falls back to the --- -2.7.4 - diff -Nru openssh-7.5p1/debian/patches/0002-Allow-getuid-and-geteuid-calls.patch openssh-7.5p1/debian/patches/0002-Allow-getuid-and-geteuid-calls.patch --- openssh-7.5p1/debian/patches/0002-Allow-getuid-and-geteuid-calls.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssh-7.5p1/debian/patches/0002-Allow-getuid-and-geteuid-calls.patch 2017-07-28 13:11:41.000000000 +0000 @@ -0,0 +1,40 @@ +From f9b4659d9a048ad886d1447d9512199f78ddd4eb Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Tue, 9 May 2017 14:27:14 -0300 +Subject: [PATCH 2/3] Allow getuid and geteuid calls + +getuid and geteuid are needed when using an openssl engine that calls a +crypto card, e.g. ICA (libica). +Those syscalls are also needed by the distros for audit code. + +Signed-off-by: Eduardo Barretto +--- + sandbox-seccomp-filter.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 6e7de31..e86aa2c 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_getpid + SC_ALLOW(__NR_getpid), + #endif ++#ifdef __NR_getuid ++ SC_ALLOW(__NR_getuid), ++#endif ++#ifdef __NR_getuid32 ++ SC_ALLOW(__NR_getuid32), ++#endif ++#ifdef __NR_geteuid ++ SC_ALLOW(__NR_geteuid), ++#endif ++#ifdef __NR_geteuid32 ++ SC_ALLOW(__NR_geteuid32), ++#endif + #ifdef __NR_getrandom + SC_ALLOW(__NR_getrandom), + #endif +-- +2.7.4 + diff -Nru openssh-7.5p1/debian/patches/0003-Enable-specific-ioctl-call-for-EP11-crypto-card-s390.patch openssh-7.5p1/debian/patches/0003-Enable-specific-ioctl-call-for-EP11-crypto-card-s390.patch --- openssh-7.5p1/debian/patches/0003-Enable-specific-ioctl-call-for-EP11-crypto-card-s390.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssh-7.5p1/debian/patches/0003-Enable-specific-ioctl-call-for-EP11-crypto-card-s390.patch 2017-07-28 13:11:47.000000000 +0000 @@ -0,0 +1,29 @@ +From 0400ddd8d588c2e7729d4dcb8869e882cb047573 Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Tue, 9 May 2017 14:27:15 -0300 +Subject: [PATCH 3/3] Enable specific ioctl call for EP11 crypto card (s390) + +The EP11 crypto card needs to make an ioctl call, which receives an +specific argument. This crypto card is for s390 only. + +Signed-off-by: Eduardo Barretto +--- + sandbox-seccomp-filter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index e86aa2c..98062f1 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = { + SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), + SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), + SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), ++ /* Allow ioctls for EP11 crypto card on s390 */ ++ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB), + #endif + #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT) + /* +-- +2.7.4 + diff -Nru openssh-7.5p1/debian/patches/fix-incoming-compression-statistics.patch openssh-7.5p1/debian/patches/fix-incoming-compression-statistics.patch --- openssh-7.5p1/debian/patches/fix-incoming-compression-statistics.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssh-7.5p1/debian/patches/fix-incoming-compression-statistics.patch 2017-06-18 11:04:39.000000000 +0000 @@ -0,0 +1,27 @@ +From 6111c39a4ae8f1c62a9312a5f8d8b23adb5f727a Mon Sep 17 00:00:00 2001 +From: Russell Coker +Date: Tue, 6 Jun 2017 15:00:20 +0100 +Subject: Fix incoming compression statistics + +Bug-Debian: https://bugs.debian.org/797964 +Forwarded: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-June/036077.html +Last-Update: 2017-06-06 + +Patch-Name: fix-incoming-compression-statistics.patch +--- + packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/packet.c b/packet.c +index 2f3a2ec7..6492b66f 100644 +--- a/packet.c ++++ b/packet.c +@@ -606,7 +606,7 @@ ssh_packet_close(struct ssh *ssh) + deflateEnd(stream); + } + if (state->compression_in_started) { +- z_streamp stream = &state->compression_out_stream; ++ z_streamp stream = &state->compression_in_stream; + debug("compress incoming: " + "raw data %llu, compressed %llu, factor %.2f", + (unsigned long long)stream->total_out, diff -Nru openssh-7.5p1/debian/patches/series openssh-7.5p1/debian/patches/series --- openssh-7.5p1/debian/patches/series 2017-05-22 12:13:43.000000000 +0000 +++ openssh-7.5p1/debian/patches/series 2017-07-28 13:11:47.000000000 +0000 @@ -29,4 +29,7 @@ restore-authorized_keys2.patch s390-missing-header.patch x32-syntax-error.patch -0001-Permit-geteuid-syscall-for-Linux-on-s390.patch +fix-incoming-compression-statistics.patch +0001-Allow-flock-and-ipc-syscall-for-s390-architecture.patch +0002-Allow-getuid-and-geteuid-calls.patch +0003-Enable-specific-ioctl-call-for-EP11-crypto-card-s390.patch diff -Nru openssh-7.5p1/debian/README.Debian openssh-7.5p1/debian/README.Debian --- openssh-7.5p1/debian/README.Debian 2017-04-02 12:19:45.000000000 +0000 +++ openssh-7.5p1/debian/README.Debian 2017-06-18 16:51:53.000000000 +0000 @@ -4,17 +4,6 @@ UPGRADE ISSUES ============== -Privilege Separation --------------------- - -As of 3.3, openssh has employed privilege separation to reduce the -quantity of code that runs as root, thereby reducing the impact of -some security holes in sshd. This now also works properly with PAM. - -Privilege separation is turned on by default, so, if you decide you -want it turned off, you need to add "UsePrivilegeSeparation no" to -/etc/ssh/sshd_config. - PermitRootLogin ---------------