public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/gsi-openssh] epel9: Based on openssh-9.9p1-8.el9
@ 2026-05-30 1:18 Mattias Ellert
0 siblings, 0 replies; only message in thread
From: Mattias Ellert @ 2026-05-30 1:18 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/gsi-openssh
Branch : epel9
Commit : 5a01dd45756647c226a30cf62986368a3d463c72
Author : Mattias Ellert <mattias.ellert@physics.uu.se>
Date : 2026-05-29T10:24:41+02:00
Stats : +799/-6 in 8 file(s)
URL : https://src.fedoraproject.org/rpms/gsi-openssh/c/5a01dd45756647c226a30cf62986368a3d463c72?branch=epel9
Log:
Based on openssh-9.9p1-8.el9
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 82a26b1..6a815b1 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -24,7 +24,7 @@
%global libedit 1
%global openssh_ver 9.9p1
-%global openssh_rel 1
+%global openssh_rel 2
Summary: An implementation of the SSH protocol with GSI authentication
Name: gsi-openssh
@@ -200,6 +200,21 @@ Patch1037: openssh-9.9p1-reject-cntrl-chars-in-username.patch
# upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
Patch1038: openssh-9.9p1-reject-null-char-in-url-string.patch
Patch1039: openssh-9.9p1-compat-mlkem.patch
+# https://github.com/openssh/openssh-portable/pull/649
+Patch1040: openssh-9.9p1-fill-default-options-error.patch
+# upstream 487e8ac146f7d6616f65c125d5edb210519b833a
+Patch1041: openssh-9.9p1-scp-clear-setuid.patch
+# upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add
+Patch1042: openssh-9.9p1-mux-askpass-check.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch1043: openssh-9.9p1-ecdsa-incomplete-application.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch1044: openssh-9.9p1-authorized-keys-principles-option.patch
+# upstream 76685c9b09a66435cd2ad8373246adf1c53976d3
+# upstream 0a0ef4515361143cad21afa072319823854c1cf6
+# upstream 607bd871ec029e9aa22e632a22547250f3cae223
+# upstream 1340d3fa8e4bb122906a82159c4c9b91584d65ce
+Patch1045: openssh-9.9p1-proxyjump-username-validity-checks.patch
# This is the patch that adds GSI support
# Based on hpn_isshd-gsi.7.5p1b.patch from Globus upstream
@@ -355,9 +370,6 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%patch -P1002 -p1 -b .ssh-manpage
%patch -P1006 -p1 -b .negotiate-supported-algs
-
-%patch -P100 -p1 -b .coverity
-
%patch -P1007 -p1 -b .sshrsacheck
%patch -P1012 -p1 -b .evp-fips-kex
%patch -P1015 -p1 -b .pam-rhost
@@ -378,6 +390,14 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%patch -P1037 -p1 -b .reject-cntrl-chars-in-username
%patch -P1038 -p1 -b .reject-null-char-in-url-string
%patch -P1039 -p1 -b .skip-mlkem-when-na
+%patch -P1040 -p1 -b .fill-default-options-error
+%patch -P1041 -p1 -b .scp-clear-setuid
+%patch -P1042 -p1 -b .mux-askpass-check
+%patch -P1043 -p1 -b .ecdsa-incomplete-application
+%patch -P1044 -p1 -b .authorized-keys-principles-option
+%patch -P1045 -p1 -b .proxyjump-username-validity-checks
+
+%patch -P100 -p1 -b .coverity
%patch -P98 -p1 -b .gsi
%patch -P99 -p1 -b .hpn
@@ -583,6 +603,9 @@ fi
%attr(0644,root,root) %{_sysusersdir}/%{name}-server.conf
%changelog
+* Fri May 29 2026 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.9p1-2
+- Based on openssh-9.9p1-8.el9
+
* Fri Mar 20 2026 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.9p1-1
- Based on openssh-9.9p1-5.el9
diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch
index ffe0c69..33dbb20 100644
--- a/openssh-6.7p1-coverity.patch
+++ b/openssh-6.7p1-coverity.patch
@@ -159,7 +159,47 @@ diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openb
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
-@@ -1847,6 +1847,7 @@ parse_pubkey_algos:
+@@ -749,12 +749,12 @@ match_cfg_line(Options *options, const c
+ debug2("checking match for '%s' host %s originally %s",
+ full_line, host, original_host);
+ while ((attrib = argv_next(acp, avp)) != NULL) {
+- attrib = oattrib = xstrdup(attrib);
+ /* Terminate on comment */
+ if (*attrib == '#') {
+ argv_consume(acp);
+ break;
+ }
++ attrib = oattrib = xstrdup(attrib);
+ arg = criteria = NULL;
+ this_result = 1;
+ if ((negate = (attrib[0] == '!')))
+@@ -793,7 +793,7 @@ match_cfg_line(Options *options, const c
+ debug3("%.200s line %d: %smatched '%s'",
+ filename, linenum,
+ this_result ? "" : "not ", oattrib);
+- continue;
++ goto next;
+ }
+
+ /* Keep this list in sync with below */
+@@ -863,7 +863,7 @@ match_cfg_line(Options *options, const c
+ debug3("%.200s line %d: skipped exec "
+ "\"%.100s\"", filename, linenum, cmd);
+ free(cmd);
+- continue;
++ goto next;
+ }
+ r = execute_in_shell(cmd);
+ if (r == -1) {
+@@ -887,6 +887,7 @@ match_cfg_line(Options *options, const c
+ criteria == NULL ? "" : " \"",
+ criteria == NULL ? "" : criteria,
+ criteria == NULL ? "" : "\"");
++next:
+ free(criteria);
+ free(oattrib);
+ oattrib = attrib = NULL;
+@@ -1847,6 +1848,7 @@ parse_pubkey_algos:
} else if (r != 0) {
error("%.200s line %d: glob failed for %s.",
filename, linenum, arg2);
@@ -170,7 +210,109 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
-@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
+@@ -1104,12 +1104,12 @@ match_cfg_line(const char *full_line, in
+ }
+
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
+- attrib = xstrdup(oattrib);
+ /* Terminate on comment */
+- if (*attrib == '#') {
++ if (*oattrib == '#') {
+ argv_consume(acp); /* mark all arguments consumed */
+ break;
+ }
++ attrib = xstrdup(oattrib);
+ arg = NULL;
+ attributes++;
+ /* Criterion "all" has no argument and must appear alone */
+@@ -1131,13 +1131,13 @@ match_cfg_line(const char *full_line, in
+ if (strcasecmp(attrib, "invalid-user") == 0) {
+ if (ci == NULL) {
+ result = 0;
+- continue;
++ goto next;
+ }
+ if (ci->user_invalid == 0)
+ result = 0;
+ else
+ debug("matched invalid-user at line %d", line);
+- continue;
++ goto next;
+ }
+
+ /* Keep this list in sync with below */
+@@ -1163,7 +1163,7 @@ match_cfg_line(const char *full_line, in
+ if (strcasecmp(attrib, "user") == 0) {
+ if (ci == NULL || (ci->test && ci->user == NULL)) {
+ result = 0;
+- continue;
++ goto next;
+ }
+ if (ci->user == NULL)
+ match_test_missing_fatal("User", "user");
+@@ -1175,7 +1175,7 @@ match_cfg_line(const char *full_line, in
+ } else if (strcasecmp(attrib, "group") == 0) {
+ if (ci == NULL || (ci->test && ci->user == NULL)) {
+ result = 0;
+- continue;
++ goto next;
+ }
+ if (ci->user == NULL)
+ match_test_missing_fatal("Group", "user");
+@@ -1189,7 +1189,7 @@ match_cfg_line(const char *full_line, in
+ } else if (strcasecmp(attrib, "host") == 0) {
+ if (ci == NULL || (ci->test && ci->host == NULL)) {
+ result = 0;
+- continue;
++ goto next;
+ }
+ if (ci->host == NULL)
+ match_test_missing_fatal("Host", "host");
+@@ -1204,7 +1204,7 @@ match_cfg_line(const char *full_line, in
+ fatal("Invalid Match address argument "
+ "'%s' at line %d", arg, line);
+ result = 0;
+- continue;
++ goto next;
+ }
+ if (ci->address == NULL)
+ match_test_missing_fatal("Address", "addr");
+@@ -1228,7 +1228,7 @@ match_cfg_line(const char *full_line, in
+ "argument '%s' at line %d", arg,
+ line);
+ result = 0;
+- continue;
++ goto next;
+ }
+ if (ci->laddress == NULL)
+ match_test_missing_fatal("LocalAddress",
+@@ -1256,7 +1256,7 @@ match_cfg_line(const char *full_line, in
+ }
+ if (ci == NULL || (ci->test && ci->lport == -1)) {
+ result = 0;
+- continue;
++ goto next;
+ }
+ if (ci->lport == 0)
+ match_test_missing_fatal("LocalPort", "lport");
+@@ -1270,7 +1270,7 @@ match_cfg_line(const char *full_line, in
+ } else if (strcasecmp(attrib, "rdomain") == 0) {
+ if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
+ result = 0;
+- continue;
++ goto next;
+ }
+ if (ci->rdomain == NULL)
+ match_test_missing_fatal("RDomain", "rdomain");
+@@ -1284,6 +1284,7 @@ match_cfg_line(const char *full_line, in
+ result = -1;
+ goto out;
+ }
++next:
+ free(attrib);
+ attrib = NULL;
+ }
+@@ -1638,8 +1639,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
@@ -246,3 +388,22 @@ diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;
+diff -up openssh-9.9p1/sshd.c.coverity openssh-9.9p1/sshd.c
+--- openssh-9.9p1/sshd.c.coverity 2026-04-08 15:19:20.480015568 +0200
++++ openssh-9.9p1/sshd.c 2026-04-08 15:22:10.938328556 +0200
+@@ -1069,6 +1069,7 @@ server_accept_loop(int *sock_in, int *so
+ send_rexec_state(config_s[0], cfg);
+ close(config_s[0]);
+ free(pfd);
++ free(startup_pollfd);
+ return;
+ }
+
+@@ -1101,6 +1102,7 @@ server_accept_loop(int *sock_in, int *so
+ log_stderr);
+ close(config_s[0]);
+ free(pfd);
++ free(startup_pollfd);
+ return;
+ }
+
diff --git a/openssh-9.9p1-authorized-keys-principles-option.patch b/openssh-9.9p1-authorized-keys-principles-option.patch
new file mode 100644
index 0000000..9bdd199
--- /dev/null
+++ b/openssh-9.9p1-authorized-keys-principles-option.patch
@@ -0,0 +1,45 @@
+diff --color -ruNp a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c
+--- a/auth2-pubkeyfile.c 2024-09-20 00:20:48.000000000 +0200
++++ b/auth2-pubkeyfile.c 2026-04-09 14:38:41.697178612 +0200
+@@ -50,6 +50,7 @@
+ #include "authfile.h"
+ #include "match.h"
+ #include "ssherr.h"
++#include "xmalloc.h"
+
+ int
+ auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
+@@ -146,20 +147,23 @@ auth_authorise_keyopts(struct passwd *pw
+ static int
+ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
+ {
+- char *result;
++ char *list, *olist, *entry;
+ u_int i;
+
+- /* XXX percent_expand() sequences for authorized_principals? */
+-
+- for (i = 0; i < cert->nprincipals; i++) {
+- if ((result = match_list(cert->principals[i],
+- principal_list, NULL)) != NULL) {
+- debug3("matched principal from key options \"%.100s\"",
+- result);
+- free(result);
+- return 1;
++ olist = list = xstrdup(principal_list);
++ for (;;) {
++ if ((entry = strsep(&list, ",")) == NULL || *entry == '\0')
++ break;
++ for (i = 0; i < cert->nprincipals; i++) {
++ if (strcmp(entry, cert->principals[i]) == 0) {
++ debug3("matched principal from key i"
++ "options \"%.100s\"", entry);
++ free(olist);
++ return 1;
++ }
+ }
+ }
++ free(olist);
+ return 0;
+ }
+
diff --git a/openssh-9.9p1-ecdsa-incomplete-application.patch b/openssh-9.9p1-ecdsa-incomplete-application.patch
new file mode 100644
index 0000000..3b93ca4
--- /dev/null
+++ b/openssh-9.9p1-ecdsa-incomplete-application.patch
@@ -0,0 +1,103 @@
+diff --color -ruNp a/auth2-hostbased.c b/auth2-hostbased.c
+--- a/auth2-hostbased.c 2026-04-09 13:22:28.114045749 +0200
++++ b/auth2-hostbased.c 2026-04-09 14:34:44.876393822 +0200
+@@ -96,9 +96,10 @@ userauth_hostbased(struct ssh *ssh, cons
+ error_f("cannot decode key: %s", pkalg);
+ goto done;
+ }
+- if (key->type != pktype) {
+- error_f("type mismatch for decoded key "
+- "(received %d, expected %d)", key->type, pktype);
++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
++ error_f("key type mismatch for decoded key "
++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+ goto done;
+ }
+ if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) {
+diff --color -ruNp a/auth2-pubkey.c b/auth2-pubkey.c
+--- a/auth2-pubkey.c 2026-04-09 13:22:28.157194118 +0200
++++ b/auth2-pubkey.c 2026-04-09 14:35:48.997689347 +0200
+@@ -152,9 +152,10 @@ userauth_pubkey(struct ssh *ssh, const c
+ error_f("cannot decode key: %s", pkalg);
+ goto done;
+ }
+- if (key->type != pktype) {
+- error_f("type mismatch for decoded key "
+- "(received %d, expected %d)", key->type, pktype);
++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
++ error_f("key type mismatch for decoded key "
++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+ goto done;
+ }
+ if (auth2_key_already_used(authctxt, key)) {
+diff --color -ruNp a/sshconnect2.c b/sshconnect2.c
+--- a/sshconnect2.c 2026-04-09 13:22:28.193412553 +0200
++++ b/sshconnect2.c 2026-04-09 14:42:37.644945762 +0200
+@@ -91,6 +91,7 @@ extern Options options;
+ static char *xxx_host;
+ static struct sockaddr *xxx_hostaddr;
+ static const struct ssh_conn_info *xxx_conn_info;
++static int key_type_allowed(struct sshkey *, const char *);
+
+ static int
+ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+@@ -100,6 +101,10 @@ verify_host_key_callback(struct sshkey *
+ if ((r = sshkey_check_rsa_length(hostkey,
+ options.required_rsa_size)) != 0)
+ fatal_r(r, "Bad server host key");
++ if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) {
++ fatal("Server host key %s not in HostKeyAlgorithms",
++ sshkey_ssh_name(hostkey));
++ }
+ if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+ xxx_conn_info) != 0)
+ fatal("Host key verification failed.");
+@@ -1776,34 +1781,37 @@ load_identity_file(Identity *id)
+ }
+
+ static int
+-key_type_allowed_by_config(struct sshkey *key)
++key_type_allowed(struct sshkey *key, const char *allowlist)
+ {
+- if (match_pattern_list(sshkey_ssh_name(key),
+- options.pubkey_accepted_algos, 0) == 1)
++ if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1)
+ return 1;
+
+ /* RSA keys/certs might be allowed by alternate signature types */
+ switch (key->type) {
+ case KEY_RSA:
+- if (match_pattern_list("rsa-sha2-512",
+- options.pubkey_accepted_algos, 0) == 1)
++ if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1)
+ return 1;
+- if (match_pattern_list("rsa-sha2-256",
+- options.pubkey_accepted_algos, 0) == 1)
++ if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1)
+ return 1;
+ break;
+ case KEY_RSA_CERT:
+ if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+- options.pubkey_accepted_algos, 0) == 1)
++ allowlist, 0) == 1)
+ return 1;
+ if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+- options.pubkey_accepted_algos, 0) == 1)
++ allowlist, 0) == 1)
+ return 1;
+ break;
+ }
+ return 0;
+ }
+
++static int
++key_type_allowed_by_config(struct sshkey *key)
++{
++ return key_type_allowed(key, options.pubkey_accepted_algos);
++}
++
+ /* obtain a list of keys from the agent */
+ static int
+ get_agent_identities(struct ssh *ssh, int *agent_fdp,
diff --git a/openssh-9.9p1-fill-default-options-error.patch b/openssh-9.9p1-fill-default-options-error.patch
new file mode 100644
index 0000000..4b80504
--- /dev/null
+++ b/openssh-9.9p1-fill-default-options-error.patch
@@ -0,0 +1,24 @@
+diff --color -ruNp a/readconf.c b/readconf.c
+--- a/readconf.c 2026-04-02 15:36:49.624394836 +0200
++++ b/readconf.c 2026-04-02 15:43:15.115047190 +0200
+@@ -2779,7 +2779,7 @@ fill_default_options(Options * options)
+ {
+ char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+ char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
+- int ret = 0, r;
++ int ret = 0;
+
+ if (options->forward_agent == -1)
+ options->forward_agent = 0;
+@@ -2989,9 +2989,9 @@ fill_default_options(Options * options)
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
+ do { \
+- if ((r = kex_assemble_names(&options->what, \
++ if ((ret = kex_assemble_names(&options->what, \
+ defaults, all)) != 0) { \
+- error_fr(r, "%s", #what); \
++ error_fr(ret, "%s", #what); \
+ goto fail; \
+ } \
+ } while (0)
diff --git a/openssh-9.9p1-mux-askpass-check.patch b/openssh-9.9p1-mux-askpass-check.patch
new file mode 100644
index 0000000..2176243
--- /dev/null
+++ b/openssh-9.9p1-mux-askpass-check.patch
@@ -0,0 +1,20 @@
+diff --color -ruNp a/mux.c b/mux.c
+--- a/mux.c 2024-09-20 00:20:48.000000000 +0200
++++ b/mux.c 2026-04-09 15:02:36.016198814 +0200
+@@ -1137,6 +1137,16 @@ mux_master_process_proxy(struct ssh *ssh
+
+ debug_f("channel %d: proxy request", c->self);
+
++ if (options.control_master == SSHCTL_MASTER_ASK ||
++ options.control_master == SSHCTL_MASTER_AUTO_ASK) {
++ if (!ask_permission("Allow multiplex proxy connection?")) {
++ debug2_f("proxy refused by user");
++ reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
++ "Permission denied");
++ return 0;
++ }
++ }
++
+ c->mux_rcb = channel_proxy_downstream;
+ if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
+ (r = sshbuf_put_u32(reply, rid)) != 0)
diff --git a/openssh-9.9p1-proxyjump-username-validity-checks.patch b/openssh-9.9p1-proxyjump-username-validity-checks.patch
new file mode 100644
index 0000000..c6ee415
--- /dev/null
+++ b/openssh-9.9p1-proxyjump-username-validity-checks.patch
@@ -0,0 +1,402 @@
+diff --color -ruNp a/readconf.c b/readconf.c
+--- a/readconf.c 2026-04-10 15:42:50.693725820 +0200
++++ b/readconf.c 2026-04-10 15:49:57.441110287 +0200
+@@ -1533,9 +1533,6 @@ parse_char_array:
+
+ case oProxyCommand:
+ charptr = &options->proxy_command;
+- /* Ignore ProxyCommand if ProxyJump already specified */
+- if (options->jump_host != NULL)
+- charptr = &options->jump_host; /* Skip below */
+ parse_command:
+ if (str == NULL) {
+ error("%.200s line %d: Missing argument.",
+@@ -1556,7 +1553,7 @@ parse_command:
+ }
+ len = strspn(str, WHITESPACE "=");
+ /* XXX use argv? */
+- if (parse_jump(str + len, options, *activep) == -1) {
++ if (parse_jump(str + len, options, cmdline, *activep) == -1) {
+ error("%.200s line %d: Invalid ProxyJump \"%s\"",
+ filename, linenum, str + len);
+ goto out;
+@@ -3370,65 +3367,116 @@ parse_forward(struct Forward *fwd, const
+ }
+
+ int
+-parse_jump(const char *s, Options *o, int active)
++ssh_valid_hostname(const char *s)
+ {
+- char *orig, *sdup, *cp;
+- char *host = NULL, *user = NULL;
+- int r, ret = -1, port = -1, first;
++ size_t i;
+
+- active &= o->proxy_command == NULL && o->jump_host == NULL;
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\"$\\;&<>|(){},", s[i]) != NULL ||
++ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++ return 0;
++ }
++ return 1;
++}
+
+- orig = sdup = xstrdup(s);
++int
++ssh_valid_ruser(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (iscntrl((u_char)s[i]))
++ return 0;
++ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++ return 0;
++ /* Disallow '-' after whitespace */
++ if (isspace((u_char)s[i]) && s[i + 1] == '-')
++ return 0;
++ /* Disallow \ in last position */
++ if (s[i] == '\\' && s[i + 1] == '\0')
++ return 0;
++ }
++ return 1;
++}
++
++int
++parse_jump(const char *s, Options *o, int strict, int active)
++{
++ char *orig = NULL, *sdup = NULL, *cp;
++ char *tmp_user = NULL, *tmp_host = NULL, *host = NULL, *user = NULL;
++ int r, ret = -1, tmp_port = -1, port = -1, first = 1;
++
++ if (strcasecmp(s, "none") == 0) {
++ if (active && o->jump_host == NULL) {
++ o->jump_host = xstrdup("none");
++ o->jump_port = 0;
++ }
++ return 0;
++ }
+
+- /* Remove comment and trailing whitespace */
++ orig = xstrdup(s);
+ if ((cp = strchr(orig, '#')) != NULL)
+ *cp = '\0';
+ rtrim(orig);
+
+- first = active;
++ active &= o->proxy_command == NULL && o->jump_host == NULL;
++ sdup = xstrdup(orig);
+ do {
+- if (strcasecmp(s, "none") == 0)
+- break;
++ /* Work backwards through string */
+ if ((cp = strrchr(sdup, ',')) == NULL)
+ cp = sdup; /* last */
+ else
+ *cp++ = '\0';
+
+- if (first) {
+- /* First argument and configuration is active */
+- r = parse_ssh_uri(cp, &user, &host, &port);
+- if (r == -1 || (r == 1 &&
+- parse_user_host_port(cp, &user, &host, &port) != 0))
++ r = parse_ssh_uri(cp, &tmp_user, &tmp_host, &tmp_port);
++ if (r == -1 || (r == 1 && parse_user_host_port(cp,
++ &tmp_user, &tmp_host, &tmp_port) != 0))
++ goto out; /* error already logged */
++ if (strict) {
++ if (!ssh_valid_hostname(tmp_host)) {
++ error_f("invalid hostname \"%s\"", tmp_host);
+ goto out;
+- } else {
+- /* Subsequent argument or inactive configuration */
+- r = parse_ssh_uri(cp, NULL, NULL, NULL);
+- if (r == -1 || (r == 1 &&
+- parse_user_host_port(cp, NULL, NULL, NULL) != 0))
++ }
++ if (tmp_user != NULL && !ssh_valid_ruser(tmp_user)) {
++ error_f("invalid username \"%s\"", tmp_user);
+ goto out;
++ }
++ }
++ if (first) {
++ user = tmp_user;
++ host = tmp_host;
++ port = tmp_port;
++ tmp_user = tmp_host = NULL; /* transferred */
+ }
+ first = 0; /* only check syntax for subsequent hosts */
++ free(tmp_user);
++ free(tmp_host);
++ tmp_user = tmp_host = NULL;
++ tmp_port = -1;
+ } while (cp != sdup);
++
+ /* success */
+ if (active) {
+- if (strcasecmp(s, "none") == 0) {
+- o->jump_host = xstrdup("none");
+- o->jump_port = 0;
+- } else {
+- o->jump_user = user;
+- o->jump_host = host;
+- o->jump_port = port;
+- o->proxy_command = xstrdup("none");
+- user = host = NULL;
+- if ((cp = strrchr(s, ',')) != NULL && cp != s) {
+- o->jump_extra = xstrdup(s);
+- o->jump_extra[cp - s] = '\0';
+- }
++ o->jump_user = user;
++ o->jump_host = host;
++ o->jump_port = port;
++ o->proxy_command = xstrdup("none");
++ user = host = NULL; /* transferred */
++ if (orig != NULL && (cp = strrchr(orig, ',')) != NULL) {
++ o->jump_extra = xstrdup(orig);
++ o->jump_extra[cp - orig] = '\0';
+ }
+ }
+ ret = 0;
+ out:
+ free(orig);
++ free(sdup);
++ free(tmp_user);
++ free(tmp_host);
+ free(user);
+ free(host);
+ return ret;
+diff --color -ruNp a/readconf.h b/readconf.h
+--- a/readconf.h 2026-04-10 15:42:50.470697714 +0200
++++ b/readconf.h 2026-04-10 15:49:57.442110306 +0200
+@@ -249,7 +249,9 @@ int process_config_line(Options *, stru
+ int read_config_file(const char *, struct passwd *, const char *,
+ const char *, Options *, int, int *);
+ int parse_forward(struct Forward *, const char *, int, int);
+-int parse_jump(const char *, Options *, int);
++int ssh_valid_hostname(const char *);
++int ssh_valid_ruser(const char *);
++int parse_jump(const char *, Options *, int, int);
+ int parse_ssh_uri(const char *, char **, char **, int *);
+ int default_ssh_port(void);
+ int option_clear_or_none(const char *);
+diff --color -ruNp a/regress/Makefile b/regress/Makefile
+--- a/regress/Makefile 2026-04-10 15:42:50.533815702 +0200
++++ b/regress/Makefile 2026-04-10 16:07:30.566094450 +0200
+@@ -111,7 +111,8 @@ LTESTS= connect \
+ agent-pkcs11-restrict \
+ agent-pkcs11-cert \
+ penalty \
+- penalty-expire
++ penalty-expire \
++ proxyjump
+
+ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
+ INTEROP_TESTS+= dropbear-ciphers dropbear-kex
+diff --color -ruNp a/regress/proxyjump.sh b/regress/proxyjump.sh
+--- a/regress/proxyjump.sh 1970-01-01 01:00:00.000000000 +0100
++++ b/regress/proxyjump.sh 2026-04-10 16:07:55.225958206 +0200
+@@ -0,0 +1,102 @@
++# $OpenBSD: proxyjump.sh,v 1.1 2026/03/30 07:19:02 djm Exp $
++# Placed in the Public Domain.
++
++tid="proxyjump"
++
++# Parsing tests
++verbose "basic parsing"
++for jspec in \
++ "jump1" \
++ "user@jump1" \
++ "jump1:2222" \
++ "user@jump1:2222" \
++ "jump1,jump2" \
++ "user1@jump1:2221,user2@jump2:2222" \
++ "ssh://user@host:2223" \
++ ; do
++ case "$jspec" in
++ "jump1") expected="jump1" ;;
++ "user@jump1") expected="user@jump1" ;;
++ "jump1:2222") expected="jump1:2222" ;;
++ "user@jump1:2222") expected="user@jump1:2222" ;;
++ "jump1,jump2") expected="jump1,jump2" ;;
++ "user1@jump1:2221,user2@jump2:2222")
++ expected="user1@jump1:2221,user2@jump2:2222" ;;
++ "ssh://user@host:2223") expected="user@host:2223" ;;
++ esac
++ f=`${SSH} -GF /dev/null -oProxyJump="$jspec" somehost | \
++ awk '/^proxyjump /{print $2}'`
++ if [ "$f" != "$expected" ]; then
++ fail "ProxyJump $jspec: expected $expected, got $f"
++ fi
++ f=`${SSH} -GF /dev/null -J "$jspec" somehost | \
++ awk '/^proxyjump /{print $2}'`
++ if [ "$f" != "$expected" ]; then
++ fail "ssh -J $jspec: expected $expected, got $f"
++ fi
++done
++
++verbose "precedence"
++f=`${SSH} -GF /dev/null -oProxyJump=none -oProxyJump=jump1 somehost | \
++ grep "^proxyjump "`
++if [ -n "$f" ]; then
++ fail "ProxyJump=none first did not win"
++fi
++f=`${SSH} -GF /dev/null -oProxyJump=jump -oProxyCommand=foo somehost | \
++ grep "^proxyjump "`
++if [ "$f" != "proxyjump jump" ]; then
++ fail "ProxyJump first did not win over ProxyCommand"
++fi
++f=`${SSH} -GF /dev/null -oProxyCommand=foo -oProxyJump=jump somehost | \
++ grep "^proxycommand "`
++if [ "$f" != "proxycommand foo" ]; then
++ fail "ProxyCommand first did not win over ProxyJump"
++fi
++
++verbose "command-line -J invalid characters"
++cp $OBJ/ssh_config $OBJ/ssh_config.orig
++for jspec in \
++ "host;with;semicolon" \
++ "host'with'quote" \
++ "host\`with\`backtick" \
++ "host\$with\$dollar" \
++ "host(with)brace" \
++ "user;with;semicolon@host" \
++ "user'with'quote@host" \
++ "user\`with\`backtick@host" \
++ "user(with)brace@host" ; do
++ ${SSH} -GF /dev/null -J "$jspec" somehost >/dev/null 2>&1
++ if [ $? -ne 255 ]; then
++ fail "ssh -J \"$jspec\" was not rejected"
++ fi
++ ${SSH} -GF /dev/null -oProxyJump="$jspec" somehost >/dev/null 2>&1
++ if [ $? -ne 255 ]; then
++ fail "ssh -oProxyJump=\"$jspec\" was not rejected"
++ fi
++done
++# Special characters should be accepted in the config though.
++echo "ProxyJump user;with;semicolon@host;with;semicolon" >> $OBJ/ssh_config
++f=`${SSH} -GF $OBJ/ssh_config somehost | grep "^proxyjump "`
++if [ "$f" != "proxyjump user;with;semicolon@host;with;semicolon" ]; then
++ fail "ProxyJump did not allow special characters in config: $f"
++fi
++
++verbose "functional test"
++# Use different names to avoid the loop detection in ssh.c
++grep -iv HostKeyAlias $OBJ/ssh_config.orig > $OBJ/ssh_config
++cat << _EOF >> $OBJ/ssh_config
++Host jump-host
++ HostkeyAlias jump-host
++Host target-host
++ HostkeyAlias target-host
++_EOF
++cp $OBJ/known_hosts $OBJ/known_hosts.orig
++sed 's/^[^ ]* /jump-host /' < $OBJ/known_hosts.orig > $OBJ/known_hosts
++sed 's/^[^ ]* /target-host /' < $OBJ/known_hosts.orig >> $OBJ/known_hosts
++start_sshd
++
++verbose "functional ProxyJump"
++res=`${REAL_SSH} -F $OBJ/ssh_config -J jump-host target-host echo "SUCCESS" 2>/dev/null`
++if [ "$res" != "SUCCESS" ]; then
++ fail "functional test failed: expected SUCCESS, got $res"
++fi
+diff --color -ruNp a/ssh.c b/ssh.c
+--- a/ssh.c 2026-04-10 15:42:50.657913189 +0200
++++ b/ssh.c 2026-04-10 16:04:07.489047966 +0200
+@@ -639,43 +639,6 @@ ssh_conn_info_free(struct ssh_conn_info
+ free(cinfo);
+ }
+
+-static int
+-valid_hostname(const char *s)
+-{
+- size_t i;
+-
+- if (*s == '-')
+- return 0;
+- for (i = 0; s[i] != 0; i++) {
+- if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
+- isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
+- return 0;
+- }
+- return 1;
+-}
+-
+-static int
+-valid_ruser(const char *s)
+-{
+- size_t i;
+-
+- if (*s == '-')
+- return 0;
+- for (i = 0; s[i] != 0; i++) {
+- if (iscntrl((u_char)s[i]))
+- return 0;
+- if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+- return 0;
+- /* Disallow '-' after whitespace */
+- if (isspace((u_char)s[i]) && s[i + 1] == '-')
+- return 0;
+- /* Disallow \ in last position */
+- if (s[i] == '\\' && s[i + 1] == '\0')
+- return 0;
+- }
+- return 1;
+-}
+-
+ /*
+ * Main program for the ssh client.
+ */
+@@ -931,9 +894,9 @@ main(int ac, char **av)
+ }
+ if (options.proxy_command != NULL)
+ fatal("Cannot specify -J with ProxyCommand");
+- if (parse_jump(optarg, &options, 1) == -1)
++ if (parse_jump(optarg, &options, 1, 1) == -1)
++
+ fatal("Invalid -J argument");
+- options.proxy_command = xstrdup("none");
+ break;
+ case 't':
+ if (options.request_tty == REQUEST_TTY_YES)
+@@ -1183,10 +1146,15 @@ main(int ac, char **av)
+ if (!host)
+ usage();
+
+- if (!valid_hostname(host))
+- fatal("hostname contains invalid characters");
+- if (options.user != NULL && !valid_ruser(options.user))
++ /*
++ * Validate commandline-specified values that end up in %tokens
++ * before they are used in config parsing.
++ */
++ if (options.user != NULL && !ssh_valid_ruser(options.user))
+ fatal("remote username contains invalid characters");
++ if (!ssh_valid_hostname(host))
++ fatal("hostname contains invalid characters");
++
+ options.host_arg = xstrdup(host);
+
+ /* Initialize the command to execute on remote host. */
+@@ -1347,7 +1315,8 @@ main(int ac, char **av)
+ sshbin = "ssh";
+
+ /* Consistency check */
+- if (options.proxy_command != NULL)
++ if (options.proxy_command != NULL &&
++ strcasecmp(options.proxy_command, "none") != 0)
+ fatal("inconsistent options: ProxyCommand+ProxyJump");
+ /* Never use FD passing for ProxyJump */
+ options.proxy_use_fdpass = 0;
+@@ -1467,7 +1436,7 @@ main(int ac, char **av)
+ cinfo->jmphost = xstrdup(options.jump_host == NULL ?
+ "" : options.jump_host);
+
+- if (user_on_commandline && !valid_ruser(options.user))
++ if (user_on_commandline && !ssh_valid_ruser(options.user))
+ fatal("remote username contains invalid characters");
+
+ cinfo->conn_hash_hex = ssh_connection_hash(cinfo->thishost,
diff --git a/openssh-9.9p1-scp-clear-setuid.patch b/openssh-9.9p1-scp-clear-setuid.patch
new file mode 100644
index 0000000..1a848a1
--- /dev/null
+++ b/openssh-9.9p1-scp-clear-setuid.patch
@@ -0,0 +1,15 @@
+diff --color -ruNp a/scp.c b/scp.c
+--- a/scp.c 2026-04-07 15:54:11.193730842 +0200
++++ b/scp.c 2026-04-07 15:55:52.529425481 +0200
+@@ -1705,8 +1705,10 @@ sink(int argc, char **argv, const char *
+
+ setimes = targisdir = 0;
+ mask = umask(0);
+- if (!pflag)
++ if (!pflag) {
++ mask |= 07000;
+ (void) umask(mask);
++ }
+ if (argc != 1) {
+ run_err("ambiguous target");
+ exit(1);
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-05-30 1:18 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-05-30 1:18 [rpms/gsi-openssh] epel9: Based on openssh-9.9p1-8.el9 Mattias Ellert
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox