public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/gsi-openssh] f44: Based on openssh-10.2p1-10.fc44
@ 2026-05-30 1:18 Mattias Ellert
0 siblings, 0 replies; only message in thread
From: Mattias Ellert @ 2026-05-30 1:18 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/gsi-openssh
Branch : f44
Commit : 3f1b9c1fbdb0ccae688dfe5e17da278b9a502569
Author : Mattias Ellert <mattias.ellert@physics.uu.se>
Date : 2026-05-27T06:36:51+02:00
Stats : +672/-5 in 9 file(s)
URL : https://src.fedoraproject.org/rpms/gsi-openssh/c/3f1b9c1fbdb0ccae688dfe5e17da278b9a502569?branch=f44
Log:
Based on openssh-10.2p1-10.fc44
---
diff --git a/0052-openssh-10.2p1-pkcs11-uri.patch b/0052-openssh-10.2p1-pkcs11-uri.patch
index b486fee..881337b 100644
--- a/0052-openssh-10.2p1-pkcs11-uri.patch
+++ b/0052-openssh-10.2p1-pkcs11-uri.patch
@@ -30,7 +30,7 @@ diff --git a/Makefile.in b/Makefile.in
index 20d134c02..f8cbd545d 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -112,7 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -112,12 +112,12 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
sshbuf-io.o misc-agent.o auditstub.o
@@ -39,6 +39,12 @@ index 20d134c02..f8cbd545d 100644
SKOBJS= ssh-sk-client.o
+ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
+- sshconnect.o sshconnect2.o mux.o $(P11OBJS) $(SKOBJS)
++ sshconnect.o sshconnect2.o mux.o ssh-pkcs11.o ssh-pkcs11-uri.o $(SKOBJS)
+
+ SSHDOBJS=sshd.o \
+ platform-listen.o \
@@ -161,11 +161,11 @@ SSHADD_OBJS= ssh-add.o $(P11OBJS) $(SKOBJS)
SSHAGENT_OBJS= ssh-agent.o $(P11OBJS) $(SKOBJS)
diff --git a/0054-openssh-9.9p1-scp-clear-setuid.patch b/0054-openssh-9.9p1-scp-clear-setuid.patch
new file mode 100644
index 0000000..1a848a1
--- /dev/null
+++ b/0054-openssh-9.9p1-scp-clear-setuid.patch
@@ -0,0 +1,15 @@
+diff --color -ruNp a/scp.c b/scp.c
+--- a/scp.c 2026-04-07 15:54:11.193730842 +0200
++++ b/scp.c 2026-04-07 15:55:52.529425481 +0200
+@@ -1705,8 +1705,10 @@ sink(int argc, char **argv, const char *
+
+ setimes = targisdir = 0;
+ mask = umask(0);
+- if (!pflag)
++ if (!pflag) {
++ mask |= 07000;
+ (void) umask(mask);
++ }
+ if (argc != 1) {
+ run_err("ambiguous target");
+ exit(1);
diff --git a/0055-openssh-9.9p1-mux-askpass-check.patch b/0055-openssh-9.9p1-mux-askpass-check.patch
new file mode 100644
index 0000000..2176243
--- /dev/null
+++ b/0055-openssh-9.9p1-mux-askpass-check.patch
@@ -0,0 +1,20 @@
+diff --color -ruNp a/mux.c b/mux.c
+--- a/mux.c 2024-09-20 00:20:48.000000000 +0200
++++ b/mux.c 2026-04-09 15:02:36.016198814 +0200
+@@ -1137,6 +1137,16 @@ mux_master_process_proxy(struct ssh *ssh
+
+ debug_f("channel %d: proxy request", c->self);
+
++ if (options.control_master == SSHCTL_MASTER_ASK ||
++ options.control_master == SSHCTL_MASTER_AUTO_ASK) {
++ if (!ask_permission("Allow multiplex proxy connection?")) {
++ debug2_f("proxy refused by user");
++ reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
++ "Permission denied");
++ return 0;
++ }
++ }
++
+ c->mux_rcb = channel_proxy_downstream;
+ if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
+ (r = sshbuf_put_u32(reply, rid)) != 0)
diff --git a/0056-openssh-9.9p1-ecdsa-incomplete-application.patch b/0056-openssh-9.9p1-ecdsa-incomplete-application.patch
new file mode 100644
index 0000000..3b93ca4
--- /dev/null
+++ b/0056-openssh-9.9p1-ecdsa-incomplete-application.patch
@@ -0,0 +1,103 @@
+diff --color -ruNp a/auth2-hostbased.c b/auth2-hostbased.c
+--- a/auth2-hostbased.c 2026-04-09 13:22:28.114045749 +0200
++++ b/auth2-hostbased.c 2026-04-09 14:34:44.876393822 +0200
+@@ -96,9 +96,10 @@ userauth_hostbased(struct ssh *ssh, cons
+ error_f("cannot decode key: %s", pkalg);
+ goto done;
+ }
+- if (key->type != pktype) {
+- error_f("type mismatch for decoded key "
+- "(received %d, expected %d)", key->type, pktype);
++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
++ error_f("key type mismatch for decoded key "
++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+ goto done;
+ }
+ if (match_pattern_list(pkalg, options.hostbased_accepted_algos, 0) != 1) {
+diff --color -ruNp a/auth2-pubkey.c b/auth2-pubkey.c
+--- a/auth2-pubkey.c 2026-04-09 13:22:28.157194118 +0200
++++ b/auth2-pubkey.c 2026-04-09 14:35:48.997689347 +0200
+@@ -152,9 +152,10 @@ userauth_pubkey(struct ssh *ssh, const c
+ error_f("cannot decode key: %s", pkalg);
+ goto done;
+ }
+- if (key->type != pktype) {
+- error_f("type mismatch for decoded key "
+- "(received %d, expected %d)", key->type, pktype);
++ if (key->type != pktype || (sshkey_type_plain(pktype) == KEY_ECDSA &&
++ sshkey_ecdsa_nid_from_name(pkalg) != key->ecdsa_nid)) {
++ error_f("key type mismatch for decoded key "
++ "(received %s, expected %s)", sshkey_ssh_name(key), pkalg);
+ goto done;
+ }
+ if (auth2_key_already_used(authctxt, key)) {
+diff --color -ruNp a/sshconnect2.c b/sshconnect2.c
+--- a/sshconnect2.c 2026-04-09 13:22:28.193412553 +0200
++++ b/sshconnect2.c 2026-04-09 14:42:37.644945762 +0200
+@@ -91,6 +91,7 @@ extern Options options;
+ static char *xxx_host;
+ static struct sockaddr *xxx_hostaddr;
+ static const struct ssh_conn_info *xxx_conn_info;
++static int key_type_allowed(struct sshkey *, const char *);
+
+ static int
+ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+@@ -100,6 +101,10 @@ verify_host_key_callback(struct sshkey *
+ if ((r = sshkey_check_rsa_length(hostkey,
+ options.required_rsa_size)) != 0)
+ fatal_r(r, "Bad server host key");
++ if (!key_type_allowed(hostkey, options.hostkeyalgorithms)) {
++ fatal("Server host key %s not in HostKeyAlgorithms",
++ sshkey_ssh_name(hostkey));
++ }
+ if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+ xxx_conn_info) != 0)
+ fatal("Host key verification failed.");
+@@ -1776,34 +1781,37 @@ load_identity_file(Identity *id)
+ }
+
+ static int
+-key_type_allowed_by_config(struct sshkey *key)
++key_type_allowed(struct sshkey *key, const char *allowlist)
+ {
+- if (match_pattern_list(sshkey_ssh_name(key),
+- options.pubkey_accepted_algos, 0) == 1)
++ if (match_pattern_list(sshkey_ssh_name(key), allowlist, 0) == 1)
+ return 1;
+
+ /* RSA keys/certs might be allowed by alternate signature types */
+ switch (key->type) {
+ case KEY_RSA:
+- if (match_pattern_list("rsa-sha2-512",
+- options.pubkey_accepted_algos, 0) == 1)
++ if (match_pattern_list("rsa-sha2-512", allowlist, 0) == 1)
+ return 1;
+- if (match_pattern_list("rsa-sha2-256",
+- options.pubkey_accepted_algos, 0) == 1)
++ if (match_pattern_list("rsa-sha2-256", allowlist, 0) == 1)
+ return 1;
+ break;
+ case KEY_RSA_CERT:
+ if (match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+- options.pubkey_accepted_algos, 0) == 1)
++ allowlist, 0) == 1)
+ return 1;
+ if (match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+- options.pubkey_accepted_algos, 0) == 1)
++ allowlist, 0) == 1)
+ return 1;
+ break;
+ }
+ return 0;
+ }
+
++static int
++key_type_allowed_by_config(struct sshkey *key)
++{
++ return key_type_allowed(key, options.pubkey_accepted_algos);
++}
++
+ /* obtain a list of keys from the agent */
+ static int
+ get_agent_identities(struct ssh *ssh, int *agent_fdp,
diff --git a/0057-openssh-9.9p1-authorized-keys-principles-option.patch b/0057-openssh-9.9p1-authorized-keys-principles-option.patch
new file mode 100644
index 0000000..9bdd199
--- /dev/null
+++ b/0057-openssh-9.9p1-authorized-keys-principles-option.patch
@@ -0,0 +1,45 @@
+diff --color -ruNp a/auth2-pubkeyfile.c b/auth2-pubkeyfile.c
+--- a/auth2-pubkeyfile.c 2024-09-20 00:20:48.000000000 +0200
++++ b/auth2-pubkeyfile.c 2026-04-09 14:38:41.697178612 +0200
+@@ -50,6 +50,7 @@
+ #include "authfile.h"
+ #include "match.h"
+ #include "ssherr.h"
++#include "xmalloc.h"
+
+ int
+ auth_authorise_keyopts(struct passwd *pw, struct sshauthopt *opts,
+@@ -146,20 +147,23 @@ auth_authorise_keyopts(struct passwd *pw
+ static int
+ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
+ {
+- char *result;
++ char *list, *olist, *entry;
+ u_int i;
+
+- /* XXX percent_expand() sequences for authorized_principals? */
+-
+- for (i = 0; i < cert->nprincipals; i++) {
+- if ((result = match_list(cert->principals[i],
+- principal_list, NULL)) != NULL) {
+- debug3("matched principal from key options \"%.100s\"",
+- result);
+- free(result);
+- return 1;
++ olist = list = xstrdup(principal_list);
++ for (;;) {
++ if ((entry = strsep(&list, ",")) == NULL || *entry == '\0')
++ break;
++ for (i = 0; i < cert->nprincipals; i++) {
++ if (strcmp(entry, cert->principals[i]) == 0) {
++ debug3("matched principal from key i"
++ "options \"%.100s\"", entry);
++ free(olist);
++ return 1;
++ }
+ }
+ }
++ free(olist);
+ return 0;
+ }
+
diff --git a/0058-openssh-10.2p1-proxyjump-username-validity-checks.patch b/0058-openssh-10.2p1-proxyjump-username-validity-checks.patch
new file mode 100644
index 0000000..abfa3c4
--- /dev/null
+++ b/0058-openssh-10.2p1-proxyjump-username-validity-checks.patch
@@ -0,0 +1,422 @@
+diff --color -ruNp a/readconf.c b/readconf.c
+--- a/readconf.c 2026-04-10 15:42:50.693725820 +0200
++++ b/readconf.c 2026-04-10 15:49:57.441110287 +0200
+@@ -1533,9 +1533,6 @@ parse_char_array:
+
+ case oProxyCommand:
+ charptr = &options->proxy_command;
+- /* Ignore ProxyCommand if ProxyJump already specified */
+- if (options->jump_host != NULL)
+- charptr = &options->jump_host; /* Skip below */
+ parse_command:
+ if (str == NULL) {
+ error("%.200s line %d: Missing argument.",
+@@ -1556,7 +1553,7 @@ parse_command:
+ }
+ len = strspn(str, WHITESPACE "=");
+ /* XXX use argv? */
+- if (parse_jump(str + len, options, *activep) == -1) {
++ if (parse_jump(str + len, options, cmdline, *activep) == -1) {
+ error("%.200s line %d: Invalid ProxyJump \"%s\"",
+ filename, linenum, str + len);
+ goto out;
+@@ -3370,65 +3367,116 @@ parse_forward(struct Forward *fwd, const
+ }
+
+ int
+-parse_jump(const char *s, Options *o, int active)
++ssh_valid_hostname(const char *s)
+ {
+- char *orig, *sdup, *cp;
+- char *host = NULL, *user = NULL;
+- int r, ret = -1, port = -1, first;
++ size_t i;
+
+- active &= o->proxy_command == NULL && o->jump_host == NULL;
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (strchr("'`\"$\\;&<>|(){},", s[i]) != NULL ||
++ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++ return 0;
++ }
++ return 1;
++}
+
+- orig = sdup = xstrdup(s);
++int
++ssh_valid_ruser(const char *s)
++{
++ size_t i;
++
++ if (*s == '-')
++ return 0;
++ for (i = 0; s[i] != 0; i++) {
++ if (iscntrl((u_char)s[i]))
++ return 0;
++ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++ return 0;
++ /* Disallow '-' after whitespace */
++ if (isspace((u_char)s[i]) && s[i + 1] == '-')
++ return 0;
++ /* Disallow \ in last position */
++ if (s[i] == '\\' && s[i + 1] == '\0')
++ return 0;
++ }
++ return 1;
++}
++
++int
++parse_jump(const char *s, Options *o, int strict, int active)
++{
++ char *orig = NULL, *sdup = NULL, *cp;
++ char *tmp_user = NULL, *tmp_host = NULL, *host = NULL, *user = NULL;
++ int r, ret = -1, tmp_port = -1, port = -1, first = 1;
++
++ if (strcasecmp(s, "none") == 0) {
++ if (active && o->jump_host == NULL) {
++ o->jump_host = xstrdup("none");
++ o->jump_port = 0;
++ }
++ return 0;
++ }
+
+- /* Remove comment and trailing whitespace */
++ orig = xstrdup(s);
+ if ((cp = strchr(orig, '#')) != NULL)
+ *cp = '\0';
+ rtrim(orig);
+
+- first = active;
++ active &= o->proxy_command == NULL && o->jump_host == NULL;
++ sdup = xstrdup(orig);
+ do {
+- if (strcasecmp(s, "none") == 0)
+- break;
++ /* Work backwards through string */
+ if ((cp = strrchr(sdup, ',')) == NULL)
+ cp = sdup; /* last */
+ else
+ *cp++ = '\0';
+
+- if (first) {
+- /* First argument and configuration is active */
+- r = parse_ssh_uri(cp, &user, &host, &port);
+- if (r == -1 || (r == 1 &&
+- parse_user_host_port(cp, &user, &host, &port) != 0))
++ r = parse_ssh_uri(cp, &tmp_user, &tmp_host, &tmp_port);
++ if (r == -1 || (r == 1 && parse_user_host_port(cp,
++ &tmp_user, &tmp_host, &tmp_port) != 0))
++ goto out; /* error already logged */
++ if (strict) {
++ if (!ssh_valid_hostname(tmp_host)) {
++ error_f("invalid hostname \"%s\"", tmp_host);
+ goto out;
+- } else {
+- /* Subsequent argument or inactive configuration */
+- r = parse_ssh_uri(cp, NULL, NULL, NULL);
+- if (r == -1 || (r == 1 &&
+- parse_user_host_port(cp, NULL, NULL, NULL) != 0))
++ }
++ if (tmp_user != NULL && !ssh_valid_ruser(tmp_user)) {
++ error_f("invalid username \"%s\"", tmp_user);
+ goto out;
++ }
++ }
++ if (first) {
++ user = tmp_user;
++ host = tmp_host;
++ port = tmp_port;
++ tmp_user = tmp_host = NULL; /* transferred */
+ }
+ first = 0; /* only check syntax for subsequent hosts */
++ free(tmp_user);
++ free(tmp_host);
++ tmp_user = tmp_host = NULL;
++ tmp_port = -1;
+ } while (cp != sdup);
++
+ /* success */
+ if (active) {
+- if (strcasecmp(s, "none") == 0) {
+- o->jump_host = xstrdup("none");
+- o->jump_port = 0;
+- } else {
+- o->jump_user = user;
+- o->jump_host = host;
+- o->jump_port = port;
+- o->proxy_command = xstrdup("none");
+- user = host = NULL;
+- if ((cp = strrchr(s, ',')) != NULL && cp != s) {
+- o->jump_extra = xstrdup(s);
+- o->jump_extra[cp - s] = '\0';
+- }
++ o->jump_user = user;
++ o->jump_host = host;
++ o->jump_port = port;
++ o->proxy_command = xstrdup("none");
++ user = host = NULL; /* transferred */
++ if (orig != NULL && (cp = strrchr(orig, ',')) != NULL) {
++ o->jump_extra = xstrdup(orig);
++ o->jump_extra[cp - orig] = '\0';
+ }
+ }
+ ret = 0;
+ out:
+ free(orig);
++ free(sdup);
++ free(tmp_user);
++ free(tmp_host);
+ free(user);
+ free(host);
+ return ret;
+diff --color -ruNp a/readconf.h b/readconf.h
+--- a/readconf.h 2026-04-17 13:52:45.432820710 +0200
++++ b/readconf.h 2026-04-17 14:01:38.171138431 +0200
+@@ -252,7 +252,9 @@ int process_config_line(Options *, stru
+ int read_config_file(const char *, struct passwd *, const char *,
+ const char *, const char *, Options *, int, int *);
+ int parse_forward(struct Forward *, const char *, int, int);
+-int parse_jump(const char *, Options *, int);
++int ssh_valid_hostname(const char *);
++int ssh_valid_ruser(const char *);
++int parse_jump(const char *, Options *, int, int);
+ int parse_ssh_uri(const char *, char **, char **, int *);
+ int default_ssh_port(void);
+ int option_clear_or_none(const char *);
+diff --color -ruNp a/regress/Makefile b/regress/Makefile
+--- a/regress/Makefile 2026-04-17 13:52:46.227654470 +0200
++++ b/regress/Makefile 2026-04-17 14:02:02.805629106 +0200
+@@ -114,7 +114,8 @@ LTESTS= connect \
+ agent-pkcs11-cert \
+ penalty \
+ penalty-expire \
+- connect-bigconf
++ connect-bigconf \
++ proxyjump
+
+ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
+ INTEROP_TESTS+= dropbear-ciphers dropbear-kex dropbear-server
+ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
+ INTEROP_TESTS+= dropbear-ciphers dropbear-kex
+diff --color -ruNp a/regress/proxyjump.sh b/regress/proxyjump.sh
+--- a/regress/proxyjump.sh 1970-01-01 01:00:00.000000000 +0100
++++ b/regress/proxyjump.sh 2026-04-10 16:07:55.225958206 +0200
+@@ -0,0 +1,102 @@
++# $OpenBSD: proxyjump.sh,v 1.1 2026/03/30 07:19:02 djm Exp $
++# Placed in the Public Domain.
++
++tid="proxyjump"
++
++# Parsing tests
++verbose "basic parsing"
++for jspec in \
++ "jump1" \
++ "user@jump1" \
++ "jump1:2222" \
++ "user@jump1:2222" \
++ "jump1,jump2" \
++ "user1@jump1:2221,user2@jump2:2222" \
++ "ssh://user@host:2223" \
++ ; do
++ case "$jspec" in
++ "jump1") expected="jump1" ;;
++ "user@jump1") expected="user@jump1" ;;
++ "jump1:2222") expected="jump1:2222" ;;
++ "user@jump1:2222") expected="user@jump1:2222" ;;
++ "jump1,jump2") expected="jump1,jump2" ;;
++ "user1@jump1:2221,user2@jump2:2222")
++ expected="user1@jump1:2221,user2@jump2:2222" ;;
++ "ssh://user@host:2223") expected="user@host:2223" ;;
++ esac
++ f=`${SSH} -GF /dev/null -oProxyJump="$jspec" somehost | \
++ awk '/^proxyjump /{print $2}'`
++ if [ "$f" != "$expected" ]; then
++ fail "ProxyJump $jspec: expected $expected, got $f"
++ fi
++ f=`${SSH} -GF /dev/null -J "$jspec" somehost | \
++ awk '/^proxyjump /{print $2}'`
++ if [ "$f" != "$expected" ]; then
++ fail "ssh -J $jspec: expected $expected, got $f"
++ fi
++done
++
++verbose "precedence"
++f=`${SSH} -GF /dev/null -oProxyJump=none -oProxyJump=jump1 somehost | \
++ grep "^proxyjump "`
++if [ -n "$f" ]; then
++ fail "ProxyJump=none first did not win"
++fi
++f=`${SSH} -GF /dev/null -oProxyJump=jump -oProxyCommand=foo somehost | \
++ grep "^proxyjump "`
++if [ "$f" != "proxyjump jump" ]; then
++ fail "ProxyJump first did not win over ProxyCommand"
++fi
++f=`${SSH} -GF /dev/null -oProxyCommand=foo -oProxyJump=jump somehost | \
++ grep "^proxycommand "`
++if [ "$f" != "proxycommand foo" ]; then
++ fail "ProxyCommand first did not win over ProxyJump"
++fi
++
++verbose "command-line -J invalid characters"
++cp $OBJ/ssh_config $OBJ/ssh_config.orig
++for jspec in \
++ "host;with;semicolon" \
++ "host'with'quote" \
++ "host\`with\`backtick" \
++ "host\$with\$dollar" \
++ "host(with)brace" \
++ "user;with;semicolon@host" \
++ "user'with'quote@host" \
++ "user\`with\`backtick@host" \
++ "user(with)brace@host" ; do
++ ${SSH} -GF /dev/null -J "$jspec" somehost >/dev/null 2>&1
++ if [ $? -ne 255 ]; then
++ fail "ssh -J \"$jspec\" was not rejected"
++ fi
++ ${SSH} -GF /dev/null -oProxyJump="$jspec" somehost >/dev/null 2>&1
++ if [ $? -ne 255 ]; then
++ fail "ssh -oProxyJump=\"$jspec\" was not rejected"
++ fi
++done
++# Special characters should be accepted in the config though.
++echo "ProxyJump user;with;semicolon@host;with;semicolon" >> $OBJ/ssh_config
++f=`${SSH} -GF $OBJ/ssh_config somehost | grep "^proxyjump "`
++if [ "$f" != "proxyjump user;with;semicolon@host;with;semicolon" ]; then
++ fail "ProxyJump did not allow special characters in config: $f"
++fi
++
++verbose "functional test"
++# Use different names to avoid the loop detection in ssh.c
++grep -iv HostKeyAlias $OBJ/ssh_config.orig > $OBJ/ssh_config
++cat << _EOF >> $OBJ/ssh_config
++Host jump-host
++ HostkeyAlias jump-host
++Host target-host
++ HostkeyAlias target-host
++_EOF
++cp $OBJ/known_hosts $OBJ/known_hosts.orig
++sed 's/^[^ ]* /jump-host /' < $OBJ/known_hosts.orig > $OBJ/known_hosts
++sed 's/^[^ ]* /target-host /' < $OBJ/known_hosts.orig >> $OBJ/known_hosts
++start_sshd
++
++verbose "functional ProxyJump"
++res=`${REAL_SSH} -F $OBJ/ssh_config -J jump-host target-host echo "SUCCESS" 2>/dev/null`
++if [ "$res" != "SUCCESS" ]; then
++ fail "functional test failed: expected SUCCESS, got $res"
++fi
+diff --color -ruNp a/ssh.c b/ssh.c
+--- a/ssh.c 2026-04-17 14:40:11.131541424 +0200
++++ b/ssh.c 2026-04-17 14:42:16.295560116 +0200
+@@ -643,43 +643,6 @@ ssh_conn_info_free(struct ssh_conn_info
+ free(cinfo);
+ }
+
+-static int
+-valid_hostname(const char *s)
+-{
+- size_t i;
+-
+- if (*s == '-')
+- return 0;
+- for (i = 0; s[i] != 0; i++) {
+- if (strchr("'`\"$\\;&<>|(){},", s[i]) != NULL ||
+- isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
+- return 0;
+- }
+- return 1;
+-}
+-
+-static int
+-valid_ruser(const char *s)
+-{
+- size_t i;
+-
+- if (*s == '-')
+- return 0;
+- for (i = 0; s[i] != 0; i++) {
+- if (iscntrl((u_char)s[i]))
+- return 0;
+- if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+- return 0;
+- /* Disallow '-' after whitespace */
+- if (isspace((u_char)s[i]) && s[i + 1] == '-')
+- return 0;
+- /* Disallow \ in last position */
+- if (s[i] == '\\' && s[i + 1] == '\0')
+- return 0;
+- }
+- return 1;
+-}
+-
+ /*
+ * Main program for the ssh client.
+ */
+@@ -937,9 +900,8 @@ main(int ac, char **av)
+ }
+ if (options.proxy_command != NULL)
+ fatal("Cannot specify -J with ProxyCommand");
+- if (parse_jump(optarg, &options, 1) == -1)
++ if (parse_jump(optarg, &options, 1, 1) == -1)
+ fatal("Invalid -J argument");
+- options.proxy_command = xstrdup("none");
+ break;
+ case 't':
+ if (options.request_tty == REQUEST_TTY_YES)
+@@ -1189,8 +1151,15 @@ main(int ac, char **av)
+ if (!host)
+ usage();
+
+- if (!valid_hostname(host))
++ /*
++ * Validate commandline-specified values that end up in %tokens
++ * before they are used in config parsing.
++ */
++ if (options.user != NULL && !ssh_valid_ruser(options.user))
++ fatal("remote username contains invalid characters");
++ if (!ssh_valid_hostname(host))
+ fatal("hostname contains invalid characters");
++
+ options.host_arg = xstrdup(host);
+
+ /* Initialize the command to execute on remote host. */
+@@ -1360,7 +1329,8 @@ main(int ac, char **av)
+ sshbin = "ssh";
+
+ /* Consistency check */
+- if (options.proxy_command != NULL)
++ if (options.proxy_command != NULL &&
++ strcasecmp(options.proxy_command, "none") != 0)
+ fatal("inconsistent options: ProxyCommand+ProxyJump");
+ /* Never use FD passing for ProxyJump */
+ options.proxy_use_fdpass = 0;
+@@ -1503,7 +1473,7 @@ main(int ac, char **av)
+ * via configuration (i.e. not expanded) are not subject to validation.
+ */
+ if ((user_on_commandline || user_expanded) &&
+- !valid_ruser(options.user))
++ !ssh_valid_ruser(options.user))
+ fatal("remote username contains invalid characters");
+
+ /* Now User is expanded, store it and calculate hash. */
+diff --color -ruNp a/regress/percent.sh b/regress/percent.sh
+--- a/regress/percent.sh 2025-10-10 04:38:31.000000000 +0200
++++ b/regress/percent.sh 2026-04-17 15:58:15.426971800 +0200
+@@ -140,7 +140,7 @@ done
+ FOO=bar
+ export FOO
+ for i in controlpath identityagent forwardagent localforward remoteforward \
+- user setenv userknownhostsfile; do
++ setenv userknownhostsfile; do
+ verbose $tid $i dollar
+ trial $i '${FOO}' $FOO
+ done
+@@ -175,7 +175,7 @@ ${SSH} -F $OBJ/ssh_proxy -G "${FOO}@some
+
+ # Literal control characters in config is acceptable
+ verbose $tid user control-literal
+-trial user "$FOO" "$FOO"
++#trial user "$FOO" "$FOO"
+
+ # Control characters expanded from config aren't.
+ ${SSH} -F $OBJ/ssh_proxy -G '-oUser=${FOO}' somehost && \
diff --git a/0059-openssh-10.2p1-downgrade-useless-error-debug.patch b/0059-openssh-10.2p1-downgrade-useless-error-debug.patch
new file mode 100644
index 0000000..58833d2
--- /dev/null
+++ b/0059-openssh-10.2p1-downgrade-useless-error-debug.patch
@@ -0,0 +1,38 @@
+From 607f337637f2077b34a9f6f96fc24237255fe175 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 9 Oct 2025 23:25:23 +0000
+Subject: [PATCH] upstream: downgrade a useless error() -> debug()
+
+OpenBSD-Commit-ID: 5b0c9bcddb324f8bed2c8e8ffe9c92d263adc2d9
+---
+ ssh-pkcs11.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index c8817947395a..5e956208bb72 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-pkcs11.c,v 1.73 2025/10/08 21:02:16 djm Exp $ */
++/* $OpenBSD: ssh-pkcs11.c,v 1.74 2025/10/09 23:25:23 djm Exp $ */
+ /*
+ * Copyright (c) 2010 Markus Friedl. All rights reserved.
+ * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
+@@ -1486,7 +1486,7 @@ pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx,
+ case CKC_X_509:
+ if (pkcs11_fetch_x509_pubkey(p, slotidx, &obj,
+ &key, &label) != 0) {
+- error("failed to fetch key");
++ debug_f("failed to fetch key");
+ continue;
+ }
+ break;
+@@ -1613,7 +1613,7 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
+ }
+
+ if (key == NULL) {
+- error("failed to fetch key");
++ debug_f("failed to fetch key");
+ continue;
+ }
+ note_key(p, slotidx, __func__, key);
diff --git a/2001-openssh-10.2p1-hpn-18.8.0.patch b/2001-openssh-10.2p1-hpn-18.8.0.patch
index 134f98b..3c82648 100644
--- a/2001-openssh-10.2p1-hpn-18.8.0.patch
+++ b/2001-openssh-10.2p1-hpn-18.8.0.patch
@@ -9610,8 +9610,8 @@ diff -Nur openssh-10.2p1.orig/Makefile.in openssh-10.2p1/Makefile.in
SKOBJS= ssh-sk-client.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-- sshconnect.o sshconnect2.o mux.o $(P11OBJS) $(SKOBJS)
-+ sshconnect.o sshconnect2.o mux.o cipher-switch.o $(P11OBJS) $(SKOBJS)
+- sshconnect.o sshconnect2.o mux.o ssh-pkcs11.o ssh-pkcs11-uri.o $(SKOBJS)
++ sshconnect.o sshconnect2.o mux.o ssh-pkcs11.o ssh-pkcs11-uri.o cipher-switch.o $(SKOBJS)
SSHDOBJS=sshd.o \
platform-listen.o \
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 0e26558..7879e89 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -28,7 +28,7 @@
Summary: An implementation of the SSH protocol with GSI authentication
Name: gsi-openssh
Version: %{openssh_ver}
-Release: 1%{?dist}
+Release: 2%{?dist}
Provides: gsissh = %{version}-%{release}
Obsoletes: gsissh < 5.8p2-2
URL: http://www.openssh.com/portable.html
@@ -158,6 +158,21 @@ Patch0051: 0051-openssh-7.3p1-x11-max-displays.patch
Patch0052: 0052-openssh-10.2p1-pkcs11-uri.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2423900
Patch0053: 0053-openssh-10.2p1-pam-auth.patch
+# upstream 487e8ac146f7d6616f65c125d5edb210519b833a
+Patch0054: 0054-openssh-9.9p1-scp-clear-setuid.patch
+# upstream c805b97b67c774e0bf922ffb29dfbcda9d7b5add
+Patch0055: 0055-openssh-9.9p1-mux-askpass-check.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch0056: 0056-openssh-9.9p1-ecdsa-incomplete-application.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch0057: 0057-openssh-9.9p1-authorized-keys-principles-option.patch
+# upstream 76685c9b09a66435cd2ad8373246adf1c53976d3
+# upstream 0a0ef4515361143cad21afa072319823854c1cf6
+# upstream 607bd871ec029e9aa22e632a22547250f3cae223
+# upstream 1340d3fa8e4bb122906a82159c4c9b91584d65ce
+Patch0058: 0058-openssh-10.2p1-proxyjump-username-validity-checks.patch
+# upstream 607f337637f2077b34a9f6f96fc24237255fe175
+Patch0059: 0059-openssh-10.2p1-downgrade-useless-error-debug.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
Patch1000: 1000-openssh-6.7p1-coverity.patch
@@ -169,7 +184,7 @@ Patch2000: 2000-openssh-10.2p1-gsissh.patch
# Based on https://github.com/rapier1/hpn-ssh/ tag: hpn-18.8.0
Patch2001: 2001-openssh-10.2p1-hpn-18.8.0.patch
-License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
+License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
Requires: /sbin/nologin
Requires: openssl-libs >= 3.5.0
@@ -493,6 +508,9 @@ fi
%ghost %attr(0644,root,root) %{_localstatedir}/lib/.gsissh-host-keys-migration
%changelog
+* Tue May 26 2026 Mattias Ellert <mattias.ellert@physics.uu.se> - 10.2p1-2
+- Based on openssh-10.2p1-10.fc44
+
* Wed Mar 18 2026 Mattias Ellert <mattias.ellert@physics.uu.se> - 10.2p1-1
- Based on openssh-10.2p1-6.fc44
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-05-30 1:18 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-05-30 1:18 [rpms/gsi-openssh] f44: Based on openssh-10.2p1-10.fc44 Mattias Ellert
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox