jjelen pushed to openssh (f22). "Update audit patch after rebase with more sanity checks"

notifications at fedoraproject.org notifications at fedoraproject.org
Thu Mar 26 13:52:45 UTC 2015


>From 12cf3e4d35a8c822d236760a4a9729e94663d7c3 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen at redhat.com>
Date: Thu, 26 Mar 2015 09:44:58 +0100
Subject: Update audit patch after rebase with more sanity checks


diff --git a/openssh-6.7p1-audit.patch b/openssh-6.7p1-audit.patch
index 735c9c7..4cff7ad 100644
--- a/openssh-6.7p1-audit.patch
+++ b/openssh-6.7p1-audit.patch
@@ -1717,7 +1717,7 @@ diff -up openssh-6.8p1/packet.c.audit openssh-6.8p1/packet.c
  		if ((r = cipher_cleanup(cc)) != 0)
  			return r;
  		enc  = &state->newkeys[mode]->enc;
-@@ -2263,6 +2275,73 @@ ssh_packet_get_output(struct ssh *ssh)
+@@ -2263,6 +2275,75 @@ ssh_packet_get_output(struct ssh *ssh)
  	return (void *)ssh->state->output;
  }
  
@@ -1774,10 +1774,12 @@ diff -up openssh-6.8p1/packet.c.audit openssh-6.8p1/packet.c
 +packet_destroy_all(int audit_it, int privsep)
 +{
 +	if (audit_it)
-+		audit_it = packet_state_has_keys (active_state->state) ||
-+			packet_state_has_keys (backup_state->state);
-+	packet_destroy_state(active_state->state);
-+	packet_destroy_state(backup_state->state);
++		audit_it = (active_state != NULL && packet_state_has_keys(active_state->state))
++			|| (backup_state != NULL && packet_state_has_keys(backup_state->state));
++	if (active_state != NULL)
++		packet_destroy_state(active_state->state);
++	if (backup_state != NULL)
++		packet_destroy_state(backup_state->state);
 +	if (audit_it) {
 +#ifdef SSH_AUDIT_EVENTS
 +		if (privsep)
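Review bot: The new guards in packet_destroy_all() test `active_state` and `backup_state` for NULL but still pass `active_state->state` and `backup_state->state` on unchecked. Whether packet_state_has_keys() and packet_destroy_state() tolerate a NULL state is not visible in this hunk, so that should be confirmed or guarded inside those helpers. Each pointer is now tested twice with no explanation; a comment above the first test such as `/* either state may be unset when teardown runs early */` (wording to be checked against the callers) would tell a reader why the checks are needed. The function body continues past the end of the hunk.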
@@ -2162,14 +2164,16 @@ diff -up openssh-6.8p1/sshd.c.audit openssh-6.8p1/sshd.c
  	if (pid == -1) {
  		fatal("fork of unprivileged child failed");
  	} else if (pid != 0) {
-@@ -759,6 +811,10 @@ privsep_postauth(Authctxt *authctxt)
+@@ -759,6 +811,12 @@ privsep_postauth(Authctxt *authctxt)
  	else if (pmonitor->m_pid != 0) {
  		verbose("User child is on pid %ld", (long)pmonitor->m_pid);
  		buffer_clear(&loginmsg);
-+		newkeys_destroy((*pmonitor->m_pkex)->newkeys[MODE_OUT]);
-+		newkeys_destroy((*pmonitor->m_pkex)->newkeys[MODE_IN]);
-+		audit_session_key_free_body(2, getpid(), getuid());
-+		packet_destroy_all(0, 0);
++		if (*pmonitor->m_pkex != NULL ){
++			newkeys_destroy((*pmonitor->m_pkex)->newkeys[MODE_OUT]);
++			newkeys_destroy((*pmonitor->m_pkex)->newkeys[MODE_IN]);
++			audit_session_key_free_body(2, getpid(), getuid());
++			packet_destroy_all(0, 0);
++		}
  		monitor_child_postauth(pmonitor);
  
  		/* NEVERREACHED */
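Review bot: With the new guard, `audit_session_key_free_body(2, getpid(), getuid());` and `packet_destroy_all(0, 0);` are skipped whenever `*pmonitor->m_pkex` is NULL, although only the two `newkeys_destroy()` calls dereference it. This commit also makes packet_destroy_all() NULL-safe, so `packet_destroy_all(0, 0);` could move below the closing `}` and still run in the monitor before `monitor_child_postauth(pmonitor)`. Whether the packet state can hold key material while the kex pointer is NULL is not visible here and should be confirmed. The guard also dereferences `pmonitor->m_pkex` itself unchecked, and `NULL ){` is spaced unlike the surrounding code. privsep_postauth() starts and ends outside the hunk.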
@@ -2224,7 +2228,7 @@ diff -up openssh-6.8p1/sshd.c.audit openssh-6.8p1/sshd.c
  
  	/* Destroy the private and public keys. No longer. */
 -	destroy_sensitive_data();
-+	destroy_sensitive_data(0);
++	destroy_sensitive_data(1);
  
  	if (use_privsep)
  		mm_ssh1_session_id(session_id);
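Review bot: The argument to `destroy_sensitive_data()` changes from 0 to 1 as a bare literal, and nothing in the hunk says what the value selects. The next context line branches on `use_privsep`, so if the parameter is a privilege-separation flag (an inference, since its definition is outside the hunk), confirm that a constant 1 is right when privilege separation is off. The comment above the call, `/* Destroy the private and public keys. No longer. */`, no longer tells a reader what happens; a replacement like `/* Destroy host keys; the argument selects how the audit event is reported. */` (to be checked against the function) would help. The enclosing function is outside the hunk.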
diff --git a/openssh.spec b/openssh.spec
index db821f2..67e5341 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -439,8 +439,7 @@ popd
 %patch926 -p1 -b .sftp-force-mode
 %patch927 -p1 -b .bz1204646
 
-# audit patch needs more care
-#%patch200 -p1 -b .audit
+%patch200 -p1 -b .audit
 %patch700 -p1 -b .fips
 
 %patch100 -p1 -b .coverity
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?h=f22&id=12cf3e4d35a8c822d236760a4a9729e94663d7c3

