diff --git a/openssh-4.7p1-cloexec.patch b/openssh-4.7p1-cloexec.patch
new file mode 100644
index 0000000..23d2746
--- /dev/null
+++ b/openssh-4.7p1-cloexec.patch
@@ -0,0 +1,24 @@
+diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c
+--- openssh-4.7p1/sshconnect.c.cloexec 2006-10-23 19:02:24.000000000 +0200
++++ openssh-4.7p1/sshconnect.c 2008-02-05 23:14:28.000000000 +0100
+@@ -38,6 +38,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "xmalloc.h"
+ #include "key.h"
+@@ -189,8 +190,11 @@ ssh_create_socket(int privileged, struct
+ return sock;
+ }
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+- if (sock < 0)
++ if (sock < 0) {
+ error("socket: %.100s", strerror(errno));
++ return -1;
++ }
++ fcntl(sock, F_SETFD, FD_CLOEXEC);
+
+ /* Bind the socket to an alternative local IP address */
+ if (options.bind_address == NULL)
diff --git a/openssh-4.7p1-packetdefsize.patch b/openssh-4.7p1-packetdefsize.patch
new file mode 100644
index 0000000..391cbe6
--- /dev/null
+++ b/openssh-4.7p1-packetdefsize.patch
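Review bot: The new `fcntl(sock, F_SETFD, FD_CLOEXEC);` line discards the return value, so if the call fails the socket silently stays inheritable across exec — exactly the leak into ProxyCommand/child processes this patch is meant to stop. Since the function already reports failures through error(), the call should be `if (fcntl(sock, F_SETFD, FD_CLOEXEC) == -1) error("fcntl F_SETFD FD_CLOEXEC: %.100s", strerror(errno));` so the failure is at least visible. The early `return -1` on socket() failure is a correct fix on its own, as the old code fell through to bind() with an invalid descriptor. The header name on the added `#include` line appears lost in extraction (presumably the one declaring fcntl()); worth checking the patch file itself. ssh_create_socket() begins and ends outside this hunk.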
@@ -0,0 +1,25 @@
+Index: clientloop.c
+===================================================================
+RCS file: /usr/local/src/security/openssh/cvs/openssh/clientloop.c,v
+retrieving revision 1.170
+diff -u -p -r1.170 clientloop.c
+--- clientloop.c 28 Dec 2007 15:45:07 -0000 1.170
++++ clientloop.c 28 Dec 2007 18:14:10 -0000
+@@ -1745,7 +1745,7 @@ client_request_forwarded_tcpip(const cha
+ }
+ c = channel_new("forwarded-tcpip",
+ SSH_CHANNEL_CONNECTING, sock, sock, -1,
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
++ CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+ originator_address, 1);
+ xfree(originator_address);
+ xfree(listen_address);
+@@ -1803,7 +1803,7 @@ client_request_agent(const char *request
+ return NULL;
+ c = channel_new("authentication agent connection",
+ SSH_CHANNEL_OPEN, sock, sock, -1,
+- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
++ CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+ "authentication agent connection", 1);
+ c->force_drain = 1;
+ return c;
diff --git a/openssh-4.7p1-revert-wsize.patch b/openssh-4.7p1-revert-wsize.patch
deleted file mode 100644
index 3cd3b7b..0000000
--- a/openssh-4.7p1-revert-wsize.patch
+++ /dev/null
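Review bot: Both corrected channel_new() calls still pass two bare size constants positionally, which is how a *_WINDOW_DEFAULT ended up in the max-packet slot in the first place; a short comment on the argument pair, e.g. `/* window, then max packet size */`, would make the next such slip visible in review. The agent channel deliberately mixes CHAN_X11_WINDOW_DEFAULT with CHAN_TCP_PACKET_DEFAULT, and a one-line note on why that pairing is intended would keep a future reader from "fixing" it. This hunk only touches two call sites; any other channel_new() caller in the tree that passes a window constant as the packet argument would have the same bug and is worth a grep, though none is visible here. Both enclosing functions begin outside the hunk.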
@@ -1,18 +0,0 @@
-Written-by: Jan Kratochvil
-Reviewed-by: Tomas Mraz
-
-diff -up openssh-4.7p1/channels.h.revert-wsize openssh-4.7p1/channels.h
---- openssh-4.7p1/channels.h.revert-wsize 2007-06-12 15:38:54.000000000 +0200
-+++ openssh-4.7p1/channels.h 2007-09-17 23:21:32.000000000 +0200
-@@ -122,9 +122,9 @@ struct Channel {
-
- /* default window/packet sizes for tcp/x11-fwd-channel */
- #define CHAN_SES_PACKET_DEFAULT (32*1024)
--#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
-+#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
- #define CHAN_TCP_PACKET_DEFAULT (32*1024)
--#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
-+#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
- #define CHAN_X11_PACKET_DEFAULT (16*1024)
- #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
-
diff --git a/openssh-4.7p1-sftp-doclose.patch b/openssh-4.7p1-sftp-doclose.patch
new file mode 100644
index 0000000..821b241
--- /dev/null
+++ b/openssh-4.7p1-sftp-doclose.patch
@@ -0,0 +1,13 @@
+Without this do_close() I get "Couldn't get handle: Failure"
+on every operation after N times through this failure path
+where N = 100 on OpenBSD and N = 200 on GNU/Linux.
+--- src/usr.bin/ssh/sftp-client.c.orig Sun Sep 16 00:55:52 2007
++++ src/usr.bin/ssh/sftp-client.c Mon Oct 15 10:12:50 2007
+@@ -813,6 +813,7 @@ do_download(struct sftp_conn *conn, char
+ if (local_fd == -1) {
+ error("Couldn't open local file \"%s\" for writing: %s",
+ local_path, strerror(errno));
++ do_close(conn, handle, handle_len);
+ buffer_free(&msg);
+ xfree(handle);
+ return(-1);
diff --git a/openssh-4.7p1-sshd-v6only.patch b/openssh-4.7p1-sshd-v6only.patch
new file mode 100644
index 0000000..1f71cea
--- /dev/null
+++ b/openssh-4.7p1-sshd-v6only.patch
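Review bot: The added `do_close(conn, handle, handle_len);` fixes only the local-open failure path, but nothing in the hunk says why the remote handle must be released here, so a later refactor could drop it without noticing the server-side handle exhaustion described in the patch header; a comment such as `/* release the remote handle or the server runs out after ~100-200 failed opens */` above the call would anchor it. Its return value is discarded, which is acceptable on an error path only if do_close() reports its own failures — that is not visible here and worth confirming. Presumably any other early return in do_download() taken after the handle has been obtained has the same leak, and this patch does not touch those. do_download() begins and ends outside the hunk.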
@@ -0,0 +1,30 @@
+--- sshd.c 2007-06-05 01:22:32.000000000 -0700
++++ sshd.c.new 2007-11-17 00:07:08.000000000 -0800
+@@ -971,12 +971,27 @@
+ }
+ /*
+ * Set socket options.
++ */
++
++ /*
+ * Allow local port reuse in TIME_WAIT.
+ */
+ if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR,
+ &on, sizeof(on)) == -1)
+ error("setsockopt SO_REUSEADDR: %s", strerror(errno));
+
++#ifdef IPV6_V6ONLY
++ if (ai->ai_family == AF_INET6) {
++ /*
++ * Only communicate in IPv6 over AF_INET6 sockets.
++ */
++ if (setsockopt(listen_sock, IPPROTO_IPV6, IPV6_V6ONLY,
++ &on, sizeof(on)) == -1)
++ error("setsockopt IPV6_V6ONLY: %s",
++ strerror(errno));
++ }
++#endif
++
+ debug("Bind to port %s on %s.", strport, ntop);
+
+ /* Bind the socket to the desired port. */
diff --git a/openssh.spec b/openssh.spec
index b281db5..644bd84 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -63,7 +63,7 @@ Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.7p1
-Release: 8%{?dist}%{?rescue_rel}
+Release: 9%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -95,8 +95,12 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
 Patch51: openssh-4.7p1-nss-keys.patch
 Patch52: openssh-4.7p1-sftp-drain-acks.patch
-Patch53: openssh-4.7p1-revert-wsize.patch
+Patch53: openssh-4.7p1-packetdefsize.patch
 Patch54: openssh-4.7p1-gssapi-role.patch
+Patch55: openssh-4.7p1-cloexec.patch
+Patch56: openssh-4.7p1-sshd-v6only.patch
+Patch57: openssh-4.7p1-sftp-doclose.patch
+
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
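Review bot: The comment "Only communicate in IPv6 over AF_INET6 sockets" states what IPV6_V6ONLY does but not why sshd needs it, and the why is security-relevant: on a dual-stack host a v6 listener without this option also accepts IPv4 clients, which then show up as IPv4-mapped addresses (::ffff:a.b.c.d) to anything that matches on the peer address, and it collides with a separate IPv4 ListenAddress bind on the same port. I would extend the comment to `/* Disable dual-stack: keeps IPv4 peers off this socket (no ::ffff: mapped addresses for address-based checks) and avoids EADDRINUSE against a separate IPv4 listener. */`. Note that a setsockopt failure is only reported via error() and the socket is still bound, so on a platform where the option is refused sshd silently continues with a dual-stack listener; that is presumably intended as best-effort, but it deserves a sentence in the same comment. The listening loop that defines `ai` and `on` begins outside the hunk.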
@@ -230,8 +234,11 @@ an X11 passphrase dialog for OpenSSH.
 %patch49 -p1 -b .canohost
 %patch51 -p1 -b .nss-keys
 %patch52 -p1 -b .drain-acks
-%patch53 -p1 -b .revert-wsize
+%patch53 -p0 -b .defsize
 %patch54 -p0 -b .gssapi-role
+%patch55 -p1 -b .cloexec
+%patch56 -p0 -b .sshd-v6only
+%patch57 -p3 -b .doclose
 autoreconf
@@ -482,6 +489,12 @@ fi
 %endif
 %changelog
+* Fri Feb 29 2008 Tomas Mraz - 4.7p1-9
+- set FD_CLOEXEC on client socket
+- apply real fix for window size problem (#286181) from upstream
+- apply fix for the spurious failed bind from upstream
+- apply open handle leak in sftp fix from upstream
+
 * Tue Feb 12 2008 Dennis Gilmore - 4.7p1-8
 - we build for sparcv9 now and it needs -fPIE