Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2014-02-21 19:52:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2014-02-15 
17:17:38.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh.changes     2014-02-21 
19:52:30.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Feb 18 12:56:31 UTC 2014 - [email protected]
+
+- openssh-6.5p1-seccomp_getuid.patch: re-enabling the seccomp sandbox
+  (allowing use of the getuid syscall) (bnc#864171)
+
+-------------------------------------------------------------------

New:
----
  openssh-6.5p1-seccomp_getuid.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.3k8MnW/_old  2014-02-21 19:52:31.000000000 +0100
+++ /var/tmp/diff_new_pack.3k8MnW/_new  2014-02-21 19:52:31.000000000 +0100
@@ -142,6 +142,7 @@
 Patch32:        openssh-6.5p1-host_ident.patch
 Patch33:        openssh-6.5p1-sftp_homechroot.patch
 Patch34:        openssh-6.5p1-sftp_force_permissions.patch
+Patch35:        openssh-6.5p1-seccomp_getuid.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -201,6 +202,7 @@
 %patch32 -p2
 %patch33 -p2
 %patch34 -p2
+%patch35 -p2
 cp %{SOURCE3} %{SOURCE4} .
 
 %build

++++++ openssh-6.5p1-seccomp_getuid.patch ++++++
# HG changeset patch
# Parent d625afd0d51ac51161b25728bc2f227c098fa0fb
add 'getuid' syscall to list of allowed ones to prevent the sandboxed thread
from being killed by the seccomp filter

diff --git a/openssh-6.5p1/sandbox-seccomp-filter.c 
b/openssh-6.5p1/sandbox-seccomp-filter.c
--- a/openssh-6.5p1/sandbox-seccomp-filter.c
+++ b/openssh-6.5p1/sandbox-seccomp-filter.c
@@ -85,16 +85,20 @@ static const struct sock_filter preauth_
                offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
        /* Load the syscall number for checking. */
        BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
                offsetof(struct seccomp_data, nr)),
        SC_DENY(open, EACCES),
        SC_ALLOW(getpid),
+       SC_ALLOW(getuid),
+#ifdef __NR_getuid32
+       SC_ALLOW(getuid32),
+#endif
        SC_ALLOW(gettimeofday),
        SC_ALLOW(clock_gettime),
 #ifdef __NR_time /* not defined on EABI ARM */
        SC_ALLOW(time),
 #endif
        SC_ALLOW(read),
        SC_ALLOW(write),
        SC_ALLOW(close),
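Review bot: The new `SC_ALLOW(getuid)` / `SC_ALLOW(getuid32)` entries widen the pre-auth sandbox allow-list with no in-source comment recording why, so a later audit of the filter cannot tell whether the entry is still needed. I would add a comment above them such as `/* getuid: called in the sandboxed preauth child; without it the filter kills the process (bnc#864171) */`, and ideally name the caller that issues the syscall once it is confirmed. Separately, `SC_ALLOW(getuid)` is unguarded while `getuid32` and `time` sit under `#ifdef __NR_...`; if the macro expands to `__NR_getuid` (as the neighbouring guards suggest), wrapping it in `#ifdef __NR_getuid` / `#endif` would keep the build working on architectures that lack that number. The filter array starts and ends outside this hunk, so the rest of the allow-list was not reviewed here.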