7 files changed, 73 insertions, 261 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch
new file mode 100644
index 0000000000..c41642ae10
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch
@@ -0,0 +1,30 @@
+From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Sun, 7 Jul 2024 18:46:19 +1000
+Subject: [PATCH] Cast to sockaddr * in systemd interface.
+Fixes build with musl libx.  bz#3707.
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8]
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ openbsd-compat/port-linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 4c024c6d2..8adfec5a7 100644
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
+                error_f("socket \"%s\": %s", path, strerror(errno));
+                goto out;
+        }
+-       if (connect(fd, &addr, sizeof(addr)) != 0) {
+       if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
+                error_f("socket \"%s\" connect: %s", path, strerror(errno));
+                goto out;
+        }
+-- 
+2.45.2
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
deleted file mode 100644
index 4925c969fe..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
+++ /dev/null
@@ -1,225 +0,0 @@
-From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Wed, 3 Apr 2024 14:40:32 +1100
-Subject: [PATCH] notify systemd on listen and reload
-Standalone implementation that does not depend on libsystemd.
-With assistance from Luca Boccassi, and feedback/testing from Colin
-Watson. bz2641
-Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c]
-Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
- configure.ac                |  1 +
- openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++-
- openbsd-compat/port-linux.h |  5 ++
- platform.c                  | 11 +++++
- platform.h                  |  1 +
- sshd.c                      |  2 +
- 6 files changed, 115 insertions(+), 2 deletions(-)
-diff --git a/configure.ac b/configure.ac
-index 82e8bb7c1..854f92b5b 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
-        AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
-        AC_DEFINE([USE_BTMP])
-        AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
-+       AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
-        inet6_default_4in6=yes
-        case `uname -r` in
-        1.*|2.0.*)
-diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index 0457e28d0..df7290246 100644
--- a/openbsd-compat/port-linux.c
-+++ b/openbsd-compat/port-linux.c
-@@ -21,16 +21,23 @@
- 
- #include "includes.h"
- 
-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
-+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
-+    defined(SYSTEMD_NOTIFY)
-+#include <sys/socket.h>
-+#include <sys/un.h>
-+
- #include <errno.h>
-+#include <inttypes.h>
- #include <stdarg.h>
- #include <string.h>
- #include <stdio.h>
- #include <stdlib.h>
-+#include <time.h>
- 
- #include "log.h"
- #include "xmalloc.h"
- #include "port-linux.h"
-+#include "misc.h"
- 
- #ifdef WITH_SELINUX
- #include <selinux/selinux.h>
-@@ -310,4 +317,90 @@ oom_adjust_restore(void)
-        return;
- }
- #endif /* LINUX_OOM_ADJUST */
-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
-+
-+#ifdef SYSTEMD_NOTIFY
-+
-+static void ssh_systemd_notify(const char *, ...)
-+    __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
-+
-+static void
-+ssh_systemd_notify(const char *fmt, ...)
-+{
-+       char *s = NULL;
-+       const char *path;
-+       struct stat sb;
-+       struct sockaddr_un addr;
-+       int fd = -1;
-+       va_list ap;
-+
-+       if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
-+               return;
-+
-+       va_start(ap, fmt);
-+       xvasprintf(&s, fmt, ap);
-+       va_end(ap);
-+
-+       /* Only AF_UNIX is supported, with path or abstract sockets */
-+       if (path[0] != '/' && path[0] != '@') {
-+               error_f("socket \"%s\" is not compatible with AF_UNIX", path);
-+               goto out;
-+       }
-+
-+       if (path[0] == '/' && stat(path, &sb) != 0) {
-+               error_f("socket \"%s\" stat: %s", path, strerror(errno));
-+               goto out;
-+       }
-+
-+       memset(&addr, 0, sizeof(addr));
-+       addr.sun_family = AF_UNIX;
-+       if (strlcpy(addr.sun_path, path,
-+           sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
-+               error_f("socket path \"%s\" too long", path);
-+               goto out;
-+       }
-+       /* Support for abstract socket */
-+       if (addr.sun_path[0] == '@')
-+               addr.sun_path[0] = 0;
-+       if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
-+               error_f("socket \"%s\": %s", path, strerror(errno));
-+               goto out;
-+       }
-+       if (connect(fd, &addr, sizeof(addr)) != 0) {
-+               error_f("socket \"%s\" connect: %s", path, strerror(errno));
-+               goto out;
-+       }
-+       if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
-+               error_f("socket \"%s\" write: %s", path, strerror(errno));
-+               goto out;
-+       }
-+       debug_f("socket \"%s\" notified %s", path, s);
-+ out:
-+       if (fd != -1)
-+               close(fd);
-+       free(s);
-+}
-+
-+void
-+ssh_systemd_notify_ready(void)
-+{
-+       ssh_systemd_notify("READY=1");
-+}
-+
-+void
-+ssh_systemd_notify_reload(void)
-+{
-+       struct timespec now;
-+
-+       monotime_ts(&now);
-+       if (now.tv_sec < 0 || now.tv_nsec < 0) {
-+               error_f("monotime returned negative value");
-+               ssh_systemd_notify("RELOADING=1");
-+       } else {
-+               ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
-+                   ((uint64_t)now.tv_sec * 1000000ULL) +
-+                   ((uint64_t)now.tv_nsec / 1000ULL));
-+       }
-+}
-+#endif /* SYSTEMD_NOTIFY */
-+
-+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
-index 3c22a854d..14064f87d 100644
--- a/openbsd-compat/port-linux.h
-+++ b/openbsd-compat/port-linux.h
-@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
- void oom_adjust_setup(void);
- #endif
- 
-+#ifdef SYSTEMD_NOTIFY
-+void ssh_systemd_notify_ready(void);
-+void ssh_systemd_notify_reload(void);
-+#endif
-+
- #endif /* ! _PORT_LINUX_H */
-diff --git a/platform.c b/platform.c
-index 4fe8744ee..9cf818153 100644
--- a/platform.c
-+++ b/platform.c
-@@ -44,6 +44,14 @@ platform_pre_listen(void)
- #endif
- }
- 
-+void
-+platform_post_listen(void)
-+{
-+#ifdef SYSTEMD_NOTIFY
-+       ssh_systemd_notify_ready();
-+#endif
-+}
-+
- void
- platform_pre_fork(void)
- {
-@@ -55,6 +63,9 @@ platform_pre_fork(void)
- void
- platform_pre_restart(void)
- {
-+#ifdef SYSTEMD_NOTIFY
-+       ssh_systemd_notify_reload();
-+#endif
- #ifdef LINUX_OOM_ADJUST
-        oom_adjust_restore();
- #endif
-diff --git a/platform.h b/platform.h
-index 7fef8c983..5dec23276 100644
--- a/platform.h
-+++ b/platform.h
-@@ -21,6 +21,7 @@
- void platform_pre_listen(void);
- void platform_pre_fork(void);
- void platform_pre_restart(void);
-+void platform_post_listen(void);
- void platform_post_fork_parent(pid_t child_pid);
- void platform_post_fork_child(void);
- int  platform_privileged_uidswap(void);
-diff --git a/sshd.c b/sshd.c
-index b4f2b9742..865331b46 100644
--- a/sshd.c
-+++ b/sshd.c
-@@ -2077,6 +2077,8 @@ main(int ac, char **av)
-                ssh_signal(SIGTERM, sigterm_handler);
-                ssh_signal(SIGQUIT, sigterm_handler);
- 
-+               platform_post_listen();
-+
-                /*
-                 * Write out the pid file after the sigterm handler
-                 * is setup and the listen sockets are bound
-- 
-2.45.2
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
index 8763f30f4b..f424288e37 100644
--- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -1,4 +1,4 @@
-From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001
+From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
 From: Mikko Rapeli <mikko.rapeli@linaro.org>
 Date: Mon, 11 Sep 2023 09:55:21 +0100
 Subject: [PATCH] regress/banner.sh: log input and output files on error
@@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
 Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
 Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
 ---
 regress/banner.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/regress/banner.sh b/regress/banner.sh
-index a84feb5a..de84957a 100644
+index a84feb5..de84957 100644
 --- a/regress/banner.sh
 +++ b/regress/banner.sh
 @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
@@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644
 done
 
 trace "test suppress banner (-q)"
-- 
-2.34.1
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
new file mode 100644
index 0000000000..b90cd2e69d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
+From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001
+From: Jose Quaresma <jose.quaresma@foundries.io>
+Date: Mon, 15 Jul 2024 18:43:08 +0100
+Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
+The SSHAGENT_BIN was changed in [1] to SSH_BIN but
+the last one don't use the absolute path and consequently
+the function increase_datafile_size can loops forever
+if the binary not found.
+[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ regress/test-exec.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 7afc2807..175f554b 100644
+--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
+@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
+ fi
+ 
+ # Path to sshd must be absolute for rexec
+case "$SSH" in
+/*) ;;
+*) SSH=`which $SSH` ;;
+esac
+
+ case "$SSHD" in
+ /*) ;;
+ *) SSHD=`which $SSHD` ;;
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch
deleted file mode 100644
index 3e7c707100..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Description: fix signal handler race condition
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497
-CVE: CVE-2024-6387
-Upstream-Status: Backport
-https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc
-Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
--- a/log.c
-+++ b/log.c
-@@ -452,12 +452,14 @@ void
- sshsigdie(const char *file, const char *func, int line, int showfunc,
-     LogLevel level, const char *suffix, const char *fmt, ...)
- {
-+#if 0
-        va_list args;
- 
-        va_start(args, fmt);
-        sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
-            suffix, fmt, args);
-        va_end(args);
-+#endif
-        _exit(1);
- }
- 
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
index b2244d725a..c9100f9f37 100755
--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,5 +1,6 @@
 #!/bin/sh
+export TEST_SSH_SSH=ssh
 export TEST_SHELL=sh
 export SKIP_UNIT=1
diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
index 4680d12be5..9554b4783f 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
@@ -23,11 +23,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://volatiles.99_sshd \
           file://run-ptest \
           file://sshd_check_keys \
+           file://0001-Cast-to-sockaddr-in-systemd-interface.patch \
           file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
-           file://0001-notify-systemd-on-listen-and-reload.patch \
+           file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
-           file://CVE-2024-6387.patch \
           "
-SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"
+SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3"
 CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
@@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1"
 PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
 FILES:${PN}-scp = "${bindir}/scp.${BPN}"
 FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
-FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
 FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
 FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
 FILES:${PN}-sftp = "${bindir}/sftp"

diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch new file mode 100644 index 0000000000..c41642ae10 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-Cast-to-sockaddr-in-systemd-interface.patch
@@ -0,0 +1,30 @@
		1	From a3068c6edb81c0b0b9a2ced82e8632c79314e409 Mon Sep 17 00:00:00 2001
		2	From: Darren Tucker <dtucker@dtucker.net>
		3	Date: Sun, 7 Jul 2024 18:46:19 +1000
		4	Subject: [PATCH] Cast to sockaddr * in systemd interface.
		5
		6	Fixes build with musl libx. bz#3707.
		7
		8	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8b664df75966e5aed8dabea00b8838303d3488b8]
		9
		10	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
		11	---
		12	openbsd-compat/port-linux.c \| 2 +-
		13	1 file changed, 1 insertion(+), 1 deletion(-)
		14
		15	diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
		16	index 4c024c6d2..8adfec5a7 100644
		17	--- a/openbsd-compat/port-linux.c
		18	+++ b/openbsd-compat/port-linux.c
		19	@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
		20	error_f("socket \"%s\": %s", path, strerror(errno));
		21	goto out;
		22	}
		23	- if (connect(fd, &addr, sizeof(addr)) != 0) {
		24	+ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
		25	error_f("socket \"%s\" connect: %s", path, strerror(errno));
		26	goto out;
		27	}
		28	--
		29	2.45.2
		30


diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch deleted file mode 100644 index 4925c969fe..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch +++ /dev/null
@@ -1,225 +0,0 @@
1	From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001
2	From: Damien Miller <djm@mindrot.org>
3	Date: Wed, 3 Apr 2024 14:40:32 +1100
4	Subject: [PATCH] notify systemd on listen and reload
5
6	Standalone implementation that does not depend on libsystemd.
7	With assistance from Luca Boccassi, and feedback/testing from Colin
8	Watson. bz2641
9
10	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c]
11
12	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
13	---
14	configure.ac \| 1 +
15	openbsd-compat/port-linux.c \| 97 ++++++++++++++++++++++++++++++++++++-
16	openbsd-compat/port-linux.h \| 5 ++
17	platform.c \| 11 +++++
18	platform.h \| 1 +
19	sshd.c \| 2 +
20	6 files changed, 115 insertions(+), 2 deletions(-)
21
22	diff --git a/configure.ac b/configure.ac
23	index 82e8bb7c1..854f92b5b 100644
24	--- a/configure.ac
25	+++ b/configure.ac
26	@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
27	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
28	AC_DEFINE([USE_BTMP])
29	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
30	+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
31	inet6_default_4in6=yes
32	case `uname -r` in
33	1.\|2.0.)
34	diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
35	index 0457e28d0..df7290246 100644
36	--- a/openbsd-compat/port-linux.c
37	+++ b/openbsd-compat/port-linux.c
38	@@ -21,16 +21,23 @@
39
40	#include "includes.h"
41
42	-#if defined(WITH_SELINUX) \|\| defined(LINUX_OOM_ADJUST)
43	+#if defined(WITH_SELINUX) \|\| defined(LINUX_OOM_ADJUST) \|\| \
44	+ defined(SYSTEMD_NOTIFY)
45	+#include <sys/socket.h>
46	+#include <sys/un.h>
47	+
48	#include <errno.h>
49	+#include <inttypes.h>
50	#include <stdarg.h>
51	#include <string.h>
52	#include <stdio.h>
53	#include <stdlib.h>
54	+#include <time.h>
55
56	#include "log.h"
57	#include "xmalloc.h"
58	#include "port-linux.h"
59	+#include "misc.h"
60
61	#ifdef WITH_SELINUX
62	#include <selinux/selinux.h>
63	@@ -310,4 +317,90 @@ oom_adjust_restore(void)
64	return;
65	}
66	#endif /* LINUX_OOM_ADJUST */
67	-#endif /* WITH_SELINUX \|\| LINUX_OOM_ADJUST */
68	+
69	+#ifdef SYSTEMD_NOTIFY
70	+
71	+static void ssh_systemd_notify(const char *, ...)
72	+ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
73	+
74	+static void
75	+ssh_systemd_notify(const char *fmt, ...)
76	+{
77	+ char *s = NULL;
78	+ const char *path;
79	+ struct stat sb;
80	+ struct sockaddr_un addr;
81	+ int fd = -1;
82	+ va_list ap;
83	+
84	+ if ((path = getenv("NOTIFY_SOCKET")) == NULL \|\| strlen(path) == 0)
85	+ return;
86	+
87	+ va_start(ap, fmt);
88	+ xvasprintf(&s, fmt, ap);
89	+ va_end(ap);
90	+
91	+ /* Only AF_UNIX is supported, with path or abstract sockets */
92	+ if (path[0] != '/' && path[0] != '@') {
93	+ error_f("socket \"%s\" is not compatible with AF_UNIX", path);
94	+ goto out;
95	+ }
96	+
97	+ if (path[0] == '/' && stat(path, &sb) != 0) {
98	+ error_f("socket \"%s\" stat: %s", path, strerror(errno));
99	+ goto out;
100	+ }
101	+
102	+ memset(&addr, 0, sizeof(addr));
103	+ addr.sun_family = AF_UNIX;
104	+ if (strlcpy(addr.sun_path, path,
105	+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
106	+ error_f("socket path \"%s\" too long", path);
107	+ goto out;
108	+ }
109	+ /* Support for abstract socket */
110	+ if (addr.sun_path[0] == '@')
111	+ addr.sun_path[0] = 0;
112	+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
113	+ error_f("socket \"%s\": %s", path, strerror(errno));
114	+ goto out;
115	+ }
116	+ if (connect(fd, &addr, sizeof(addr)) != 0) {
117	+ error_f("socket \"%s\" connect: %s", path, strerror(errno));
118	+ goto out;
119	+ }
120	+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
121	+ error_f("socket \"%s\" write: %s", path, strerror(errno));
122	+ goto out;
123	+ }
124	+ debug_f("socket \"%s\" notified %s", path, s);
125	+ out:
126	+ if (fd != -1)
127	+ close(fd);
128	+ free(s);
129	+}
130	+
131	+void
132	+ssh_systemd_notify_ready(void)
133	+{
134	+ ssh_systemd_notify("READY=1");
135	+}
136	+
137	+void
138	+ssh_systemd_notify_reload(void)
139	+{
140	+ struct timespec now;
141	+
142	+ monotime_ts(&now);
143	+ if (now.tv_sec < 0 \|\| now.tv_nsec < 0) {
144	+ error_f("monotime returned negative value");
145	+ ssh_systemd_notify("RELOADING=1");
146	+ } else {
147	+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
148	+ ((uint64_t)now.tv_sec * 1000000ULL) +
149	+ ((uint64_t)now.tv_nsec / 1000ULL));
150	+ }
151	+}
152	+#endif /* SYSTEMD_NOTIFY */
153	+
154	+#endif /* WITH_SELINUX \|\| LINUX_OOM_ADJUST \|\| SYSTEMD_NOTIFY */
155	diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
156	index 3c22a854d..14064f87d 100644
157	--- a/openbsd-compat/port-linux.h
158	+++ b/openbsd-compat/port-linux.h
159	@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
160	void oom_adjust_setup(void);
161	#endif
162
163	+#ifdef SYSTEMD_NOTIFY
164	+void ssh_systemd_notify_ready(void);
165	+void ssh_systemd_notify_reload(void);
166	+#endif
167	+
168	#endif /* ! _PORT_LINUX_H */
169	diff --git a/platform.c b/platform.c
170	index 4fe8744ee..9cf818153 100644
171	--- a/platform.c
172	+++ b/platform.c
173	@@ -44,6 +44,14 @@ platform_pre_listen(void)
174	#endif
175	}
176
177	+void
178	+platform_post_listen(void)
179	+{
180	+#ifdef SYSTEMD_NOTIFY
181	+ ssh_systemd_notify_ready();
182	+#endif
183	+}
184	+
185	void
186	platform_pre_fork(void)
187	{
188	@@ -55,6 +63,9 @@ platform_pre_fork(void)
189	void
190	platform_pre_restart(void)
191	{
192	+#ifdef SYSTEMD_NOTIFY
193	+ ssh_systemd_notify_reload();
194	+#endif
195	#ifdef LINUX_OOM_ADJUST
196	oom_adjust_restore();
197	#endif
198	diff --git a/platform.h b/platform.h
199	index 7fef8c983..5dec23276 100644
200	--- a/platform.h
201	+++ b/platform.h
202	@@ -21,6 +21,7 @@
203	void platform_pre_listen(void);
204	void platform_pre_fork(void);
205	void platform_pre_restart(void);
206	+void platform_post_listen(void);
207	void platform_post_fork_parent(pid_t child_pid);
208	void platform_post_fork_child(void);
209	int platform_privileged_uidswap(void);
210	diff --git a/sshd.c b/sshd.c
211	index b4f2b9742..865331b46 100644
212	--- a/sshd.c
213	+++ b/sshd.c
214	@@ -2077,6 +2077,8 @@ main(int ac, char **av)
215	ssh_signal(SIGTERM, sigterm_handler);
216	ssh_signal(SIGQUIT, sigterm_handler);
217
218	+ platform_post_listen();
219	+
220	/*
221	* Write out the pid file after the sigterm handler
222	* is setup and the listen sockets are bound
223	--
224	2.45.2
225


diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch index 8763f30f4b..f424288e37 100644 --- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -1,4 +1,4 @@
1	From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001	1	From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
2	From: Mikko Rapeli <mikko.rapeli@linaro.org>	2	From: Mikko Rapeli <mikko.rapeli@linaro.org>
3	Date: Mon, 11 Sep 2023 09:55:21 +0100	3	Date: Mon, 11 Sep 2023 09:55:21 +0100
4	Subject: [PATCH] regress/banner.sh: log input and output files on error	4	Subject: [PATCH] regress/banner.sh: log input and output files on error
@@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
37	Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]	37	Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
38		38
39	Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>	39	Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
		40	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
40	---	41	---
41	regress/banner.sh \| 4 +++-	42	regress/banner.sh \| 4 +++-
42	1 file changed, 3 insertions(+), 1 deletion(-)	43	1 file changed, 3 insertions(+), 1 deletion(-)
43		44
44	diff --git a/regress/banner.sh b/regress/banner.sh	45	diff --git a/regress/banner.sh b/regress/banner.sh
45	index a84feb5a..de84957a 100644	46	index a84feb5..de84957 100644
46	--- a/regress/banner.sh	47	--- a/regress/banner.sh
47	+++ b/regress/banner.sh	48	+++ b/regress/banner.sh
48	@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do	49	@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
@@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644
56	done	57	done
57		58
58	trace "test suppress banner (-q)"	59	trace "test suppress banner (-q)"
59	--
60	2.34.1
61


diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch new file mode 100644 index 0000000000..b90cd2e69d --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
		1	From fb762172fb678fe29327b667f8fe7380962a4540 Mon Sep 17 00:00:00 2001
		2	From: Jose Quaresma <jose.quaresma@foundries.io>
		3	Date: Mon, 15 Jul 2024 18:43:08 +0100
		4	Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
		5
		6	The SSHAGENT_BIN was changed in [1] to SSH_BIN but
		7	the last one don't use the absolute path and consequently
		8	the function increase_datafile_size can loops forever
		9	if the binary not found.
		10
		11	[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
		12
		13	Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
		14
		15	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
		16	---
		17	regress/test-exec.sh \| 5 +++++
		18	1 file changed, 5 insertions(+)
		19
		20	diff --git a/regress/test-exec.sh b/regress/test-exec.sh
		21	index 7afc2807..175f554b 100644
		22	--- a/regress/test-exec.sh
		23	+++ b/regress/test-exec.sh
		24	@@ -175,6 +175,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
		25	fi
		26
		27	# Path to sshd must be absolute for rexec
		28	+case "$SSH" in
		29	+/*) ;;
		30	+*) SSH=`which $SSH` ;;
		31	+esac
		32	+
		33	case "$SSHD" in
		34	/*) ;;
		35	*) SSHD=`which $SSHD` ;;


diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch deleted file mode 100644 index 3e7c707100..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch +++ /dev/null
@@ -1,27 +0,0 @@
1	Description: fix signal handler race condition
2	Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070497
3
4	CVE: CVE-2024-6387
5
6	Upstream-Status: Backport
7	https://git.launchpad.net/ubuntu/+source/openssh/commit/?h=applied/ubuntu/jammy-devel&id=b059bcfa928df4ff2d103ae2e8f4e3136ee03efc
8
9	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
10
11	--- a/log.c
12	+++ b/log.c
13	@@ -452,12 +452,14 @@ void
14	sshsigdie(const char file, const char func, int line, int showfunc,
15	LogLevel level, const char suffix, const char fmt, ...)
16	{
17	+#if 0
18	va_list args;
19
20	va_start(args, fmt);
21	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
22	suffix, fmt, args);
23	va_end(args);
24	+#endif
25	_exit(1);
26	}
27


diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest index b2244d725a..c9100f9f37 100755 --- a/meta/recipes-connectivity/openssh/openssh/run-ptest +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,5 +1,6 @@
1	#!/bin/sh	1	#!/bin/sh
2		2
		3	export TEST_SSH_SSH=ssh
3	export TEST_SHELL=sh	4	export TEST_SHELL=sh
4	export SKIP_UNIT=1	5	export SKIP_UNIT=1
5		6


diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb index 4680d12be5..9554b4783f 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
@@ -23,11 +23,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
23	file://volatiles.99_sshd \	23	file://volatiles.99_sshd \
24	file://run-ptest \	24	file://run-ptest \
25	file://sshd_check_keys \	25	file://sshd_check_keys \
		26	file://0001-Cast-to-sockaddr-in-systemd-interface.patch \
26	file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \	27	file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
27	file://0001-notify-systemd-on-listen-and-reload.patch \	28	file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
28	file://CVE-2024-6387.patch \
29	"	29	"
30	SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"	30	SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3"
31		31
32	CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."	32	CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
33		33
@@ -195,7 +195,7 @@ ALLOW_EMPTY:${PN} = "1"
195	PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"	195	PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
196	FILES:${PN}-scp = "${bindir}/scp.${BPN}"	196	FILES:${PN}-scp = "${bindir}/scp.${BPN}"
197	FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"	197	FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
198	FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"	198	FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
199	FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"	199	FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
200	FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"	200	FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
201	FILES:${PN}-sftp = "${bindir}/sftp"	201	FILES:${PN}-sftp = "${bindir}/sftp"