pkg/debug: update openssh to version 9.8p1

according to https://fosstodon.org/@musl/112711796005712271 it should "only" be a deadlock for us for more information about CVE-2024-6387 see also https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt Signed-off-by: Christoph Ostarek <christoph@zededa.com> (cherry picked from commit 4c0c966)
milan-zededa · Jul 10, 2024 · 56b2d60 · 56b2d60
1 parent 5645671
commit 56b2d60
Show file tree

Hide file tree

Showing 3 changed files with 406 additions and 4 deletions.
diff --git a/pkg/debug/Dockerfile b/pkg/debug/Dockerfile
@@ -5,13 +5,13 @@
 # to be a perfect place to put any other kind of debug info
 # into the package: see abuild/etc/abuild.conf.
 FROM lfedge/eve-alpine:cbf02c2c126f210933ec9bdb142eb080b400fd76 as build
-ENV BUILD_PKGS abuild curl tar make linux-headers patch g++ git gcc ncurses-dev autoconf
+ENV BUILD_PKGS abuild curl tar make linux-headers patch g++ git gcc gpg ncurses-dev autoconf openssl-dev zlib-dev
 # Feel free to add additional packages here, but be aware that
 # EVE's rootfs image can be no larger than 300Mb (and don't
 # forget to check on all supported architectures: e.g. arm64
 # binaries are typically larger and amd64 ones).
 # RUN apk add --no-cache gdb valgrind
-ENV PKGS openssl openssh-client openssh-server tini util-linux ca-certificates pciutils usbutils vim tcpdump perf strace iproute2-minimal curl
+ENV PKGS openssl tini util-linux ca-certificates pciutils usbutils vim tcpdump perf strace iproute2-minimal curl zlib
 
 # These packages are not available on the riscv arch, so I have no idea how
 # deliver those, but still install them on other archs.
@@ -21,6 +21,7 @@ ENV PKGS_arm64 procps tar dmidecode iptables dhcpcd tio socat
 RUN eve-alpine-deploy.sh
 
 ENV LSHW_VERSION 02.19.2
+ENV OPENSSH_VERSION 9.8p1
 
 # setting up building account
 RUN adduser -G abuild -D builder || :
@@ -64,13 +65,56 @@ ADD --keep-git-dir=true https://github.com/npat-efault/picocom.git#${PICOCOM_COM
 WORKDIR /tmp/picocom
 RUN make -j "$(getconf _NPROCESSORS_ONLN)" && strip picocom && cp picocom /out/usr/bin/
 
+WORKDIR /usr/src
+ADD https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VERSION}.tar.gz /usr/src
+ADD https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VERSION}.tar.gz.asc /usr/src
+COPY ssh/RELEASE_KEY.asc /usr/src
+RUN gpg --import RELEASE_KEY.asc || :
+RUN gpg --verify openssh-${OPENSSH_VERSION}.tar.gz.asc openssh-${OPENSSH_VERSION}.tar.gz
+RUN tar xvf openssh-${OPENSSH_VERSION}.tar.gz
+WORKDIR /usr/src/openssh-${OPENSSH_VERSION}
+RUN ./configure \
+    --prefix=/usr \
+    --sysconfdir=/etc/ssh \
+    --libexecdir=/usr/lib/ssh \
+    --mandir=/usr/share/man \
+    --with-pid-dir=/run \
+    --with-mantype=doc \
+    --disable-utmp \
+    --disable-wtmp \
+    --disable-lastlog \
+    --disable-strip \
+    --with-privsep-path=/var/empty \
+    --with-xauth=/usr/bin/xauth \
+    --with-default-path='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
+    --with-privsep-user=sshd \
+    --with-ssl-engine
+
+RUN make -j "$(getconf _NPROCESSORS_ONLN)"
+RUN make install
+RUN HARNESS_JOBS="$(getconf _NPROCESSORS_ONLN)" make tests
+
+RUN /usr/bin/install -c -m 0755 -s ssh /out/usr/bin/ssh
+RUN /usr/bin/install -c -m 0755 -s scp /out/usr/bin/scp
+RUN /usr/bin/install -c -m 0755 -s ssh-keygen /out/usr/bin/ssh-keygen
+RUN /usr/bin/install -c -m 0755 -s sshd /out/usr/sbin/sshd
+RUN /usr/bin/install -c -m 0755 -s sshd-session /out/usr/libexec/sshd-session
+RUN /usr/bin/install -c -m 4711 -s ssh-keysign /out/usr/libexec/ssh-keysign
+RUN /usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /out/usr/libexec/ssh-pkcs11-helper
+RUN /usr/bin/install -c -m 0755 -s ssh-sk-helper /out/usr/libexec/ssh-sk-helper
+RUN /usr/bin/install -c -m 0755 -s sftp /out/usr/bin/sftp
+RUN /usr/bin/install -c -m 0755 -s sftp-server /out/usr/libexec/sftp-server
+RUN mkdir -p /out/etc/ssh
+COPY ssh/* /out/etc/ssh/
+RUN mkdir -p /out/var/empty
+
 # tweaking various bit
 WORKDIR /out
 COPY ssh.sh spec.sh scripts/ ./usr/bin/
-RUN mkdir -p ./etc/ssh ./root/.ssh && chmod 0700 ./root/.ssh
+RUN mkdir -p ./etc/ssh ./root/.ssh
+RUN chmod 0700 ./root/.ssh
 RUN cp /etc/passwd /etc/group ./etc/
 RUN ln -s /run ./var/run
-RUN sed -i -e 's#AllowTcpForwarding.*$#AllowTcpForwarding yes#' ./etc/ssh/sshd_config
 
 FROM scratch
 ENTRYPOINT []