openssh-8.7p1-30.el9.security.0.1

- Instead of linking against libsystemd, load it dynamically in a temporary
  child process to avoid polluting actual sshd's address space with that
  library and its many dependencies (shortens "ldd sshd" from 28 to 20 lines)

SOURCES/openssh-8.7p1-rocky-systemd.patch

+diff -urpx '*.m4' -x '*.in' -x configure openssh-8.7p1-rh-systemd/configure.ac openssh-8.7p1/configure.ac
+--- openssh-8.7p1-rh-systemd/configure.ac	2023-08-28 11:56:19.955892400 +0000
++++ openssh-8.7p1/configure.ac	2023-08-28 12:29:38.678775780 +0000
+@@ -4758,21 +4758,9 @@ SYSTEMD_MSG="no"
+ AC_ARG_WITH(systemd,
+ 	[  --with-systemd          Enable systemd support],
+ 	[ if test "x$withval" != "xno" ; then
+-		AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+-		if test "$PKGCONFIG" != "no"; then
+-			AC_MSG_CHECKING([for libsystemd])
+-			if $PKGCONFIG --exists libsystemd; then
+-				SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
+-				SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
+-				CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
+-				SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
+-				AC_MSG_RESULT([yes])
+-				AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
+-				SYSTEMD_MSG="yes"
+-			else
+-				AC_MSG_RESULT([no])
+-			fi
+-		fi
++		AC_MSG_RESULT([yes])
++		AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
++		SYSTEMD_MSG="yes"
+ 	fi ]
+ )
+ 
+diff -urpx '*.m4' -x '*.in' -x configure openssh-8.7p1-rh-systemd/sshd.c openssh-8.7p1/sshd.c
+--- openssh-8.7p1-rh-systemd/sshd.c	2023-08-28 11:56:19.957892327 +0000
++++ openssh-8.7p1/sshd.c	2023-08-28 12:53:52.070538125 +0000
+@@ -86,7 +86,7 @@
+ #endif
+ 
+ #ifdef HAVE_SYSTEMD
+-#include <systemd/sd-daemon.h>
++#include <dlfcn.h>
+ #endif
+ 
+ #include "xmalloc.h"
+@@ -2076,7 +2076,20 @@ main(int ac, char **av)
+ 
+ #ifdef HAVE_SYSTEMD
+ 		/* Signal systemd that we are ready to accept connections */
+-		sd_notify(0, "READY=1");
++		if (!fork()) {
++			void *handle = dlopen("libsystemd.so", RTLD_LAZY);
++			if (handle) {
++				int (*sd_pid_notify)(pid_t pid, int unset_environment, const char *state);
++				*(void **)&sd_pid_notify = dlsym(handle, "sd_pid_notify");
++				if (sd_pid_notify)
++					sd_pid_notify(getppid(), 0, "READY=1");
++#if 0
++				/* Unnecessary due to fork/exit */
++				dlclose(handle);
++#endif
++			}
++			_exit(0);
++		}
+ #endif
+ 
+ 		/* Accept a connection and return in a forked child */

SPECS/openssh.spec

@@ -58,7 +58,7 @@
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}
+Release: %{openssh_rel}%{?dist}.0.1
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -269,6 +269,8 @@ Patch1008: openssh-8.7p1-CVE-2023-25136.patch
 # b23fe83f06ee7e721033769cfa03ae840476d280
 Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
 
+Patch9000: openssh-8.7p1-rocky-systemd.patch
+
 License: BSD
 Requires: /sbin/nologin
 
@@ -480,6 +482,8 @@ popd
 %patch1007 -p1 -b .sshrsacheck
 %patch1008 -p1 -b .cve-2023-25136
 
+%patch9000 -p1 -b .rocky-systemd
+
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 autoreconf
@@ -765,6 +769,11 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Mon Aug 28 2023 Solar Designer <solar@openwall.com> 8.7p1-30.el9.security.0.1
+- Instead of linking against libsystemd, load it dynamically in a temporary
+  child process to avoid polluting actual sshd's address space with that
+  library and its many dependencies (shortens "ldd sshd" from 28 to 20 lines)
+
 * Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-30
 - Avoid remote code execution in ssh-agent PKCS#11 support
   Resolves: CVE-2023-38408