1 files changed, 43 insertions, 0 deletions

diff --git a/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
new file mode 100644
index 000000000000..bf3889265b77
--- /dev/null
+++ b/security/openssh-portable/files/patch-FreeBSD-caph_cache_tzdata
@@ -0,0 +1,43 @@
+commit fc3c19a9fceeea48a9259ac3833a125804342c0e
+Author: Ed Maste <emaste@FreeBSD.org>
+Date:   Sat Oct 6 21:32:55 2018 +0000
+
+    sshd: address capsicum issues
+    
+    * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
+      capability mode.
+    * Cache timezone data via caph_cache_tzdata() as we cannot access the
+      timezone file.
+    * Reverse resolve hostname before entering capability mode.
+    
+    PR:             231172
+    Submitted by:   naito.yuichiro@gmail.com
+    Reviewed by:    cem, des
+    Approved by:    re (rgrimes)
+    MFC after:      3 weeks
+    Differential Revision:  https://reviews.freebsd.org/D17128
+
+Notes:
+    svn path=/head/; revision=339216
+
+diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
+index 5f41d526292b..f728abd18250 100644
+--- sandbox-capsicum.c
++++ sandbox-capsicum.c
+@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <capsicum_helpers.h>
+ 
+ #include "log.h"
+ #include "monitor.h"
+@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
+ 	struct rlimit rl_zero;
+ 	cap_rights_t rights;
+ 
++	caph_cache_tzdata();
++
+ 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ 
+ 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)