diff options
author | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2012-10-10 12:32:29 +0000 |
---|---|---|
committer | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2012-10-10 12:32:29 +0000 |
commit | 9c8997d54dc9df184bfcedeabf0b3c85cf5e6753 (patch) | |
tree | 46b83031a0da1b4458317413c00d13c252c72afa /package/network/services/dropbear/patches | |
parent | eecf5b17520f6b3b6ffb45ac7dca298d93b27501 (diff) |
packages: sort network related packages into package/network/
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@33688 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/network/services/dropbear/patches')
10 files changed, 367 insertions, 0 deletions
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch new file mode 100644 index 0000000000..c1802f51e5 --- /dev/null +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -0,0 +1,91 @@ +--- a/svr-authpubkey.c ++++ b/svr-authpubkey.c +@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al + goto out; + } + +- /* we don't need to check pw and pw_dir for validity, since +- * its been done in checkpubkeyperms. */ +- len = strlen(ses.authstate.pw_dir); +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", +- ses.authstate.pw_dir); +- +- /* open the file */ +- authfile = fopen(filename, "r"); ++ if (ses.authstate.pw_uid != 0) { ++ /* we don't need to check pw and pw_dir for validity, since ++ * its been done in checkpubkeyperms. */ ++ len = strlen(ses.authstate.pw_dir); ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", ++ ses.authstate.pw_dir); ++ ++ /* open the file */ ++ authfile = fopen(filename, "r"); ++ } else { ++ authfile = fopen("/etc/dropbear/authorized_keys","r"); ++ } + if (authfile == NULL) { + goto out; + } +@@ -372,26 +376,35 @@ static int checkpubkeyperms() { + goto out; + } + +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- strncpy(filename, ses.authstate.pw_dir, len+1); +- +- /* check ~ */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* check ~/.ssh */ +- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* now check ~/.ssh/authorized_keys */ +- strncat(filename, "/authorized_keys", 16); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; ++ if (ses.authstate.pw_uid == 0) { ++ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ } else { ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ strncpy(filename, ses.authstate.pw_dir, len+1); ++ ++ /* check ~ */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* check ~/.ssh */ ++ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* now check ~/.ssh/authorized_keys */ ++ strncat(filename, "/authorized_keys", 16); ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } + } + + /* file looks ok, return success */ diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch new file mode 100644 index 0000000000..55747bc4d7 --- /dev/null +++ b/package/network/services/dropbear/patches/110-change_user.patch @@ -0,0 +1,18 @@ +--- a/svr-chansession.c ++++ b/svr-chansession.c +@@ -884,12 +884,12 @@ static void execchild(void *user_data) { + /* We can only change uid/gid as root ... */ + if (getuid() == 0) { + +- if ((setgid(ses.authstate.pw_gid) < 0) || ++ if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) || + (initgroups(ses.authstate.pw_name, +- ses.authstate.pw_gid) < 0)) { ++ ses.authstate.pw_gid) < 0))) { + dropbear_exit("Error changing user group"); + } +- if (setuid(ses.authstate.pw_uid) < 0) { ++ if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) { + dropbear_exit("Error changing user"); + } + } else { diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch new file mode 100644 index 0000000000..42204aa646 --- /dev/null +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch @@ -0,0 +1,67 @@ +--- a/options.h ++++ b/options.h +@@ -38,7 +38,7 @@ + * Both of these flags can be defined at once, don't compile without at least + * one of them. */ + #define NON_INETD_MODE +-#define INETD_MODE ++/*#define INETD_MODE*/ + + /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is + * perhaps 20% slower for pubkey operations (it is probably worth experimenting +@@ -49,7 +49,7 @@ + several kB in binary size however will make the symmetrical ciphers and hashes + slower, perhaps by 50%. Recommended for small systems that aren't doing + much traffic. */ +-/*#define DROPBEAR_SMALL_CODE*/ ++#define DROPBEAR_SMALL_CODE + + /* Enable X11 Forwarding - server only */ + #define ENABLE_X11FWD +@@ -78,7 +78,7 @@ much traffic. */ + + /* Enable "Netcat mode" option. This will forward standard input/output + * to a remote TCP-forwarded connection */ +-#define ENABLE_CLI_NETCAT ++/*#define ENABLE_CLI_NETCAT*/ + + /* Encryption - at least one required. + * Protocol RFC requires 3DES and recommends AES128 for interoperability. +@@ -89,8 +89,8 @@ much traffic. */ + #define DROPBEAR_AES256 + /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ + /*#define DROPBEAR_BLOWFISH*/ +-#define DROPBEAR_TWOFISH256 +-#define DROPBEAR_TWOFISH128 ++/*#define DROPBEAR_TWOFISH256 ++#define DROPBEAR_TWOFISH128*/ + + /* Enable "Counter Mode" for ciphers. This is more secure than normal + * CBC mode against certain attacks. This adds around 1kB to binary +@@ -110,7 +110,7 @@ much traffic. */ + * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, + * which are not the standard form. */ + #define DROPBEAR_SHA1_HMAC +-#define DROPBEAR_SHA1_96_HMAC ++/*#define DROPBEAR_SHA1_96_HMAC*/ + #define DROPBEAR_MD5_HMAC + + /* Hostkey/public key algorithms - at least one required, these are used +@@ -148,7 +148,7 @@ much traffic. */ + + /* Whether to print the message of the day (MOTD). This doesn't add much code + * size */ +-#define DO_MOTD ++/*#define DO_MOTD*/ + + /* The MOTD file path */ + #ifndef MOTD_FILENAME +@@ -192,7 +192,7 @@ much traffic. */ + * note that it will be provided for all "hidden" client-interactive + * style prompts - if you want something more sophisticated, use + * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ +-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" ++/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/ + + /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of + * a helper program for the ssh client. The helper program should be diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch new file mode 100644 index 0000000000..93647a99e5 --- /dev/null +++ b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch @@ -0,0 +1,21 @@ +--- a/cli-runopts.c ++++ b/cli-runopts.c +@@ -287,6 +287,10 @@ void cli_getopts(int argc, char ** argv) + debug_trace = 1; + break; + #endif ++ case 'o': ++ next = &dummy; ++ case 'x': ++ break; + case 'F': + case 'e': + case 'c': +@@ -298,7 +302,6 @@ void cli_getopts(int argc, char ** argv) + #ifndef ENABLE_CLI_LOCALTCPFWD + case 'L': + #endif +- case 'o': + case 'b': + next = &dummy; + default: diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch new file mode 100644 index 0000000000..e99376333c --- /dev/null +++ b/package/network/services/dropbear/patches/140-disable_assert.patch @@ -0,0 +1,14 @@ +--- a/dbutil.h ++++ b/dbutil.h +@@ -94,6 +94,10 @@ int m_str_to_uint(const char* str, unsig + #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} + + /* Dropbear assertion */ +-#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0) ++#ifndef DROPBEAR_ASSERT_ENABLED ++#define DROPBEAR_ASSERT_ENABLED 0 ++#endif ++ ++#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0) + + #endif /* _DBUTIL_H_ */ diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch new file mode 100644 index 0000000000..3e0b008552 --- /dev/null +++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch @@ -0,0 +1,14 @@ +--- a/options.h ++++ b/options.h +@@ -5,6 +5,11 @@ + #ifndef _OPTIONS_H_ + #define _OPTIONS_H_ + ++#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER) ++#define DROPBEAR_SERVER ++#define DROPBEAR_CLIENT ++#endif ++ + /****************************************************************** + * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" + * parts are to allow for commandline -DDROPBEAR_XXX options etc. diff --git a/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch b/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch new file mode 100644 index 0000000000..57eb9670dc --- /dev/null +++ b/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch @@ -0,0 +1,29 @@ +--- a/Makefile.in ++++ b/Makefile.in +@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac + loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \ + listener.h fake-rfc2553.h + +-dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ ++dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) + dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS) + dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS) + dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS) +@@ -77,7 +77,7 @@ STRIP=@STRIP@ + INSTALL=@INSTALL@ + CPPFLAGS=@CPPFLAGS@ + CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@ +-LIBS+=@LIBS@ ++LIBS+=@CRYPTLIB@ @LIBS@ + LDFLAGS=@LDFLAGS@ + + EXEEXT=@EXEEXT@ +@@ -169,7 +169,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile + # multi-binary compilation. + MULTIOBJS= + ifeq ($(MULTI),1) +- MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) @CRYPTLIB@ ++ MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) + CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI + endif + diff --git a/package/network/services/dropbear/patches/300-ipv6_addr_port_split.patch b/package/network/services/dropbear/patches/300-ipv6_addr_port_split.patch new file mode 100644 index 0000000000..7da435ab15 --- /dev/null +++ b/package/network/services/dropbear/patches/300-ipv6_addr_port_split.patch @@ -0,0 +1,11 @@ +--- a/svr-runopts.c ++++ b/svr-runopts.c +@@ -325,7 +325,7 @@ static void addportandaddress(char* spec + myspec = m_strdup(spec); + + /* search for ':', that separates address and port */ +- svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':'); ++ svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':'); + + if (svr_opts.ports[svr_opts.portcount] == NULL) { + /* no ':' -> the whole string specifies just a port */ diff --git a/package/network/services/dropbear/patches/400-CVE-2012-0920.patch b/package/network/services/dropbear/patches/400-CVE-2012-0920.patch new file mode 100644 index 0000000000..164909f561 --- /dev/null +++ b/package/network/services/dropbear/patches/400-CVE-2012-0920.patch @@ -0,0 +1,91 @@ + +# HG changeset patch +# User Matt Johnston <matt@ucc.asn.au> +# Date 1322947885 -28800 +# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8 +# Parent 5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f +- Fix use-after-free if multiple command requests were sent. Move +the original_command into chansess struct since that makes more sense + +--- a/auth.h ++++ b/auth.h +@@ -133,7 +133,6 @@ struct PubKeyOptions { + int no_pty_flag; + /* "command=" option. */ + unsigned char * forced_command; +- unsigned char * original_command; + }; + #endif + +--- a/chansession.h ++++ b/chansession.h +@@ -69,6 +69,10 @@ struct ChanSess { + char * agentfile; + char * agentdir; + #endif ++ ++#ifdef ENABLE_SVR_PUBKEY_OPTIONS ++ char *original_command; ++#endif + }; + + struct ChildPid { +--- a/svr-authpubkeyoptions.c ++++ b/svr-authpubkeyoptions.c +@@ -92,14 +92,15 @@ int svr_pubkey_allows_pty() { + * by any 'command' public key option. */ + void svr_pubkey_set_forced_command(struct ChanSess *chansess) { + if (ses.authstate.pubkey_options) { +- ses.authstate.pubkey_options->original_command = chansess->cmd; +- if (!chansess->cmd) +- { +- ses.authstate.pubkey_options->original_command = m_strdup(""); ++ if (chansess->cmd) { ++ /* original_command takes ownership */ ++ chansess->original_command = chansess->cmd; ++ } else { ++ chansess->original_command = m_strdup(""); + } +- chansess->cmd = ses.authstate.pubkey_options->forced_command; ++ chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command); + #ifdef LOG_COMMANDS +- dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command); ++ dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command); + #endif + } + } +--- a/svr-chansession.c ++++ b/svr-chansession.c +@@ -217,6 +217,8 @@ static int newchansess(struct Channel *c + + struct ChanSess *chansess; + ++ TRACE(("new chansess %p", channel)) ++ + dropbear_assert(channel->typedata == NULL); + + chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess)); +@@ -279,6 +281,10 @@ static void closechansess(struct Channel + m_free(chansess->cmd); + m_free(chansess->term); + ++#ifdef ENABLE_SVR_PUBKEY_OPTIONS ++ m_free(chansess->original_command); ++#endif ++ + if (chansess->tty) { + /* write the utmp/wtmp login record */ + li = chansess_login_alloc(chansess); +@@ -924,10 +930,8 @@ static void execchild(void *user_data) { + } + + #ifdef ENABLE_SVR_PUBKEY_OPTIONS +- if (ses.authstate.pubkey_options && +- ses.authstate.pubkey_options->original_command) { +- addnewvar("SSH_ORIGINAL_COMMAND", +- ses.authstate.pubkey_options->original_command); ++ if (chansess->original_command) { ++ addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command); + } + #endif + diff --git a/package/network/services/dropbear/patches/500-set-default-path.patch b/package/network/services/dropbear/patches/500-set-default-path.patch new file mode 100644 index 0000000000..0bd3ffcc38 --- /dev/null +++ b/package/network/services/dropbear/patches/500-set-default-path.patch @@ -0,0 +1,11 @@ +--- a/options.h ++++ b/options.h +@@ -297,7 +297,7 @@ be overridden at runtime with -I. 0 disa + #define DEFAULT_IDLE_TIMEOUT 0 + + /* The default path. This will often get replaced by the shell */ +-#define DEFAULT_PATH "/usr/bin:/bin" ++#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin" + + /* Some other defines (that mostly should be left alone) are defined + * in sysoptions.h */ |