summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Ahlberg <aliz@gentoo.org>2003-09-18 14:46:38 +0000
committerDaniel Ahlberg <aliz@gentoo.org>2003-09-18 14:46:38 +0000
commit0333b6686235d8fb7d43f6e85eb9b4a8836a0016 (patch)
tree35e4822bac37c1fdb397d566813695efaa78564a /net-misc
parentVarious fixes and patches (diff)
downloadgentoo-2-0333b6686235d8fb7d43f6e85eb9b4a8836a0016.tar.gz
gentoo-2-0333b6686235d8fb7d43f6e85eb9b4a8836a0016.tar.bz2
gentoo-2-0333b6686235d8fb7d43f6e85eb9b4a8836a0016.zip
Various fixes and patches
Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/openssh/ChangeLog9
-rw-r--r--net-misc/openssh/Manifest9
-rw-r--r--net-misc/openssh/files/digest-openssh-3.7.1_p1-r13
-rw-r--r--net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch28
-rw-r--r--net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch24
-rw-r--r--net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch109
-rw-r--r--net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch24
-rw-r--r--net-misc/openssh/openssh-3.7.1_p1-r1.ebuild143
8 files changed, 346 insertions, 3 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog
index eeb48dd9673c..a8e80364401b 100644
--- a/net-misc/openssh/ChangeLog
+++ b/net-misc/openssh/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-misc/openssh
# Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.48 2003/09/18 12:22:22 aliz Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.49 2003/09/18 14:46:33 aliz Exp $
+
+*openssh-3.7.1_p1-r1 (18 Sep 2003)
+
+ 18 Sep 2003; Daniel Ahlberg <aliz@gentoo.org> openssh-3.7.1_p1-r1.ebuild :
+ Removed krb4 and afs support since they are removed according to the Announcment.
+ Ebuild cleanups.
+ Added a bunch of patches from CVS. Among them a fix for CAN-2003-0682.
18 Sep 2003; Daniel Ahlberg <aliz@gentoo.org> openssh-3.7.1_p1.ebuild :
Readd X509 patch. Closing #28992.
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 71f5974ae2b1..aa6c7efb34ce 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,11 +1,12 @@
-MD5 48dad40ebd4f72aec976e35db43a69fa ChangeLog 7693
+MD5 70c2d35365d4f3d65f60e3fd6cc98c80 ChangeLog 7887
MD5 bf8c9e2ff963deb77f7dd8adf7ad2037 openssh-3.5_p1-r1.ebuild 3932
MD5 3c2bbd03a745c1e0b2a5e4a6e600b030 openssh-3.6.1_p2-r1.ebuild 4148
MD5 a50daec66d75cc8248da65d91269b359 openssh-3.6.1_p2.ebuild 3948
MD5 564d864226cf89ea6396748305042fd9 openssh-3.6.1_p2-r2.ebuild 4204
MD5 9da5e02603f79633fe36e2337d4ae626 openssh-3.6.1_p2-r3.ebuild 4488
MD5 b95ca58a06be4f68640911f9e64a8c95 openssh-3.7_p1.ebuild 4479
-MD5 fa152b8b69b99788d49b156f1c6efc68 openssh-3.7.1_p1-r1.ebuild 4083
+MD5 50373292e185c35f7a254ede2a90adda openssh-3.7.1_p1.ebuild 4634
+MD5 e7569bf0bb9f8a188e6c7edf9a2b32bc openssh-3.7.1_p1-r1.ebuild 4248
MD5 f2472f97f00f203eee538d04a25acac5 files/digest-openssh-3.5_p1-r1 136
MD5 3d26d49ccd595bca906f540f5d8b8c31 files/digest-openssh-3.6.1_p2 139
MD5 3d5afb85b45dafdd05258d53f19a0b61 files/digest-openssh-3.6.1_p2-r1 213
@@ -17,3 +18,7 @@ MD5 3d5afb85b45dafdd05258d53f19a0b61 files/digest-openssh-3.6.1_p2-r3 213
MD5 2509087626bbaf1ad026899718167722 files/digest-openssh-3.7_p1 137
MD5 1830b9ef3eadf20461658be064566841 files/digest-openssh-3.7.1_p1 214
MD5 1830b9ef3eadf20461658be064566841 files/digest-openssh-3.7.1_p1-r1 214
+MD5 af754a7a6d850621f44547c47f0a60e8 files/openssh-3.7.1_p1-memory-bugs.patch 3497
+MD5 9cf685ee972138d53ead48ab93b89229 files/openssh-3.7.1_p1-memory-leak.patch 818
+MD5 32f5b511a168f9fb7def64603643a582 files/openssh-3.7.1_p1-connect-timeout.patch 836
+MD5 fcdec1634d390aed62b8a6a7e90c4b09 files/openssh-3.7.1_p1-double-free.patch 677
diff --git a/net-misc/openssh/files/digest-openssh-3.7.1_p1-r1 b/net-misc/openssh/files/digest-openssh-3.7.1_p1-r1
new file mode 100644
index 000000000000..74e5e4611361
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-3.7.1_p1-r1
@@ -0,0 +1,3 @@
+MD5 f54e574e606c08ef63ebb1ab2f7689dc openssh-3.7.1p1.tar.gz 791161
+MD5 c425e65927b359382bf3618d265d45f1 openssh_3.6p1-5.se1.diff.bz2 54985
+MD5 62a83953c4a7fee0309961099c94d760 openssh-3.7.1p1+x509g2.diff.gz 125275
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch b/net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch
new file mode 100644
index 000000000000..1d62b5754524
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch
@@ -0,0 +1,28 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/sshconnect.c,v
+retrieving revision 1.147
+retrieving revision 1.148
+diff -u -r1.147 -r1.148
+--- src/usr.bin/ssh/sshconnect.c 2003/06/29 12:44:38 1.147
++++ src/usr.bin/ssh/sshconnect.c 2003/09/18 07:52:54 1.148
+@@ -13,7 +13,7 @@
+ */
+
+ #include "includes.h"
+-RCSID("$OpenBSD: sshconnect.c,v 1.147 2003/06/29 12:44:38 markus Exp $");
++RCSID("$OpenBSD: sshconnect.c,v 1.148 2003/09/18 07:52:54 markus Exp $");
+
+ #include <openssl/bn.h>
+
+@@ -267,9 +267,10 @@
+ optval = 0;
+ optlen = sizeof(optval);
+ if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,
+- &optlen) == -1)
++ &optlen) == -1) {
+ debug("getsockopt: %s", strerror(errno));
+ break;
++ }
+ if (optval != 0) {
+ errno = optval;
+ break;
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch b/net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch
new file mode 100644
index 000000000000..f712f2a45224
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch
@@ -0,0 +1,24 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.18
+retrieving revision 1.19
+diff -u -r1.18 -r1.19
+--- src/usr.bin/ssh/buffer.c 2003/09/16 21:02:39 1.18
++++ src/usr.bin/ssh/buffer.c 2003/09/18 07:54:48 1.19
+@@ -12,7 +12,7 @@
+ */
+
+ #include "includes.h"
+-RCSID("$OpenBSD: buffer.c,v 1.18 2003/09/16 21:02:39 markus Exp $");
++RCSID("$OpenBSD: buffer.c,v 1.19 2003/09/18 07:54:48 markus Exp $");
+
+ #include "xmalloc.h"
+ #include "buffer.h"
+@@ -39,6 +39,7 @@
+ {
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
++ buffer->alloc = 0;
+ xfree(buffer->buf);
+ }
+ }
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch b/net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch
new file mode 100644
index 000000000000..34004df82bba
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch
@@ -0,0 +1,109 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.c,v
+retrieving revision 1.18
+retrieving revision 1.19
+diff -u -r1.18 -r1.19
+--- src/usr.bin/ssh/deattack.c 2002/03/04 17:27:39 1.18
++++ src/usr.bin/ssh/deattack.c 2003/09/18 08:49:45 1.19
+@@ -100,12 +100,12 @@
+
+ if (h == NULL) {
+ debug("Installing crc compensation attack detector.");
++ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
+ n = l;
+- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
+ } else {
+ if (l > n) {
++ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
+ n = l;
+- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
+ }
+ }
+
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/session.c,v
+retrieving revision 1.163
+retrieving revision 1.164
+diff -u -r1.163 -r1.164
+--- src/usr.bin/ssh/session.c 2003/08/31 13:29:05 1.163
++++ src/usr.bin/ssh/session.c 2003/09/18 08:49:45 1.164
+@@ -695,8 +695,9 @@
+ child_set_env(char ***envp, u_int *envsizep, const char *name,
+ const char *value)
+ {
+- u_int i, namelen;
+ char **env;
++ u_int envsize;
++ u_int i, namelen;
+
+ /*
+ * Find the slot where the value should be stored. If the variable
+@@ -713,12 +714,13 @@
+ xfree(env[i]);
+ } else {
+ /* New variable. Expand if necessary. */
+- if (i >= (*envsizep) - 1) {
+- if (*envsizep >= 1000)
+- fatal("child_set_env: too many env vars,"
+- " skipping: %.100s", name);
+- (*envsizep) += 50;
+- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
++ envsize = *envsizep;
++ if (i >= envsize - 1) {
++ if (envsize >= 1000)
++ fatal("child_set_env: too many env vars");
++ envsize += 50;
++ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
++ *envsizep = envsize;
+ }
+ /* Need to set the NULL pointer at end of array beyond the new slot. */
+ env[i + 1] = NULL;
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/ssh-agent.c,v
+retrieving revision 1.111
+retrieving revision 1.112
+diff -u -r1.111 -r1.112
+--- src/usr.bin/ssh/ssh-agent.c 2003/06/12 19:12:03 1.111
++++ src/usr.bin/ssh/ssh-agent.c 2003/09/18 08:49:45 1.112
+@@ -780,7 +780,7 @@
+ static void
+ new_socket(sock_type type, int fd)
+ {
+- u_int i, old_alloc;
++ u_int i, old_alloc, new_alloc;
+
+ if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
+ error("fcntl O_NONBLOCK: %s", strerror(errno));
+@@ -791,25 +791,26 @@
+ for (i = 0; i < sockets_alloc; i++)
+ if (sockets[i].type == AUTH_UNUSED) {
+ sockets[i].fd = fd;
+- sockets[i].type = type;
+ buffer_init(&sockets[i].input);
+ buffer_init(&sockets[i].output);
+ buffer_init(&sockets[i].request);
++ sockets[i].type = type;
+ return;
+ }
+ old_alloc = sockets_alloc;
+- sockets_alloc += 10;
++ new_alloc = sockets_alloc + 10;
+ if (sockets)
+- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
++ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
+ else
+- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
+- for (i = old_alloc; i < sockets_alloc; i++)
++ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
++ for (i = old_alloc; i < new_alloc; i++)
+ sockets[i].type = AUTH_UNUSED;
+- sockets[old_alloc].type = type;
++ sockets_alloc = new_alloc;
+ sockets[old_alloc].fd = fd;
+ buffer_init(&sockets[old_alloc].input);
+ buffer_init(&sockets[old_alloc].output);
+ buffer_init(&sockets[old_alloc].request);
++ sockets[old_alloc].type = type;
+ }
+
+ static int
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch b/net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch
new file mode 100644
index 000000000000..62695d6deff3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch
@@ -0,0 +1,24 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/authfile.c,v
+retrieving revision 1.54
+retrieving revision 1.55
+diff -u -r1.54 -r1.55
+--- src/usr.bin/ssh/authfile.c 2003/05/24 09:30:39 1.54
++++ src/usr.bin/ssh/authfile.c 2003/09/18 07:56:05 1.55
+@@ -36,7 +36,7 @@
+ */
+
+ #include "includes.h"
+-RCSID("$OpenBSD: authfile.c,v 1.54 2003/05/24 09:30:39 djm Exp $");
++RCSID("$OpenBSD: authfile.c,v 1.55 2003/09/18 07:56:05 markus Exp $");
+
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
+@@ -143,6 +143,7 @@
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ if (fd < 0) {
+ error("open %s failed: %s.", filename, strerror(errno));
++ buffer_free(&encrypted);
+ return 0;
+ }
+ if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) !=
diff --git a/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild b/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild
new file mode 100644
index 000000000000..7868716bfff4
--- /dev/null
+++ b/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild
@@ -0,0 +1,143 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild,v 1.1 2003/09/18 14:46:33 aliz Exp $
+
+inherit eutils flag-o-matic ccc
+[ `use kerberos` ] && append-flags -I/usr/include/gssapi
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+X509_PATCH=${PARCH}+x509g2.diff.gz
+
+S=${WORKDIR}/${PARCH}
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+IUSE="ipv6 static pam tcpd kerberos skey selinux X509"
+SRC_URI="ftp://ftp.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/${PARCH}.tar.gz
+ selinux? ( http://lostlogicx.com/gentoo/openssh_3.6p1-5.se1.diff.bz2 )
+ X509? ( http://roumenpetrov.info/openssh/x509g2/${X509_PATCH} )"
+
+# openssh recognizes when openssl has been slightly upgraded and refuses to run.
+# This new rev will use the new openssl.
+RDEPEND="virtual/glibc
+ pam? ( >=sys-libs/pam-0.73
+ >=sys-apps/shadow-4.0.2-r2 )
+ kerberos? ( app-crypt/mit-krb5 )
+ selinux? ( sys-apps/selinux-small )
+ skey? ( app-admin/skey )
+ >=dev-libs/openssl-0.9.6d
+ sys-libs/zlib
+ >=sys-apps/sed-4"
+
+DEPEND="${RDEPEND}
+ dev-lang/perl
+ sys-apps/groff
+ tcpd? ( >=sys-apps/tcp-wrappers-7.6 )"
+
+SLOT="0"
+LICENSE="as-is"
+KEYWORDS="~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~arm ~amd64 ~ia64"
+
+src_unpack() {
+ unpack ${PARCH}.tar.gz ; cd ${S}
+
+ epatch ${FILESDIR}/${P}-connect-timeout.patch
+ epatch ${FILESDIR}/${P}-double-free.patch
+ epatch ${FILESDIR}/${P}-memory-leak.patch
+ epatch ${FILESDIR}/${P}-memory-bugs.patch
+
+ use selinux && epatch ${DISTDIR}/openssh_3.6p1-5.se1.diff.bz2
+ use alpha && epatch ${FILESDIR}/${PN}-3.5_p1-gentoo-sshd-gcc3.patch
+ use X509 && epatch ${DISTDIR}/${X509_PATCH}
+
+ use skey && {
+ # prevent the conftest from violating the sandbox
+ sed -i 's#skey_keyinfo("")#"true"#g' configure
+ }
+}
+
+src_compile() {
+ local myconf
+
+ myconf="\
+ $( use_with tcpd tcp-wrappers ) \
+ $( use_with kerberos kerberos5 ) \
+ $( use_with pam ) \
+ $( use_with skey )"
+
+ use ipv6 || myconf="${myconf} --with-ipv4-default"
+
+ use skey && {
+ # make sure .sbss is large enough
+ use alpha && append-ldflags -mlarge-data
+ }
+
+ use selinux && append-flags "-DWITH_SELINUX"
+
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc/ssh \
+ --mandir=/usr/share/man \
+ --libexecdir=/usr/lib/misc \
+ --datadir=/usr/share/openssh \
+ --disable-suid-ssh \
+ --with-privsep-path=/var/empty \
+ --with-privsep-user=sshd \
+ --with-md5-passwords \
+ --host=${CHOST} ${myconf} || die "bad configure"
+
+ use static && {
+ # statically link to libcrypto -- good for the boot cd
+ sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" Makefile
+ }
+
+ use selinux && {
+ #add -lsecure
+ sed -i "s:LIBS=\(.*\):LIBS=\1 -lsecure:" Makefile
+ }
+
+ emake || die "compile problem"
+}
+
+src_install() {
+ make install-files DESTDIR=${D} || die
+ chmod 600 ${D}/etc/ssh/sshd_config
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+ insinto /etc/pam.d ; newins ${FILESDIR}/sshd.pam sshd
+ exeinto /etc/init.d ; newexe ${FILESDIR}/sshd.rc6 sshd
+ keepdir /var/empty/.keep
+}
+
+pkg_preinst() {
+ userdel sshd 2> /dev/null
+ if ! groupmod sshd; then
+ groupadd -g 90 sshd 2> /dev/null || \
+ die "Failed to create sshd group"
+ fi
+ useradd -u 22 -g sshd -s /dev/null -d /var/empty -c "sshd" sshd || \
+ die "Failed to create sshd user"
+}
+
+pkg_postinst() {
+ # empty dir for the new priv separation auth chroot..
+ install -d -m0755 -o root -g root ${ROOT}/var/empty
+
+ ewarn "Remember to merge your config files in /etc/ssh/ and then"
+ ewarn "restart sshd: '/etc/init.d/sshd restart'."
+ ewarn
+ einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+ einfo "functionality, but please ensure that you do not explicitly disable"
+ einfo "this in your configuration as disabling it opens security holes"
+ einfo
+ einfo "This revision has removed your sshd user id and replaced it with a"
+ einfo "new one with UID 22. If you have any scripts or programs that"
+ einfo "that referenced the old UID directly, you will need to update them."
+ einfo
+ use pam >/dev/null 2>&1 && {
+ einfo "Please be aware users need a valid shell in /etc/passwd"
+ einfo "in order to be allowed to login."
+ einfo
+ }
+}