authorDaniel Ahlberg <aliz@gentoo.org>2003-09-18 14:46:38 +0000
committerDaniel Ahlberg <aliz@gentoo.org>2003-09-18 14:46:38 +0000
commit0333b6686235d8fb7d43f6e85eb9b4a8836a0016 (patch)
tree35e4822bac37c1fdb397d566813695efaa78564a /net-misc/openssh
parentVarious fixes and patches (diff)
Various fixes and patches
Diffstat (limited to 'net-misc/openssh')
-rw-r--r--net-misc/openssh/ChangeLog9
-rw-r--r--net-misc/openssh/Manifest9
-rw-r--r--net-misc/openssh/files/digest-openssh-3.7.1_p1-r13
-rw-r--r--net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch28
-rw-r--r--net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch24
-rw-r--r--net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch109
-rw-r--r--net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch24
-rw-r--r--net-misc/openssh/openssh-3.7.1_p1-r1.ebuild143
8 files changed, 346 insertions, 3 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog
index eeb48dd9673c..a8e80364401b 100644
--- a/net-misc/openssh/ChangeLog
+++ b/net-misc/openssh/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-misc/openssh
# Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.48 2003/09/18 12:22:22 aliz Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.49 2003/09/18 14:46:33 aliz Exp $
+
+*openssh-3.7.1_p1-r1 (18 Sep 2003)
+
+ 18 Sep 2003; Daniel Ahlberg <aliz@gentoo.org> openssh-3.7.1_p1-r1.ebuild :
+ Removed krb4 and afs support since they are removed according to the Announcment.
+ Ebuild cleanups.
+ Added a bunch of patches from CVS. Among them a fix for CAN-2003-0682.
18 Sep 2003; Daniel Ahlberg <aliz@gentoo.org> openssh-3.7.1_p1.ebuild :
Readd X509 patch. Closing #28992.
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 71f5974ae2b1..aa6c7efb34ce 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,11 +1,12 @@
-MD5 48dad40ebd4f72aec976e35db43a69fa ChangeLog 7693
+MD5 70c2d35365d4f3d65f60e3fd6cc98c80 ChangeLog 7887
MD5 bf8c9e2ff963deb77f7dd8adf7ad2037 openssh-3.5_p1-r1.ebuild 3932
MD5 3c2bbd03a745c1e0b2a5e4a6e600b030 openssh-3.6.1_p2-r1.ebuild 4148
MD5 a50daec66d75cc8248da65d91269b359 openssh-3.6.1_p2.ebuild 3948
MD5 564d864226cf89ea6396748305042fd9 openssh-3.6.1_p2-r2.ebuild 4204
MD5 9da5e02603f79633fe36e2337d4ae626 openssh-3.6.1_p2-r3.ebuild 4488
MD5 b95ca58a06be4f68640911f9e64a8c95 openssh-3.7_p1.ebuild 4479
-MD5 fa152b8b69b99788d49b156f1c6efc68 openssh-3.7.1_p1-r1.ebuild 4083
+MD5 50373292e185c35f7a254ede2a90adda openssh-3.7.1_p1.ebuild 4634
+MD5 e7569bf0bb9f8a188e6c7edf9a2b32bc openssh-3.7.1_p1-r1.ebuild 4248
MD5 f2472f97f00f203eee538d04a25acac5 files/digest-openssh-3.5_p1-r1 136
MD5 3d26d49ccd595bca906f540f5d8b8c31 files/digest-openssh-3.6.1_p2 139
MD5 3d5afb85b45dafdd05258d53f19a0b61 files/digest-openssh-3.6.1_p2-r1 213
@@ -17,3 +18,7 @@ MD5 3d5afb85b45dafdd05258d53f19a0b61 files/digest-openssh-3.6.1_p2-r3 213
MD5 2509087626bbaf1ad026899718167722 files/digest-openssh-3.7_p1 137
MD5 1830b9ef3eadf20461658be064566841 files/digest-openssh-3.7.1_p1 214
MD5 1830b9ef3eadf20461658be064566841 files/digest-openssh-3.7.1_p1-r1 214
+MD5 af754a7a6d850621f44547c47f0a60e8 files/openssh-3.7.1_p1-memory-bugs.patch 3497
+MD5 9cf685ee972138d53ead48ab93b89229 files/openssh-3.7.1_p1-memory-leak.patch 818
+MD5 32f5b511a168f9fb7def64603643a582 files/openssh-3.7.1_p1-connect-timeout.patch 836
+MD5 fcdec1634d390aed62b8a6a7e90c4b09 files/openssh-3.7.1_p1-double-free.patch 677
diff --git a/net-misc/openssh/files/digest-openssh-3.7.1_p1-r1 b/net-misc/openssh/files/digest-openssh-3.7.1_p1-r1
new file mode 100644
index 000000000000..74e5e4611361
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-3.7.1_p1-r1
@@ -0,0 +1,3 @@
+MD5 f54e574e606c08ef63ebb1ab2f7689dc openssh-3.7.1p1.tar.gz 791161
+MD5 c425e65927b359382bf3618d265d45f1 openssh_3.6p1-5.se1.diff.bz2 54985
+MD5 62a83953c4a7fee0309961099c94d760 openssh-3.7.1p1+x509g2.diff.gz 125275
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch b/net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch
new file mode 100644
index 000000000000..1d62b5754524
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-connect-timeout.patch
@@ -0,0 +1,28 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/sshconnect.c,v
+retrieving revision 1.147
+retrieving revision 1.148
+diff -u -r1.147 -r1.148
+--- src/usr.bin/ssh/sshconnect.c 2003/06/29 12:44:38 1.147
++++ src/usr.bin/ssh/sshconnect.c 2003/09/18 07:52:54 1.148
+@@ -13,7 +13,7 @@
+ */
+
+ #include "includes.h"
+-RCSID("$OpenBSD: sshconnect.c,v 1.147 2003/06/29 12:44:38 markus Exp $");
++RCSID("$OpenBSD: sshconnect.c,v 1.148 2003/09/18 07:52:54 markus Exp $");
+
+ #include <openssl/bn.h>
+
+@@ -267,9 +267,10 @@
+ optval = 0;
+ optlen = sizeof(optval);
+ if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval,
+- &optlen) == -1)
++ &optlen) == -1) {
+ debug("getsockopt: %s", strerror(errno));
+ break;
++ }
+ if (optval != 0) {
+ errno = optval;
+ break;
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch b/net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch
new file mode 100644
index 000000000000..f712f2a45224
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-double-free.patch
@@ -0,0 +1,24 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.18
+retrieving revision 1.19
+diff -u -r1.18 -r1.19
+--- src/usr.bin/ssh/buffer.c 2003/09/16 21:02:39 1.18
++++ src/usr.bin/ssh/buffer.c 2003/09/18 07:54:48 1.19
+@@ -12,7 +12,7 @@
+ */
+
+ #include "includes.h"
+-RCSID("$OpenBSD: buffer.c,v 1.18 2003/09/16 21:02:39 markus Exp $");
++RCSID("$OpenBSD: buffer.c,v 1.19 2003/09/18 07:54:48 markus Exp $");
+
+ #include "xmalloc.h"
+ #include "buffer.h"
+@@ -39,6 +39,7 @@
+ {
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
++ buffer->alloc = 0;
+ xfree(buffer->buf);
+ }
+ }
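Review bot: After `xfree(buffer->buf)` in the buffer.c hunk the pointer itself is left dangling; only `buffer->alloc` is reset, so any later code that touches `buffer->buf` without first checking `alloc` still reaches freed memory. Adding `buffer->buf = NULL;` directly after the `xfree` call would make such reuse fail loudly. The reset is placed before `xfree` rather than after it, presumably so that a re-entrant call during error cleanup sees an empty buffer; a short comment such as `/* clear alloc first: cleanup paths may call buffer_free() again */` would keep a later edit from reordering the two lines. The function's signature is outside the hunk.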
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch b/net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch
new file mode 100644
index 000000000000..34004df82bba
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-memory-bugs.patch
@@ -0,0 +1,109 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.c,v
+retrieving revision 1.18
+retrieving revision 1.19
+diff -u -r1.18 -r1.19
+--- src/usr.bin/ssh/deattack.c 2002/03/04 17:27:39 1.18
++++ src/usr.bin/ssh/deattack.c 2003/09/18 08:49:45 1.19
+@@ -100,12 +100,12 @@
+
+ if (h == NULL) {
+ debug("Installing crc compensation attack detector.");
++ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
+ n = l;
+- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
+ } else {
+ if (l > n) {
++ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
+ n = l;
+- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
+ }
+ }
+
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/session.c,v
+retrieving revision 1.163
+retrieving revision 1.164
+diff -u -r1.163 -r1.164
+--- src/usr.bin/ssh/session.c 2003/08/31 13:29:05 1.163
++++ src/usr.bin/ssh/session.c 2003/09/18 08:49:45 1.164
+@@ -695,8 +695,9 @@
+ child_set_env(char ***envp, u_int *envsizep, const char *name,
+ const char *value)
+ {
+- u_int i, namelen;
+ char **env;
++ u_int envsize;
++ u_int i, namelen;
+
+ /*
+ * Find the slot where the value should be stored. If the variable
+@@ -713,12 +714,13 @@
+ xfree(env[i]);
+ } else {
+ /* New variable. Expand if necessary. */
+- if (i >= (*envsizep) - 1) {
+- if (*envsizep >= 1000)
+- fatal("child_set_env: too many env vars,"
+- " skipping: %.100s", name);
+- (*envsizep) += 50;
+- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
++ envsize = *envsizep;
++ if (i >= envsize - 1) {
++ if (envsize >= 1000)
++ fatal("child_set_env: too many env vars");
++ envsize += 50;
++ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
++ *envsizep = envsize;
+ }
+ /* Need to set the NULL pointer at end of array beyond the new slot. */
+ env[i + 1] = NULL;
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/ssh-agent.c,v
+retrieving revision 1.111
+retrieving revision 1.112
+diff -u -r1.111 -r1.112
+--- src/usr.bin/ssh/ssh-agent.c 2003/06/12 19:12:03 1.111
++++ src/usr.bin/ssh/ssh-agent.c 2003/09/18 08:49:45 1.112
+@@ -780,7 +780,7 @@
+ static void
+ new_socket(sock_type type, int fd)
+ {
+- u_int i, old_alloc;
++ u_int i, old_alloc, new_alloc;
+
+ if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
+ error("fcntl O_NONBLOCK: %s", strerror(errno));
+@@ -791,25 +791,26 @@
+ for (i = 0; i < sockets_alloc; i++)
+ if (sockets[i].type == AUTH_UNUSED) {
+ sockets[i].fd = fd;
+- sockets[i].type = type;
+ buffer_init(&sockets[i].input);
+ buffer_init(&sockets[i].output);
+ buffer_init(&sockets[i].request);
++ sockets[i].type = type;
+ return;
+ }
+ old_alloc = sockets_alloc;
+- sockets_alloc += 10;
++ new_alloc = sockets_alloc + 10;
+ if (sockets)
+- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
++ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
+ else
+- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
+- for (i = old_alloc; i < sockets_alloc; i++)
++ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
++ for (i = old_alloc; i < new_alloc; i++)
+ sockets[i].type = AUTH_UNUSED;
+- sockets[old_alloc].type = type;
++ sockets_alloc = new_alloc;
+ sockets[old_alloc].fd = fd;
+ buffer_init(&sockets[old_alloc].input);
+ buffer_init(&sockets[old_alloc].output);
+ buffer_init(&sockets[old_alloc].request);
++ sockets[old_alloc].type = type;
+ }
+
+ static int
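Review bot: In the session.c hunk, `if (i >= envsize - 1)` is evaluated on a `u_int`, so if a caller ever passes `*envsizep == 0` the subtraction wraps to the maximum value, the expansion is skipped, and `env[i + 1] = NULL` writes past the array. Whether any caller can pass zero is not visible here (the body of child_set_env starts and ends outside the hunk), but the comparison can be written without the subtraction: `if (i + 1 >= envsize) {`. The deattack.c hunk has a related arithmetic gap, since `l * HASH_ENTRYSIZE` is handed to xmalloc/xrealloc with no visible overflow check on `l`.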
diff --git a/net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch b/net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch
new file mode 100644
index 000000000000..62695d6deff3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.7.1_p1-memory-leak.patch
@@ -0,0 +1,24 @@
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/authfile.c,v
+retrieving revision 1.54
+retrieving revision 1.55
+diff -u -r1.54 -r1.55
+--- src/usr.bin/ssh/authfile.c 2003/05/24 09:30:39 1.54
++++ src/usr.bin/ssh/authfile.c 2003/09/18 07:56:05 1.55
+@@ -36,7 +36,7 @@
+ */
+
+ #include "includes.h"
+-RCSID("$OpenBSD: authfile.c,v 1.54 2003/05/24 09:30:39 djm Exp $");
++RCSID("$OpenBSD: authfile.c,v 1.55 2003/09/18 07:56:05 markus Exp $");
+
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
+@@ -143,6 +143,7 @@
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ if (fd < 0) {
+ error("open %s failed: %s.", filename, strerror(errno));
++ buffer_free(&encrypted);
+ return 0;
+ }
+ if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) !=
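Review bot: The `0600` mode on the `open()` call applies only when the file is created; with `O_CREAT | O_TRUNC` and no `O_EXCL`, an existing file at `filename` keeps whatever permissions it already has and is simply truncated and rewritten. Since `encrypted` appears to hold key material, an `fchmod(fd, 0600)` after a successful open (or a check of the existing mode) would close that gap. The added `buffer_free(&encrypted)` covers the open-failure return; the write-failure branch continues outside the hunk, so its cleanup cannot be checked from here.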
diff --git a/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild b/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild
new file mode 100644
index 000000000000..7868716bfff4
--- /dev/null
+++ b/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild
@@ -0,0 +1,143 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.7.1_p1-r1.ebuild,v 1.1 2003/09/18 14:46:33 aliz Exp $
+
+inherit eutils flag-o-matic ccc
+[ `use kerberos` ] && append-flags -I/usr/include/gssapi
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+X509_PATCH=${PARCH}+x509g2.diff.gz
+
+S=${WORKDIR}/${PARCH}
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+IUSE="ipv6 static pam tcpd kerberos skey selinux X509"
+SRC_URI="ftp://ftp.openbsd.org/pub/unix/OpenBSD/OpenSSH/portable/${PARCH}.tar.gz
+ selinux? ( http://lostlogicx.com/gentoo/openssh_3.6p1-5.se1.diff.bz2 )
+ X509? ( http://roumenpetrov.info/openssh/x509g2/${X509_PATCH} )"
+
+# openssh recognizes when openssl has been slightly upgraded and refuses to run.
+# This new rev will use the new openssl.
+RDEPEND="virtual/glibc
+ pam? ( >=sys-libs/pam-0.73
+ >=sys-apps/shadow-4.0.2-r2 )
+ kerberos? ( app-crypt/mit-krb5 )
+ selinux? ( sys-apps/selinux-small )
+ skey? ( app-admin/skey )
+ >=dev-libs/openssl-0.9.6d
+ sys-libs/zlib
+ >=sys-apps/sed-4"
+
+DEPEND="${RDEPEND}
+ dev-lang/perl
+ sys-apps/groff
+ tcpd? ( >=sys-apps/tcp-wrappers-7.6 )"
+
+SLOT="0"
+LICENSE="as-is"
+KEYWORDS="~x86 ~ppc ~sparc ~alpha ~mips ~hppa ~arm ~amd64 ~ia64"
+
+src_unpack() {
+ unpack ${PARCH}.tar.gz ; cd ${S}
+
+ epatch ${FILESDIR}/${P}-connect-timeout.patch
+ epatch ${FILESDIR}/${P}-double-free.patch
+ epatch ${FILESDIR}/${P}-memory-leak.patch
+ epatch ${FILESDIR}/${P}-memory-bugs.patch
+
+ use selinux && epatch ${DISTDIR}/openssh_3.6p1-5.se1.diff.bz2
+ use alpha && epatch ${FILESDIR}/${PN}-3.5_p1-gentoo-sshd-gcc3.patch
+ use X509 && epatch ${DISTDIR}/${X509_PATCH}
+
+ use skey && {
+ # prevent the conftest from violating the sandbox
+ sed -i 's#skey_keyinfo("")#"true"#g' configure
+ }
+}
+
+src_compile() {
+ local myconf
+
+ myconf="\
+ $( use_with tcpd tcp-wrappers ) \
+ $( use_with kerberos kerberos5 ) \
+ $( use_with pam ) \
+ $( use_with skey )"
+
+ use ipv6 || myconf="${myconf} --with-ipv4-default"
+
+ use skey && {
+ # make sure .sbss is large enough
+ use alpha && append-ldflags -mlarge-data
+ }
+
+ use selinux && append-flags "-DWITH_SELINUX"
+
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc/ssh \
+ --mandir=/usr/share/man \
+ --libexecdir=/usr/lib/misc \
+ --datadir=/usr/share/openssh \
+ --disable-suid-ssh \
+ --with-privsep-path=/var/empty \
+ --with-privsep-user=sshd \
+ --with-md5-passwords \
+ --host=${CHOST} ${myconf} || die "bad configure"
+
+ use static && {
+ # statically link to libcrypto -- good for the boot cd
+ sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" Makefile
+ }
+
+ use selinux && {
+ #add -lsecure
+ sed -i "s:LIBS=\(.*\):LIBS=\1 -lsecure:" Makefile
+ }
+
+ emake || die "compile problem"
+}
+
+src_install() {
+ make install-files DESTDIR=${D} || die
+ chmod 600 ${D}/etc/ssh/sshd_config
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+ insinto /etc/pam.d ; newins ${FILESDIR}/sshd.pam sshd
+ exeinto /etc/init.d ; newexe ${FILESDIR}/sshd.rc6 sshd
+ keepdir /var/empty/.keep
+}
+
+pkg_preinst() {
+ userdel sshd 2> /dev/null
+ if ! groupmod sshd; then
+ groupadd -g 90 sshd 2> /dev/null || \
+ die "Failed to create sshd group"
+ fi
+ useradd -u 22 -g sshd -s /dev/null -d /var/empty -c "sshd" sshd || \
+ die "Failed to create sshd user"
+}
+
+pkg_postinst() {
+ # empty dir for the new priv separation auth chroot..
+ install -d -m0755 -o root -g root ${ROOT}/var/empty
+
+ ewarn "Remember to merge your config files in /etc/ssh/ and then"
+ ewarn "restart sshd: '/etc/init.d/sshd restart'."
+ ewarn
+ einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+ einfo "functionality, but please ensure that you do not explicitly disable"
+ einfo "this in your configuration as disabling it opens security holes"
+ einfo
+ einfo "This revision has removed your sshd user id and replaced it with a"
+ einfo "new one with UID 22. If you have any scripts or programs that"
+ einfo "that referenced the old UID directly, you will need to update them."
+ einfo
+ use pam >/dev/null 2>&1 && {
+ einfo "Please be aware users need a valid shell in /etc/passwd"
+ einfo "in order to be allowed to login."
+ einfo
+ }
+}
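Review bot: pkg_preinst runs `userdel sshd` unconditionally and only then tries `useradd -u 22`, so if UID 22 already belongs to another account the `useradd` fails and `die` aborts with the privilege-separation user already deleted. On a host administered over ssh that can leave sshd unable to accept logins until the account is recreated by hand. Check who owns UID 22 before deleting anything, and skip the delete/recreate when sshd already has that UID. Separately, the pkg_postinst message spells the option `UsePrivelegeSeparation`; the sshd_config keyword is `UsePrivilegeSeparation`.

```shell
pkg_preinst() {
	local uid22_owner
	uid22_owner=$(getent passwd 22 | cut -d: -f1)
	# Refuse to touch the existing account if the target UID is taken by someone else.
	if [ -n "${uid22_owner}" ] && [ "${uid22_owner}" != "sshd" ]; then
		die "UID 22 is already assigned to ${uid22_owner}"
	fi
	# Only replace the account when it does not already have the expected UID.
	if [ "${uid22_owner}" != "sshd" ]; then
		userdel sshd 2> /dev/null
		# … unchanged: groupmod/groupadd for the sshd group …
		# … unchanged: useradd -u 22 … || die "Failed to create sshd user" …
	fi
}
```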