aboutsummaryrefslogtreecommitdiffstats
path: root/package/dropbear/patches
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2012-10-10 12:32:29 +0000
committerFelix Fietkau <nbd@openwrt.org>2012-10-10 12:32:29 +0000
commit405e21d16731b2764ab82aaaadcf36a813b105f7 (patch)
treec6f9a8402389a5081519b91ce62c4a8cafcb8917 /package/dropbear/patches
parentd0ec348ded6f715b43b396b06ccb10599b37969d (diff)
downloadupstream-405e21d16731b2764ab82aaaadcf36a813b105f7.tar.gz
upstream-405e21d16731b2764ab82aaaadcf36a813b105f7.tar.bz2
upstream-405e21d16731b2764ab82aaaadcf36a813b105f7.zip
packages: sort network related packages into package/network/
SVN-Revision: 33688
Diffstat (limited to 'package/dropbear/patches')
-rw-r--r--package/dropbear/patches/100-pubkey_path.patch91
-rw-r--r--package/dropbear/patches/110-change_user.patch18
-rw-r--r--package/dropbear/patches/120-openwrt_options.patch67
-rw-r--r--package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch21
-rw-r--r--package/dropbear/patches/140-disable_assert.patch14
-rw-r--r--package/dropbear/patches/150-dbconvert_standalone.patch14
-rw-r--r--package/dropbear/patches/200-lcrypt_bsdfix.patch29
-rw-r--r--package/dropbear/patches/300-ipv6_addr_port_split.patch11
-rw-r--r--package/dropbear/patches/400-CVE-2012-0920.patch91
-rw-r--r--package/dropbear/patches/500-set-default-path.patch11
10 files changed, 0 insertions, 367 deletions
diff --git a/package/dropbear/patches/100-pubkey_path.patch b/package/dropbear/patches/100-pubkey_path.patch
deleted file mode 100644
index c1802f51e5..0000000000
--- a/package/dropbear/patches/100-pubkey_path.patch
+++ /dev/null
@@ -1,91 +0,0 @@
---- a/svr-authpubkey.c
-+++ b/svr-authpubkey.c
-@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al
- goto out;
- }
-
-- /* we don't need to check pw and pw_dir for validity, since
-- * its been done in checkpubkeyperms. */
-- len = strlen(ses.authstate.pw_dir);
-- /* allocate max required pathname storage,
-- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-- filename = m_malloc(len + 22);
-- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-- ses.authstate.pw_dir);
--
-- /* open the file */
-- authfile = fopen(filename, "r");
-+ if (ses.authstate.pw_uid != 0) {
-+ /* we don't need to check pw and pw_dir for validity, since
-+ * its been done in checkpubkeyperms. */
-+ len = strlen(ses.authstate.pw_dir);
-+ /* allocate max required pathname storage,
-+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+ filename = m_malloc(len + 22);
-+ snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-+ ses.authstate.pw_dir);
-+
-+ /* open the file */
-+ authfile = fopen(filename, "r");
-+ } else {
-+ authfile = fopen("/etc/dropbear/authorized_keys","r");
-+ }
- if (authfile == NULL) {
- goto out;
- }
-@@ -372,26 +376,35 @@ static int checkpubkeyperms() {
- goto out;
- }
-
-- /* allocate max required pathname storage,
-- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-- filename = m_malloc(len + 22);
-- strncpy(filename, ses.authstate.pw_dir, len+1);
--
-- /* check ~ */
-- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-- goto out;
-- }
--
-- /* check ~/.ssh */
-- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
-- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-- goto out;
-- }
--
-- /* now check ~/.ssh/authorized_keys */
-- strncat(filename, "/authorized_keys", 16);
-- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-- goto out;
-+ if (ses.authstate.pw_uid == 0) {
-+ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
-+ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
-+ } else {
-+ /* allocate max required pathname storage,
-+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+ filename = m_malloc(len + 22);
-+ strncpy(filename, ses.authstate.pw_dir, len+1);
-+
-+ /* check ~ */
-+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
-+
-+ /* check ~/.ssh */
-+ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
-+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
-+
-+ /* now check ~/.ssh/authorized_keys */
-+ strncat(filename, "/authorized_keys", 16);
-+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
- }
-
- /* file looks ok, return success */
diff --git a/package/dropbear/patches/110-change_user.patch b/package/dropbear/patches/110-change_user.patch
deleted file mode 100644
index 55747bc4d7..0000000000
--- a/package/dropbear/patches/110-change_user.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/svr-chansession.c
-+++ b/svr-chansession.c
-@@ -884,12 +884,12 @@ static void execchild(void *user_data) {
- /* We can only change uid/gid as root ... */
- if (getuid() == 0) {
-
-- if ((setgid(ses.authstate.pw_gid) < 0) ||
-+ if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) ||
- (initgroups(ses.authstate.pw_name,
-- ses.authstate.pw_gid) < 0)) {
-+ ses.authstate.pw_gid) < 0))) {
- dropbear_exit("Error changing user group");
- }
-- if (setuid(ses.authstate.pw_uid) < 0) {
-+ if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) {
- dropbear_exit("Error changing user");
- }
- } else {
diff --git a/package/dropbear/patches/120-openwrt_options.patch b/package/dropbear/patches/120-openwrt_options.patch
deleted file mode 100644
index 42204aa646..0000000000
--- a/package/dropbear/patches/120-openwrt_options.patch
+++ /dev/null
@@ -1,67 +0,0 @@
---- a/options.h
-+++ b/options.h
-@@ -38,7 +38,7 @@
- * Both of these flags can be defined at once, don't compile without at least
- * one of them. */
- #define NON_INETD_MODE
--#define INETD_MODE
-+/*#define INETD_MODE*/
-
- /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
- * perhaps 20% slower for pubkey operations (it is probably worth experimenting
-@@ -49,7 +49,7 @@
- several kB in binary size however will make the symmetrical ciphers and hashes
- slower, perhaps by 50%. Recommended for small systems that aren't doing
- much traffic. */
--/*#define DROPBEAR_SMALL_CODE*/
-+#define DROPBEAR_SMALL_CODE
-
- /* Enable X11 Forwarding - server only */
- #define ENABLE_X11FWD
-@@ -78,7 +78,7 @@ much traffic. */
-
- /* Enable "Netcat mode" option. This will forward standard input/output
- * to a remote TCP-forwarded connection */
--#define ENABLE_CLI_NETCAT
-+/*#define ENABLE_CLI_NETCAT*/
-
- /* Encryption - at least one required.
- * Protocol RFC requires 3DES and recommends AES128 for interoperability.
-@@ -89,8 +89,8 @@ much traffic. */
- #define DROPBEAR_AES256
- /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
- /*#define DROPBEAR_BLOWFISH*/
--#define DROPBEAR_TWOFISH256
--#define DROPBEAR_TWOFISH128
-+/*#define DROPBEAR_TWOFISH256
-+#define DROPBEAR_TWOFISH128*/
-
- /* Enable "Counter Mode" for ciphers. This is more secure than normal
- * CBC mode against certain attacks. This adds around 1kB to binary
-@@ -110,7 +110,7 @@ much traffic. */
- * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
- * which are not the standard form. */
- #define DROPBEAR_SHA1_HMAC
--#define DROPBEAR_SHA1_96_HMAC
-+/*#define DROPBEAR_SHA1_96_HMAC*/
- #define DROPBEAR_MD5_HMAC
-
- /* Hostkey/public key algorithms - at least one required, these are used
-@@ -148,7 +148,7 @@ much traffic. */
-
- /* Whether to print the message of the day (MOTD). This doesn't add much code
- * size */
--#define DO_MOTD
-+/*#define DO_MOTD*/
-
- /* The MOTD file path */
- #ifndef MOTD_FILENAME
-@@ -192,7 +192,7 @@ much traffic. */
- * note that it will be provided for all "hidden" client-interactive
- * style prompts - if you want something more sophisticated, use
- * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
--#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
-+/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
-
- /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
- * a helper program for the ssh client. The helper program should be
diff --git a/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
deleted file mode 100644
index 93647a99e5..0000000000
--- a/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
+++ /dev/null
@@ -1,21 +0,0 @@
---- a/cli-runopts.c
-+++ b/cli-runopts.c
-@@ -287,6 +287,10 @@ void cli_getopts(int argc, char ** argv)
- debug_trace = 1;
- break;
- #endif
-+ case 'o':
-+ next = &dummy;
-+ case 'x':
-+ break;
- case 'F':
- case 'e':
- case 'c':
-@@ -298,7 +302,6 @@ void cli_getopts(int argc, char ** argv)
- #ifndef ENABLE_CLI_LOCALTCPFWD
- case 'L':
- #endif
-- case 'o':
- case 'b':
- next = &dummy;
- default:
diff --git a/package/dropbear/patches/140-disable_assert.patch b/package/dropbear/patches/140-disable_assert.patch
deleted file mode 100644
index e99376333c..0000000000
--- a/package/dropbear/patches/140-disable_assert.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/dbutil.h
-+++ b/dbutil.h
-@@ -94,6 +94,10 @@ int m_str_to_uint(const char* str, unsig
- #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
-
- /* Dropbear assertion */
--#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
-+#ifndef DROPBEAR_ASSERT_ENABLED
-+#define DROPBEAR_ASSERT_ENABLED 0
-+#endif
-+
-+#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
-
- #endif /* _DBUTIL_H_ */
diff --git a/package/dropbear/patches/150-dbconvert_standalone.patch b/package/dropbear/patches/150-dbconvert_standalone.patch
deleted file mode 100644
index 3e0b008552..0000000000
--- a/package/dropbear/patches/150-dbconvert_standalone.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/options.h
-+++ b/options.h
-@@ -5,6 +5,11 @@
- #ifndef _OPTIONS_H_
- #define _OPTIONS_H_
-
-+#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
-+#define DROPBEAR_SERVER
-+#define DROPBEAR_CLIENT
-+#endif
-+
- /******************************************************************
- * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
- * parts are to allow for commandline -DDROPBEAR_XXX options etc.
diff --git a/package/dropbear/patches/200-lcrypt_bsdfix.patch b/package/dropbear/patches/200-lcrypt_bsdfix.patch
deleted file mode 100644
index 57eb9670dc..0000000000
--- a/package/dropbear/patches/200-lcrypt_bsdfix.patch
+++ /dev/null
@@ -1,29 +0,0 @@
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac
- loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \
- listener.h fake-rfc2553.h
-
--dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@
-+dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
- dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
- dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS)
- dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS)
-@@ -77,7 +77,7 @@ STRIP=@STRIP@
- INSTALL=@INSTALL@
- CPPFLAGS=@CPPFLAGS@
- CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@
--LIBS+=@LIBS@
-+LIBS+=@CRYPTLIB@ @LIBS@
- LDFLAGS=@LDFLAGS@
-
- EXEEXT=@EXEEXT@
-@@ -169,7 +169,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile
- # multi-binary compilation.
- MULTIOBJS=
- ifeq ($(MULTI),1)
-- MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) @CRYPTLIB@
-+ MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs)))
- CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI
- endif
-
diff --git a/package/dropbear/patches/300-ipv6_addr_port_split.patch b/package/dropbear/patches/300-ipv6_addr_port_split.patch
deleted file mode 100644
index 7da435ab15..0000000000
--- a/package/dropbear/patches/300-ipv6_addr_port_split.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -325,7 +325,7 @@ static void addportandaddress(char* spec
- myspec = m_strdup(spec);
-
- /* search for ':', that separates address and port */
-- svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':');
-+ svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':');
-
- if (svr_opts.ports[svr_opts.portcount] == NULL) {
- /* no ':' -> the whole string specifies just a port */
diff --git a/package/dropbear/patches/400-CVE-2012-0920.patch b/package/dropbear/patches/400-CVE-2012-0920.patch
deleted file mode 100644
index 164909f561..0000000000
--- a/package/dropbear/patches/400-CVE-2012-0920.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-
-# HG changeset patch
-# User Matt Johnston <matt@ucc.asn.au>
-# Date 1322947885 -28800
-# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8
-# Parent 5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f
-- Fix use-after-free if multiple command requests were sent. Move
-the original_command into chansess struct since that makes more sense
-
---- a/auth.h
-+++ b/auth.h
-@@ -133,7 +133,6 @@ struct PubKeyOptions {
- int no_pty_flag;
- /* "command=" option. */
- unsigned char * forced_command;
-- unsigned char * original_command;
- };
- #endif
-
---- a/chansession.h
-+++ b/chansession.h
-@@ -69,6 +69,10 @@ struct ChanSess {
- char * agentfile;
- char * agentdir;
- #endif
-+
-+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
-+ char *original_command;
-+#endif
- };
-
- struct ChildPid {
---- a/svr-authpubkeyoptions.c
-+++ b/svr-authpubkeyoptions.c
-@@ -92,14 +92,15 @@ int svr_pubkey_allows_pty() {
- * by any 'command' public key option. */
- void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
- if (ses.authstate.pubkey_options) {
-- ses.authstate.pubkey_options->original_command = chansess->cmd;
-- if (!chansess->cmd)
-- {
-- ses.authstate.pubkey_options->original_command = m_strdup("");
-+ if (chansess->cmd) {
-+ /* original_command takes ownership */
-+ chansess->original_command = chansess->cmd;
-+ } else {
-+ chansess->original_command = m_strdup("");
- }
-- chansess->cmd = ses.authstate.pubkey_options->forced_command;
-+ chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
- #ifdef LOG_COMMANDS
-- dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
-+ dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command);
- #endif
- }
- }
---- a/svr-chansession.c
-+++ b/svr-chansession.c
-@@ -217,6 +217,8 @@ static int newchansess(struct Channel *c
-
- struct ChanSess *chansess;
-
-+ TRACE(("new chansess %p", channel))
-+
- dropbear_assert(channel->typedata == NULL);
-
- chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
-@@ -279,6 +281,10 @@ static void closechansess(struct Channel
- m_free(chansess->cmd);
- m_free(chansess->term);
-
-+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
-+ m_free(chansess->original_command);
-+#endif
-+
- if (chansess->tty) {
- /* write the utmp/wtmp login record */
- li = chansess_login_alloc(chansess);
-@@ -924,10 +930,8 @@ static void execchild(void *user_data) {
- }
-
- #ifdef ENABLE_SVR_PUBKEY_OPTIONS
-- if (ses.authstate.pubkey_options &&
-- ses.authstate.pubkey_options->original_command) {
-- addnewvar("SSH_ORIGINAL_COMMAND",
-- ses.authstate.pubkey_options->original_command);
-+ if (chansess->original_command) {
-+ addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
- }
- #endif
-
diff --git a/package/dropbear/patches/500-set-default-path.patch b/package/dropbear/patches/500-set-default-path.patch
deleted file mode 100644
index 0bd3ffcc38..0000000000
--- a/package/dropbear/patches/500-set-default-path.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/options.h
-+++ b/options.h
-@@ -297,7 +297,7 @@ be overridden at runtime with -I. 0 disa
- #define DEFAULT_IDLE_TIMEOUT 0
-
- /* The default path. This will often get replaced by the shell */
--#define DEFAULT_PATH "/usr/bin:/bin"
-+#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin"
-
- /* Some other defines (that mostly should be left alone) are defined
- * in sysoptions.h */