Diffstat (limited to 'package/dropbear')
-rw-r--r-- | package/dropbear/Makefile | 114 | ||||
-rw-r--r-- | package/dropbear/files/dropbear.config | 5 | ||||
-rwxr-xr-x | package/dropbear/files/dropbear.init | 191 | ||||
-rw-r--r-- | package/dropbear/patches/100-pubkey_path.patch | 91 | ||||
-rw-r--r-- | package/dropbear/patches/110-change_user.patch | 18 | ||||
-rw-r--r-- | package/dropbear/patches/120-openwrt_options.patch | 67 | ||||
-rw-r--r-- | package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch | 21 | ||||
-rw-r--r-- | package/dropbear/patches/140-disable_assert.patch | 14 | ||||
-rw-r--r-- | package/dropbear/patches/150-dbconvert_standalone.patch | 14 | ||||
-rw-r--r-- | package/dropbear/patches/200-lcrypt_bsdfix.patch | 29 | ||||
-rw-r--r-- | package/dropbear/patches/300-ipv6_addr_port_split.patch | 11 | ||||
-rw-r--r-- | package/dropbear/patches/400-CVE-2012-0920.patch | 91 | ||||
-rw-r--r-- | package/dropbear/patches/500-set-default-path.patch | 11 |
13 files changed, 0 insertions, 677 deletions
diff --git a/package/dropbear/Makefile b/package/dropbear/Makefile
deleted file mode 100644
index 63cf86e147..0000000000
--- a/package/dropbear/Makefile
+++ /dev/null
@@ -1,114 +0,0 @@ -# -# Copyright (C) 2006-2012 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk - -PKG_NAME:=dropbear -PKG_VERSION:=2011.54 -PKG_RELEASE:=2 - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_SOURCE_URL:= \ - http://matt.ucc.asn.au/dropbear/releases/ \ - http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/ -PKG_MD5SUM:=c627ffe09570fad7aa94d8eac2b9320c - -PKG_BUILD_PARALLEL:=1 - -include $(INCLUDE_DIR)/package.mk - -define Package/dropbear/Default - URL:=http://matt.ucc.asn.au/dropbear/ -endef - -define Package/dropbear - $(call Package/dropbear/Default) - SECTION:=net - CATEGORY:=Base system - TITLE:=Small SSH2 client/server -endef - -define Package/dropbear/description - A small SSH2 server/client designed for small memory environments. -endef - -define Package/dropbear/conffiles -/etc/dropbear/dropbear_rsa_host_key -/etc/dropbear/dropbear_dss_host_key -/etc/config/dropbear -endef - -define Package/dropbearconvert - $(call Package/dropbear/Default) - SECTION:=utils - CATEGORY:=Utilities - TITLE:=Utility for converting SSH keys -endef - -CONFIGURE_ARGS += \ - --with-shared \ - --disable-pam \ - --enable-openpty \ - --enable-syslog \ - $(if $(CONFIG_SHADOW_PASSWORDS),,--disable-shadow) \ - --disable-lastlog \ - --disable-utmp \ - --disable-utmpx \ - --disable-wtmp \ - --disable-wtmpx \ - --disable-loginfunc \ - --disable-pututline \ - --disable-pututxline \ - --disable-zlib \ - --enable-bundled-libtom - -TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -TARGET_LDFLAGS += -Wl,--gc-sections - -define Build/Configure - $(SED) 's,^/\* #define PKG_MULTI.*,#define PKG_MULTI,g' $(PKG_BUILD_DIR)/options.h - $(SED) 's,^#define DO_HOST_LOOKUP,/* & */,g' $(PKG_BUILD_DIR)/options.h - $(call Build/Configure/Default) -endef - -define Build/Compile - +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - 
$(TARGET_CONFIGURE_OPTS) \ - LD="$(TARGET_CC)" \ - PROGRAMS="dropbear dbclient dropbearkey scp" \ - MULTI=1 SCPPROGRESS=1 - +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - $(TARGET_CONFIGURE_OPTS) \ - LD="$(TARGET_CC)" \ - PROGRAMS="dropbearconvert" -endef - -define Package/dropbear/install - $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearmulti $(1)/usr/sbin/dropbear - $(INSTALL_DIR) $(1)/usr/bin - ln -sf ../sbin/dropbear $(1)/usr/bin/scp - ln -sf ../sbin/dropbear $(1)/usr/bin/ssh - ln -sf ../sbin/dropbear $(1)/usr/bin/dbclient - ln -sf ../sbin/dropbear $(1)/usr/bin/dropbearkey - $(INSTALL_DIR) $(1)/etc/config - $(INSTALL_DATA) ./files/dropbear.config $(1)/etc/config/dropbear - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./files/dropbear.init $(1)/etc/init.d/dropbear - $(INSTALL_DIR) $(1)/usr/lib/opkg/info - $(INSTALL_DIR) $(1)/etc/dropbear - touch $(1)/etc/dropbear/dropbear_rsa_host_key - touch $(1)/etc/dropbear/dropbear_dss_host_key -endef - -define Package/dropbearconvert/install - $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearconvert $(1)/usr/bin/dropbearconvert -endef - -$(eval $(call BuildPackage,dropbear)) -$(eval $(call BuildPackage,dropbearconvert)) diff --git a/package/dropbear/files/dropbear.config b/package/dropbear/files/dropbear.config deleted file mode 100644 index 2139ba0bbe..0000000000 --- a/package/dropbear/files/dropbear.config +++ /dev/null @@ -1,5 +0,0 @@ -config dropbear - option PasswordAuth 'on' - option RootPasswordAuth 'on' - option Port '22' -# option BannerFile '/etc/banner' diff --git a/package/dropbear/files/dropbear.init b/package/dropbear/files/dropbear.init deleted file mode 100755 index c909d28965..0000000000 --- a/package/dropbear/files/dropbear.init +++ /dev/null 
@@ -1,191 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2006-2010 OpenWrt.org -# Copyright (C) 2006 Carlos Sobrinho - -START=50 -STOP=50 - -SERVICE_USE_PID=1 - -NAME=dropbear -PROG=/usr/sbin/dropbear -PIDCOUNT=0 -EXTRA_COMMANDS="killclients" -EXTRA_HELP=" killclients Kill ${NAME} processes except servers and yourself" - -dropbear_start() -{ - append_ports() - { - local ifname="$1" - local port="$2" - - grep -qs "^ *$ifname:" /proc/net/dev || { - append args "-p $port" - return - } - - for addr in $( - ifconfig "$ifname" | sed -ne ' - /addr: *fe[89ab][0-9a-f]:/d - s/.* addr: *\([0-9a-f:\.]*\).*/\1/p - ' - ); do - append args "-p $addr:$port" - done - } - - - local section="$1" - - # check if section is enabled (default) - local enabled - config_get_bool enabled "${section}" enable 1 - [ "${enabled}" -eq 0 ] && return 1 - - # verbose parameter - local verbosed - config_get_bool verbosed "${section}" verbose 0 - - # increase pid file count to handle multiple instances correctly - PIDCOUNT="$(( ${PIDCOUNT} + 1))" - - # prepare parameters (initialise with pid file) - local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid" - local args="-P $pid_file" - local val - # A) password authentication - config_get_bool val "${section}" PasswordAuth 1 - [ "${val}" -eq 0 ] && append args "-s" - # B) listen interface and port - local port - local interface - config_get interface "${section}" Interface - config_get interface "${interface}" ifname "$interface" - config_get port "${section}" Port 22 - append_ports "$interface" "$port" - # C) banner file - config_get val "${section}" BannerFile - [ -f "${val}" ] && append args "-b ${val}" - # D) gatewayports - config_get_bool val "${section}" GatewayPorts 0 - [ "${val}" -eq 1 ] && append args "-a" - # E) root password authentication - config_get_bool val "${section}" RootPasswordAuth 1 - [ "${val}" -eq 0 ] && append args "-g" - # F) root login - config_get_bool val "${section}" RootLogin 1 - [ "${val}" -eq 0 ] && append args "-w" - # G) 
host keys - config_get val "${section}" rsakeyfile - [ -f "${val}" ] && append args "-r ${val}" - config_get val "${section}" dsskeyfile - [ -f "${val}" ] && append args "-d ${val}" - - # execute program and return its exit code - [ "${verbosed}" -ne 0 ] && echo "${initscript}: section ${section} starting ${PROG} ${args}" - SERVICE_PID_FILE="$pid_file" service_start ${PROG} ${args} -} - -keygen() -{ - for keytype in rsa dss; do - # check for keys - key=dropbear/dropbear_${keytype}_host_key - [ -f /tmp/$key -o -s /etc/$key ] || { - # generate missing keys - mkdir -p /tmp/dropbear - [ -x /usr/bin/dropbearkey ] && { - /usr/bin/dropbearkey -t $keytype -f /tmp/$key 2>&- >&- && exec /etc/rc.common "$initscript" start - } & - exit 0 - } - done - - lock /tmp/.switch2jffs - mkdir -p /etc/dropbear - mv /tmp/dropbear/dropbear_* /etc/dropbear/ - lock -u /tmp/.switch2jffs - chown root /etc/dropbear - chmod 0700 /etc/dropbear -} - -start() -{ - [ -s /etc/dropbear/dropbear_rsa_host_key -a \ - -s /etc/dropbear/dropbear_dss_host_key ] || keygen - - include /lib/network - scan_interfaces - config_load "${NAME}" - config_foreach dropbear_start dropbear -} - -stop() -{ - local pid_file pid_files - - pid_files=`ls /var/run/${NAME}.*.pid 2>/dev/null` - - [ -z "$pid_files" ] && return 1 - - for pid_file in $pid_files; do - SERVICE_PID_FILE="$pid_file" service_stop ${PROG} && { - rm -f ${pid_file} - } - done -} - -killclients() -{ - local ignore='' - local server - local pid - - # if this script is run from inside a client session, then ignore that session - pid="$$" - while [ "${pid}" -ne 0 ] - do - # get parent process id - pid=`cut -d ' ' -f 4 "/proc/${pid}/stat"` - [ "${pid}" -eq 0 ] && break - - # check if client connection - grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && { - append ignore "${pid}" - break - } - done - - # get all server pids that should be ignored - for server in `cat /var/run/${NAME}.*.pid` - do - append ignore "${server}" - done - - # get all running pids and 
kill client connections - local skip - for pid in `pidof "${NAME}"` - do - # check if correct program, otherwise process next pid - grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || { - continue - } - - # check if pid should be ignored (servers, ourself) - skip=0 - for server in ${ignore} - do - if [ "${pid}" == "${server}" ] - then - skip=1 - break - fi - done - [ "${skip}" -ne 0 ] && continue - - # kill process - echo "${initscript}: Killing ${pid}..." - kill -KILL ${pid} - done -} diff --git a/package/dropbear/patches/100-pubkey_path.patch b/package/dropbear/patches/100-pubkey_path.patch deleted file mode 100644 index c1802f51e5..0000000000 --- a/package/dropbear/patches/100-pubkey_path.patch +++ /dev/null 
@@ -1,91 +0,0 @@ ---- a/svr-authpubkey.c -+++ b/svr-authpubkey.c -@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al - goto out; - } - -- /* we don't need to check pw and pw_dir for validity, since -- * its been done in checkpubkeyperms. */ -- len = strlen(ses.authstate.pw_dir); -- /* allocate max required pathname storage, -- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -- filename = m_malloc(len + 22); -- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", -- ses.authstate.pw_dir); -- -- /* open the file */ -- authfile = fopen(filename, "r"); -+ if (ses.authstate.pw_uid != 0) { -+ /* we don't need to check pw and pw_dir for validity, since -+ * its been done in checkpubkeyperms. */ -+ len = strlen(ses.authstate.pw_dir); -+ /* allocate max required pathname storage, -+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -+ filename = m_malloc(len + 22); -+ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", -+ ses.authstate.pw_dir); -+ -+ /* open the file */ -+ authfile = fopen(filename, "r"); -+ } else { -+ authfile = fopen("/etc/dropbear/authorized_keys","r"); -+ } - if (authfile == NULL) { - goto out; - } -@@ -372,26 +376,35 @@ static int checkpubkeyperms() { - goto out; - } - -- /* allocate max required pathname storage, -- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -- filename = m_malloc(len + 22); -- strncpy(filename, ses.authstate.pw_dir, len+1); -- -- /* check ~ */ -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; -- } -- -- /* check ~/.ssh */ -- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; -- } -- -- /* now check ~/.ssh/authorized_keys */ -- strncat(filename, "/authorized_keys", 16); -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; -+ if (ses.authstate.pw_uid == 0) { -+ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { -+ goto out; -+ } -+ if 
(checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { -+ goto out; -+ } -+ } else { -+ /* allocate max required pathname storage, -+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -+ filename = m_malloc(len + 22); -+ strncpy(filename, ses.authstate.pw_dir, len+1); -+ -+ /* check ~ */ -+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -+ goto out; -+ } -+ -+ /* check ~/.ssh */ -+ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ -+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -+ goto out; -+ } -+ -+ /* now check ~/.ssh/authorized_keys */ -+ strncat(filename, "/authorized_keys", 16); -+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -+ goto out; -+ } - } - - /* file looks ok, return success */ diff --git a/package/dropbear/patches/110-change_user.patch b/package/dropbear/patches/110-change_user.patch deleted file mode 100644 index 55747bc4d7..0000000000 --- a/package/dropbear/patches/110-change_user.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- a/svr-chansession.c -+++ b/svr-chansession.c -@@ -884,12 +884,12 @@ static void execchild(void *user_data) { - /* We can only change uid/gid as root ... */ - if (getuid() == 0) { - -- if ((setgid(ses.authstate.pw_gid) < 0) || -+ if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) || - (initgroups(ses.authstate.pw_name, -- ses.authstate.pw_gid) < 0)) { -+ ses.authstate.pw_gid) < 0))) { - dropbear_exit("Error changing user group"); - } -- if (setuid(ses.authstate.pw_uid) < 0) { -+ if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) { - dropbear_exit("Error changing user"); - } - } else { diff --git a/package/dropbear/patches/120-openwrt_options.patch b/package/dropbear/patches/120-openwrt_options.patch deleted file mode 100644 index 42204aa646..0000000000 --- a/package/dropbear/patches/120-openwrt_options.patch +++ /dev/null 
@@ -1,67 +0,0 @@ ---- a/options.h -+++ b/options.h -@@ -38,7 +38,7 @@ - * Both of these flags can be defined at once, don't compile without at least - * one of them. */ - #define NON_INETD_MODE --#define INETD_MODE -+/*#define INETD_MODE*/ - - /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is - * perhaps 20% slower for pubkey operations (it is probably worth experimenting -@@ -49,7 +49,7 @@ - several kB in binary size however will make the symmetrical ciphers and hashes - slower, perhaps by 50%. Recommended for small systems that aren't doing - much traffic. */ --/*#define DROPBEAR_SMALL_CODE*/ -+#define DROPBEAR_SMALL_CODE - - /* Enable X11 Forwarding - server only */ - #define ENABLE_X11FWD -@@ -78,7 +78,7 @@ much traffic. */ - - /* Enable "Netcat mode" option. This will forward standard input/output - * to a remote TCP-forwarded connection */ --#define ENABLE_CLI_NETCAT -+/*#define ENABLE_CLI_NETCAT*/ - - /* Encryption - at least one required. - * Protocol RFC requires 3DES and recommends AES128 for interoperability. -@@ -89,8 +89,8 @@ much traffic. */ - #define DROPBEAR_AES256 - /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ - /*#define DROPBEAR_BLOWFISH*/ --#define DROPBEAR_TWOFISH256 --#define DROPBEAR_TWOFISH128 -+/*#define DROPBEAR_TWOFISH256 -+#define DROPBEAR_TWOFISH128*/ - - /* Enable "Counter Mode" for ciphers. This is more secure than normal - * CBC mode against certain attacks. This adds around 1kB to binary -@@ -110,7 +110,7 @@ much traffic. */ - * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, - * which are not the standard form. */ - #define DROPBEAR_SHA1_HMAC --#define DROPBEAR_SHA1_96_HMAC -+/*#define DROPBEAR_SHA1_96_HMAC*/ - #define DROPBEAR_MD5_HMAC - - /* Hostkey/public key algorithms - at least one required, these are used -@@ -148,7 +148,7 @@ much traffic. */ - - /* Whether to print the message of the day (MOTD). 
This doesn't add much code - * size */ --#define DO_MOTD -+/*#define DO_MOTD*/ - - /* The MOTD file path */ - #ifndef MOTD_FILENAME -@@ -192,7 +192,7 @@ much traffic. */ - * note that it will be provided for all "hidden" client-interactive - * style prompts - if you want something more sophisticated, use - * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ --#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" -+/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/ - - /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of - * a helper program for the ssh client. The helper program should be diff --git a/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch deleted file mode 100644 index 93647a99e5..0000000000 --- a/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch +++ /dev/null @@ -1,21 +0,0 @@ ---- a/cli-runopts.c -+++ b/cli-runopts.c -@@ -287,6 +287,10 @@ void cli_getopts(int argc, char ** argv) - debug_trace = 1; - break; - #endif -+ case 'o': -+ next = &dummy; -+ case 'x': -+ break; - case 'F': - case 'e': - case 'c': -@@ -298,7 +302,6 @@ void cli_getopts(int argc, char ** argv) - #ifndef ENABLE_CLI_LOCALTCPFWD - case 'L': - #endif -- case 'o': - case 'b': - next = &dummy; - default: diff --git a/package/dropbear/patches/140-disable_assert.patch b/package/dropbear/patches/140-disable_assert.patch deleted file mode 100644 index e99376333c..0000000000 --- a/package/dropbear/patches/140-disable_assert.patch +++ /dev/null 
@@ -1,14 +0,0 @@ ---- a/dbutil.h -+++ b/dbutil.h -@@ -94,6 +94,10 @@ int m_str_to_uint(const char* str, unsig - #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} - - /* Dropbear assertion */ --#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0) -+#ifndef DROPBEAR_ASSERT_ENABLED -+#define DROPBEAR_ASSERT_ENABLED 0 -+#endif -+ -+#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0) - - #endif /* _DBUTIL_H_ */ diff --git a/package/dropbear/patches/150-dbconvert_standalone.patch b/package/dropbear/patches/150-dbconvert_standalone.patch deleted file mode 100644 index 3e0b008552..0000000000 --- a/package/dropbear/patches/150-dbconvert_standalone.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- a/options.h -+++ b/options.h -@@ -5,6 +5,11 @@ - #ifndef _OPTIONS_H_ - #define _OPTIONS_H_ - -+#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER) -+#define DROPBEAR_SERVER -+#define DROPBEAR_CLIENT -+#endif -+ - /****************************************************************** - * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" - * parts are to allow for commandline -DDROPBEAR_XXX options etc. diff --git a/package/dropbear/patches/200-lcrypt_bsdfix.patch b/package/dropbear/patches/200-lcrypt_bsdfix.patch deleted file mode 100644 index 57eb9670dc..0000000000 --- a/package/dropbear/patches/200-lcrypt_bsdfix.patch +++ /dev/null 
@@ -1,29 +0,0 @@ ---- a/Makefile.in -+++ b/Makefile.in -@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac - loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \ - listener.h fake-rfc2553.h - --dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ -+dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) - dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS) - dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS) - dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS) -@@ -77,7 +77,7 @@ STRIP=@STRIP@ - INSTALL=@INSTALL@ - CPPFLAGS=@CPPFLAGS@ - CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@ --LIBS+=@LIBS@ -+LIBS+=@CRYPTLIB@ @LIBS@ - LDFLAGS=@LDFLAGS@ - - EXEEXT=@EXEEXT@ -@@ -169,7 +169,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile - # multi-binary compilation. - MULTIOBJS= - ifeq ($(MULTI),1) -- MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) @CRYPTLIB@ -+ MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) - CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI - endif - diff --git a/package/dropbear/patches/300-ipv6_addr_port_split.patch b/package/dropbear/patches/300-ipv6_addr_port_split.patch deleted file mode 100644 index 7da435ab15..0000000000 --- a/package/dropbear/patches/300-ipv6_addr_port_split.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -325,7 +325,7 @@ static void addportandaddress(char* spec - myspec = m_strdup(spec); - - /* search for ':', that separates address and port */ -- svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':'); -+ svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':'); - - if (svr_opts.ports[svr_opts.portcount] == NULL) { - /* no ':' -> the whole string specifies just a port */ diff --git a/package/dropbear/patches/400-CVE-2012-0920.patch b/package/dropbear/patches/400-CVE-2012-0920.patch deleted file mode 100644 index 164909f561..0000000000 --- a/package/dropbear/patches/400-CVE-2012-0920.patch +++ /dev/null 
@@ -1,91 +0,0 @@ - -# HG changeset patch -# User Matt Johnston <matt@ucc.asn.au> -# Date 1322947885 -28800 -# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8 -# Parent 5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f -- Fix use-after-free if multiple command requests were sent. Move -the original_command into chansess struct since that makes more sense - ---- a/auth.h -+++ b/auth.h -@@ -133,7 +133,6 @@ struct PubKeyOptions { - int no_pty_flag; - /* "command=" option. */ - unsigned char * forced_command; -- unsigned char * original_command; - }; - #endif - ---- a/chansession.h -+++ b/chansession.h -@@ -69,6 +69,10 @@ struct ChanSess { - char * agentfile; - char * agentdir; - #endif -+ -+#ifdef ENABLE_SVR_PUBKEY_OPTIONS -+ char *original_command; -+#endif - }; - - struct ChildPid { ---- a/svr-authpubkeyoptions.c -+++ b/svr-authpubkeyoptions.c -@@ -92,14 +92,15 @@ int svr_pubkey_allows_pty() { - * by any 'command' public key option. */ - void svr_pubkey_set_forced_command(struct ChanSess *chansess) { - if (ses.authstate.pubkey_options) { -- ses.authstate.pubkey_options->original_command = chansess->cmd; -- if (!chansess->cmd) -- { -- ses.authstate.pubkey_options->original_command = m_strdup(""); -+ if (chansess->cmd) { -+ /* original_command takes ownership */ -+ chansess->original_command = chansess->cmd; -+ } else { -+ chansess->original_command = m_strdup(""); - } -- chansess->cmd = ses.authstate.pubkey_options->forced_command; -+ chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command); - #ifdef LOG_COMMANDS -- dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command); -+ dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command); - #endif - } - } ---- a/svr-chansession.c -+++ b/svr-chansession.c -@@ -217,6 +217,8 @@ static int newchansess(struct Channel *c - - struct ChanSess *chansess; - -+ TRACE(("new chansess %p", channel)) -+ - dropbear_assert(channel->typedata == NULL); - - chansess = (struct 
ChanSess*)m_malloc(sizeof(struct ChanSess)); -@@ -279,6 +281,10 @@ static void closechansess(struct Channel - m_free(chansess->cmd); - m_free(chansess->term); - -+#ifdef ENABLE_SVR_PUBKEY_OPTIONS -+ m_free(chansess->original_command); -+#endif -+ - if (chansess->tty) { - /* write the utmp/wtmp login record */ - li = chansess_login_alloc(chansess); -@@ -924,10 +930,8 @@ static void execchild(void *user_data) { - } - - #ifdef ENABLE_SVR_PUBKEY_OPTIONS -- if (ses.authstate.pubkey_options && -- ses.authstate.pubkey_options->original_command) { -- addnewvar("SSH_ORIGINAL_COMMAND", -- ses.authstate.pubkey_options->original_command); -+ if (chansess->original_command) { -+ addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command); - } - #endif - diff --git a/package/dropbear/patches/500-set-default-path.patch b/package/dropbear/patches/500-set-default-path.patch deleted file mode 100644 index 0bd3ffcc38..0000000000 --- a/package/dropbear/patches/500-set-default-path.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/options.h -+++ b/options.h -@@ -297,7 +297,7 @@ be overridden at runtime with -I. 0 disa - #define DEFAULT_IDLE_TIMEOUT 0 - - /* The default path. This will often get replaced by the shell */ --#define DEFAULT_PATH "/usr/bin:/bin" -+#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin" - - /* Some other defines (that mostly should be left alone) are defined - * in sysoptions.h */ |