Wed Jun 15 22:59:36 UTC 2011

author: root <root@rshg047.dnsready.net> 2011-06-15 22:59:36 +0000
committer: root <root@rshg047.dnsready.net> 2011-06-15 22:59:36 +0000
commit: ebe74a263db3899367e12d936f908cdfdee7ec15 (patch)
tree: 48d62da97d7807b3d380c3902a21ae98340b0ea6 /core/openssh
parent: ba3afb3907fc927bd08713613d4a30a9479c715c (diff)
2 files changed, 221 insertions, 8 deletions
diff --git a/core/openssh/PKGBUILD b/core/openssh/PKGBUILD
index e0f866502..0520c9b7f 100644
--- a/core/openssh/PKGBUILD
+++ b/core/openssh/PKGBUILD
@@ -1,11 +1,11 @@
-# $Id: PKGBUILD 123290 2011-05-09 17:45:14Z bisson $
+# $Id: PKGBUILD 127348 2011-06-13 11:08:41Z bisson $
 # Maintainer: Gaetan Bisson <bisson@archlinux.org>
 # Contributor: Aaron Griffin <aaron@archlinux.org>
 # Contributor: judd <jvinet@zeroflux.org>
 
 pkgname=openssh
 pkgver=5.8p2
-pkgrel=6
+pkgrel=7
 pkgdesc='Free version of the SSH connectivity tools'
 arch=('i686' 'x86_64')
 license=('custom:BSD')
@@ -13,10 +13,12 @@ url='http://www.openssh.org/portable.html'
 backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd' 'etc/conf.d/sshd')
 depends=('tcp_wrappers' 'krb5' 'openssl' 'libedit')
 source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"
+        'authfile.c.patch'
         'sshd.confd'
         'sshd.pam'
         'sshd')
 sha1sums=('64798328d310e4f06c9f01228107520adbc8b3e5'
+          '3669cb5ca6149f69015df5ce8e60b82c540eb0a4'
           'ec102deb69cad7d14f406289d2fc11fee6eddbdd'
           '660092c57bde28bed82078f74011f95fc51c2293'
           '6b7f8ebf0c1cc37137a7d9a53447ac8a0ee6a2b5')
@@ -24,11 +26,24 @@ sha1sums=('64798328d310e4f06c9f01228107520adbc8b3e5'
 build() {
 	cd "${srcdir}/${pkgname}-${pkgver}"
 
-	./configure --prefix=/usr --libexecdir=/usr/lib/ssh \
-		--sysconfdir=/etc/ssh --with-tcp-wrappers --with-privsep-user=nobody \
-		--with-md5-passwords --with-pam --with-mantype=man --mandir=/usr/share/man \
-		--with-xauth=/usr/bin/xauth --with-kerberos5=/usr --with-ssl-engine \
-		--with-libedit=/usr/lib --disable-strip # stripping is done by makepkg
+	patch -p1 -i ../authfile.c.patch # fix FS#24693 using http://anoncvs.mindrot.org/index.cgi/openssh/authfile.c?revision=1.95
+
+	./configure \
+		--prefix=/usr \
+		--libexecdir=/usr/lib/ssh \
+		--sysconfdir=/etc/ssh \
+		--with-tcp-wrappers \
+		--with-privsep-user=nobody \
+		--with-md5-passwords \
+		--with-pam \
+		--with-mantype=man \
+		--mandir=/usr/share/man \
+		--with-xauth=/usr/bin/xauth \
+		--with-kerberos5=/usr \
+		--with-ssl-engine \
+		--with-libedit=/usr/lib \
+		--disable-strip # stripping is done by makepkg
+
 	make
 }
 
@@ -52,5 +67,5 @@ package() {
 	# PAM is a common, standard feature to have
 	sed -i	-e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
 		-e '/^#UsePAM no$/c UsePAM yes' \
-		"$pkgdir"/etc/ssh/sshd_config
+		"${pkgdir}"/etc/ssh/sshd_config
 }
diff --git a/core/openssh/authfile.c.patch b/core/openssh/authfile.c.patch
new file mode 100644
index 000000000..6c18fe807
--- /dev/null
+++ b/core/openssh/authfile.c.patch
@@ -0,0 +1,198 @@
+diff -aur old/authfile.c new/authfile.c
+--- old/authfile.c	2011-06-12 02:21:52.262338254 +0200
++++ new/authfile.c	2011-06-12 02:13:43.051467269 +0200
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: authfile.c,v 1.87 2010/11/29 18:57:04 markus Exp $ */
++/* $OpenBSD: authfile.c,v 1.95 2011/05/29 11:42:08 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -69,6 +69,8 @@
+ #include "misc.h"
+ #include "atomicio.h"
+ 
++#define MAX_KEY_FILE_SIZE	(1024 * 1024)
++
+ /* Version identification string for SSH v1 identity files. */
+ static const char authfile_id_string[] =
+     "SSH PRIVATE KEY FILE FORMAT 1.1\n";
+@@ -312,12 +314,12 @@
+ 	return pub;
+ }
+ 
+-/* Load the contents of a key file into a buffer */
+-static int
++/* Load a key from a fd into a buffer */
++int
+ key_load_file(int fd, const char *filename, Buffer *blob)
+ {
++	u_char buf[1024];
+ 	size_t len;
+-	u_char *cp;
+ 	struct stat st;
+ 
+ 	if (fstat(fd, &st) < 0) {
+@@ -325,30 +327,45 @@
+ 		    filename == NULL ? "" : filename,
+ 		    filename == NULL ? "" : " ",
+ 		    strerror(errno));
+-		close(fd);
+ 		return 0;
+ 	}
+-	if (st.st_size > 1*1024*1024) {
++	if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
++	    st.st_size > MAX_KEY_FILE_SIZE) {
++ toobig:
+ 		error("%s: key file %.200s%stoo large", __func__,
+ 		    filename == NULL ? "" : filename,
+ 		    filename == NULL ? "" : " ");
+-		close(fd);
+ 		return 0;
+ 	}
+-	len = (size_t)st.st_size;		/* truncated */
+-
+ 	buffer_init(blob);
+-	cp = buffer_append_space(blob, len);
+-
+-	if (atomicio(read, fd, cp, len) != len) {
+-		debug("%s: read from key file %.200s%sfailed: %.100s", __func__,
+-		    filename == NULL ? "" : filename,
+-		    filename == NULL ? "" : " ",
+-		    strerror(errno));
++	for (;;) {
++		if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
++			if (errno == EPIPE)
++				break;
++			debug("%s: read from key file %.200s%sfailed: %.100s",
++			    __func__, filename == NULL ? "" : filename,
++			    filename == NULL ? "" : " ", strerror(errno));
++			buffer_clear(blob);
++			bzero(buf, sizeof(buf));
++			return 0;
++		}
++		buffer_append(blob, buf, len);
++		if (buffer_len(blob) > MAX_KEY_FILE_SIZE) {
++			buffer_clear(blob);
++			bzero(buf, sizeof(buf));
++			goto toobig;
++		}
++	}
++	bzero(buf, sizeof(buf));
++	if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
++	    st.st_size != buffer_len(blob)) {
++		debug("%s: key file %.200s%schanged size while reading",
++		    __func__, filename == NULL ? "" : filename,
++		    filename == NULL ? "" : " ");
+ 		buffer_clear(blob);
+-		close(fd);
+ 		return 0;
+ 	}
++
+ 	return 1;
+ }
+ 
+@@ -606,7 +623,7 @@
+ 		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ 		error("Permissions 0%3.3o for '%s' are too open.",
+ 		    (u_int)st.st_mode & 0777, filename);
+-		error("It is recommended that your private key files are NOT accessible by others.");
++		error("It is required that your private key files are NOT accessible by others.");
+ 		error("This private key will be ignored.");
+ 		return 0;
+ 	}
+@@ -626,6 +643,7 @@
+ 	case KEY_UNSPEC:
+ 		return key_parse_private_pem(blob, type, passphrase, commentp);
+ 	default:
++		error("%s: cannot parse key type %d", __func__, type);
+ 		break;
+ 	}
+ 	return NULL;
+@@ -670,11 +688,38 @@
+ }
+ 
+ Key *
++key_parse_private(Buffer *buffer, const char *filename,
++    const char *passphrase, char **commentp)
++{
++	Key *pub, *prv;
++	Buffer pubcopy;
++
++	buffer_init(&pubcopy);
++	buffer_append(&pubcopy, buffer_ptr(buffer), buffer_len(buffer));
++	/* it's a SSH v1 key if the public key part is readable */
++	pub = key_parse_public_rsa1(&pubcopy, commentp);
++	buffer_free(&pubcopy);
++	if (pub == NULL) {
++		prv = key_parse_private_type(buffer, KEY_UNSPEC,
++		    passphrase, NULL);
++		/* use the filename as a comment for PEM */
++		if (commentp && prv)
++			*commentp = xstrdup(filename);
++	} else {
++		key_free(pub);
++		/* key_parse_public_rsa1() has already loaded the comment */
++		prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
++		    NULL);
++	}
++	return prv;
++}
++
++Key *
+ key_load_private(const char *filename, const char *passphrase,
+     char **commentp)
+ {
+-	Key *pub, *prv;
+-	Buffer buffer, pubcopy;
++	Key *prv;
++	Buffer buffer;
+ 	int fd;
+ 
+ 	fd = open(filename, O_RDONLY);
+@@ -697,23 +742,7 @@
+ 	}
+ 	close(fd);
+ 
+-	buffer_init(&pubcopy);
+-	buffer_append(&pubcopy, buffer_ptr(&buffer), buffer_len(&buffer));
+-	/* it's a SSH v1 key if the public key part is readable */
+-	pub = key_parse_public_rsa1(&pubcopy, commentp);
+-	buffer_free(&pubcopy);
+-	if (pub == NULL) {
+-		prv = key_parse_private_type(&buffer, KEY_UNSPEC,
+-		    passphrase, NULL);
+-		/* use the filename as a comment for PEM */
+-		if (commentp && prv)
+-			*commentp = xstrdup(filename);
+-	} else {
+-		key_free(pub);
+-		/* key_parse_public_rsa1() has already loaded the comment */
+-		prv = key_parse_private_type(&buffer, KEY_RSA1, passphrase,
+-		    NULL);
+-	}
++	prv = key_parse_private(&buffer, filename, passphrase, commentp);
+ 	buffer_free(&buffer);
+ 	return prv;
+ }
+@@ -737,13 +766,19 @@
+ 			case '\0':
+ 				continue;
+ 			}
++			/* Abort loading if this looks like a private key */
++			if (strncmp(cp, "-----BEGIN", 10) == 0)
++				break;
+ 			/* Skip leading whitespace. */
+ 			for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
+ 				;
+ 			if (*cp) {
+ 				if (key_read(k, &cp) == 1) {
+-					if (commentp)
+-						*commentp=xstrdup(filename);
++					cp[strcspn(cp, "\r\n")] = '\0';
++					if (commentp) {
++						*commentp = xstrdup(*cp ?
++						    cp : filename);
++					}
+ 					fclose(f);
+ 					return 1;
+ 				}
author	root <root@rshg047.dnsready.net>	2011-06-15 22:59:36 +0000
committer	root <root@rshg047.dnsready.net>	2011-06-15 22:59:36 +0000
commit	ebe74a263db3899367e12d936f908cdfdee7ec15 (patch)
tree	48d62da97d7807b3d380c3902a21ae98340b0ea6 /core/openssh
parent	ba3afb3907fc927bd08713613d4a30a9479c715c (diff)