diff options
Diffstat (limited to 'core')
| -rw-r--r-- | core/curl/PKGBUILD | 8 | ||||
| -rw-r--r-- | core/krb5/PKGBUILD | 5 | ||||
| -rw-r--r-- | core/openssh/PKGBUILD | 6 | ||||
| -rw-r--r-- | core/openssh/sshd.pam | 17 | ||||
| -rw-r--r-- | core/openssl/Fix-IV-check-and-padding-removal.patch | 72 | ||||
| -rw-r--r-- | core/openssl/PKGBUILD | 17 |
6 files changed, 98 insertions, 27 deletions
diff --git a/core/curl/PKGBUILD b/core/curl/PKGBUILD index 6dc1f85a8..1c0f41e45 100644 --- a/core/curl/PKGBUILD +++ b/core/curl/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 171938 2012-11-24 17:37:34Z dreisner $ +# $Id: PKGBUILD 177786 2013-02-08 18:18:03Z dreisner $ # Maintainer: Dave Reisner <dreisner@archlinux.org> # Contributor: Angel Velasquez <angvp@archlinux.org> # Contributor: Eric Belanger <eric@archlinux.org> @@ -6,7 +6,7 @@ # Contributor: Daniel J Griffiths <ghost1227@archlinux.us> pkgname=curl -pkgver=7.28.1 +pkgver=7.29.0 pkgrel=1 pkgdesc="An URL retrieval utility and library" arch=('i686' 'x86_64') @@ -16,8 +16,8 @@ depends=('ca-certificates' 'libssh2' 'openssl' 'zlib') options=('!libtool') source=("http://curl.haxx.se/download/$pkgname-$pkgver.tar.gz"{,.asc} curlbuild.h) -md5sums=('252ef351c0fc307b2d8ea1ee31542072' - 'e3cea743ef286f5aff1f1d27137e9828' +md5sums=('4f57d3b4a3963038bd5e04dbff385390' + '6283fbb36933cf8720acc34c43169f1d' '751bd433ede935c8fae727377625a8ae') ptrsize=$(cpp <<<'__SIZEOF_POINTER__' | sed '/^#/d') diff --git a/core/krb5/PKGBUILD b/core/krb5/PKGBUILD index 1562d2bb3..e0ba10939 100644 --- a/core/krb5/PKGBUILD +++ b/core/krb5/PKGBUILD @@ -1,9 +1,9 @@ -# $Id: PKGBUILD 174452 2013-01-04 16:47:52Z stephane $ +# $Id: PKGBUILD 177775 2013-02-08 11:19:11Z stephane $ # Maintainer: Stéphane Gaudreault <stephane@archlinux.org> pkgname=krb5 pkgver=1.11 -pkgrel=2 +pkgrel=3 pkgdesc="The Kerberos network authentication system" arch=('i686' 'x86_64') url="http://web.mit.edu/kerberos/" @@ -48,6 +48,7 @@ build() { export CFLAGS+=" -fPIC -fno-strict-aliasing -fstack-protector-all" export CPPFLAGS+=" -I/usr/include/et" ./configure --prefix=/usr \ + --sysconfdir=/etc \ --mandir=/usr/share/man \ --localstatedir=/var/lib \ --enable-shared \ diff --git a/core/openssh/PKGBUILD b/core/openssh/PKGBUILD index a02ad3953..5de4fb195 100644 --- a/core/openssh/PKGBUILD +++ b/core/openssh/PKGBUILD @@ -1,11 +1,11 @@ -# $Id: PKGBUILD 171552 2012-11-19 03:55:36Z bisson $ +# $Id: PKGBUILD 177604 2013-02-08 03:12:11Z bisson $ # Maintainer: Gaetan Bisson <bisson@archlinux.org> # Contributor: Aaron Griffin <aaron@archlinux.org> # Contributor: judd <jvinet@zeroflux.org> pkgname=openssh pkgver=6.1p1 -pkgrel=4 +pkgrel=5 pkgdesc='Free version of the SSH connectivity tools' url='http://www.openssh.org/portable.html' license=('custom:BSD') @@ -30,7 +30,7 @@ sha1sums=('751c92c912310c3aa9cadc113e14458f843fc7b3' 'f9af4a442b804ab661cec0edb25dd76dee16d8d2' 'e12fa910b26a5634e5a6ac39ce1399a132cf6796' 'ec102deb69cad7d14f406289d2fc11fee6eddbdd' - '659e3ee95c269014783ff8b318c6f50bf7496fbd' + 'd93dca5ebda4610ff7647187f8928a3de28703f3' '1488d4ed33cf3037accf4b0e1c7a7e90b6a097c7') backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd' 'etc/conf.d/sshd') diff --git a/core/openssh/sshd.pam b/core/openssh/sshd.pam index aeef8be27..7ecef084d 100644 --- a/core/openssh/sshd.pam +++ b/core/openssh/sshd.pam @@ -1,13 +1,6 @@ #%PAM-1.0 -#auth required pam_securetty.so #Disable remote root -auth required pam_unix.so -auth required pam_env.so -account required pam_nologin.so -account required pam_unix.so -account required pam_time.so -password required pam_unix.so -session required pam_unix_session.so -session required pam_limits.so -session optional pam_loginuid.so --session optional pam_ck_connector.so nox11 --session optional pam_systemd.so +#auth required pam_securetty.so #disable remote root +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/core/openssl/Fix-IV-check-and-padding-removal.patch b/core/openssl/Fix-IV-check-and-padding-removal.patch new file mode 100644 index 000000000..321791251 --- /dev/null +++ b/core/openssl/Fix-IV-check-and-padding-removal.patch @@ -0,0 +1,72 @@ +From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" <steve@openssl.org> +Date: Thu, 7 Feb 2013 21:06:37 +0000 +Subject: [PATCH] Fix IV check and padding removal. + +Fix the calculation that checks there is enough room in a record +after removing padding and optional explicit IV. (by Steve) + +For AEAD remove the correct number of padding bytes (by Andy) +--- + ssl/s3_cbc.c | 33 ++++++++++++--------------------- + 1 file changed, 12 insertions(+), 21 deletions(-) + +diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c +index ce77acd..0f60507 100644 +--- a/ssl/s3_cbc.c ++++ b/ssl/s3_cbc.c +@@ -139,31 +139,22 @@ int tls1_cbc_remove_padding(const SSL* s, + unsigned mac_size) + { + unsigned padding_length, good, to_check, i; +- const char has_explicit_iv = +- s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION; +- const unsigned overhead = 1 /* padding length byte */ + +- mac_size + +- (has_explicit_iv ? block_size : 0); +- +- /* These lengths are all public so we can test them in non-constant +- * time. */ +- if (overhead > rec->length) +- return 0; +- +- /* We can always safely skip the explicit IV. We check at the beginning +- * of this function that the record has at least enough space for the +- * IV, MAC and padding length byte. (These can be checked in +- * non-constant time because it's all public information.) So, if the +- * padding was invalid, then we didn't change |rec->length| and this is +- * safe. If the padding was valid then we know that we have at least +- * overhead+padding_length bytes of space and so this is still safe +- * because overhead accounts for the explicit IV. */ +- if (has_explicit_iv) ++ const unsigned overhead = 1 /* padding length byte */ + mac_size; ++ /* Check if version requires explicit IV */ ++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) + { ++ /* These lengths are all public so we can test them in ++ * non-constant time. ++ */ ++ if (overhead + block_size > rec->length) ++ return 0; ++ /* We can now safely skip explicit IV */ + rec->data += block_size; + rec->input += block_size; + rec->length -= block_size; + } ++ else if (overhead > rec->length) ++ return 0; + + padding_length = rec->data[rec->length-1]; + +@@ -190,7 +181,7 @@ int tls1_cbc_remove_padding(const SSL* s, + if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) + { + /* padding is already verified */ +- rec->length -= padding_length; ++ rec->length -= padding_length + 1; + return 1; + } + +-- +1.8.1.2 + diff --git a/core/openssl/PKGBUILD b/core/openssl/PKGBUILD index 29fd88509..4671cf21b 100644 --- a/core/openssl/PKGBUILD +++ b/core/openssl/PKGBUILD @@ -1,8 +1,8 @@ -# $Id: PKGBUILD 158833 2012-05-11 23:33:03Z pierre $ +# $Id: PKGBUILD 177772 2013-02-08 10:29:25Z pierre $ # Maintainer: Pierre Schmitz <pierre@archlinux.de> pkgname=openssl -_ver=1.0.1c +_ver=1.0.1d # use a pacman compatible version scheme pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}} #pkgver=$_ver @@ -19,12 +19,14 @@ source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz" "https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz.asc" 'fix-manpages.patch' 'no-rpath.patch' - 'ca-dir.patch') -md5sums=('ae412727c8c15b67880aef7bd2999b2e' - 'a3d90bc42253def61cd1c4237f1ce5f7' + 'ca-dir.patch' + 'Fix-IV-check-and-padding-removal.patch') +md5sums=('b92fc634f0f1f31a67ed4175adc5ba33' + 'f06c54781073ef57c01b593adf377759' '5bbc0655bda2af95bc8eb568963ce8ba' 'dc78d3d06baffc16217519242ce92478' - '3bf51be3a1bbd262be46dc619f92aa90') + '3bf51be3a1bbd262be46dc619f92aa90' + 'b92ec62a1f3e7fdc65481afff709cd8b') build() { cd $srcdir/$pkgname-$_ver @@ -44,6 +46,9 @@ build() { patch -p0 -i $srcdir/no-rpath.patch # set ca dir to /etc/ssl by default patch -p0 -i $srcdir/ca-dir.patch + # https://rt.openssl.org/Ticket/Display.html?id=2975 + patch -p1 -i $srcdir/Fix-IV-check-and-padding-removal.patch + # mark stack as non-executable: http://bugs.archlinux.org/task/12434 # workaround for PR#2771: OPENSSL_NO_TLS1_2_CLIENT ./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \ |