From ebe74a263db3899367e12d936f908cdfdee7ec15 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 15 Jun 2011 22:59:36 +0000 Subject: Wed Jun 15 22:59:36 UTC 2011 --- core/openssh/PKGBUILD | 31 +++++-- core/openssh/authfile.c.patch | 198 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 221 insertions(+), 8 deletions(-) create mode 100644 core/openssh/authfile.c.patch (limited to 'core') diff --git a/core/openssh/PKGBUILD b/core/openssh/PKGBUILD index e0f866502..0520c9b7f 100644 --- a/core/openssh/PKGBUILD +++ b/core/openssh/PKGBUILD @@ -1,11 +1,11 @@ -# $Id: PKGBUILD 123290 2011-05-09 17:45:14Z bisson $ +# $Id: PKGBUILD 127348 2011-06-13 11:08:41Z bisson $ # Maintainer: Gaetan Bisson # Contributor: Aaron Griffin # Contributor: judd pkgname=openssh pkgver=5.8p2 -pkgrel=6 +pkgrel=7 pkgdesc='Free version of the SSH connectivity tools' arch=('i686' 'x86_64') license=('custom:BSD') @@ -13,10 +13,12 @@ url='http://www.openssh.org/portable.html' backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd' 'etc/conf.d/sshd') depends=('tcp_wrappers' 'krb5' 'openssl' 'libedit') source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz" + 'authfile.c.patch' 'sshd.confd' 'sshd.pam' 'sshd') sha1sums=('64798328d310e4f06c9f01228107520adbc8b3e5' + '3669cb5ca6149f69015df5ce8e60b82c540eb0a4' 'ec102deb69cad7d14f406289d2fc11fee6eddbdd' '660092c57bde28bed82078f74011f95fc51c2293' '6b7f8ebf0c1cc37137a7d9a53447ac8a0ee6a2b5') @@ -24,11 +26,24 @@ sha1sums=('64798328d310e4f06c9f01228107520adbc8b3e5' build() { cd "${srcdir}/${pkgname}-${pkgver}" - ./configure --prefix=/usr --libexecdir=/usr/lib/ssh \ - --sysconfdir=/etc/ssh --with-tcp-wrappers --with-privsep-user=nobody \ - --with-md5-passwords --with-pam --with-mantype=man --mandir=/usr/share/man \ - --with-xauth=/usr/bin/xauth --with-kerberos5=/usr --with-ssl-engine \ - --with-libedit=/usr/lib --disable-strip # stripping is done by makepkg + patch -p1 -i ../authfile.c.patch # fix FS#24693 using http://anoncvs.mindrot.org/index.cgi/openssh/authfile.c?revision=1.95 + + ./configure \ + --prefix=/usr \ + --libexecdir=/usr/lib/ssh \ + --sysconfdir=/etc/ssh \ + --with-tcp-wrappers \ + --with-privsep-user=nobody \ + --with-md5-passwords \ + --with-pam \ + --with-mantype=man \ + --mandir=/usr/share/man \ + --with-xauth=/usr/bin/xauth \ + --with-kerberos5=/usr \ + --with-ssl-engine \ + --with-libedit=/usr/lib \ + --disable-strip # stripping is done by makepkg + make } @@ -52,5 +67,5 @@ package() { # PAM is a common, standard feature to have sed -i -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \ -e '/^#UsePAM no$/c UsePAM yes' \ - "$pkgdir"/etc/ssh/sshd_config + "${pkgdir}"/etc/ssh/sshd_config } diff --git a/core/openssh/authfile.c.patch b/core/openssh/authfile.c.patch new file mode 100644 index 000000000..6c18fe807 --- /dev/null +++ b/core/openssh/authfile.c.patch @@ -0,0 +1,198 @@ +diff -aur old/authfile.c new/authfile.c +--- old/authfile.c 2011-06-12 02:21:52.262338254 +0200 ++++ new/authfile.c 2011-06-12 02:13:43.051467269 +0200 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: authfile.c,v 1.87 2010/11/29 18:57:04 markus Exp $ */ ++/* $OpenBSD: authfile.c,v 1.95 2011/05/29 11:42:08 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -69,6 +69,8 @@ + #include "misc.h" + #include "atomicio.h" + ++#define MAX_KEY_FILE_SIZE (1024 * 1024) ++ + /* Version identification string for SSH v1 identity files. */ + static const char authfile_id_string[] = + "SSH PRIVATE KEY FILE FORMAT 1.1\n"; +@@ -312,12 +314,12 @@ + return pub; + } + +-/* Load the contents of a key file into a buffer */ +-static int ++/* Load a key from a fd into a buffer */ ++int + key_load_file(int fd, const char *filename, Buffer *blob) + { ++ u_char buf[1024]; + size_t len; +- u_char *cp; + struct stat st; + + if (fstat(fd, &st) < 0) { +@@ -325,30 +327,45 @@ + filename == NULL ? "" : filename, + filename == NULL ? "" : " ", + strerror(errno)); +- close(fd); + return 0; + } +- if (st.st_size > 1*1024*1024) { ++ if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 && ++ st.st_size > MAX_KEY_FILE_SIZE) { ++ toobig: + error("%s: key file %.200s%stoo large", __func__, + filename == NULL ? "" : filename, + filename == NULL ? "" : " "); +- close(fd); + return 0; + } +- len = (size_t)st.st_size; /* truncated */ +- + buffer_init(blob); +- cp = buffer_append_space(blob, len); +- +- if (atomicio(read, fd, cp, len) != len) { +- debug("%s: read from key file %.200s%sfailed: %.100s", __func__, +- filename == NULL ? "" : filename, +- filename == NULL ? "" : " ", +- strerror(errno)); ++ for (;;) { ++ if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) { ++ if (errno == EPIPE) ++ break; ++ debug("%s: read from key file %.200s%sfailed: %.100s", ++ __func__, filename == NULL ? "" : filename, ++ filename == NULL ? "" : " ", strerror(errno)); ++ buffer_clear(blob); ++ bzero(buf, sizeof(buf)); ++ return 0; ++ } ++ buffer_append(blob, buf, len); ++ if (buffer_len(blob) > MAX_KEY_FILE_SIZE) { ++ buffer_clear(blob); ++ bzero(buf, sizeof(buf)); ++ goto toobig; ++ } ++ } ++ bzero(buf, sizeof(buf)); ++ if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 && ++ st.st_size != buffer_len(blob)) { ++ debug("%s: key file %.200s%schanged size while reading", ++ __func__, filename == NULL ? "" : filename, ++ filename == NULL ? "" : " "); + buffer_clear(blob); +- close(fd); + return 0; + } ++ + return 1; + } + +@@ -606,7 +623,7 @@ + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("Permissions 0%3.3o for '%s' are too open.", + (u_int)st.st_mode & 0777, filename); +- error("It is recommended that your private key files are NOT accessible by others."); ++ error("It is required that your private key files are NOT accessible by others."); + error("This private key will be ignored."); + return 0; + } +@@ -626,6 +643,7 @@ + case KEY_UNSPEC: + return key_parse_private_pem(blob, type, passphrase, commentp); + default: ++ error("%s: cannot parse key type %d", __func__, type); + break; + } + return NULL; +@@ -670,11 +688,38 @@ + } + + Key * ++key_parse_private(Buffer *buffer, const char *filename, ++ const char *passphrase, char **commentp) ++{ ++ Key *pub, *prv; ++ Buffer pubcopy; ++ ++ buffer_init(&pubcopy); ++ buffer_append(&pubcopy, buffer_ptr(buffer), buffer_len(buffer)); ++ /* it's a SSH v1 key if the public key part is readable */ ++ pub = key_parse_public_rsa1(&pubcopy, commentp); ++ buffer_free(&pubcopy); ++ if (pub == NULL) { ++ prv = key_parse_private_type(buffer, KEY_UNSPEC, ++ passphrase, NULL); ++ /* use the filename as a comment for PEM */ ++ if (commentp && prv) ++ *commentp = xstrdup(filename); ++ } else { ++ key_free(pub); ++ /* key_parse_public_rsa1() has already loaded the comment */ ++ prv = key_parse_private_type(buffer, KEY_RSA1, passphrase, ++ NULL); ++ } ++ return prv; ++} ++ ++Key * + key_load_private(const char *filename, const char *passphrase, + char **commentp) + { +- Key *pub, *prv; +- Buffer buffer, pubcopy; ++ Key *prv; ++ Buffer buffer; + int fd; + + fd = open(filename, O_RDONLY); +@@ -697,23 +742,7 @@ + } + close(fd); + +- buffer_init(&pubcopy); +- buffer_append(&pubcopy, buffer_ptr(&buffer), buffer_len(&buffer)); +- /* it's a SSH v1 key if the public key part is readable */ +- pub = key_parse_public_rsa1(&pubcopy, commentp); +- buffer_free(&pubcopy); +- if (pub == NULL) { +- prv = key_parse_private_type(&buffer, KEY_UNSPEC, +- passphrase, NULL); +- /* use the filename as a comment for PEM */ +- if (commentp && prv) +- *commentp = xstrdup(filename); +- } else { +- key_free(pub); +- /* key_parse_public_rsa1() has already loaded the comment */ +- prv = key_parse_private_type(&buffer, KEY_RSA1, passphrase, +- NULL); +- } ++ prv = key_parse_private(&buffer, filename, passphrase, commentp); + buffer_free(&buffer); + return prv; + } +@@ -737,13 +766,19 @@ + case '\0': + continue; + } ++ /* Abort loading if this looks like a private key */ ++ if (strncmp(cp, "-----BEGIN", 10) == 0) ++ break; + /* Skip leading whitespace. */ + for (; *cp && (*cp == ' ' || *cp == '\t'); cp++) + ; + if (*cp) { + if (key_read(k, &cp) == 1) { +- if (commentp) +- *commentp=xstrdup(filename); ++ cp[strcspn(cp, "\r\n")] = '\0'; ++ if (commentp) { ++ *commentp = xstrdup(*cp ? ++ cp : filename); ++ } + fclose(f); + return 1; + } -- cgit v1.2.3-54-g00ecf