Author: oden Date: Wed Feb 7 18:28:18 2007 New Revision: 117270 Added: packages/cooker/uClibc-openssh/current/SOURCES/openssh-4.3_p2-identical-simple-dos-2.patch packages/cooker/uClibc-openssh/current/SOURCES/openssh-4.3p1-4.5_security_fix.patch packages/cooker/uClibc-openssh/current/SOURCES/openssh-4.3p1-CVE-2006-5051.patch Modified: packages/cooker/uClibc-openssh/current/SPECS/uClibc-openssh.spec
Log: - make it compile Added: packages/cooker/uClibc-openssh/current/SOURCES/openssh-4.3_p2-identical-simple-dos-2.patch ============================================================================== --- (empty file) +++ packages/cooker/uClibc-openssh/current/SOURCES/openssh-4.3_p2-identical-simple-dos-2.patch Wed Feb 7 18:28:18 2007 
@@ -0,0 +1,119 @@ +http://bugs.gentoo.org/148228 + +taken from upstream cvs and munged a little to apply against 4.3p2 + +=================================================================== +RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.c,v +retrieving revision 1.29 +retrieving revision 1.30 +diff -u -r1.29 -r1.30 +--- src/usr.bin/ssh/deattack.c 2006/08/03 03:34:42 1.29 ++++ src/usr.bin/ssh/deattack.c 2006/09/16 19:53:37 1.30 +@@ -30,6 +30,24 @@ + #include "crc32.h" + #include "misc.h" + ++/* ++ * CRC attack detection has a worst-case behaviour that is O(N^3) over ++ * the number of identical blocks in a packet. This behaviour can be ++ * exploited to create a limited denial of service attack. ++ * ++ * However, because we are dealing with encrypted data, identical ++ * blocks should only occur every 2^35 maximally-sized packets or so. ++ * Consequently, we can detect this DoS by looking for identical blocks ++ * in a packet. ++ * ++ * The parameter below determines how many identical blocks we will ++ * accept in a single packet, trading off between attack detection and ++ * likelihood of terminating a legitimate connection. 
A value of 32 ++ * corresponds to an average of 2^40 messages before an attack is ++ * misdetected ++ */ ++#define MAX_IDENTICAL 32 ++ + /* SSH Constants */ + #define SSH_MAXBLOCKS (32 * 1024) + #define SSH_BLOCKSIZE (8) +@@ -85,7 +103,7 @@ + static u_int16_t *h = (u_int16_t *) NULL; + static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; + u_int32_t i, j; +- u_int32_t l; ++ u_int32_t l, same; + u_char *c; + u_char *d; + +@@ -122,11 +140,13 @@ + if (IV) + h[HASH(IV) & (n - 1)] = HASH_IV; + +- for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { ++ for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { + for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; + i = (i + 1) & (n - 1)) { ++ if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE) && ++same > MAX_IDENTICAL) ++ return (DEATTACK_DOS_DETECTED); + if (h[i] == HASH_IV) { + if (!CMP(c, IV)) { + if (check_crc(c, buf, len, IV)) + return (DEATTACK_DETECTED); + else +=================================================================== +RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v +retrieving revision 1.143 +retrieving revision 1.144 +diff -u -r1.143 -r1.144 +--- src/usr.bin/ssh/packet.c 2006/08/05 08:34:04 1.143 ++++ src/usr.bin/ssh/packet.c 2006/09/16 19:53:37 1.144 +@@ -991,9 +991,16 @@ + * (C)1998 CORE-SDI, Buenos Aires Argentina + * Ariel Futoransky([EMAIL PROTECTED]) + */ +- if (!receive_context.plaintext && +- detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED) +- packet_disconnect("crc32 compensation attack: network attack detected"); ++ if (!receive_context.plaintext) { ++ switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) { ++ case DEATTACK_DETECTED: ++ packet_disconnect("crc32 compensation attack: " ++ "network attack detected"); ++ case DEATTACK_DOS_DETECTED: ++ packet_disconnect("deattack denial of " ++ "service detected"); ++ } ++ } + + /* Decrypt data to incoming_packet. 
*/ + buffer_clear(&incoming_packet); +=================================================================== +RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.h,v +retrieving revision 1.9 +retrieving revision 1.10 +diff -u -r1.9 -r1.10 +--- src/usr.bin/ssh/deattack.h 2006/03/25 22:22:43 1.9 ++++ src/usr.bin/ssh/deattack.h 2006/09/16 19:53:37 1.10 +@@ -25,6 +25,7 @@ + /* Return codes */ + #define DEATTACK_OK 0 + #define DEATTACK_DETECTED 1 ++#define DEATTACK_DOS_DETECTED 2 + + int detect_attack(u_char *, u_int32_t); + #endif +=================================================================== +RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v +retrieving revision 1.144 +retrieving revision 1.145 +diff -u -r1.144 -r1.145 +--- src/usr.bin/ssh/packet.c 2006/09/16 19:53:37 1.144 ++++ src/usr.bin/ssh/packet.c 2006/09/19 21:14:08 1.145 +@@ -682,6 +682,9 @@ + */ + after_authentication = 1; + for (mode = 0; mode < MODE_MAX; mode++) { ++ /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */ ++ if (newkeys[mode] == NULL) ++ continue; + comp = &newkeys[mode]->comp; + if (comp && !comp->enabled && comp->type == COMP_DELAYED) { + packet_init_compression(); Added: packages/cooker/uClibc-openssh/current/SOURCES/openssh-4.3p1-4.5_security_fix.patch ============================================================================== --- (empty file) +++ packages/cooker/uClibc-openssh/current/SOURCES/openssh-4.3p1-4.5_security_fix.patch Wed Feb 7 18:28:18 2007 
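Review bot: In the packet.c hunk (`@@ -991,9 +991,16 @@`) the new `switch` lets `case DEATTACK_DETECTED:` run straight into `case DEATTACK_DOS_DETECTED:` with no `break`, and there is no `default` arm for `DEATTACK_OK`; this is only correct because `packet_disconnect()` never returns, which nothing in the block says. I would put `/* NOTREACHED */` after each `packet_disconnect()` call and add `default: break;`, so fall-through and switch warnings do not flag the block and a future non-terminating disconnect path cannot silently drop into the DoS case. The packet reader that contains this switch, and the `detect_attack()` body that the two deattack.c hunks modify, both continue outside the visible nested hunks.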
@@ -0,0 +1,29 @@ +--- monitor.c~ 2006-11-08 11:08:30.000000000 -0700 ++++ monitor.c 2006-11-08 11:08:30.000000000 -0700 +@@ -326,7 +326,7 @@ + + /* The first few requests do not require asynchronous access */ + while (!authenticated) { +- authenticated = monitor_read(pmonitor, mon_dispatch, &ent); ++ authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); + if (authenticated) { + if (!(ent->flags & MON_AUTHDECIDE)) + fatal("%s: unexpected authentication from %d", +@@ -1179,7 +1179,7 @@ + + verified = key_verify(key, signature, signaturelen, data, datalen); + debug3("%s: key %p signature %s", +- __func__, key, verified ? "verified" : "unverified"); ++ __func__, key, (verified == 1) ? "verified" : "unverified"); + + key_free(key); + xfree(blob); +@@ -1194,7 +1194,7 @@ + buffer_put_int(m, verified); + mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m); + +- return (verified); ++ return (verified == 1); + } + + static void Added: packages/cooker/uClibc-openssh/current/SOURCES/openssh-4.3p1-CVE-2006-5051.patch ============================================================================== --- (empty file) +++ packages/cooker/uClibc-openssh/current/SOURCES/openssh-4.3p1-CVE-2006-5051.patch Wed Feb 7 18:28:18 2007 
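Review bot: The `@@ -1194,7 +1194,7 @@` hunk normalizes the monitor's own return value to `verified == 1` but still sends the raw `key_verify()` result to the unprivileged side one line earlier with `buffer_put_int(m, verified)`, so the two processes can disagree about the outcome whenever `key_verify()` returns something other than 0 or 1. Normalizing once at the call site in the `@@ -1179` hunk, `verified = (key_verify(key, signature, signaturelen, data, datalen) == 1);`, makes the debug message, the reply and the return value agree and lets the two later `== 1` tests go. The consumer of that reply lives outside this patch, so whether it already applies the same test cannot be confirmed from here. The enclosing functions of all three hunks start before and end after the visible lines.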
@@ -0,0 +1,97 @@ +----------------------------------------------------------------------------- + +Security Fixes (CVE-2006-5051) + +Index: auth.h +--- auth.h.orig 2005-07-07 03:50:20 +0200 ++++ auth.h 2006-10-01 10:05:56 +0200 +@@ -49,6 +49,7 @@ + + struct Authctxt { + int success; ++ int authenticated; /* authenticated and alarms cancelled */ + int postponed; /* authentication needs another step */ + int valid; /* user exists and is allowed to login */ + int attempt; +Index: defines.h +--- defines.h.orig 2005-08-31 18:59:49 +0200 ++++ defines.h 2006-10-01 10:05:56 +0200 +@@ -540,6 +540,11 @@ + # undef HAVE_UPDWTMPX + #endif + ++#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) && \ ++ defined(SYSLOG_R_SAFE_IN_SIGHAND) ++# define DO_LOG_SAFE_IN_SIGHAND ++#endif ++ + #if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) + # define memmove(s1, s2, n) bcopy((s2), (s1), (n)) + #endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */ +Index: log.c +--- log.c.orig 2005-03-09 10:12:48 +0100 ++++ log.c 2006-10-01 10:05:56 +0200 +@@ -130,6 +130,20 @@ + va_end(args); + } + ++void ++sigdie(const char *fmt,...) ++{ ++#ifdef DO_LOG_SAFE_IN_SIGHAND ++ va_list args; ++ ++ va_start(args, fmt); ++ do_log(SYSLOG_LEVEL_FATAL, fmt, args); ++ va_end(args); ++#endif ++ _exit(1); ++} ++ ++ + /* Log this message (information that usually should go to the log). */ + + void +Index: log.h +--- log.h.orig 2004-06-22 04:57:44 +0200 ++++ log.h 2006-10-01 10:05:56 +0200 +@@ -55,6 +55,7 @@ + + void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2))); + void error(const char *, ...) __attribute__((format(printf, 1, 2))); ++void sigdie(const char *, ...) __attribute__((format(printf, 1, 2))); + void logit(const char *, ...) __attribute__((format(printf, 1, 2))); + void verbose(const char *, ...) __attribute__((format(printf, 1, 2))); + void debug(const char *, ...) 
__attribute__((format(printf, 1, 2))); +Index: session.c +--- session.c.orig 2005-08-31 18:59:49 +0200 ++++ session.c 2006-10-01 10:05:57 +0200 +@@ -2434,7 +2434,7 @@ + return; + called = 1; + +- if (authctxt == NULL) ++ if (authctxt == NULL || !authctxt->authenticated) + return; + #ifdef KRB5 + if (options.kerberos_ticket_cleanup && +--- sshd.c.cve-2006-5051 2005-12-23 20:59:12.000000000 -0700 ++++ sshd.c 2006-10-03 10:11:28.000000000 -0600 +@@ -312,7 +312,7 @@ + kill(pmonitor->m_pid, SIGALRM); + + /* Log error and exit. */ +- fatal("Timeout before authentication for %s", get_remote_ipaddr()); ++ sigdie("Timeout before authentication for %s", get_remote_ipaddr()); + } + + /* +@@ -1735,6 +1735,8 @@ + close(startup_pipe); + startup_pipe = -1; + } ++ ++ authctxt->authenticated = 1; + + #ifdef SSH_AUDIT_EVENTS + audit_event(SSH_AUTH_SUCCESS); Modified: packages/cooker/uClibc-openssh/current/SPECS/uClibc-openssh.spec ============================================================================== --- packages/cooker/uClibc-openssh/current/SPECS/uClibc-openssh.spec (original) +++ packages/cooker/uClibc-openssh/current/SPECS/uClibc-openssh.spec Wed Feb 7 18:28:18 2007 @@ -23,7 +23,7 @@ Summary: OpenSSH free Secure Shell (SSH) implementation Name: uClibc-%{realname} Version: 4.3p1 -Release: %mkrel 1 +Release: %mkrel 2 URL: http://www.openssh.com/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -33,6 +33,9 @@ Patch3: openssh-3.1p1-check-only-ssl-version.patch # (flepied) don't use killproc to avoid killing running sessions in some cases Patch5: openssh-3.6.1p1-initscript.patch +Patch11: openssh-4.3_p2-identical-simple-dos-2.patch +Patch12: openssh-4.3p1-CVE-2006-5051.patch +Patch13: openssh-4.3p1-4.5_security_fix.patch License: BSD Group: Networking/Remote access BuildRequires: groff-for-man 
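Review bot: In the log.h hunk the new `sigdie()` prototype carries only the format attribute, although its definition in the log.c hunk ends unconditionally in `_exit(1)` and the neighbouring `fatal()` declaration is marked `__dead`; declaring it `void sigdie(const char *, ...) __dead __attribute__((format(printf, 1, 2)));` tells the compiler that the alarm handler in sshd.c does not continue past the call. The log.c definition would also benefit from a one-line comment stating that when `DO_LOG_SAFE_IN_SIGHAND` is not defined the timeout exits without writing any log line, which the `SYSLOG_R_SAFE_IN_SIGHAND` name in the defines.h hunk suggests is deliberate rather than an oversight. The sshd.c and session.c hunks are cut from their enclosing functions, so whether every path that sets `authctxt->authenticated = 1` runs only after the grace alarm is cancelled cannot be checked from this view.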
@@ -115,6 +118,10 @@ %patch3 -p1 -b .ssl_ver %patch5 -p1 -b .initscript +%patch11 -p3 -b .cve-2006-4924_4925 +%patch12 -p0 -b .cve-2006-5051 +%patch13 -p0 -b .4.5_secfix + cp %{SOURCE2} uclibcsshd.init %build @@ -125,6 +132,7 @@ export CFLAGS="%{optflags}" uclibc ./configure \ + --host=i586-mandriva-linux-gnu \ --prefix=%{basedir}/usr \ --sysconfdir=%{_sysconfdir}/ssh \ --mandir=%{_mandir} \ @@ -134,8 +142,8 @@ --includedir=%{_includedir} \ --libexecdir=%{_libdir}/ssh \ --datadir=%{_datadir}/ssh \ - --with-ssl-dir=%{basedir}/usr \ - --with-zlib=%{basedir}/usr \ + --with-ssl-dir=%{basedir} \ + --with-zlib=%{basedir} \ --without-tcp-wrappers \ --without-pam \ --with-pid-dir=/var/run/sshd \ @@ -154,7 +162,6 @@ perl -pi -e "s|#define HAVE_SETLOGIN 1|/* undef HAVE_SETLOGIN */|;" config.h perl -pi -e "s|#define HAVE_GETGROUPLIST 1|/* undef HAVE_GETGROUPLIST */|;" config.h perl -pi -e "s|#define HAVE_FUTIMES 1|/* undef HAVE_FUTIMES */|;" config.h -perl -pi -e "s|-L\. -L|-L\. -L%{_prefix}/%{_target_cpu}-linux-uclibc/usr/lib -L|;" Makefile uclibc make
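Review bot: `--host=i586-mandriva-linux-gnu` in the `@@ -125,6 +132,7 @@` hunk hard-codes both the CPU and a glibc (`-gnu`) triplet into a uClibc build, while the Makefile fix-up removed in the `@@ -154,7 +162,6 @@` hunk referred to the toolchain as `%{_target_cpu}-linux-uclibc`. If the triplet is meant to describe the uClibc toolchain, `--host=%{_target_cpu}-linux-uclibc \` keeps it derived from the rpm target like the rest of the spec; if the `uclibc` wrapper in front of `./configure` actually requires the glibc triplet, a one-line comment above the option saying so would spare the next reader the question.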
