OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 18-Feb-2006 13:09:04
Branch: OPENPKG_2_5_SOLID Handle: 2006021812090300
Modified files: (Branch: OPENPKG_2_5_SOLID)
openpkg-src/openssh openssh.patch openssh.spec
Log:
Security Fixes (CVE-2006-0225)
Summary:
Revision Changes Path
1.14.2.1 +335 -0 openpkg-src/openssh/openssh.patch
1.153.2.3 +1 -1 openpkg-src/openssh/openssh.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/openssh/openssh.patch
============================================================================
$ cvs diff -u -r1.14 -r1.14.2.1 openssh.patch
--- openpkg-src/openssh/openssh.patch 1 Sep 2005 18:21:39 -0000 1.14
+++ openpkg-src/openssh/openssh.patch 18 Feb 2006 12:09:03 -0000 1.14.2.1
@@ -31,3 +31,338 @@
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE " @l_openpkg_release@"
+
+-----------------------------------------------------------------------------
+
+Security Fixes (CVE-2006-0225)
+
+Index: misc.c
+--- misc.c.orig 2005-07-14 09:05:02 +0200
++++ misc.c 2006-02-18 12:51:11 +0100
+@@ -356,12 +356,15 @@
+ addargs(arglist *args, char *fmt, ...)
+ {
+ va_list ap;
+- char buf[1024];
++ char *cp;
+ u_int nalloc;
++ int r;
+
+ va_start(ap, fmt);
+- vsnprintf(buf, sizeof(buf), fmt, ap);
++ r = vasprintf(&cp, fmt, ap);
+ va_end(ap);
++ if (r == -1)
++ fatal("addargs: argument too long");
+
+ nalloc = args->nalloc;
+ if (args->list == NULL) {
+@@ -372,10 +375,44 @@
+
+ args->list = xrealloc(args->list, nalloc * sizeof(char *));
+ args->nalloc = nalloc;
+- args->list[args->num++] = xstrdup(buf);
++ args->list[args->num++] = cp;
+ args->list[args->num] = NULL;
+ }
+
++void
++replacearg(arglist *args, u_int which, char *fmt, ...)
++{
++ va_list ap;
++ char *cp;
++ int r;
++
++ va_start(ap, fmt);
++ r = vasprintf(&cp, fmt, ap);
++ va_end(ap);
++ if (r == -1)
++ fatal("replacearg: argument too long");
++
++ if (which >= args->num)
++ fatal("replacearg: tried to replace invalid arg %d >= %d",
++ which, args->num);
++ xfree(args->list[which]);
++ args->list[which] = cp;
++}
++
++void
++freeargs(arglist *args)
++{
++ u_int i;
++
++ if (args->list != NULL) {
++ for (i = 0; i < args->num; i++)
++ xfree(args->list[i]);
++ xfree(args->list);
++ args->nalloc = args->num = 0;
++ args->list = NULL;
++ }
++}
++
+ /*
+ * Expands tildes in the file name. Returns data allocated by xmalloc.
+ * Warning: this calls getpw*.
+Index: misc.h
+--- misc.h.orig 2005-07-14 09:07:21 +0200
++++ misc.h 2006-02-18 12:51:11 +0100
+@@ -36,7 +36,11 @@
+ u_int num;
+ u_int nalloc;
+ };
+-void addargs(arglist *, char *, ...) __attribute__((format(printf,
2, 3)));
++void addargs(arglist *, char *, ...)
++ __attribute__((format(printf, 2, 3)));
++void replacearg(arglist *, u_int, char *, ...)
++ __attribute__((format(printf, 3, 4)));
++void freeargs(arglist *);
+
+ /* readpass.c */
+
+Index: scp.c
+--- scp.c.orig 2005-08-02 09:07:08 +0200
++++ scp.c 2006-02-18 12:53:25 +0100
+@@ -118,6 +118,48 @@
+ exit(1);
+ }
+
++static int
++do_local_cmd(arglist *a)
++{
++ u_int i;
++ int status;
++ pid_t pid;
++
++ if (a->num == 0)
++ fatal("do_local_cmd: no arguments");
++
++ if (verbose_mode) {
++ fprintf(stderr, "Executing:");
++ for (i = 0; i < a->num; i++)
++ fprintf(stderr, " %s", a->list[i]);
++ fprintf(stderr, "\n");
++ }
++ if ((pid = fork()) == -1)
++ fatal("do_local_cmd: fork: %s", strerror(errno));
++
++ if (pid == 0) {
++ execvp(a->list[0], a->list);
++ perror(a->list[0]);
++ exit(1);
++ }
++
++ do_cmd_pid = pid;
++ signal(SIGTERM, killchild);
++ signal(SIGINT, killchild);
++ signal(SIGHUP, killchild);
++
++ while (waitpid(pid, &status, 0) == -1)
++ if (errno != EINTR)
++ fatal("do_local_cmd: waitpid: %s", strerror(errno));
++
++ do_cmd_pid = -1;
++
++ if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
++ return (-1);
++
++ return (0);
++}
++
+ /*
+ * This function executes the given command as the specified user on the
+ * given host. This returns < 0 if execution fails, and >= 0 otherwise.
This
+@@ -162,7 +204,7 @@
+ close(pin[0]);
+ close(pout[1]);
+
+- args.list[0] = ssh_program;
++ replacearg(&args, 0, "%s", ssh_program);
+ if (remuser != NULL)
+ addargs(&args, "-l%s", remuser);
+ addargs(&args, "%s", host);
+@@ -224,8 +266,9 @@
+
+ __progname = ssh_get_progname(argv[0]);
+
++ memset(&args, '\0', sizeof(args));
+ args.list = NULL;
+- addargs(&args, "ssh"); /* overwritten with ssh_program */
++ addargs(&args, "%s", ssh_program);
+ addargs(&args, "-x");
+ addargs(&args, "-oForwardAgent no");
+ addargs(&args, "-oClearAllForwardings yes");
+@@ -336,9 +379,9 @@
+ if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */
+ toremote(targ, argc, argv);
+ else {
+- tolocal(argc, argv); /* Dest is local host. */
+ if (targetshouldbedirectory)
+ verifydir(argv[argc - 1]);
++ tolocal(argc, argv); /* Dest is local host. */
+ }
+ /*
+ * Finally check the exit status of the ssh process, if one was forked
+@@ -364,6 +407,10 @@
+ {
+ int i, len;
+ char *bp, *host, *src, *suser, *thost, *tuser, *arg;
++ arglist alist;
++
++ memset(&alist, '\0', sizeof(alist));
++ alist.list = NULL;
+
+ *targ++ = 0;
+ if (*targ == 0)
+@@ -381,56 +428,48 @@
+ tuser = NULL;
+ }
+
++ if (tuser != NULL && !okname(tuser)) {
++ xfree(arg);
++ return;
++ }
++
+ for (i = 0; i < argc - 1; i++) {
+ src = colon(argv[i]);
+ if (src) { /* remote to remote */
+- static char *ssh_options =
+- "-x -o'ClearAllForwardings yes'";
++ freeargs(&alist);
++ addargs(&alist, "%s", ssh_program);
++ if (verbose_mode)
++ addargs(&alist, "-v");
++ addargs(&alist, "-x");
++ addargs(&alist, "-oClearAllForwardings yes");
++ addargs(&alist, "-n");
++
+ *src++ = 0;
+ if (*src == 0)
+ src = ".";
+ host = strrchr(argv[i], '@');
+- len = strlen(ssh_program) + strlen(argv[i]) +
+- strlen(src) + (tuser ? strlen(tuser) : 0) +
+- strlen(thost) + strlen(targ) +
+- strlen(ssh_options) + CMDNEEDS + 20;
+- bp = xmalloc(len);
++
+ if (host) {
+ *host++ = 0;
+ host = cleanhostname(host);
+ suser = argv[i];
+ if (*suser == '\0')
+ suser = pwd->pw_name;
+- else if (!okname(suser)) {
+- xfree(bp);
++ else if (!okname(suser))
+ continue;
+- }
+- if (tuser && !okname(tuser)) {
+- xfree(bp);
+- continue;
+- }
+- snprintf(bp, len,
+- "%s%s %s -n "
+- "-l %s %s %s %s '%s%s%s:%s'",
+- ssh_program, verbose_mode ? " -v" : "",
+- ssh_options, suser, host, cmd, src,
+- tuser ? tuser : "", tuser ? "@" : "",
+- thost, targ);
++ addargs(&alist, "-l");
++ addargs(&alist, "%s", suser);
+ } else {
+ host = cleanhostname(argv[i]);
+- snprintf(bp, len,
+- "exec %s%s %s -n %s "
+- "%s %s '%s%s%s:%s'",
+- ssh_program, verbose_mode ? " -v" : "",
+- ssh_options, host, cmd, src,
+- tuser ? tuser : "", tuser ? "@" : "",
+- thost, targ);
+ }
+- if (verbose_mode)
+- fprintf(stderr, "Executing: %s\n", bp);
+- if (system(bp) != 0)
++ addargs(&alist, "%s", host);
++ addargs(&alist, "%s", cmd);
++ addargs(&alist, "%s", src);
++ addargs(&alist, "%s%s%s:%s",
++ tuser ? tuser : "", tuser ? "@" : "",
++ thost, targ);
++ if (do_local_cmd(&alist) != 0)
+ errs = 1;
+- (void) xfree(bp);
+ } else { /* local to remote */
+ if (remin == -1) {
+ len = strlen(targ) + CMDNEEDS + 20;
+@@ -454,20 +493,23 @@
+ {
+ int i, len;
+ char *bp, *host, *src, *suser;
++ arglist alist;
++
++ memset(&alist, '\0', sizeof(alist));
++ alist.list = NULL;
+
+ for (i = 0; i < argc - 1; i++) {
+ if (!(src = colon(argv[i]))) { /* Local to local. */
+- len = strlen(_PATH_CP) + strlen(argv[i]) +
+- strlen(argv[argc - 1]) + 20;
+- bp = xmalloc(len);
+- (void) snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP,
+- iamrecursive ? " -r" : "", pflag ? " -p" : "",
+- argv[i], argv[argc - 1]);
+- if (verbose_mode)
+- fprintf(stderr, "Executing: %s\n", bp);
+- if (system(bp))
++ freeargs(&alist);
++ addargs(&alist, "%s", _PATH_CP);
++ if (iamrecursive)
++ addargs(&alist, "-r");
++ if (pflag)
++ addargs(&alist, "-p");
++ addargs(&alist, "%s", argv[i]);
++ addargs(&alist, "%s", argv[argc-1]);
++ if (do_local_cmd(&alist))
+ ++errs;
+- (void) xfree(bp);
+ continue;
+ }
+ *src++ = 0;
+Index: sftp.c
+--- sftp.c.orig 2005-08-23 00:06:56 +0200
++++ sftp.c 2006-02-18 12:52:38 +0100
+@@ -1448,8 +1448,9 @@
+ extern char *optarg;
+
+ __progname = ssh_get_progname(argv[0]);
++ memset(&args, '\0', sizeof(args));
+ args.list = NULL;
+- addargs(&args, "ssh"); /* overwritten with ssh_program */
++ addargs(&args, ssh_program);
+ addargs(&args, "-oForwardX11 no");
+ addargs(&args, "-oForwardAgent no");
+ addargs(&args, "-oClearAllForwardings yes");
+@@ -1483,6 +1484,7 @@
+ break;
+ case 'S':
+ ssh_program = optarg;
++ replacearg(&args, 0, "%s", ssh_program);
+ break;
+ case 'b':
+ if (batchmode)
+@@ -1559,7 +1561,6 @@
+ addargs(&args, "%s", host);
+ addargs(&args, "%s", (sftp_server != NULL ?
+ sftp_server : "sftp"));
+- args.list[0] = ssh_program;
+
+ if (!batchmode)
+ fprintf(stderr, "Connecting to %s...\n", host);
+@@ -1572,6 +1573,7 @@
+ fprintf(stderr, "Attaching to %s...\n", sftp_direct);
+ connect_to_server(sftp_direct, args.list, &in, &out);
+ }
++ freeargs(&args);
+
+ err = interactive_loop(in, out, file1, file2);
+
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/openssh/openssh.spec
============================================================================
$ cvs diff -u -r1.153.2.2 -r1.153.2.3 openssh.spec
--- openpkg-src/openssh/openssh.spec 19 Jan 2006 15:45:31 -0000
1.153.2.2
+++ openpkg-src/openssh/openssh.spec 18 Feb 2006 12:09:03 -0000
1.153.2.3
@@ -41,7 +41,7 @@
Group: Security
License: BSD
Version: %{V_base}%{V_portable}
-Release: 2.5.1
+Release: 2.5.2
# package options
%option with_fsl yes
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [email protected]
