OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src openpkg-web          Date:   17-Sep-2003 09:55:29
  Branch: OPENPKG_1_2_SOLID HEAD           Handle: 2003091708552801

  Modified files:
    openpkg-web             news.txt
  Modified files:           (Branch: OPENPKG_1_2_SOLID)
    openpkg-src/openssh     openssh.patch openssh.spec

  Log:
    apply buffer.adv V2 patch plus similar extra ones

  Summary:
    Revision    Changes     Path
    1.1.6.2     +225 -0     openpkg-src/openssh/openssh.patch
    1.70.2.1.2.6+2  -4      openpkg-src/openssh/openssh.spec
    1.6593      +1  -0      openpkg-web/news.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/openssh/openssh.patch
  ============================================================================
  $ cvs diff -u -r1.1.6.1 -r1.1.6.2 openssh.patch
  --- openpkg-src/openssh/openssh.patch 6 Aug 2003 13:07:44 -0000       1.1.6.1
  +++ openpkg-src/openssh/openssh.patch 17 Sep 2003 07:55:29 -0000      1.1.6.2
  @@ -129,3 +129,228 @@
        memset(passwd, 0, strlen(passwd));
        xfree(passwd);
    
  +
  +http://www.openssh.com/txt/buffer.adv:
  +    All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
  +    management errors. It is uncertain whether these errors are
  +    potentially exploitable, however, we prefer to see bugs fixed
  +    proactively. Other implementations sharing common origin may also
  +    have these issues.
  +
  +Index: buffer.c
  +===================================================================
  +RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
  +retrieving revision 1.16
  +retrieving revision 1.18
  +diff -u -r1.16 -r1.18
  +--- buffer.c 26 Jun 2002 08:54:18 -0000      1.16
  ++++ buffer.c 16 Sep 2003 21:02:39 -0000      1.18
  +@@ -23,8 +23,11 @@
  + void
  + buffer_init(Buffer *buffer)
  + {
  +-    buffer->alloc = 4096;
  +-    buffer->buf = xmalloc(buffer->alloc);
  ++    const u_int len = 4096;
  ++
  ++    buffer->alloc = 0;
  ++    buffer->buf = xmalloc(len);
  ++    buffer->alloc = len;
  +     buffer->offset = 0;
  +     buffer->end = 0;
  + }
  +@@ -34,8 +37,10 @@
  + void
  + buffer_free(Buffer *buffer)
  + {
  +-    memset(buffer->buf, 0, buffer->alloc);
  +-    xfree(buffer->buf);
  ++    if (buffer->alloc > 0) {
  ++            memset(buffer->buf, 0, buffer->alloc);
  ++            xfree(buffer->buf);
  ++    }
  + }
  + 
  + /*
  +@@ -69,6 +74,7 @@
  + void *
  + buffer_append_space(Buffer *buffer, u_int len)
  + {
  ++    u_int newlen;
  +     void *p;
  + 
  +     if (len > 0x100000)
  +@@ -98,11 +104,13 @@
  +             goto restart;
  +     }
  +     /* Increase the size of the buffer and retry. */
  +-    buffer->alloc += len + 32768;
  +-    if (buffer->alloc > 0xa00000)
  ++    
  ++    newlen = buffer->alloc + len + 32768;
  ++    if (newlen > 0xa00000)
  +             fatal("buffer_append_space: alloc %u not supported",
  +-                buffer->alloc);
  +-    buffer->buf = xrealloc(buffer->buf, buffer->alloc);
  ++                newlen);
  ++    buffer->buf = xrealloc(buffer->buf, newlen);
  ++    buffer->alloc = newlen;
  +     goto restart;
  +     /* NOTREACHED */
  + }
  +Index: channels.c
  +===================================================================
  +RCS file: /cvs/src/usr.bin/ssh/channels.c,v
  +retrieving revision 1.194
  +retrieving revision 1.195
  +diff -u -r1.194 -r1.195
  +--- channels.c       29 Aug 2003 10:04:36 -0000      1.194
  ++++ channels.c       16 Sep 2003 21:02:40 -0000      1.195
  +@@ -228,12 +228,13 @@
  +     if (found == -1) {
  +             /* There are no free slots.  Take last+1 slot and expand the array.  */
  +             found = channels_alloc;
  +-            channels_alloc += 10;
  +             if (channels_alloc > 10000)
  +                     fatal("channel_new: internal error: channels_alloc %d "
  +                         "too big.", channels_alloc);
  ++            channels = xrealloc(channels,
  ++                (channels_alloc + 10) * sizeof(Channel *));
  ++            channels_alloc += 10;
  +             debug2("channel: expanding %d", channels_alloc);
  +-            channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
  +             for (i = found; i < channels_alloc; i++)
  +                     channels[i] = NULL;
  +     }
  +
  +
  +These patches adjust (re)allocation procedures so they do not
  +alter context structures unless the (re)allocation was successful.
  +Otherwise the fatal cleanup functions (trigged from within the
  +failing (re)allocation functions) will be confused and especially
  +(for some instances) incorrectly clear (smaller than recorded) memory
  +buffers with NUL bytes. This patch is based on work by Solar Designer
  +<[EMAIL PROTECTED]>.
  +
  +Index: deattack.c
  +--- deattack.c.orig  2002-03-05 02:53:05.000000000 +0100
  ++++ deattack.c       2003-09-17 09:30:09.000000000 +0200
  +@@ -100,12 +100,12 @@
  + 
  +     if (h == NULL) {
  +             debug("Installing crc compensation attack detector.");
  ++            h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
  +             n = l;
  +-            h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
  +     } else {
  +             if (l > n) {
  ++                    h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
  +                     n = l;
  +-                    h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
  +             }
  +     }
  + 
  +Index: misc.c
  +--- misc.c.orig      2003-08-25 03:16:21.000000000 +0200
  ++++ misc.c   2003-09-17 09:30:09.000000000 +0200
  +@@ -308,18 +308,21 @@
  + {
  +     va_list ap;
  +     char buf[1024];
  ++    int nalloc;
  + 
  +     va_start(ap, fmt);
  +     vsnprintf(buf, sizeof(buf), fmt, ap);
  +     va_end(ap);
  + 
  ++    nalloc = args->nalloc;
  +     if (args->list == NULL) {
  +-            args->nalloc = 32;
  ++            nalloc = 32;
  +             args->num = 0;
  +-    } else if (args->num+2 >= args->nalloc)
  +-            args->nalloc *= 2;
  ++    } else if (args->num+2 >= nalloc)
  ++            nalloc *= 2;
  + 
  +-    args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
  ++    args->list = xrealloc(args->list, nalloc * sizeof(char *));
  ++    args->nalloc = nalloc;
  +     args->list[args->num++] = xstrdup(buf);
  +     args->list[args->num] = NULL;
  + }
  +Index: session.c
  +--- session.c.orig   2003-09-16 03:52:19.000000000 +0200
  ++++ session.c        2003-09-17 09:34:20.000000000 +0200
  +@@ -800,6 +800,7 @@
  + {
  +     u_int i, namelen;
  +     char **env;
  ++    u_int envsize;
  + 
  +     /*
  +      * If we're passed an uninitialized list, allocate a single null
  +@@ -826,12 +827,14 @@
  +             xfree(env[i]);
  +     } else {
  +             /* New variable.  Expand if necessary. */
  +-            if (i >= (*envsizep) - 1) {
  +-                    if (*envsizep >= 1000)
  ++            envsize = *envsizep;
  ++            if (i >= envsize - 1) {
  ++                    if (envsize >= 1000)
  +                             fatal("child_set_env: too many env vars,"
  +                                 " skipping: %.100s", name);
  +-                    (*envsizep) += 50;
  +-                    env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
  ++                    envsize += 50;
  ++                    env = (*envp) = xrealloc(env, envsize * sizeof(char *));
  ++                    *envsizep = envsize;
  +             }
  +             /* Need to set the NULL pointer at end of array beyond the new slot. */
  +             env[i + 1] = NULL;
  +Index: ssh-agent.c
  +--- ssh-agent.c.orig 2003-08-22 01:34:41.000000000 +0200
  ++++ ssh-agent.c      2003-09-17 09:30:09.000000000 +0200
  +@@ -784,7 +784,7 @@
  + static void
  + new_socket(sock_type type, int fd)
  + {
  +-    u_int i, old_alloc;
  ++    u_int i, old_alloc, new_alloc;
  + 
  +     if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
  +             error("fcntl O_NONBLOCK: %s", strerror(errno));
  +@@ -795,25 +795,26 @@
  +     for (i = 0; i < sockets_alloc; i++)
  +             if (sockets[i].type == AUTH_UNUSED) {
  +                     sockets[i].fd = fd;
  +-                    sockets[i].type = type;
  +                     buffer_init(&sockets[i].input);
  +                     buffer_init(&sockets[i].output);
  +                     buffer_init(&sockets[i].request);
  ++                    sockets[i].type = type;
  +                     return;
  +             }
  +     old_alloc = sockets_alloc;
  +-    sockets_alloc += 10;
  ++    new_alloc = sockets_alloc + 10;
  +     if (sockets)
  +-            sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
  ++            sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
  +     else
  +-            sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
  +-    for (i = old_alloc; i < sockets_alloc; i++)
  ++            sockets = xmalloc(new_alloc * sizeof(sockets[0]));
  ++    for (i = old_alloc; i < new_alloc; i++)
  +             sockets[i].type = AUTH_UNUSED;
  +-    sockets[old_alloc].type = type;
  ++    sockets_alloc = new_alloc;
  +     sockets[old_alloc].fd = fd;
  +     buffer_init(&sockets[old_alloc].input);
  +     buffer_init(&sockets[old_alloc].output);
  +     buffer_init(&sockets[old_alloc].request);
  ++    sockets[old_alloc].type = type;
  + }
  + 
  + static int
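Review bot: In the nested buffer.c hunk, the new buffer_free frees buffer->buf when alloc is non-zero but leaves buffer->alloc at its old value, so a second buffer_free on the same Buffer — which a fatal-cleanup handler could plausibly reach, given that this series is written for exactly that path — would memset and xfree the stale pointer again. Clearing the count before releasing the memory makes repeated calls a no-op and mirrors what the new buffer_init already does by setting alloc = 0 before xmalloc and len only afterwards: `buffer->alloc = 0;` inserted between the memset and the xfree. Of the (re)allocation sites touched, addargs in misc.c is the only one whose growth (`nalloc *= 2`) has no upper bound comparable to the fatal() limits in buffer_append_space, channel_new and child_set_env; whether that matters depends on callers outside the hunk. The other nested hunks (channels.c, deattack.c, session.c, ssh-agent.c) apply the update-state-only-after-successful-allocation rule consistently.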
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/openssh/openssh.spec
  ============================================================================
  $ cvs diff -u -r1.70.2.1.2.5 -r1.70.2.1.2.6 openssh.spec
  --- openpkg-src/openssh/openssh.spec  16 Sep 2003 17:52:35 -0000      1.70.2.1.2.5
  +++ openpkg-src/openssh/openssh.spec  17 Sep 2003 07:55:29 -0000      1.70.2.1.2.6
  @@ -38,7 +38,7 @@
   Group:        Security
   License:      BSD
   Version:      %{V_base}%{V_portable}
  -Release:      1.2.3
  +Release:      1.2.4
   
   #   package options
   %option       with_pam     no
  @@ -59,7 +59,6 @@
   Source8:      ssh-keyman.pod
   Source9:      http://chrootssh.sourceforge.net/patches/osshChroot-%{V_chroot}.diff
   Patch0:       openssh.patch
  -Patch1:       http://www.openssh.com/txt/buffer.adv
   
   #   build information
   Prefix:       %{l_prefix}
  @@ -97,8 +96,7 @@
   %prep
       #   unpack distribution
       %setup -q
  -    %patch -p0 -P 0
  -    %patch -p0 -P 1
  +    %patch -p0
   
       #   optionally apply chroot(2) patch
   %if "%{with_chroot}" == "yes"
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/news.txt
  ============================================================================
  $ cvs diff -u -r1.6592 -r1.6593 news.txt
  --- openpkg-web/news.txt      17 Sep 2003 07:51:49 -0000      1.6592
  +++ openpkg-web/news.txt      17 Sep 2003 07:55:28 -0000      1.6593
  @@ -1,3 +1,4 @@
  +17-Sep-2003: Upgraded package: P<openssh-3.5p1-1.2.4>
   17-Sep-2003: Upgraded package: P<openssh-3.6.1p2-1.3.2>
   17-Sep-2003: Upgraded package: P<mplayer-1.0pre1-20030917>
   17-Sep-2003: Upgraded package: P<openssh-3.7.1p1-20030917>
  @@ .