head 1.25; access; symbols OPENPKG_E1_MP_HEAD:1.18 OPENPKG_E1_MP:1.18 OPENPKG_E1_MP_2_STABLE:1.16.2.1 OPENPKG_E1_FP:1.16.2.1 OPENPKG_2_STABLE_MP:1.19 OPENPKG_2_STABLE_20061018:1.16.2.1 OPENPKG_2_STABLE_20060622:1.16 OPENPKG_2_STABLE:1.16.0.2 OPENPKG_2_STABLE_BP:1.16 OPENPKG_2_5_RELEASE:1.14 OPENPKG_2_5_SOLID:1.14.0.2 OPENPKG_2_5_SOLID_BP:1.14 OPENPKG_2_4_RELEASE:1.13 OPENPKG_2_4_SOLID:1.13.0.2 OPENPKG_2_4_SOLID_BP:1.13 OPENPKG_CW_FP:1.13 OPENPKG_2_3_RELEASE:1.12 OPENPKG_2_3_SOLID:1.12.0.2 OPENPKG_2_3_SOLID_BP:1.12 OPENPKG_2_2_RELEASE:1.11 OPENPKG_2_2_SOLID:1.11.0.2 OPENPKG_2_2_SOLID_BP:1.11 OPENPKG_2_1_RELEASE:1.10 OPENPKG_2_1_SOLID:1.10.0.2 OPENPKG_2_1_SOLID_BP:1.10 OPENPKG_2_0_RELEASE:1.7 OPENPKG_2_0_SOLID:1.7.0.2 OPENPKG_2_0_SOLID_BP:1.7 OPENPKG_1_3_RELEASE:1.1 OPENPKG_1_3_SOLID:1.1.0.8 OPENPKG_1_3_SOLID_BP:1.1 OPENPKG_1_2_SOLID:1.1.0.6 OPENPKG_1_2_SOLID_BP:1.1 OPENPKG_1_STABLE:1.1.0.4 OPENPKG_1_STABLE_BP:1.1 OPENPKG_1_0_SOLID:1.1.0.2; locks; strict; comment @# @; 1.25 date 2009.10.02.11.17.28; author rse; state Exp; branches; next 1.24; commitid Xk4IjVbjJ3Tu3X5u; 1.24 date 2009.02.25.11.30.07; author rse; state Exp; branches; next 1.23; commitid bjaokXKw9Z0haODt; 1.23 date 2008.07.22.06.40.10; author rse; state Exp; branches; next 1.22; commitid wzX0cmZIEkegzLbt; 1.22 date 2008.03.31.07.00.50; author rse; state Exp; branches; next 1.21; commitid AkgVggnP8MUxjfXs; 1.21 date 2007.09.05.06.48.39; author rse; state Exp; branches; next 1.20; commitid WXY9IaCSoN1TVvws; 1.20 date 2007.08.30.17.49.39; author rse; state Exp; branches; next 1.19; commitid heRpYhhMLG0CMNvs; 1.19 date 2007.03.10.08.35.34; author rse; state Exp; branches; next 1.18; commitid jNQ0JCZue7Iihw9s; 1.18 date 2006.11.08.08.03.37; author rse; state Exp; branches; next 1.17; commitid rZGOJbUJEEXr1QTr; 1.17 date 2006.09.28.06.26.20; author rse; state Exp; branches; next 1.16; commitid ewMY8OERO6cONyOr; 1.16 date 2006.02.11.08.29.38; author rse; state Exp; branches 1.16.2.1; next 1.15; commitid 
jPhEN94SBe8uQ8lr; 1.15 date 2006.02.01.18.49.18; author rse; state Exp; branches; next 1.14; commitid xrZO6IobC2NZAUjr; 1.14 date 2005.09.01.18.21.39; author rse; state Exp; branches 1.14.2.1; next 1.13; 1.13 date 2005.03.09.19.03.13; author rse; state Exp; branches 1.13.2.1; next 1.12; 1.12 date 2004.12.27.19.01.49; author rse; state Exp; branches 1.12.2.1; next 1.11; 1.11 date 2004.08.17.18.01.27; author rse; state Exp; branches; next 1.10; 1.10 date 2004.04.19.19.28.55; author rse; state Exp; branches; next 1.9; 1.9 date 2004.03.12.11.39.56; author rse; state Exp; branches; next 1.8; 1.8 date 2004.02.24.19.36.27; author rse; state Exp; branches; next 1.7; 1.7 date 2003.12.23.21.14.54; author rse; state Exp; branches; next 1.6; 1.6 date 2003.12.23.20.48.40; author rse; state Exp; branches; next 1.5; 1.5 date 2003.12.04.10.38.52; author ms; state Exp; branches; next 1.4; 1.4 date 2003.09.27.11.14.43; author rse; state Exp; branches; next 1.3; 1.3 date 2003.09.23.18.11.52; author rse; state dead; branches; next 1.2; 1.2 date 2003.09.17.07.43.52; author rse; state Exp; branches; next 1.1; 1.1 date 2002.03.07.15.22.41; author rse; state dead; branches 1.1.2.1 1.1.6.1 1.1.8.1; next ; 1.16.2.1 date 2006.09.29.06.46.19; author rse; state Exp; branches; next 1.16.2.2; commitid VGQpsUXdDfQESGOr; 1.16.2.2 date 2006.11.08.08.58.49; author rse; state Exp; branches; next 1.16.2.3; commitid L8ZKn0WyVOQpkQTr; 1.16.2.3 date 2007.03.18.23.32.08; author thl; state Exp; branches; next ; commitid j886gsownDQWXCas; 1.14.2.1 date 2006.02.18.12.09.03; author rse; state Exp; branches; next 1.14.2.2; commitid MPSoGklUnFcOP3mr; 1.14.2.2 date 2006.02.20.13.38.30; author rse; state Exp; branches; next 1.14.2.3; commitid EbH2mtH3YXGvgkmr; 1.14.2.3 date 2006.10.01.08.24.21; author rse; state Exp; branches; next ; commitid 6QyQEJyyDLMjmXOr; 1.13.2.1 date 2005.09.06.13.09.39; author rse; state Exp; branches; next 1.13.2.2; 1.13.2.2 date 2006.02.18.12.11.27; author rse; state Exp; branches; next 
1.13.2.3; commitid KtkGSoaHltWCQ3mr; 1.13.2.3 date 2006.02.20.13.42.42; author rse; state Exp; branches; next ; commitid HaiHUv2notIWhkmr; 1.12.2.1 date 2006.02.18.12.19.50; author rse; state Exp; branches; next 1.12.2.2; commitid UnN5kSGZsiPuT3mr; 1.12.2.2 date 2006.02.20.13.47.37; author rse; state Exp; branches; next ; commitid CW5YGtnPEPbCjkmr; 1.1.2.1 date 2002.03.07.15.22.41; author rse; state Exp; branches; next 1.1.2.2; 1.1.2.2 date 2002.06.26.20.18.05; author rse; state Exp; branches; next 1.1.2.3; 1.1.2.3 date 2002.07.10.09.59.10; author rse; state Exp; branches; next ; 1.1.6.1 date 2003.08.06.13.07.44; author thl; state Exp; branches; next 1.1.6.2; 1.1.6.2 date 2003.09.17.07.55.29; author rse; state Exp; branches; next ; 1.1.8.1 date 2003.09.17.07.51.50; author rse; state Exp; branches; next ; desc @@ 1.25 log @upgrading package: openssh 5.2p1 -> 5.3p1 @ text @Index: Makefile.in --- Makefile.in.orig 2009-08-28 02:47:38 +0200 +++ Makefile.in 2009-10-02 13:09:48 +0200 @@@@ -234,7 +234,7 @@@@ -rm -rf autom4te.cache (cd scard && $(MAKE) -f Makefile.in distprep) -install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config +install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files Index: auth-pam.h --- auth-pam.h.orig 2004-09-11 14:17:26 +0200 +++ auth-pam.h 2009-10-02 13:09:48 +0200 @@@@ -28,7 +28,7 @@@@ #ifdef USE_PAM #if !defined(SSHD_PAM_SERVICE) -# define SSHD_PAM_SERVICE __progname +# define SSHD_PAM_SERVICE "openssh" #endif void start_pam(Authctxt *); Index: version.h --- version.h.orig 2009-07-05 23:13:04 +0200 +++ version.h 2009-10-02 13:09:48 +0200 @@@@ -3,4 +3,4 @@@@ #define SSH_VERSION "OpenSSH_5.3" #define SSH_PORTABLE "p1" -#define SSH_RELEASE SSH_VERSION 
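Review bot: Removing `check-config` from the `install:` prerequisites in the Makefile.in hunk means the installed sshd_config is no longer validated as part of `make install`; upstream's `check-config` target runs `sshd -t` against the installed file, so a syntactically broken configuration would now only surface when the daemon is first started. The `install-nokeys` and `install-nosysconf` targets shown in the hunk already lack the check, so the change makes the three targets consistent, but nothing in this patch shows where the validation moved. If the OpenPKG package performs an equivalent `sshd -t` in its own install or rc hooks this is fine; otherwise consider keeping the prerequisite, or recording the decision above the target with a comment such as `# check-config deliberately omitted from install; config is validated in <PACKAGING-HOOK-PLACEHOLDER>`.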
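Review bot: Hardcoding `SSHD_PAM_SERVICE` to `"openssh"` in the auth-pam.h hunk decouples the PAM service name from `__progname`, which is sensible for a packaged daemon (a renamed or symlinked binary would otherwise select a different `/etc/pam.d/` stack), but it only works if the package actually installs a PAM configuration under that name. If no `openssh` service file exists, PAM falls back to the `other` service, whose policy is distribution-dependent and may be deny-all or permissive, so a missing file would silently change the authentication behaviour of sshd. The patch does not show the corresponding PAM file being shipped, so this should be checked in the package's file list. A comment at the define would make the coupling explicit, e.g. `/* must match the PAM service file installed by the package (pam.d/openssh) */`.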
SSH_PORTABLE +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE " @@l_openpkg_release@@" @ 1.24 log @upgrading package: openssh 5.1p1 -> 5.2p1 @ text @d2 3 a4 3 --- Makefile.in.orig 2008-11-05 06:20:46 +0100 +++ Makefile.in 2009-02-25 11:19:48 +0100 @@@@ -232,7 +232,7 @@@@ d15 1 a15 1 +++ auth-pam.h 2009-02-25 11:19:48 +0100 d26 2 a27 2 --- version.h.orig 2009-02-23 01:09:26 +0100 +++ version.h 2009-02-25 11:19:48 +0100 d29 1 a29 1 #define SSH_VERSION "OpenSSH_5.2" @ 1.23 log @upgrading package: openssh 5.0p1 -> 5.1p1 @ text @d2 2 a3 2 --- Makefile.in.orig 2008-07-08 16:21:12 +0200 +++ Makefile.in 2008-07-22 08:30:25 +0200 d15 1 a15 1 +++ auth-pam.h 2008-07-22 08:30:25 +0200 d26 2 a27 2 --- version.h.orig 2008-07-21 10:21:06 +0200 +++ version.h 2008-07-22 08:30:25 +0200 d29 1 a29 1 #define SSH_VERSION "OpenSSH_5.1" @ 1.22 log @upgrading package: openssh 4.7p1 -> 4.9p1 @ text @d2 3 a4 3 --- Makefile.in.orig 2008-03-13 02:41:31 +0100 +++ Makefile.in 2008-03-31 08:36:38 +0200 @@@@ -231,7 +231,7 @@@@ d15 1 a15 1 +++ auth-pam.h 2008-03-31 08:36:38 +0200 d26 2 a27 2 --- version.h.orig 2008-03-27 01:18:13 +0100 +++ version.h 2008-03-31 08:36:38 +0200 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.9" @ 1.21 log @upgrading package: openssh 4.6p1 -> 4.7p1 @ text @d2 2 a3 2 --- Makefile.in.orig 2007-06-11 06:01:42 +0200 +++ Makefile.in 2007-09-05 08:39:34 +0200 d15 1 a15 1 +++ auth-pam.h 2007-09-05 08:39:34 +0200 d26 2 a27 2 --- version.h.orig 2007-08-15 11:14:52 +0200 +++ version.h 2007-09-05 08:39:34 +0200 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.7" @ 1.20 log @apply a backported upstream patch (via FreeBSD ports) @ text @d2 3 a4 3 --- Makefile.in.orig 2006-10-23 23:44:47 +0200 +++ Makefile.in 2007-03-10 09:30:35 +0100 @@@@ -234,7 +234,7 @@@@ d15 1 a15 1 +++ auth-pam.h 2007-03-10 09:30:35 +0100 d26 2 a27 2 --- version.h.orig 2007-03-06 11:21:37 +0100 +++ version.h 2007-03-10 09:30:35 +0100 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.6" a33 34 
----------------------------------------------------------------------------- Bugfix (backported from OpenBSD): Move C/R -> kbdint special case to after the defaults have been loaded, which makes "ChallengeResponse" default to yes again. This was broken by the "Match" changes and not fixed properly subsequently. Index: servconf.c --- servconf.c.orig 2007-08-30 11:50:17 -0300 +++ servconf.c 2007-08-30 11:50:38 -0300 @@@@ -1387,8 +1387,4 @@@@ if (bad_options > 0) fatal("%s: terminating, %d bad configuration options", filename, bad_options); - - /* challenge-response is implemented via keyboard interactive */ - if (options->challenge_response_authentication == 1) - options->kbd_interactive_authentication = 1; } Index: sshd.c --- sshd.c.orig 2007-08-30 11:50:30 -0300 +++ sshd.c 2007-08-30 11:51:42 -0300 @@@@ -1421,6 +1421,10 @@@@ /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); + /* challenge-response is implemented via keyboard interactive */ + if (options.challenge_response_authentication) + options.kbd_interactive_authentication = 1; + /* set default channel AF */ channel_set_af(options.address_family); @ 1.19 log @upgrading package: openssh 4.5p1 -> 4.6p1 @ text @d34 34 @ 1.18 log @upgrading package: openssh 4.4p1 -> 4.5p1 @ text @d3 1 a3 1 +++ Makefile.in 2006-11-08 08:59:53 +0100 d15 1 a15 1 +++ auth-pam.h 2006-11-08 08:59:53 +0100 d26 2 a27 2 --- version.h.orig 2006-11-07 13:16:08 +0100 +++ version.h 2006-11-08 08:59:53 +0100 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.5" @ 1.17 log @upgrading package: openssh 4.3p2 -> 4.4p1 @ text @d2 3 a4 3 --- Makefile.in.orig 2006-09-12 13:54:10 +0200 +++ Makefile.in 2006-09-28 08:00:38 +0200 @@@@ -233,7 +233,7 @@@@ d15 1 a15 1 +++ auth-pam.h 2006-09-28 08:00:38 +0200 d26 2 a27 2 --- version.h.orig 2006-08-30 03:09:01 +0200 +++ version.h 2006-09-28 08:00:38 +0200 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.4" @ 1.16 log @upgrading package: openssh 4.3p1 -> 4.3p2 @ text 
@d2 3 a4 3 --- Makefile.in.orig 2006-01-01 09:47:05 +0100 +++ Makefile.in 2006-02-11 09:25:19 +0100 @@@@ -230,7 +230,7 @@@@ d15 1 a15 1 +++ auth-pam.h 2006-02-11 09:25:19 +0100 d26 2 a27 2 --- version.h.orig 2006-02-11 01:00:45 +0100 +++ version.h 2006-02-11 09:25:19 +0100 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.3" d31 1 a31 1 #define SSH_PORTABLE "p2" @ 1.16.2.1 log @MFC: security fixed version @ text @d2 3 a4 3 --- Makefile.in.orig 2006-09-12 13:54:10 +0200 +++ Makefile.in 2006-09-28 08:00:38 +0200 @@@@ -233,7 +233,7 @@@@ d15 1 a15 1 +++ auth-pam.h 2006-09-28 08:00:38 +0200 d26 2 a27 2 --- version.h.orig 2006-08-30 03:09:01 +0200 +++ version.h 2006-09-28 08:00:38 +0200 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.4" d31 1 a31 1 #define SSH_PORTABLE "p1" @ 1.16.2.2 log @MFC: security fixed version plus HPN patch related packaging fixes @ text @d2 3 a4 3 --- Makefile.in.orig 2006-10-23 23:44:47 +0200 +++ Makefile.in 2006-11-08 08:59:53 +0100 @@@@ -234,7 +234,7 @@@@ d15 1 a15 1 +++ auth-pam.h 2006-11-08 08:59:53 +0100 d26 2 a27 2 --- version.h.orig 2006-11-07 13:16:08 +0100 +++ version.h 2006-11-08 08:59:53 +0100 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.5" @ 1.16.2.3 log @MFC: make up leeway for 2_STABLE by virtue of build-time results @ text @d3 1 a3 1 +++ Makefile.in 2007-03-10 09:30:35 +0100 d15 1 a15 1 +++ auth-pam.h 2007-03-10 09:30:35 +0100 d26 2 a27 2 --- version.h.orig 2007-03-06 11:21:37 +0100 +++ version.h 2007-03-10 09:30:35 +0100 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.6" @ 1.15 log @upgrading package: openssh 4.2p1 -> 4.3p1 @ text @d3 1 a3 1 +++ Makefile.in 2006-02-01 19:39:50 +0100 d15 1 a15 1 +++ auth-pam.h 2006-02-01 19:39:50 +0100 d26 2 a27 2 --- version.h.orig 2006-02-01 12:27:31 +0100 +++ version.h 2006-02-01 19:39:50 +0100 d31 1 a31 1 #define SSH_PORTABLE "p1" @ 1.14 log @upgrading package: openssh 4.1p1 -> 4.2p1 @ text @d2 2 a3 2 --- Makefile.in.orig 2005-05-29 09:22:29 +0200 +++ Makefile.in 2005-09-01 20:04:23 +0200 d15 1 a15 1 +++ 
auth-pam.h 2005-09-01 20:04:23 +0200 d26 2 a27 2 --- version.h.orig 2005-08-31 11:47:07 +0200 +++ version.h 2005-09-01 20:04:23 +0200 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.2" @ 1.14.2.1 log @Security Fixes (CVE-2006-0225) @ text @a33 335 ----------------------------------------------------------------------------- Security Fixes (CVE-2006-0225) Index: misc.c --- misc.c.orig 2005-07-14 09:05:02 +0200 +++ misc.c 2006-02-18 12:51:11 +0100 @@@@ -356,12 +356,15 @@@@ addargs(arglist *args, char *fmt, ...) { va_list ap; - char buf[1024]; + char *cp; u_int nalloc; + int r; va_start(ap, fmt); - vsnprintf(buf, sizeof(buf), fmt, ap); + r = vasprintf(&cp, fmt, ap); va_end(ap); + if (r == -1) + fatal("addargs: argument too long"); nalloc = args->nalloc; if (args->list == NULL) { @@@@ -372,10 +375,44 @@@@ args->list = xrealloc(args->list, nalloc * sizeof(char *)); args->nalloc = nalloc; - args->list[args->num++] = xstrdup(buf); + args->list[args->num++] = cp; args->list[args->num] = NULL; } +void +replacearg(arglist *args, u_int which, char *fmt, ...) +{ + va_list ap; + char *cp; + int r; + + va_start(ap, fmt); + r = vasprintf(&cp, fmt, ap); + va_end(ap); + if (r == -1) + fatal("replacearg: argument too long"); + + if (which >= args->num) + fatal("replacearg: tried to replace invalid arg %d >= %d", + which, args->num); + xfree(args->list[which]); + args->list[which] = cp; +} + +void +freeargs(arglist *args) +{ + u_int i; + + if (args->list != NULL) { + for (i = 0; i < args->num; i++) + xfree(args->list[i]); + xfree(args->list); + args->nalloc = args->num = 0; + args->list = NULL; + } +} + /* * Expands tildes in the file name. Returns data allocated by xmalloc. * Warning: this calls getpw*. Index: misc.h --- misc.h.orig 2005-07-14 09:07:21 +0200 +++ misc.h 2006-02-18 12:51:11 +0100 @@@@ -36,7 +36,11 @@@@ u_int num; u_int nalloc; }; -void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); +void addargs(arglist *, char *, ...) 
+ __attribute__((format(printf, 2, 3))); +void replacearg(arglist *, u_int, char *, ...) + __attribute__((format(printf, 3, 4))); +void freeargs(arglist *); /* readpass.c */ Index: scp.c --- scp.c.orig 2005-08-02 09:07:08 +0200 +++ scp.c 2006-02-18 12:53:25 +0100 @@@@ -118,6 +118,48 @@@@ exit(1); } +static int +do_local_cmd(arglist *a) +{ + u_int i; + int status; + pid_t pid; + + if (a->num == 0) + fatal("do_local_cmd: no arguments"); + + if (verbose_mode) { + fprintf(stderr, "Executing:"); + for (i = 0; i < a->num; i++) + fprintf(stderr, " %s", a->list[i]); + fprintf(stderr, "\n"); + } + if ((pid = fork()) == -1) + fatal("do_local_cmd: fork: %s", strerror(errno)); + + if (pid == 0) { + execvp(a->list[0], a->list); + perror(a->list[0]); + exit(1); + } + + do_cmd_pid = pid; + signal(SIGTERM, killchild); + signal(SIGINT, killchild); + signal(SIGHUP, killchild); + + while (waitpid(pid, &status, 0) == -1) + if (errno != EINTR) + fatal("do_local_cmd: waitpid: %s", strerror(errno)); + + do_cmd_pid = -1; + + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + return (-1); + + return (0); +} + /* * This function executes the given command as the specified user on the * given host. This returns < 0 if execution fails, and >= 0 otherwise. This @@@@ -162,7 +204,7 @@@@ close(pin[0]); close(pout[1]); - args.list[0] = ssh_program; + replacearg(&args, 0, "%s", ssh_program); if (remuser != NULL) addargs(&args, "-l%s", remuser); addargs(&args, "%s", host); @@@@ -224,8 +266,9 @@@@ __progname = ssh_get_progname(argv[0]); + memset(&args, '\0', sizeof(args)); args.list = NULL; - addargs(&args, "ssh"); /* overwritten with ssh_program */ + addargs(&args, "%s", ssh_program); addargs(&args, "-x"); addargs(&args, "-oForwardAgent no"); addargs(&args, "-oClearAllForwardings yes"); @@@@ -336,9 +379,9 @@@@ if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */ toremote(targ, argc, argv); else { - tolocal(argc, argv); /* Dest is local host. 
*/ if (targetshouldbedirectory) verifydir(argv[argc - 1]); + tolocal(argc, argv); /* Dest is local host. */ } /* * Finally check the exit status of the ssh process, if one was forked @@@@ -364,6 +407,10 @@@@ { int i, len; char *bp, *host, *src, *suser, *thost, *tuser, *arg; + arglist alist; + + memset(&alist, '\0', sizeof(alist)); + alist.list = NULL; *targ++ = 0; if (*targ == 0) @@@@ -381,56 +428,48 @@@@ tuser = NULL; } + if (tuser != NULL && !okname(tuser)) { + xfree(arg); + return; + } + for (i = 0; i < argc - 1; i++) { src = colon(argv[i]); if (src) { /* remote to remote */ - static char *ssh_options = - "-x -o'ClearAllForwardings yes'"; + freeargs(&alist); + addargs(&alist, "%s", ssh_program); + if (verbose_mode) + addargs(&alist, "-v"); + addargs(&alist, "-x"); + addargs(&alist, "-oClearAllForwardings yes"); + addargs(&alist, "-n"); + *src++ = 0; if (*src == 0) src = "."; host = strrchr(argv[i], '@@'); - len = strlen(ssh_program) + strlen(argv[i]) + - strlen(src) + (tuser ? strlen(tuser) : 0) + - strlen(thost) + strlen(targ) + - strlen(ssh_options) + CMDNEEDS + 20; - bp = xmalloc(len); + if (host) { *host++ = 0; host = cleanhostname(host); suser = argv[i]; if (*suser == '\0') suser = pwd->pw_name; - else if (!okname(suser)) { - xfree(bp); + else if (!okname(suser)) continue; - } - if (tuser && !okname(tuser)) { - xfree(bp); - continue; - } - snprintf(bp, len, - "%s%s %s -n " - "-l %s %s %s %s '%s%s%s:%s'", - ssh_program, verbose_mode ? " -v" : "", - ssh_options, suser, host, cmd, src, - tuser ? tuser : "", tuser ? "@@" : "", - thost, targ); + addargs(&alist, "-l"); + addargs(&alist, "%s", suser); } else { host = cleanhostname(argv[i]); - snprintf(bp, len, - "exec %s%s %s -n %s " - "%s %s '%s%s%s:%s'", - ssh_program, verbose_mode ? " -v" : "", - ssh_options, host, cmd, src, - tuser ? tuser : "", tuser ? 
"@@" : "", - thost, targ); } - if (verbose_mode) - fprintf(stderr, "Executing: %s\n", bp); - if (system(bp) != 0) + addargs(&alist, "%s", host); + addargs(&alist, "%s", cmd); + addargs(&alist, "%s", src); + addargs(&alist, "%s%s%s:%s", + tuser ? tuser : "", tuser ? "@@" : "", + thost, targ); + if (do_local_cmd(&alist) != 0) errs = 1; - (void) xfree(bp); } else { /* local to remote */ if (remin == -1) { len = strlen(targ) + CMDNEEDS + 20; @@@@ -454,20 +493,23 @@@@ { int i, len; char *bp, *host, *src, *suser; + arglist alist; + + memset(&alist, '\0', sizeof(alist)); + alist.list = NULL; for (i = 0; i < argc - 1; i++) { if (!(src = colon(argv[i]))) { /* Local to local. */ - len = strlen(_PATH_CP) + strlen(argv[i]) + - strlen(argv[argc - 1]) + 20; - bp = xmalloc(len); - (void) snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP, - iamrecursive ? " -r" : "", pflag ? " -p" : "", - argv[i], argv[argc - 1]); - if (verbose_mode) - fprintf(stderr, "Executing: %s\n", bp); - if (system(bp)) + freeargs(&alist); + addargs(&alist, "%s", _PATH_CP); + if (iamrecursive) + addargs(&alist, "-r"); + if (pflag) + addargs(&alist, "-p"); + addargs(&alist, "%s", argv[i]); + addargs(&alist, "%s", argv[argc-1]); + if (do_local_cmd(&alist)) ++errs; - (void) xfree(bp); continue; } *src++ = 0; Index: sftp.c --- sftp.c.orig 2005-08-23 00:06:56 +0200 +++ sftp.c 2006-02-18 12:52:38 +0100 @@@@ -1448,8 +1448,9 @@@@ extern char *optarg; __progname = ssh_get_progname(argv[0]); + memset(&args, '\0', sizeof(args)); args.list = NULL; - addargs(&args, "ssh"); /* overwritten with ssh_program */ + addargs(&args, ssh_program); addargs(&args, "-oForwardX11 no"); addargs(&args, "-oForwardAgent no"); addargs(&args, "-oClearAllForwardings yes"); @@@@ -1483,6 +1484,7 @@@@ break; case 'S': ssh_program = optarg; + replacearg(&args, 0, "%s", ssh_program); break; case 'b': if (batchmode) @@@@ -1559,7 +1561,6 @@@@ addargs(&args, "%s", host); addargs(&args, "%s", (sftp_server != NULL ? 
sftp_server : "sftp")); - args.list[0] = ssh_program; if (!batchmode) fprintf(stderr, "Connecting to %s...\n", host); @@@@ -1572,6 +1573,7 @@@@ fprintf(stderr, "Attaching to %s...\n", sftp_direct); connect_to_server(sftp_direct, args.list, &in, &out); } + freeargs(&args); err = interactive_loop(in, out, file1, file2); @ 1.14.2.2 log @fix security patch: use snprintf(3) because vasprintf(3) is not portable enough and a replacement code exists in OpenSSH 4.3p1 and higher only @ text @d41 25 a65 2 +++ misc.c 2006-02-20 14:28:44 +0100 @@@@ -376,6 +376,37 @@@@ d73 2 a74 1 + char buf[1024]; d77 1 a77 1 + vsnprintf(buf, sizeof(buf), fmt, ap); d79 2 d86 1 a86 1 + args->list[which] = xstrdup(buf); d108 1 a108 1 +++ misc.h 2006-02-20 14:24:07 +0100 d124 1 a124 1 +++ scp.c 2006-02-20 14:24:07 +0100 d333 1 a333 1 +++ sftp.c 2006-02-20 14:24:07 +0100 @ 1.14.2.3 log @Security Fixes (CVE-2006-4924, CVE-2006-4925, CVE-2006-5051) @ text @a342 206 ----------------------------------------------------------------------------- Security Fixes (CVE-2006-4924) Index: deattack.c --- deattack.c.orig 2003-09-22 13:04:23 +0200 +++ deattack.c 2006-09-29 19:56:07 +0200 @@@@ -27,6 +27,24 @@@@ #include "xmalloc.h" #include "deattack.h" +/* + * CRC attack detection has a worst-case behaviour that is O(N^3) over + * the number of identical blocks in a packet. This behaviour can be + * exploited to create a limited denial of service attack. + * + * However, because we are dealing with encrypted data, identical + * blocks should only occur every 2^35 maximally-sized packets or so. + * Consequently, we can detect this DoS by looking for identical blocks + * in a packet. + * + * The parameter below determines how many identical blocks we will + * accept in a single packet, trading off between attack detection and + * likelihood of terminating a legitimate connection. 
A value of 32 + * corresponds to an average of 2^40 messages before an attack is + * misdetected + */ +#define MAX_IDENTICAL 32 + /* SSH Constants */ #define SSH_MAXBLOCKS (32 * 1024) #define SSH_BLOCKSIZE (8) @@@@ -87,7 +105,7 @@@@ static u_int16_t *h = (u_int16_t *) NULL; static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; u_int32_t i, j; - u_int32_t l; + u_int32_t l, same; u_char *c; u_char *d; @@@@ -133,11 +151,13 @@@@ if (IV) h[HASH(IV) & (n - 1)] = HASH_IV; - for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { + for (c = buf, same = j = -1; c < (buf + len); c += SSH_BLOCKSIZE, j++) { for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; i = (i + 1) & (n - 1)) { if (h[i] == HASH_IV) { if (!CMP(c, IV)) { + if (++same > MAX_IDENTICAL) + return (DEATTACK_DOS_DETECTED); if (check_crc(c, buf, len, IV)) return (DEATTACK_DETECTED); else Index: deattack.h --- deattack.h.orig 2001-07-04 06:46:57 +0200 +++ deattack.h 2006-09-29 19:54:32 +0200 @@@@ -25,6 +25,7 @@@@ /* Return codes */ #define DEATTACK_OK 0 #define DEATTACK_DETECTED 1 +#define DEATTACK_DOS_DETECTED 2 int detect_attack(u_char *, u_int32_t, u_char[8]); #endif Index: packet.c --- packet.c.orig 2005-08-12 14:10:29 +0200 +++ packet.c 2006-09-29 19:57:25 +0200 @@@@ -978,9 +978,16 @@@@ * (C)1998 CORE-SDI, Buenos Aires Argentina * Ariel Futoransky(futo@@core-sdi.com) */ - if (!receive_context.plaintext && - detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED) - packet_disconnect("crc32 compensation attack: network attack detected"); + if (!receive_context.plaintext) { + switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) { + case DEATTACK_DETECTED: + packet_disconnect("crc32 compensation attack: " + "network attack detected"); + case DEATTACK_DOS_DETECTED: + packet_disconnect("deattack denial of " + "service detected"); + } + } /* Decrypt data to incoming_packet. 
*/ buffer_clear(&incoming_packet); ----------------------------------------------------------------------------- Security Fixes (CVE-2006-4925) Index: packet.c --- packet.c.orig 2005-08-12 14:10:29 +0200 +++ packet.c 2006-09-29 19:58:02 +0200 @@@@ -669,6 +669,9 @@@@ */ after_authentication = 1; for (mode = 0; mode < MODE_MAX; mode++) { + /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */ + if (newkeys[mode] == NULL) + continue; comp = &newkeys[mode]->comp; if (comp && !comp->enabled && comp->type == COMP_DELAYED) { packet_init_compression(); ----------------------------------------------------------------------------- Security Fixes (CVE-2006-5051) Index: auth.h --- auth.h.orig 2005-07-07 03:50:20 +0200 +++ auth.h 2006-10-01 10:05:56 +0200 @@@@ -49,6 +49,7 @@@@ struct Authctxt { int success; + int authenticated; /* authenticated and alarms cancelled */ int postponed; /* authentication needs another step */ int valid; /* user exists and is allowed to login */ int attempt; Index: defines.h --- defines.h.orig 2005-08-31 18:59:49 +0200 +++ defines.h 2006-10-01 10:05:56 +0200 @@@@ -540,6 +540,11 @@@@ # undef HAVE_UPDWTMPX #endif +#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) && \ + defined(SYSLOG_R_SAFE_IN_SIGHAND) +# define DO_LOG_SAFE_IN_SIGHAND +#endif + #if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) # define memmove(s1, s2, n) bcopy((s2), (s1), (n)) #endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */ Index: log.c --- log.c.orig 2005-03-09 10:12:48 +0100 +++ log.c 2006-10-01 10:05:56 +0200 @@@@ -130,6 +130,20 @@@@ va_end(args); } +void +sigdie(const char *fmt,...) +{ +#ifdef DO_LOG_SAFE_IN_SIGHAND + va_list args; + + va_start(args, fmt); + do_log(SYSLOG_LEVEL_FATAL, fmt, args); + va_end(args); +#endif + _exit(1); +} + + /* Log this message (information that usually should go to the log). */ void Index: log.h --- log.h.orig 2004-06-22 04:57:44 +0200 +++ log.h 2006-10-01 10:05:56 +0200 @@@@ -55,6 +55,7 @@@@ void fatal(const char *, ...) 
__dead __attribute__((format(printf, 1, 2))); void error(const char *, ...) __attribute__((format(printf, 1, 2))); +void sigdie(const char *, ...) __attribute__((format(printf, 1, 2))); void logit(const char *, ...) __attribute__((format(printf, 1, 2))); void verbose(const char *, ...) __attribute__((format(printf, 1, 2))); void debug(const char *, ...) __attribute__((format(printf, 1, 2))); Index: session.c --- session.c.orig 2005-08-31 18:59:49 +0200 +++ session.c 2006-10-01 10:05:57 +0200 @@@@ -2434,7 +2434,7 @@@@ return; called = 1; - if (authctxt == NULL) + if (authctxt == NULL || !authctxt->authenticated) return; #ifdef KRB5 if (options.kerberos_ticket_cleanup && Index: sshd.c --- sshd.c.orig 2005-07-26 13:54:56 +0200 +++ sshd.c 2006-10-01 10:05:57 +0200 @@@@ -312,7 +312,7 @@@@ kill(pmonitor->m_pid, SIGALRM); /* Log error and exit. */ - fatal("Timeout before authentication for %s", get_remote_ipaddr()); + sigdie("Timeout before authentication for %s", get_remote_ipaddr()); } /* @@@@ -1714,6 +1714,7 @@@@ } authenticated: + authctxt->authenticated = 1; #ifdef SSH_AUDIT_EVENTS audit_event(SSH_AUTH_SUCCESS); #endif @ 1.13 log @upgrading package: openssh 3.9p1 -> 4.0p1 @ text @d2 2 a3 2 --- Makefile.in.orig 2005-02-26 00:12:38 +0100 +++ Makefile.in 2005-03-09 19:57:49 +0100 d15 1 a15 1 +++ auth-pam.h 2005-03-09 19:56:10 +0100 a24 15 Index: openbsd-compat/fake-rfc2553.h --- openbsd-compat/fake-rfc2553.h.orig 2005-02-11 08:32:13 +0100 +++ openbsd-compat/fake-rfc2553.h 2005-03-09 19:56:10 +0100 @@@@ -115,7 +115,11 @@@@ #ifndef EAI_NODATA # define EAI_NODATA 1 +#endif +#ifndef EAI_MEMORY # define EAI_MEMORY 2 +#endif +#ifndef EAI_NONAME # define EAI_NONAME 3 # define EAI_SYSTEM 4 #endif d26 2 a27 2 --- version.h.orig 2005-03-09 01:00:43 +0100 +++ version.h 2005-03-09 19:57:28 +0100 d29 1 a29 1 #define SSH_VERSION "OpenSSH_4.0" @ 1.13.2.1 log @Security Bugfix: a bug introduced in OpenSSH 4.0 caused gateway ports (SSH client command line option "-o 'GatewayPorts yes'") 
to be accidentally activated for dynamic port forwardings (SSH client command line option "-D port") when no listen address was explicitly specified (as in "-D address:port"). As a result, a wildcard bind was performed for the listening socket on the SSH client machine instead of a bind to just "localhost". This way the dynamic port forwardings can be reached also via the external interface of the SSH client machine. @ text @a48 37 ----------------------------------------------------------------------------- Security Bugfix: a bug introduced in OpenSSH 4.0 caused gateway ports (SSH client command line option "-o 'GatewayPorts yes'") to be accidentally activated for dynamic port forwardings (SSH client command line option "-D port") when no listen address was explicitly specified (as in "-D address:port"). As a result, a wildcard bind was performed for the listening socket on the SSH client machine instead of a bind to just "localhost". This way the dynamic port forwardings can be reached also via the external interface of the SSH client machine. 
Index: readconf.c --- readconf.c.orig 2005-03-14 13:08:12 +0100 +++ readconf.c 2005-08-12 14:11:18 +0200 @@@@ -695,7 +695,7 @@@@ fwd.listen_host = cleanhostname(fwd.listen_host); } else { fwd.listen_port = a2port(fwd.listen_host); - fwd.listen_host = ""; + fwd.listen_host = NULL; } if (fwd.listen_port == 0) fatal("%.200s line %d: Badly formatted port number.", Index: ssh.c --- ssh.c.orig 2005-05-04 07:33:09 +0200 +++ ssh.c 2005-08-12 14:10:56 +0200 @@@@ -436,7 +439,7 @@@@ fwd.listen_host = cleanhostname(fwd.listen_host); } else { fwd.listen_port = a2port(fwd.listen_host); - fwd.listen_host = ""; + fwd.listen_host = NULL; } if (fwd.listen_port == 0) { @ 1.13.2.2 log @Security Fixes (CVE-2006-0225) @ text @a85 334 ----------------------------------------------------------------------------- Security Fixes (CVE-2006-0225) Index: misc.c --- misc.c.orig 2005-03-14 13:08:12 +0100 +++ misc.c 2006-02-18 12:56:15 +0100 @@@@ -355,12 +355,15 @@@@ addargs(arglist *args, char *fmt, ...) { va_list ap; - char buf[1024]; + char *cp; u_int nalloc; + int r; va_start(ap, fmt); - vsnprintf(buf, sizeof(buf), fmt, ap); + r = vasprintf(&cp, fmt, ap); va_end(ap); + if (r == -1) + fatal("addargs: argument too long"); nalloc = args->nalloc; if (args->list == NULL) { @@@@ -371,10 +374,44 @@@@ args->list = xrealloc(args->list, nalloc * sizeof(char *)); args->nalloc = nalloc; - args->list[args->num++] = xstrdup(buf); + args->list[args->num++] = cp; args->list[args->num] = NULL; } +void +replacearg(arglist *args, u_int which, char *fmt, ...) 
+{ + va_list ap; + char *cp; + int r; + + va_start(ap, fmt); + r = vasprintf(&cp, fmt, ap); + va_end(ap); + if (r == -1) + fatal("replacearg: argument too long"); + + if (which >= args->num) + fatal("replacearg: tried to replace invalid arg %d >= %d", + which, args->num); + xfree(args->list[which]); + args->list[which] = cp; +} + +void +freeargs(arglist *args) +{ + u_int i; + + if (args->list != NULL) { + for (i = 0; i < args->num; i++) + xfree(args->list[i]); + xfree(args->list); + args->nalloc = args->num = 0; + args->list = NULL; + } +} + /* * Read an entire line from a public key file into a static buffer, discarding * lines that exceed the buffer size. Returns 0 on success, -1 on failure. Index: misc.h --- misc.h.orig 2005-03-01 11:24:33 +0100 +++ misc.h 2006-02-18 12:56:15 +0100 @@@@ -33,7 +33,11 @@@@ u_int num; u_int nalloc; }; -void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); +void addargs(arglist *, char *, ...) + __attribute__((format(printf, 2, 3))); +void replacearg(arglist *, u_int, char *, ...) 
+ __attribute__((format(printf, 3, 4))); +void freeargs(arglist *); /* tildexpand.c */ Index: scp.c --- scp.c.orig 2005-04-03 02:16:40 +0200 +++ scp.c 2006-02-18 12:56:15 +0100 @@@@ -116,6 +116,48 @@@@ _exit(1); } +static int +do_local_cmd(arglist *a) +{ + u_int i; + int status; + pid_t pid; + + if (a->num == 0) + fatal("do_local_cmd: no arguments"); + + if (verbose_mode) { + fprintf(stderr, "Executing:"); + for (i = 0; i < a->num; i++) + fprintf(stderr, " %s", a->list[i]); + fprintf(stderr, "\n"); + } + if ((pid = fork()) == -1) + fatal("do_local_cmd: fork: %s", strerror(errno)); + + if (pid == 0) { + execvp(a->list[0], a->list); + perror(a->list[0]); + exit(1); + } + + do_cmd_pid = pid; + signal(SIGTERM, killchild); + signal(SIGINT, killchild); + signal(SIGHUP, killchild); + + while (waitpid(pid, &status, 0) == -1) + if (errno != EINTR) + fatal("do_local_cmd: waitpid: %s", strerror(errno)); + + do_cmd_pid = -1; + + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + return (-1); + + return (0); +} + /* * This function executes the given command as the specified user on the * given host. This returns < 0 if execution fails, and >= 0 otherwise. This @@@@ -160,7 +202,7 @@@@ close(pin[0]); close(pout[1]); - args.list[0] = ssh_program; + replacearg(&args, 0, "%s", ssh_program); if (remuser != NULL) addargs(&args, "-l%s", remuser); addargs(&args, "%s", host); @@@@ -222,8 +264,9 @@@@ __progname = ssh_get_progname(argv[0]); + memset(&args, '\0', sizeof(args)); args.list = NULL; - addargs(&args, "ssh"); /* overwritten with ssh_program */ + addargs(&args, "%s", ssh_program); addargs(&args, "-x"); addargs(&args, "-oForwardAgent no"); addargs(&args, "-oClearAllForwardings yes"); @@@@ -334,9 +377,9 @@@@ if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */ toremote(targ, argc, argv); else { - tolocal(argc, argv); /* Dest is local host. */ if (targetshouldbedirectory) verifydir(argv[argc - 1]); + tolocal(argc, argv); /* Dest is local host. 
*/ } /* * Finally check the exit status of the ssh process, if one was forked @@@@ -362,6 +405,10 @@@@ { int i, len; char *bp, *host, *src, *suser, *thost, *tuser, *arg; + arglist alist; + + memset(&alist, '\0', sizeof(alist)); + alist.list = NULL; *targ++ = 0; if (*targ == 0) @@@@ -379,56 +426,48 @@@@ tuser = NULL; } + if (tuser != NULL && !okname(tuser)) { + xfree(arg); + return; + } + for (i = 0; i < argc - 1; i++) { src = colon(argv[i]); if (src) { /* remote to remote */ - static char *ssh_options = - "-x -o'ClearAllForwardings yes'"; + freeargs(&alist); + addargs(&alist, "%s", ssh_program); + if (verbose_mode) + addargs(&alist, "-v"); + addargs(&alist, "-x"); + addargs(&alist, "-oClearAllForwardings yes"); + addargs(&alist, "-n"); + *src++ = 0; if (*src == 0) src = "."; host = strrchr(argv[i], '@@'); - len = strlen(ssh_program) + strlen(argv[i]) + - strlen(src) + (tuser ? strlen(tuser) : 0) + - strlen(thost) + strlen(targ) + - strlen(ssh_options) + CMDNEEDS + 20; - bp = xmalloc(len); + if (host) { *host++ = 0; host = cleanhostname(host); suser = argv[i]; if (*suser == '\0') suser = pwd->pw_name; - else if (!okname(suser)) { - xfree(bp); + else if (!okname(suser)) continue; - } - if (tuser && !okname(tuser)) { - xfree(bp); - continue; - } - snprintf(bp, len, - "%s%s %s -n " - "-l %s %s %s %s '%s%s%s:%s'", - ssh_program, verbose_mode ? " -v" : "", - ssh_options, suser, host, cmd, src, - tuser ? tuser : "", tuser ? "@@" : "", - thost, targ); + addargs(&alist, "-l"); + addargs(&alist, "%s", suser); } else { host = cleanhostname(argv[i]); - snprintf(bp, len, - "exec %s%s %s -n %s " - "%s %s '%s%s%s:%s'", - ssh_program, verbose_mode ? " -v" : "", - ssh_options, host, cmd, src, - tuser ? tuser : "", tuser ? "@@" : "", - thost, targ); } - if (verbose_mode) - fprintf(stderr, "Executing: %s\n", bp); - if (system(bp) != 0) + addargs(&alist, "%s", host); + addargs(&alist, "%s", cmd); + addargs(&alist, "%s", src); + addargs(&alist, "%s%s%s:%s", + tuser ? 
tuser : "", tuser ? "@@" : "", + thost, targ); + if (do_local_cmd(&alist) != 0) errs = 1; - (void) xfree(bp); } else { /* local to remote */ if (remin == -1) { len = strlen(targ) + CMDNEEDS + 20; @@@@ -452,20 +491,23 @@@@ { int i, len; char *bp, *host, *src, *suser; + arglist alist; + + memset(&alist, '\0', sizeof(alist)); + alist.list = NULL; for (i = 0; i < argc - 1; i++) { if (!(src = colon(argv[i]))) { /* Local to local. */ - len = strlen(_PATH_CP) + strlen(argv[i]) + - strlen(argv[argc - 1]) + 20; - bp = xmalloc(len); - (void) snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP, - iamrecursive ? " -r" : "", pflag ? " -p" : "", - argv[i], argv[argc - 1]); - if (verbose_mode) - fprintf(stderr, "Executing: %s\n", bp); - if (system(bp)) + freeargs(&alist); + addargs(&alist, "%s", _PATH_CP); + if (iamrecursive) + addargs(&alist, "-r"); + if (pflag) + addargs(&alist, "-p"); + addargs(&alist, "%s", argv[i]); + addargs(&alist, "%s", argv[argc-1]); + if (do_local_cmd(&alist)) ++errs; - (void) xfree(bp); continue; } *src++ = 0; Index: sftp.c --- sftp.c.orig 2005-03-14 13:08:12 +0100 +++ sftp.c 2006-02-18 12:56:15 +0100 @@@@ -1433,8 +1433,9 @@@@ extern char *optarg; __progname = ssh_get_progname(argv[0]); + memset(&args, '\0', sizeof(args)); args.list = NULL; - addargs(&args, "ssh"); /* overwritten with ssh_program */ + addargs(&args, ssh_program); addargs(&args, "-oForwardX11 no"); addargs(&args, "-oForwardAgent no"); addargs(&args, "-oClearAllForwardings yes"); @@@@ -1468,6 +1469,7 @@@@ break; case 'S': ssh_program = optarg; + replacearg(&args, 0, "%s", ssh_program); break; case 'b': if (batchmode) @@@@ -1544,7 +1546,6 @@@@ addargs(&args, "%s", host); addargs(&args, "%s", (sftp_server != NULL ? 
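Review bot: The remote-to-remote branch now hands `cmd`, `src` and the `tuser@thost:targ` spec to the local `ssh` as separate argv entries, which takes the local shell out of the picture, but ssh(1) joins its trailing arguments into one command string that the remote login shell parses, so shell metacharacters in `src` or `targ` are still interpreted on the source host; the single quotes the old `snprintf` placed around the destination spec (`'%s%s%s:%s'`) are gone, so a destination containing spaces or quotes is now split differently by that remote shell. A comment above `addargs(&alist, "%s", cmd);` such as `/* ssh joins these and the remote shell parses them: filenames are NOT shell-safe here */` would make the residual exposure explicit for the next maintainer. Separately, `freeargs(&alist)` only runs at the top of the next iteration, so the list built in the last remote-to-remote iteration is never released; a `freeargs(&alist)` after the loop would close that, though toremote's tail lies outside this hunk.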
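Review bot: In the sftp.c hunk, `addargs(&args, ssh_program);` passes `ssh_program` as the printf-style format — the misc.h prototype carries `__attribute__((format(printf, 2, 3)))` — whereas the scp.c hunk above writes `addargs(&args, "%s", ssh_program);`. At this point `ssh_program` is still the built-in default, so no user data reaches the format here, but a `%` in a rebuilt default or a later reordering relative to the `-S` handler would turn it into a format-string bug, and -Wformat-security warns on it. Use `addargs(&args, "%s", ssh_program);` for consistency with scp.c and with the `replacearg(&args, 0, "%s", ssh_program)` added further down in the same file.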
sftp_server : "sftp")); - args.list[0] = ssh_program; if (!batchmode) fprintf(stderr, "Connecting to %s...\n", host); @@@@ -1557,6 +1558,7 @@@@ fprintf(stderr, "Attaching to %s...\n", sftp_direct); connect_to_server(sftp_direct, args.list, &in, &out); } + freeargs(&args); err = interactive_loop(in, out, file1, file2); @ 1.13.2.3 log @fix security patch: use vsnprintf(3) because vasprintf(3) is not portable enough and a replacement code exists in OpenSSH 4.3p1 and higher only @ text @d92 25 a116 2 +++ misc.c 2006-02-20 14:30:38 +0100 @@@@ -375,6 +375,37 @@@@ d124 2 a125 1 + char buf[1024]; d128 1 a128 1 + vsnprintf(buf, sizeof(buf), fmt, ap); d130 2 d137 1 a137 1 + args->list[which] = xstrdup(buf); d159 1 a159 1 +++ misc.h 2006-02-20 14:29:24 +0100 d175 1 a175 1 +++ scp.c 2006-02-20 14:29:24 +0100 d384 1 a384 1 +++ sftp.c 2006-02-20 14:29:24 +0100 @ 1.12 log @silence building under FreeBSD 5 @ text @d2 3 a4 3 --- Makefile.in.orig 2004-02-18 04:35:11.000000000 +0100 +++ Makefile.in 2004-02-24 20:25:23.000000000 +0100 @@@@ -226,7 +226,7 @@@@ d8 4 a11 3 -install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files host-key check-config +install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files host-key install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files a12 1 check-config: d14 2 a15 2 --- auth-pam.h.orig 2004-02-10 03:23:29.000000000 +0100 +++ auth-pam.h 2004-02-24 20:25:23.000000000 +0100 d24 1 a24 9 void start_pam(const char *); Index: version.h --- version.h.orig 2004-02-23 23:24:02.000000000 +0100 +++ version.h 2004-02-24 20:25:23.000000000 +0100 @@@@ -1,3 +1,3 @@@@ /* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */ -#define SSH_VERSION "OpenSSH_3.9p1" +#define SSH_VERSION "OpenSSH_3.9p1 @@l_openpkg_release@@" d26 2 a27 2 --- openbsd-compat/fake-rfc2553.h.orig 2004-03-10 11:06:33 +0100 +++ openbsd-compat/fake-rfc2553.h 2004-12-27 19:42:35 +0100 d38 1 d40 9 a48 1 @ 1.12.2.1 log 
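Review bot: The revert to `char buf[1024]` / `vsnprintf` in `replacearg` also drops the `if (r == -1) fatal("replacearg: argument too long")` check (the `d130 2` delta, read against the 1.13.2.2 text above), so an argument over 1023 bytes is silently cut and the truncated string is what `xstrdup` stores and `execvp` later runs with — a long path or host spec is rewritten instead of rejected — and the same 1024-byte truncation stays in `addargs` because its hunk is removed entirely (`d92 25`). `vsnprintf` returns the length it needed, so portability does not require giving up the hard failure: keep `int r;`, write `r = vsnprintf(buf, sizeof(buf), fmt, ap);` and follow it with `if (r < 0 || (size_t)r >= sizeof(buf)) fatal("replacearg: argument too long");`. The same guard belongs in `addargs`, whose text is not part of this delta.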
@Security Fixes (CVE-2006-0225) @ text @a47 330 ----------------------------------------------------------------------------- Security Fixes (CVE-2006-0225) Index: misc.c --- misc.c.orig 2004-08-13 13:18:01 +0200 +++ misc.c 2006-02-18 12:59:04 +0100 @@@@ -313,12 +313,15 @@@@ addargs(arglist *args, char *fmt, ...) { va_list ap; - char buf[1024]; + char *cp; u_int nalloc; + int r; va_start(ap, fmt); - vsnprintf(buf, sizeof(buf), fmt, ap); + r = vasprintf(&cp, fmt, ap); va_end(ap); + if (r == -1) + fatal("addargs: argument too long"); nalloc = args->nalloc; if (args->list == NULL) { @@@@ -329,6 +332,41 @@@@ args->list = xrealloc(args->list, nalloc * sizeof(char *)); args->nalloc = nalloc; - args->list[args->num++] = xstrdup(buf); + args->list[args->num++] = cp; args->list[args->num] = NULL; } + +void +replacearg(arglist *args, u_int which, char *fmt, ...) +{ + va_list ap; + char *cp; + int r; + + va_start(ap, fmt); + r = vasprintf(&cp, fmt, ap); + va_end(ap); + if (r == -1) + fatal("replacearg: argument too long"); + + if (which >= args->num) + fatal("replacearg: tried to replace invalid arg %d >= %d", + which, args->num); + xfree(args->list[which]); + args->list[which] = cp; +} + +void +freeargs(arglist *args) +{ + u_int i; + + if (args->list != NULL) { + for (i = 0; i < args->num; i++) + xfree(args->list[i]); + xfree(args->list); + args->nalloc = args->num = 0; + args->list = NULL; + } +} + Index: misc.h --- misc.h.orig 2004-08-13 13:18:01 +0200 +++ misc.h 2006-02-18 12:56:49 +0100 @@@@ -32,7 +32,11 @@@@ u_int num; u_int nalloc; }; -void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); +void addargs(arglist *, char *, ...) + __attribute__((format(printf, 2, 3))); +void replacearg(arglist *, u_int, char *, ...) 
+ __attribute__((format(printf, 3, 4))); +void freeargs(arglist *); /* tildexpand.c */ Index: scp.c --- scp.c.orig 2004-08-13 13:19:38 +0200 +++ scp.c 2006-02-18 13:15:34 +0100 @@@@ -114,6 +114,48 @@@@ _exit(1); } +static int +do_local_cmd(arglist *a) +{ + u_int i; + int status; + pid_t pid; + + if (a->num == 0) + fatal("do_local_cmd: no arguments"); + + if (verbose_mode) { + fprintf(stderr, "Executing:"); + for (i = 0; i < a->num; i++) + fprintf(stderr, " %s", a->list[i]); + fprintf(stderr, "\n"); + } + if ((pid = fork()) == -1) + fatal("do_local_cmd: fork: %s", strerror(errno)); + + if (pid == 0) { + execvp(a->list[0], a->list); + perror(a->list[0]); + exit(1); + } + + do_cmd_pid = pid; + signal(SIGTERM, killchild); + signal(SIGINT, killchild); + signal(SIGHUP, killchild); + + while (waitpid(pid, &status, 0) == -1) + if (errno != EINTR) + fatal("do_local_cmd: waitpid: %s", strerror(errno)); + + do_cmd_pid = -1; + + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + return (-1); + + return (0); +} + /* * This function executes the given command as the specified user on the * given host. This returns < 0 if execution fails, and >= 0 otherwise. This @@@@ -158,7 +200,7 @@@@ close(pin[0]); close(pout[1]); - args.list[0] = ssh_program; + replacearg(&args, 0, "%s", ssh_program); if (remuser != NULL) addargs(&args, "-l%s", remuser); addargs(&args, "%s", host); @@@@ -220,8 +262,9 @@@@ __progname = ssh_get_progname(argv[0]); + memset(&args, '\0', sizeof(args)); args.list = NULL; - addargs(&args, "ssh"); /* overwritten with ssh_program */ + addargs(&args, "%s", ssh_program); addargs(&args, "-x"); addargs(&args, "-oForwardAgent no"); addargs(&args, "-oClearAllForwardings yes"); @@@@ -332,9 +375,9 @@@@ if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */ toremote(targ, argc, argv); else { - tolocal(argc, argv); /* Dest is local host. */ if (targetshouldbedirectory) verifydir(argv[argc - 1]); + tolocal(argc, argv); /* Dest is local host. 
*/ } /* * Finally check the exit status of the ssh process, if one was forked @@@@ -360,6 +403,10 @@@@ { int i, len; char *bp, *host, *src, *suser, *thost, *tuser; + arglist alist; + + memset(&alist, '\0', sizeof(alist)); + alist.list = NULL; *targ++ = 0; if (*targ == 0) @@@@ -376,56 +423,47 @@@@ tuser = NULL; } + if (tuser != NULL && !okname(tuser)) { + return; + } + for (i = 0; i < argc - 1; i++) { src = colon(argv[i]); if (src) { /* remote to remote */ - static char *ssh_options = - "-x -o'ClearAllForwardings yes'"; + freeargs(&alist); + addargs(&alist, "%s", ssh_program); + if (verbose_mode) + addargs(&alist, "-v"); + addargs(&alist, "-x"); + addargs(&alist, "-oClearAllForwardings yes"); + addargs(&alist, "-n"); + *src++ = 0; if (*src == 0) src = "."; host = strrchr(argv[i], '@@'); - len = strlen(ssh_program) + strlen(argv[i]) + - strlen(src) + (tuser ? strlen(tuser) : 0) + - strlen(thost) + strlen(targ) + - strlen(ssh_options) + CMDNEEDS + 20; - bp = xmalloc(len); + if (host) { *host++ = 0; host = cleanhostname(host); suser = argv[i]; if (*suser == '\0') suser = pwd->pw_name; - else if (!okname(suser)) { - xfree(bp); + else if (!okname(suser)) continue; - } - if (tuser && !okname(tuser)) { - xfree(bp); - continue; - } - snprintf(bp, len, - "%s%s %s -n " - "-l %s %s %s %s '%s%s%s:%s'", - ssh_program, verbose_mode ? " -v" : "", - ssh_options, suser, host, cmd, src, - tuser ? tuser : "", tuser ? "@@" : "", - thost, targ); + addargs(&alist, "-l"); + addargs(&alist, "%s", suser); } else { host = cleanhostname(argv[i]); - snprintf(bp, len, - "exec %s%s %s -n %s " - "%s %s '%s%s%s:%s'", - ssh_program, verbose_mode ? " -v" : "", - ssh_options, host, cmd, src, - tuser ? tuser : "", tuser ? "@@" : "", - thost, targ); } - if (verbose_mode) - fprintf(stderr, "Executing: %s\n", bp); - if (system(bp) != 0) + addargs(&alist, "%s", host); + addargs(&alist, "%s", cmd); + addargs(&alist, "%s", src); + addargs(&alist, "%s%s%s:%s", + tuser ? tuser : "", tuser ? 
"@@" : "", + thost, targ); + if (do_local_cmd(&alist) != 0) errs = 1; - (void) xfree(bp); } else { /* local to remote */ if (remin == -1) { len = strlen(targ) + CMDNEEDS + 20; @@@@ -449,20 +487,23 @@@@ { int i, len; char *bp, *host, *src, *suser; + arglist alist; + + memset(&alist, '\0', sizeof(alist)); + alist.list = NULL; for (i = 0; i < argc - 1; i++) { if (!(src = colon(argv[i]))) { /* Local to local. */ - len = strlen(_PATH_CP) + strlen(argv[i]) + - strlen(argv[argc - 1]) + 20; - bp = xmalloc(len); - (void) snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP, - iamrecursive ? " -r" : "", pflag ? " -p" : "", - argv[i], argv[argc - 1]); - if (verbose_mode) - fprintf(stderr, "Executing: %s\n", bp); - if (system(bp)) + freeargs(&alist); + addargs(&alist, "%s", _PATH_CP); + if (iamrecursive) + addargs(&alist, "-r"); + if (pflag) + addargs(&alist, "-p"); + addargs(&alist, "%s", argv[i]); + addargs(&alist, "%s", argv[argc-1]); + if (do_local_cmd(&alist)) ++errs; - (void) xfree(bp); continue; } *src++ = 0; Index: sftp.c --- sftp.c.orig 2004-07-17 08:12:08 +0200 +++ sftp.c 2006-02-18 12:56:49 +0100 @@@@ -1374,8 +1374,9 @@@@ extern char *optarg; __progname = ssh_get_progname(argv[0]); + memset(&args, '\0', sizeof(args)); args.list = NULL; - addargs(&args, "ssh"); /* overwritten with ssh_program */ + addargs(&args, ssh_program); addargs(&args, "-oForwardX11 no"); addargs(&args, "-oForwardAgent no"); addargs(&args, "-oClearAllForwardings yes"); @@@@ -1409,6 +1410,7 @@@@ break; case 'S': ssh_program = optarg; + replacearg(&args, 0, "%s", ssh_program); break; case 'b': if (batchmode) @@@@ -1484,7 +1486,6 @@@@ addargs(&args, "%s", host); addargs(&args, "%s", (sftp_server != NULL ? 
sftp_server : "sftp")); - args.list[0] = ssh_program; if (!batchmode) fprintf(stderr, "Connecting to %s...\n", host); @@@@ -1497,6 +1498,7 @@@@ fprintf(stderr, "Attaching to %s...\n", sftp_direct); connect_to_server(sftp_direct, args.list, &in, &out); } + freeargs(&args); err = interactive_loop(in, out, file1, file2); @ 1.12.2.2 log @fix security patch: use vsnprintf(3) because vasprintf(3) is not portable enough and a replacement code exists in OpenSSH 4.3p1 and higher only @ text @d54 25 a78 3 +++ misc.c 2006-02-20 14:32:01 +0100 @@@@ -332,3 +332,35 @@@@ args->list[args->num++] = xstrdup(buf); d86 2 a87 1 + char buf[1024]; d90 1 a90 1 + vsnprintf(buf, sizeof(buf), fmt, ap); d92 2 d99 1 a99 1 + args->list[which] = xstrdup(buf); d118 1 a118 1 +++ misc.h 2006-02-20 14:31:14 +0100 d134 1 a134 1 +++ scp.c 2006-02-20 14:31:14 +0100 d342 1 a342 1 +++ sftp.c 2006-02-20 14:31:14 +0100 @ 1.11 log @upgrading package: openssh 3.8.1p1 -> 3.9p1 @ text @d33 15 @ 1.10 log @upgrading package: openssh 3.8p1 -> 3.8.1p1 @ text @d31 2 a32 2 -#define SSH_VERSION "OpenSSH_3.8.1p1" +#define SSH_VERSION "OpenSSH_3.8.1p1 @@l_openpkg_release@@" @ 1.9 log @add Alias feature and cleanup ChRoot feature packaging @ text @d31 2 a32 2 -#define SSH_VERSION "OpenSSH_3.8p1" +#define SSH_VERSION "OpenSSH_3.8p1 @@l_openpkg_release@@" @ 1.8 log @upgrading package: openssh 3.7.1p2 -> 3.8p1 @ text @a24 72 Index: session.c --- session.c.orig 2004-02-23 14:01:27.000000000 +0100 +++ session.c 2004-02-24 20:25:23.000000000 +0100 @@@@ -1270,6 +1270,26 @@@@ exit(1); } endgrent(); +# ifdef USE_CHROOT + { + char *user_dir; + char *new_root; + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if (strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + if (chroot(user_dir) == -1) + fatal("Couldn't chroot to user directory \"%s\"", user_dir); + pw->pw_dir = new_root; + break; + } + new_root += 2; + } + } +# endif /* 
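Review bot: This backport keeps the vsnprintf form in `replacearg` and removes the `addargs` hunk altogether (`d54 25`, leaving only the context line `args->list[args->num++] = xstrdup(buf);`), so both helpers on this branch truncate any argument beyond 1023 bytes without reporting it, and the deleted `fatal("replacearg: argument too long")` never fires. Since `vsnprintf` returns the required length the check is fully portable: retain `int r;` and use `if ((r = vsnprintf(buf, sizeof(buf), fmt, ap)) < 0 || (size_t)r >= sizeof(buf)) fatal("replacearg: argument too long");`. This is read from the RCS delta applied to the 1.12.2.1 text above rather than from a visible unified hunk, so the exact deleted lines are inferred.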
USE_CHROOT */ # ifdef USE_PAM /* * PAM credentials may take the form of supplementary groups. Index: sftp-server.c --- sftp-server.c.orig 2004-02-23 23:19:15.000000000 +0100 +++ sftp-server.c 2004-02-24 20:25:23.000000000 +0100 @@@@ -1029,6 +1029,38 @@@@ log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); #endif +#ifdef USE_CHROOT +{ + char *user_dir; + char *new_root; + user_dir = getenv("HOME"); + if (user_dir == NULL) + fatal("HOME variable not found in environment"); + new_root = user_dir + 1; + while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if (strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + if (geteuid() == 0) { + /* chroot to subdir and adjust HOME for remaining path */ + if (chroot(user_dir) == -1) + fatal("Couldn't chroot to user directory \"%s\": %s", user_dir, strerror(errno)); + if (setuid(getuid()) == -1) + fatal("Couldn't drop privileges: %s", strerror(errno)); + setenv("HOME", new_root, 1); + } + else { + /* ignore chroot request and adjust HOME for preceeding path */ + setenv("HOME", user_dir, 1); + } + break; + } + new_root += 2; + } +} +#endif /* USE_CHROOT */ + in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); @ 1.7 log @also drop priviledges because chroot requires setuid root @ text @d1 22 a22 5 Index: version.h --- version.h.orig 2003-09-23 11:26:51.000000000 +0200 +++ version.h 2003-09-27 12:30:35.000000000 +0200 @@@@ -1,3 +1,3 @@@@ /* $OpenBSD: version.h,v 1.39 2003/09/16 21:02:40 markus Exp $ */ d24 1 a24 2 -#define SSH_VERSION "OpenSSH_3.7.1p2" +#define SSH_VERSION "OpenSSH_3.7.1p2 @@l_openpkg_release@@" d26 3 a28 3 --- session.c.orig 2003-09-23 10:59:08.000000000 +0200 +++ session.c 2003-09-27 12:29:28.000000000 +0200 @@@@ -1268,6 +1268,26 @@@@ d54 1 a54 1 * PAM credentials may take the form of supplementary groups. 
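Review bot: The session.c `USE_CHROOT` block calls `chroot(user_dir)` but never changes directory into the new root, so the process keeps its pre-chroot working directory until some later `chdir(pw->pw_dir)` that lies outside this hunk; if that chdir fails or is skipped, the cwd is a handle outside the jail, which is the textbook chroot escape. Add `if (chdir("/") == -1) fatal("chroot: chdir: %s", strerror(errno));` immediately after the successful `chroot`. Two smaller points: `new_root = user_dir + 1` reads past the terminator if an empty `pw_dir` can reach this code, so a `*user_dir == '\0'` check belongs before the loop, and the `xstrdup` copy is intentionally never freed because `pw->pw_dir` is pointed into it — a comment like `/* user_dir owns the storage pw->pw_dir now points into; do not free */` would stop a later cleanup from introducing a use-after-free.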
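Review bot: In the sftp-server.c block the chroot target comes from `getenv("HOME")`, and the 1.7 log says this path is meant to run set-uid root, so a privileged program is taking its root directory from a user-controlled variable; that deserves an explicit comment at the top of the block, e.g. `/* SECURITY: HOME is user-controlled; in a setuid binary only the "/./" split below is trusted and privileges are dropped right after chroot */`. Two concrete gaps follow: there is no `chdir` after `chroot(user_dir)`, so the working directory stays wherever the caller left it, and `new_root = user_dir + 1` reads past the terminator when HOME is the empty string — `if (*user_dir == '\0') fatal("HOME is empty");` next to the NULL check and `if (chdir("/") == -1) fatal("chdir: %s", strerror(errno));` after the chroot close both. `setuid(getuid())` also leaves the gid and supplementary groups untouched, which is only adequate if the binary is set-uid and not set-gid; that assumption should be stated in the same comment.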
d56 3 a58 3 --- sftp-server.c.orig 2003-08-22 01:34:41.000000000 +0200 +++ sftp-server.c 2003-12-23 22:02:33.000000000 +0100 @@@@ -1037,6 +1037,38 @@@@ d97 5 a101 10 Index: auth-pam.h --- auth-pam.h.orig 2003-09-02 15:18:53.000000000 +0200 +++ auth-pam.h 2003-09-27 12:29:28.000000000 +0200 @@@@ -28,7 +28,7 @@@@ #ifdef USE_PAM #if !defined(SSHD_PAM_SERVICE) -# define SSHD_PAM_SERVICE __progname +# define SSHD_PAM_SERVICE "openssh" #endif d103 2 a104 206 void start_pam(const char *); Index: Makefile.in --- Makefile.in.orig 2003-09-22 03:00:12.000000000 +0200 +++ Makefile.in 2003-09-27 12:29:28.000000000 +0200 @@@@ -224,7 +224,7 @@@@ $(AUTORECONF) (cd scard && $(MAKE) -f Makefile.in distprep) -install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files host-key check-config +install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files host-key install-nokeys: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files check-config: Index: configure --- configure.orig 2003-12-03 18:30:30.000000000 +0100 +++ configure 2003-12-03 18:29:05.000000000 +0100 @@@@ -6452,92 +6452,6 @@@@ fi; -# Check whether user wants TCP wrappers support -TCPW_MSG="no" - -# Check whether --with-tcp-wrappers or --without-tcp-wrappers was given. 
-if test "${with_tcp_wrappers+set}" = set; then - withval="$with_tcp_wrappers" - - if test "x$withval" != "xno" ; then - saved_LIBS="$LIBS" - saved_LDFLAGS="$LDFLAGS" - saved_CPPFLAGS="$CPPFLAGS" - if test -n "${withval}" -a "${withval}" != "yes"; then - if test -d "${withval}/lib"; then - if test -n "${need_dash_r}"; then - LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" - else - LDFLAGS="-L${withval}/lib ${LDFLAGS}" - fi - else - if test -n "${need_dash_r}"; then - LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" - else - LDFLAGS="-L${withval} ${LDFLAGS}" - fi - fi - if test -d "${withval}/include"; then - CPPFLAGS="-I${withval}/include ${CPPFLAGS}" - else - CPPFLAGS="-I${withval} ${CPPFLAGS}" - fi - fi - LIBWRAP="-lwrap" - LIBS="$LIBWRAP $LIBS" - echo "$as_me:6488: checking for libwrap" >&5 -echo $ECHO_N "checking for libwrap... $ECHO_C" >&6 - cat >conftest.$ac_ext <<_ACEOF -#line 6491 "configure" -#include "confdefs.h" - -#include - int deny_severity = 0, allow_severity = 0; - -int -main () -{ -hosts_access(0); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6506: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:6509: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6512: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:6515: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - - echo "$as_me:6518: result: yes" >&5 -echo "${ECHO_T}yes" >&6 - cat >>confdefs.h <<\EOF -#define LIBWRAP 1 -EOF - - TCPW_MSG="yes" - -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 - - { { echo "$as_me:6530: error: *** libwrap missing" >&5 -echo "$as_me: error: *** libwrap missing" >&2;} - { (exit 1); exit 1; }; } - -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext - LIBS="$saved_LIBS" - fi - -fi; - for ac_func in \ arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename \ bcopy bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ @@@@ -15674,6 +15588,96 @@@@ fi; +#--------------------------------------------------- + +# Check whether user wants TCP wrappers support +TCPW_MSG="no" + +# Check whether --with-tcp-wrappers or --without-tcp-wrappers was given. +if test "${with_tcp_wrappers+set}" = set; then + withval="$with_tcp_wrappers" + + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + saved_LDFLAGS="$LDFLAGS" + saved_CPPFLAGS="$CPPFLAGS" + if test -n "${withval}" -a "${withval}" != "yes"; then + if test -d "${withval}/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "${withval}/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + LIBWRAP="-lwrap" + LIBS="$LIBWRAP $LIBS" + echo "$as_me:6488: checking for libwrap" >&5 +echo $ECHO_N "checking for libwrap... 
$ECHO_C" >&6 + cat >conftest.$ac_ext <<_ACEOF +#line 6491 "configure" +#include "confdefs.h" + +#include + int deny_severity = 0, allow_severity = 0; + +int +main () +{ +hosts_access(0); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:6506: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:6509: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:6512: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:6515: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + + echo "$as_me:6518: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + cat >>confdefs.h <<\EOF +#define LIBWRAP 1 +EOF + + TCPW_MSG="yes" + +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 + + { { echo "$as_me:6530: error: *** libwrap missing" >&5 +echo "$as_me: error: *** libwrap missing" >&2;} + { (exit 1); exit 1; }; } + +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext + LIBS="$saved_LIBS" + fi + +fi; + +#--------------------------------------------------- + echo "$as_me:15677: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 echo $ECHO_N "checking if we need to convert IPv4 in IPv6-mapped addresses... 
$ECHO_C" >&6 IPV4_IN6_HACK_MSG="no" @ 1.6 log @add chroot support also to sftp-server (actually a double-chroot if one uses a regular shell, but useful if one uses an own shell which manipulates HOME before calling sftp-server in order to trick it to do a delayed chroot(2) operation) @ text @d41 2 a42 2 +++ sftp-server.c 2003-12-23 21:42:19.000000000 +0100 @@@@ -1037,6 +1037,29 @@@@ d48 27 a74 18 + char *user_dir; + char *new_root; + user_dir = getenv("HOME"); + if (user_dir == NULL) + fatal("HOME variable not found in environment"); + new_root = user_dir + 1; + while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if (strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + if (chroot(user_dir) == -1) + fatal("Couldn't chroot to user directory \"%s\"", user_dir); + setenv("HOME", new_root, 1); + break; + } + new_root += 2; + } @ 1.5 log @integrate Matthias KURZ's patch to fix with_wrap on Solaris PR#300 @ text @d39 33 @ 1.4 log @1. Because the CHROOT patch is maintained with delays and is small enough, we finally move it into a local patch and maintain it ourself from now on. 2. Move some more substitutions into our new local patch files, too. 3. Add OpenPKG release identification. @ text @d63 193 @ 1.3 log @upgrading package: openssh 3.7.1p1 -> 3.7.1p2 @ text @d1 5 a5 12 These patches adjust (re)allocation procedures so they do not alter context structures unless the (re)allocation was successful. Otherwise the fatal cleanup functions (trigged from within the failing (re)allocation functions) will be confused and especially (for some instances) incorrectly clear (smaller than recorded) memory buffers with NUL bytes. This patch is based on work by Solar Designer . 
Index: deattack.c --- deattack.c.orig 2002-03-05 02:53:05.000000000 +0100 +++ deattack.c 2003-09-17 09:30:09.000000000 +0200 @@@@ -100,12 +100,12 @@@@ d7 2 a8 42 if (h == NULL) { debug("Installing crc compensation attack detector."); + h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE); n = l; - h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); } else { if (l > n) { + h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); n = l; - h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); } } Index: misc.c --- misc.c.orig 2003-08-25 03:16:21.000000000 +0200 +++ misc.c 2003-09-17 09:30:09.000000000 +0200 @@@@ -308,18 +308,21 @@@@ { va_list ap; char buf[1024]; + int nalloc; va_start(ap, fmt); vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); + nalloc = args->nalloc; if (args->list == NULL) { - args->nalloc = 32; + nalloc = 32; args->num = 0; - } else if (args->num+2 >= args->nalloc) - args->nalloc *= 2; + } else if (args->num+2 >= nalloc) + nalloc *= 2; - args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); + args->list = xrealloc(args->list, nalloc * sizeof(char *)); + args->nalloc = nalloc; args->list[args->num++] = xstrdup(buf); args->list[args->num] = NULL; } d10 4 a13 51 --- session.c.orig 2003-09-16 03:52:19.000000000 +0200 +++ session.c 2003-09-17 09:34:20.000000000 +0200 @@@@ -800,6 +800,7 @@@@ { u_int i, namelen; char **env; + u_int envsize; /* * If we're passed an uninitialized list, allocate a single null @@@@ -826,12 +827,14 @@@@ xfree(env[i]); } else { /* New variable. Expand if necessary. */ - if (i >= (*envsizep) - 1) { - if (*envsizep >= 1000) + envsize = *envsizep; + if (i >= envsize - 1) { + if (envsize >= 1000) fatal("child_set_env: too many env vars," " skipping: %.100s", name); - (*envsizep) += 50; - env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *)); + envsize += 50; + env = (*envp) = xrealloc(env, envsize * sizeof(char *)); + *envsizep = envsize; } /* Need to set the NULL pointer at end of array beyond the new slot. 
*/ env[i + 1] = NULL; Index: ssh-agent.c --- ssh-agent.c.orig 2003-08-22 01:34:41.000000000 +0200 +++ ssh-agent.c 2003-09-17 09:30:09.000000000 +0200 @@@@ -784,7 +784,7 @@@@ static void new_socket(sock_type type, int fd) { - u_int i, old_alloc; + u_int i, old_alloc, new_alloc; if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) error("fcntl O_NONBLOCK: %s", strerror(errno)); @@@@ -795,25 +795,26 @@@@ for (i = 0; i < sockets_alloc; i++) if (sockets[i].type == AUTH_UNUSED) { sockets[i].fd = fd; - sockets[i].type = type; buffer_init(&sockets[i].input); buffer_init(&sockets[i].output); buffer_init(&sockets[i].request); + sockets[i].type = type; return; d15 46 a60 20 old_alloc = sockets_alloc; - sockets_alloc += 10; + new_alloc = sockets_alloc + 10; if (sockets) - sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0])); + sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0])); else - sockets = xmalloc(sockets_alloc * sizeof(sockets[0])); - for (i = old_alloc; i < sockets_alloc; i++) + sockets = xmalloc(new_alloc * sizeof(sockets[0])); + for (i = old_alloc; i < new_alloc; i++) sockets[i].type = AUTH_UNUSED; - sockets[old_alloc].type = type; + sockets_alloc = new_alloc; sockets[old_alloc].fd = fd; buffer_init(&sockets[old_alloc].input); buffer_init(&sockets[old_alloc].output); buffer_init(&sockets[old_alloc].request); + sockets[old_alloc].type = type; } d62 1 a62 1 static int @ 1.2 log @add more bugfix patches from Solar Designer @ text @@ 1.1 log @file openssh.patch was initially added on branch OPENPKG_1_0_SOLID. @ text @d1 130 @ 1.1.8.1 log @apply buffer.adv V2 patch plus similar extra ones @ text @a0 225 http://www.openssh.com/txt/buffer.adv: All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively. Other implementations sharing common origin may also have these issues. 
Index: buffer.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.16 retrieving revision 1.18 diff -u -r1.16 -r1.18 --- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 +++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18 @@@@ -23,8 +23,11 @@@@ void buffer_init(Buffer *buffer) { - buffer->alloc = 4096; - buffer->buf = xmalloc(buffer->alloc); + const u_int len = 4096; + + buffer->alloc = 0; + buffer->buf = xmalloc(len); + buffer->alloc = len; buffer->offset = 0; buffer->end = 0; } @@@@ -34,8 +37,10 @@@@ void buffer_free(Buffer *buffer) { - memset(buffer->buf, 0, buffer->alloc); - xfree(buffer->buf); + if (buffer->alloc > 0) { + memset(buffer->buf, 0, buffer->alloc); + xfree(buffer->buf); + } } /* @@@@ -69,6 +74,7 @@@@ void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; if (len > 0x100000) @@@@ -98,11 +104,13 @@@@ goto restart; } /* Increase the size of the buffer and retry. */ - buffer->alloc += len + 32768; - if (buffer->alloc > 0xa00000) + + newlen = buffer->alloc + len + 32768; + if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", - buffer->alloc); - buffer->buf = xrealloc(buffer->buf, buffer->alloc); + newlen); + buffer->buf = xrealloc(buffer->buf, newlen); + buffer->alloc = newlen; goto restart; /* NOTREACHED */ } Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.194 retrieving revision 1.195 diff -u -r1.194 -r1.195 --- channels.c 29 Aug 2003 10:04:36 -0000 1.194 +++ channels.c 16 Sep 2003 21:02:40 -0000 1.195 @@@@ -228,12 +228,13 @@@@ if (found == -1) { /* There are no free slots. Take last+1 slot and expand the array. 
*/ found = channels_alloc; - channels_alloc += 10; if (channels_alloc > 10000) fatal("channel_new: internal error: channels_alloc %d " "too big.", channels_alloc); + channels = xrealloc(channels, + (channels_alloc + 10) * sizeof(Channel *)); + channels_alloc += 10; debug2("channel: expanding %d", channels_alloc); - channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); for (i = found; i < channels_alloc; i++) channels[i] = NULL; } These patches adjust (re)allocation procedures so they do not alter context structures unless the (re)allocation was successful. Otherwise the fatal cleanup functions (trigged from within the failing (re)allocation functions) will be confused and especially (for some instances) incorrectly clear (smaller than recorded) memory buffers with NUL bytes. This patch is based on work by Solar Designer . Index: deattack.c --- deattack.c.orig 2002-03-05 02:53:05.000000000 +0100 +++ deattack.c 2003-09-17 09:30:09.000000000 +0200 @@@@ -100,12 +100,12 @@@@ if (h == NULL) { debug("Installing crc compensation attack detector."); + h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE); n = l; - h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); } else { if (l > n) { + h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); n = l; - h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); } } Index: misc.c --- misc.c.orig 2003-08-25 03:16:21.000000000 +0200 +++ misc.c 2003-09-17 09:30:09.000000000 +0200 @@@@ -308,18 +308,21 @@@@ { va_list ap; char buf[1024]; + int nalloc; va_start(ap, fmt); vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); + nalloc = args->nalloc; if (args->list == NULL) { - args->nalloc = 32; + nalloc = 32; args->num = 0; - } else if (args->num+2 >= args->nalloc) - args->nalloc *= 2; + } else if (args->num+2 >= nalloc) + nalloc *= 2; - args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); + args->list = xrealloc(args->list, nalloc * sizeof(char *)); + args->nalloc = nalloc; args->list[args->num++] = xstrdup(buf); args->list[args->num] 
= NULL;
 }
Index: session.c
--- session.c.orig 2003-09-16 03:52:19.000000000 +0200
+++ session.c 2003-09-17 09:34:20.000000000 +0200
@@@@ -800,6 +800,7 @@@@
 {
 u_int i, namelen;
 char **env;
+ u_int envsize;
 /*
 * If we're passed an uninitialized list, allocate a single null
@@@@ -826,12 +827,14 @@@@
 xfree(env[i]);
 } else {
 /* New variable. Expand if necessary. */
- if (i >= (*envsizep) - 1) {
- if (*envsizep >= 1000)
+ envsize = *envsizep;
+ if (i >= envsize - 1) {
+ if (envsize >= 1000)
 fatal("child_set_env: too many env vars,"
 " skipping: %.100s", name);
- (*envsizep) += 50;
- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+ envsize += 50;
+ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+ *envsizep = envsize;
 }
 /* Need to set the NULL pointer at end of array beyond the new slot. */
 env[i + 1] = NULL;
Index: ssh-agent.c
--- ssh-agent.c.orig 2003-08-22 01:34:41.000000000 +0200
+++ ssh-agent.c 2003-09-17 09:30:09.000000000 +0200
@@@@ -784,7 +784,7 @@@@
 static void
 new_socket(sock_type type, int fd)
 {
- u_int i, old_alloc;
+ u_int i, old_alloc, new_alloc;
 if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
 error("fcntl O_NONBLOCK: %s", strerror(errno));
@@@@ -795,25 +795,26 @@@@
 for (i = 0; i < sockets_alloc; i++)
 if (sockets[i].type == AUTH_UNUSED) {
 sockets[i].fd = fd;
- sockets[i].type = type;
 buffer_init(&sockets[i].input);
 buffer_init(&sockets[i].output);
 buffer_init(&sockets[i].request);
+ sockets[i].type = type;
 return;
 }
 old_alloc = sockets_alloc;
- sockets_alloc += 10;
+ new_alloc = sockets_alloc + 10;
 if (sockets)
- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
 else
- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
- for (i = old_alloc; i < sockets_alloc; i++)
+ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
+ for (i = old_alloc; i < new_alloc; i++)
 sockets[i].type = AUTH_UNUSED;
- sockets[old_alloc].type = type;
+ sockets_alloc = new_alloc;
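Review bot: `if (i >= envsize - 1)` is unsigned arithmetic on the new `u_int envsize`, so if `*envsizep` can ever be 0 here the subtraction wraps and the bound check never fires; the original `(*envsizep) - 1` had the same property, but introducing the local is the natural place to close it, e.g. `if (envsize == 0 || i >= envsize - 1) {`. The earlier comment about an uninitialized list being given a single null entry suggests the size is normally at least 1, but that path lies before this hunk, as does the start of child_set_env().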
sockets[old_alloc].fd = fd;
 buffer_init(&sockets[old_alloc].input);
 buffer_init(&sockets[old_alloc].output);
 buffer_init(&sockets[old_alloc].request);
+ sockets[old_alloc].type = type;
 }
 static int
@ 1.1.6.1 log @OpenPKG-SA-2003.035-openssh; CAN-2003-0190 @ text @a0 131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0190 OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. Based on RedHat openssh-3.5p1-6.9.src.rpm which is mostly based on a patch for 3.6 by Solar Designer.
diff -ur openssh-3.5p1/auth2-none.c openssh-3.5p1-pam/auth2-none.c
--- auth2-none.c.orig 2002-07-03 20:06:16.000000000 -0400
+++ auth2-none.c 2003-05-01 19:21:30.000000000 -0400
@@@@ -100,7 +100,7 @@@@
 if (check_nt_auth(1, authctxt->pw) == 0)
 return(0);
 #endif
- return (authctxt->valid ? PRIVSEP(auth_password(authctxt, "")) : 0);
+ return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
 }
 Authmethod method_none = {
diff -ur openssh-3.5p1/auth2-passwd.c openssh-3.5p1-pam/auth2-passwd.c
--- auth2-passwd.c.orig 2002-06-06 16:27:56.000000000 -0400
+++ auth2-passwd.c 2003-05-01 19:22:52.000000000 -0400
@@@@ -47,11 +47,12 @@@@
 log("password change not supported");
 password = packet_get_string(&len);
 packet_check_eom();
- if (authctxt->valid &&
+ if ((PRIVSEP(auth_password(authctxt, password)) == 1)
+ && authctxt->valid
 #ifdef HAVE_CYGWIN
- check_nt_auth(1, authctxt->pw) &&
+ && check_nt_auth(1, authctxt->pw)
 #endif
- PRIVSEP(auth_password(authctxt, password)) == 1)
+ )
 authenticated = 1;
 memset(password, 0, len);
 xfree(password);
diff -ur openssh-3.5p1/auth-pam.c openssh-3.5p1-pam/auth-pam.c
--- auth-pam.c.orig 2002-07-28 16:24:08.000000000 -0400
+++ auth-pam.c 2003-05-01 19:16:27.000000000 -0400
@@@@ -201,35 +201,35 @@@@
 }
 }
-/* Attempt password authentation using PAM */
+/* Attempt password authentication using PAM */
 int
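Review bot: The two reorderings of `sockets[...].type = type` — now the last statement in both the reuse path and the expansion path — and the late `sockets_alloc = new_alloc;` are deliberate but uncommented, and nothing stops a future edit from setting `type` before the buffers exist again. A comment at the reuse-path assignment such as `/* mark the slot live last: a fatal() inside buffer_init() must not leave a half-initialised socket in the table */` and one before `sockets_alloc = new_alloc;` saying the count is committed only after the (re)allocation succeeded would record the contract. The function's declarations are in the preceding hunk.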
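Review bot: The operand order in `return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;` is the whole fix — the password check must run before `valid` is consulted so the reply takes the same time for unknown users — but nothing in the code records that, and a reader will see a cheap test placed after an expensive one and "optimise" it back. A comment such as `/* check the password first, then valid: the response time must not reveal whether the user exists (CAN-2003-0190) */` would protect it; the same ordering is introduced in the auth2-passwd.c and monitor.c hunks and should carry the same note. The function containing this return starts before the hunk.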
auth_pam_password(Authctxt *authctxt, const char *password)
 {
 extern ServerOptions options;
- int pam_retval;
+ int pam_retval, ok = authctxt->valid;
 struct passwd *pw = authctxt->pw;
 do_pam_set_conv(&conv);
 /* deny if no user. */
 if (pw == NULL)
- return 0;
+ ok = 0;
- if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD)
- return 0;
+ if (pw && pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD)
+ ok = 0;
- if (*password == '\0' && options.permit_empty_passwd == 0)
+ if (password != NULL && *password == '\0' && options.permit_empty_passwd == 0)
- return 0;
+ ok = 0;
 __pampasswd = password;
 pamstate = INITIAL_LOGIN;
 pam_retval = do_pam_authenticate(
 options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
- if (pam_retval == PAM_SUCCESS) {
+ if ((pam_retval == PAM_SUCCESS) && pw && ok) {
 debug("PAM Password authentication accepted for "
 "user \"%.100s\"", pw->pw_name);
 return 1;
 } else {
 debug("PAM Password authentication for \"%.100s\" "
- "failed[%d]: %s", pw->pw_name, pam_retval,
+ "failed[%d]: %s", pw ?
pw->pw_name : "invalid user", pam_retval,
 PAM_STRERROR(__pamh, pam_retval));
 return 0;
 }
diff -ur openssh-3.5p1/auth-passwd.c openssh-3.5p1-pam/auth-passwd.c
--- auth-passwd.c.orig 2002-09-25 19:14:16.000000000 -0400
+++ auth-passwd.c 2003-05-08 16:27:29.000000000 -0400
@@@@ -92,14 +92,15 @@@@
 int
 auth_password(Authctxt *authctxt, const char *password)
 {
+ int ok = authctxt->valid && authctxt->pw;
 #if defined(USE_PAM)
 if (*password == '\0' && options.permit_empty_passwd == 0)
- return 0;
- return auth_pam_password(authctxt, password);
+ ok = 0;
+ return auth_pam_password(authctxt, password) && ok;
 #elif defined(HAVE_OSF_SIA)
 if (*password == '\0' && options.permit_empty_passwd == 0)
- return 0;
- return auth_sia_password(authctxt, password);
+ ok = 0;
+ return auth_sia_password(authctxt, password) && ok;
 #else
 struct passwd * pw = authctxt->pw;
 char *encrypted_password;
@@@@ -119,7 +120,6 @@@@
 int authsuccess;
 int reenter = 1;
 #endif - /* deny if no user. */
 if (pw == NULL)
 return 0;
diff -ur openssh-3.5p1/monitor.c openssh-3.5p1-pam/monitor.c
--- monitor.c.orig 2002-09-26 23:26:02.000000000 -0400
+++ monitor.c 2003-05-01 19:23:17.000000000 -0400
@@@@ -606,7 +606,7 @@@@
 passwd = buffer_get_string(m, &plen);
 /* Only authenticate if the context is valid */
 authenticated = options.password_authentication &&
- authctxt->valid && auth_password(authctxt, passwd);
+ auth_password(authctxt, passwd) && authctxt->valid;
 memset(passwd, 0, strlen(passwd));
 xfree(passwd);
@ 1.1.6.2 log @apply buffer.adv V2 patch plus similar extra ones @ text @a131 225
http://www.openssh.com/txt/buffer.adv: All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively. Other implementations sharing common origin may also have these issues.
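Review bot: With `ok` cleared (no such user, root under PERMIT_NO_PASSWD, or an empty password when those are disallowed) the code still runs `do_pam_authenticate()` and only discards a successful result afterwards, so PAM modules now see attempts that sshd will refuse regardless; that is the intended timing equalisation, but it is a behavioural change for modules that count or log authentications and deserves a comment above `__pampasswd = password;`, e.g. `/* always run the PAM conversation, even when ok == 0, so the response time does not depend on the account's state; the result is only honoured below when pw && ok */`. Separately, `password` is now tested for NULL in the empty-password check but is then handed to PAM unchanged; whether the conversation callback copes with `__pampasswd == NULL` cannot be seen from here, so either the callers never pass NULL or the same guard belongs before `__pampasswd = password;`.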
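Review bot: The equalisation stops at the `#else` branch of auth_password(): in the non-PAM, non-SIA build the new `ok` is computed but never used, and the second hunk's context shows the `if (pw == NULL) return 0;` early exit surviving there, so on those builds an unknown user appears to return before any password work is done. If that is accepted (the advisory text names PAM builds only), a comment on `int ok = ...` saying the variable only serves the PAM and SIA paths would stop the next reader from hunting for its use; otherwise the `#else` path needs the same check-then-`&& ok` treatment. The `#else` body runs far beyond both hunks.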
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.18
diff -u -r1.16 -r1.18
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
@@@@ -23,8 +23,11 @@@@
 void
 buffer_init(Buffer *buffer)
 {
- buffer->alloc = 4096;
- buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
 buffer->offset = 0;
 buffer->end = 0;
 }
@@@@ -34,8 +37,10 @@@@
 void
 buffer_free(Buffer *buffer)
 {
- memset(buffer->buf, 0, buffer->alloc);
- xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ xfree(buffer->buf);
+ }
 }
 /*
@@@@ -69,6 +74,7 @@@@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+ u_int newlen;
 void *p;
 if (len > 0x100000)
@@@@ -98,11 +104,13 @@@@
 goto restart;
 }
 /* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- if (buffer->alloc > 0xa00000)
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
 fatal("buffer_append_space: alloc %u not supported",
- buffer->alloc);
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
 goto restart;
 /* NOTREACHED */
 }
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
+++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
@@@@ -228,12 +228,13 @@@@
 if (found == -1) {
 /* There are no free slots. Take last+1 slot and expand the array.
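Review bot: After `xfree(buffer->buf)` in the buffer_free() hunk the Buffer still records the old `alloc` and the now-dangling `buf`, so a second `buffer_free()` on the same object passes the new `alloc > 0` guard and memsets and frees released memory. Adding `buffer->alloc = 0;` inside the new block, before the `xfree()`, turns the guard into an idempotence check and mirrors what the buffer_init() hunk now does by holding `alloc` at 0 until xmalloc() has returned; clearing `buffer->buf = NULL;` there as well is cheap. The buffer_init() `+ buffer->alloc = 0;` line also deserves a one-line comment (`/* keep alloc at 0 until buf exists, so a fatal() cleanup does not free garbage */`) so the two halves of the invariant are visible together.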
*/
 found = channels_alloc;
- channels_alloc += 10;
 if (channels_alloc > 10000)
 fatal("channel_new: internal error: channels_alloc %d "
 "too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel *));
+ channels_alloc += 10;
 debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
 for (i = found; i < channels_alloc; i++)
 channels[i] = NULL;
 }
These patches adjust (re)allocation procedures so they do not alter context structures unless the (re)allocation was successful. Otherwise the fatal cleanup functions (trigged from within the failing (re)allocation functions) will be confused and especially (for some instances) incorrectly clear (smaller than recorded) memory buffers with NUL bytes. This patch is based on work by Solar Designer .
Index: deattack.c
--- deattack.c.orig 2002-03-05 02:53:05.000000000 +0100
+++ deattack.c 2003-09-17 09:30:09.000000000 +0200
@@@@ -100,12 +100,12 @@@@
 if (h == NULL) {
 debug("Installing crc compensation attack detector.");
+ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
 n = l;
- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
 } else {
 if (l > n) {
+ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
 n = l;
- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
 }
 }
Index: misc.c
--- misc.c.orig 2003-08-25 03:16:21.000000000 +0200
+++ misc.c 2003-09-17 09:30:09.000000000 +0200
@@@@ -308,18 +308,21 @@@@
 {
 va_list ap;
 char buf[1024];
+ int nalloc;
 va_start(ap, fmt);
 vsnprintf(buf, sizeof(buf), fmt, ap);
 va_end(ap);
+ nalloc = args->nalloc;
 if (args->list == NULL) {
- args->nalloc = 32;
+ nalloc = 32;
 args->num = 0;
- } else if (args->num+2 >= args->nalloc)
- args->nalloc *= 2;
+ } else if (args->num+2 >= nalloc)
+ nalloc *= 2;
- args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
+ args->list = xrealloc(args->list, nalloc * sizeof(char *));
+ args->nalloc = nalloc;
 args->list[args->num++] = xstrdup(buf);
 args->list[args->num]
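Review bot: Moving the `if (channels_alloc > 10000)` test ahead of the growth changes what it bounds: it now rejects when the size before expansion exceeds 10000, so `channels_alloc` can reach 10010 before fatal() fires (10000 passes the test, then `+= 10`). If the cap is meant to be exact, test the prospective size instead, `if (channels_alloc + 10 > 10000)`; otherwise a short comment that the limit is approximate avoids the question. The `if (found == -1)` block is complete in the hunk but channel_new() itself begins before it.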
= NULL;
 }
Index: session.c
--- session.c.orig 2003-09-16 03:52:19.000000000 +0200
+++ session.c 2003-09-17 09:34:20.000000000 +0200
@@@@ -800,6 +800,7 @@@@
 {
 u_int i, namelen;
 char **env;
+ u_int envsize;
 /*
 * If we're passed an uninitialized list, allocate a single null
@@@@ -826,12 +827,14 @@@@
 xfree(env[i]);
 } else {
 /* New variable. Expand if necessary. */
- if (i >= (*envsizep) - 1) {
- if (*envsizep >= 1000)
+ envsize = *envsizep;
+ if (i >= envsize - 1) {
+ if (envsize >= 1000)
 fatal("child_set_env: too many env vars,"
 " skipping: %.100s", name);
- (*envsizep) += 50;
- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+ envsize += 50;
+ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+ *envsizep = envsize;
 }
 /* Need to set the NULL pointer at end of array beyond the new slot. */
 env[i + 1] = NULL;
Index: ssh-agent.c
--- ssh-agent.c.orig 2003-08-22 01:34:41.000000000 +0200
+++ ssh-agent.c 2003-09-17 09:30:09.000000000 +0200
@@@@ -784,7 +784,7 @@@@
 static void
 new_socket(sock_type type, int fd)
 {
- u_int i, old_alloc;
+ u_int i, old_alloc, new_alloc;
 if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
 error("fcntl O_NONBLOCK: %s", strerror(errno));
@@@@ -795,25 +795,26 @@@@
 for (i = 0; i < sockets_alloc; i++)
 if (sockets[i].type == AUTH_UNUSED) {
 sockets[i].fd = fd;
- sockets[i].type = type;
 buffer_init(&sockets[i].input);
 buffer_init(&sockets[i].output);
 buffer_init(&sockets[i].request);
+ sockets[i].type = type;
 return;
 }
 old_alloc = sockets_alloc;
- sockets_alloc += 10;
+ new_alloc = sockets_alloc + 10;
 if (sockets)
- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
 else
- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
- for (i = old_alloc; i < sockets_alloc; i++)
+ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
+ for (i = old_alloc; i < new_alloc; i++)
 sockets[i].type = AUTH_UNUSED;
- sockets[old_alloc].type = type;
+ sockets_alloc = new_alloc;
sockets[old_alloc].fd = fd;
 buffer_init(&sockets[old_alloc].input);
 buffer_init(&sockets[old_alloc].output);
 buffer_init(&sockets[old_alloc].request);
+ sockets[old_alloc].type = type;
 }
 static int
@ 1.1.2.1 log @back-port security bugfix from OpenSSH 3.1p1 @ text @a0 11
--- openssh-3.0.2p1.orig/channels.c Fri Oct 12 03:35:05 2001
+++ openssh-3.0.2p1/channels.c Thu Mar 7 16:18:42 2002
@@@@ -145,7 +145,7 @@@@
 {
 Channel *c;
- if (id < 0 || id > channels_alloc) {
+ if (id < 0 || id >= channels_alloc) {
 log("channel_lookup: %d: bad id", id);
 return NULL;
 }
@ 1.1.2.2 log @fix security bug @ text @a11 32
--- openssh-3.0.2p1.orig/auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18
+++ openssh-3.0.2p1/auth2-chall.c 26 Jun 2002 09:37:03 -0000
@@@@ -256,6 +256,8 @@@@
 authctxt->postponed = 0; /* reset */
 nresp = packet_get_int();
+ if (nresp > 100)
+ fatal("input_userauth_info_response: nresp too big %u", nresp);
 if (nresp > 0) {
 response = xmalloc(nresp * sizeof(char*));
 for (i = 0; i < nresp; i++)
B:
--- openssh-3.0.2p1.orig/auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12
+++ openssh-3.0.2p1/auth2-pam.c 26 Jun 2002 10:12:31 -0000
@@@@ -140,6 +140,15 @@@@
 nresp = packet_get_int(); /* Number of responses. */
 debug("got %d responses", nresp);
+
+ if (nresp != context_pam2.num_expected)
+ fatal("%s: Received incorrect number of responses "
+ "(expected %u, received %u)", __func__, nresp,
+ context_pam2.num_expected);
+
+ if (nresp > 100)
+ fatal("%s: too many replies", __func__);
+
 for (i = 0; i < nresp; i++) {
 int j = context_pam2.prompts[i];
@ 1.1.2.3 log @fix building under FreeBSD >= 4.4 @ text @a43 13
--- openssh-3.0.2p1.orig/openbsd-compat/readpassphrase.h Mon Jun 25 10:09:18 2001
+++ openssh-3.0.2p1/openbsd-compat/readpassphrase.h Wed Jul 10 11:52:46 2002
@@@@ -32,6 +32,10 @@@@
 #include "includes.h"
+#if defined(__FreeBSD__)
+#undef HAVE_READPASSPHRASE
+#endif
+
 #ifndef HAVE_READPASSPHRASE
 #define RPP_ECHO_OFF 0x00 /* Turn off echo (default). */
@
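Review bot: The new fatal() in the auth2-pam.c hunk prints its numbers in the wrong order: the format reads `(expected %u, received %u)` but the arguments are `nresp, context_pam2.num_expected`, so the log shows the received count as the expected one and vice versa; swap them to `"(expected %u, received %u)", __func__, context_pam2.num_expected,` followed by `nresp);`. The `nresp > 100` test that follows is only reached when nresp already equals num_expected, so it is redundant with the equality check unless num_expected itself can exceed 100; a one-line comment stating which of the two is the real bound on the allocation would spare the next reader the question. The for loop and the enclosing function continue beyond the hunk.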