Ticket #16871: dropbear-2014.63.patch

File dropbear-2014.63.patch, 14.6 KB (added by yohimba@…, 4 years ago)

dropbear update to 2014.63 (attitude_adjustment)

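--- a/package/dropbear/files/dropbear.init
+++ b/package/dropbear/files/dropbear.init
@@ -80,7 +80,9 @@
         config_get val "${section}" rsakeyfile
         [ -f "${val}" ] && append args "-r ${val}"
         config_get val "${section}" dsskeyfile
-        [ -f "${val}" ] && append args "-d ${val}"
+        [ -f "${val}" ] && append args "-r ${val}"
+        config_get val "${section}" ecdsakeyfile
+        [ -f "${val}" ] && append args "-r ${val}"
 
         # execute program and return its exit code
         [ "${verbosed}" -ne 0 ] && echo "${initscript}: section ${section} starting ${PROG} ${args}"
@@ -89,7 +91,7 @@
 
 keygen()
 {
-        for keytype in rsa dss; do
+        for keytype in rsa dss ecdsa; do
                 # check for keys
                 key=dropbear/dropbear_${keytype}_host_key
                 [ -f /tmp/$key -o -s /etc/$key ] || {
@@ -113,7 +115,8 @@
 start()
 {
         [ -s /etc/dropbear/dropbear_rsa_host_key -a \
-          -s /etc/dropbear/dropbear_dss_host_key ] || keygen
+          -s /etc/dropbear/dropbear_dss_host_key -a \
+          -s /etc/dropbear/dropbear_ecdsa_host_key ] || keygen
 
         include /lib/network
         scan_interfaces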
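Review bot: The guard in `start()` now calls `keygen` whenever `/etc/dropbear/dropbear_ecdsa_host_key` is missing or empty, so a build whose `dropbearkey` cannot produce ECDSA keys would re-enter `keygen` on every start. Whether ECDSA is compiled in is not visible on this page and should be confirmed against the options patch. The three `append args` lines now all pass `-r`, which reads like a copy-paste slip next to the removed `-d`. If, as I understand it, `-r` may be repeated for any host key type, a comment such as `# -r is repeatable and takes every host key type` above them would settle that. The body of `keygen()` continues outside the displayed hunk, so its per-key generation and failure handling could not be reviewed.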
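--- a/package/dropbear/Makefile
+++ b/package/dropbear/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2011.54
-PKG_RELEASE:=2
+PKG_VERSION:=2014.63
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
         http://matt.ucc.asn.au/dropbear/releases/ \
         http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/
-PKG_MD5SUM:=c627ffe09570fad7aa94d8eac2b9320c
+PKG_MD5SUM:=7066bb9a2da708f3ed06314fdc9c47fd
 
 PKG_BUILD_PARALLEL:=1
 
@@ -38,8 +38,9 @@
 
 define Package/dropbear/conffiles
 /etc/dropbear/dropbear_rsa_host_key
-/etc/dropbear/dropbear_dss_host_key 
-/etc/config/dropbear 
+/etc/dropbear/dropbear_dss_host_key
+/etc/dropbear/dropbear_ecdsa_host_key
+/etc/config/dropbear
 endef
 
 define Package/dropbearconvert
@@ -103,6 +104,7 @@
         $(INSTALL_DIR) $(1)/etc/dropbear
         touch $(1)/etc/dropbear/dropbear_rsa_host_key
         touch $(1)/etc/dropbear/dropbear_dss_host_key
+        touch $(1)/etc/dropbear/dropbear_ecdsa_host_key
 endef
 
 define Package/dropbearconvert/install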
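Review bot: The new tarball is still pinned only by `PKG_MD5SUM`, and both `PKG_SOURCE_URL` entries are plain `http://`, so the integrity of the source for an SSH server rests on an MD5 digest of a file fetched over an unauthenticated channel. If the build system on this branch accepts a stronger digest, pin that instead; otherwise the ticket should record how `7066bb9a2da708f3ed06314fdc9c47fd` was checked against the upstream release. The install step also ships an empty `dropbear_ecdsa_host_key` placeholder via `touch`, which is only safe because the init script tests the key files with `-s`. A one-line comment beside the `touch` lines saying so would keep a later edit from breaking that assumption.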
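--- a/package/dropbear/patches/110-change_user.patch
+++ b/package/dropbear/patches/110-change_user.patch
@@ -1,6 +1,6 @@
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -884,12 +884,12 @@ static void execchild(void *user_data) {
+@@ -889,12 +889,12 @@ static void execchild(void *user_data) {
         /* We can only change uid/gid as root ... */
         if (getuid() == 0) {
  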
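--- a/package/dropbear/patches/120-openwrt_options.patch
+++ b/package/dropbear/patches/120-openwrt_options.patch
@@ -1,6 +1,6 @@
 --- a/options.h
 +++ b/options.h
-@@ -38,7 +38,7 @@
+@@ -41,7 +41,7 @@
   * Both of these flags can be defined at once, don't compile without at least
   * one of them. */
  #define NON_INETD_MODE
@@ -9,25 +9,16 @@
  
  /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
   * perhaps 20% slower for pubkey operations (it is probably worth experimenting
-@@ -49,7 +49,7 @@
- several kB in binary size however will make the symmetrical ciphers and hashes
- slower, perhaps by 50%. Recommended for small systems that aren't doing
- much traffic. */
--/*#define DROPBEAR_SMALL_CODE*/
-+#define DROPBEAR_SMALL_CODE
- 
- /* Enable X11 Forwarding - server only */
- #define ENABLE_X11FWD
-@@ -78,7 +78,7 @@ much traffic. */
+@@ -81,7 +81,7 @@
  
  /* Enable "Netcat mode" option. This will forward standard input/output
   * to a remote TCP-forwarded connection */
 -#define ENABLE_CLI_NETCAT
 +/*#define ENABLE_CLI_NETCAT*/
  
- /* Encryption - at least one required.
-  * Protocol RFC requires 3DES and recommends AES128 for interoperability.
-@@ -89,8 +89,8 @@ much traffic. */
+ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
+ #define ENABLE_USER_ALGO_LIST
+@@ -95,8 +95,8 @@
  #define DROPBEAR_AES256
  /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
  /*#define DROPBEAR_BLOWFISH*/
@@ -38,16 +29,16 @@
  
  /* Enable "Counter Mode" for ciphers. This is more secure than normal
   * CBC mode against certain attacks. This adds around 1kB to binary 
-@@ -110,7 +110,7 @@ much traffic. */
+@@ -122,7 +122,7 @@
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
  #define DROPBEAR_SHA1_HMAC
 -#define DROPBEAR_SHA1_96_HMAC
 +/*#define DROPBEAR_SHA1_96_HMAC*/
+ /*#define DROPBEAR_SHA2_256_HMAC*/
+ /*#define DROPBEAR_SHA2_512_HMAC*/
  #define DROPBEAR_MD5_HMAC
- 
- /* Hostkey/public key algorithms - at least one required, these are used
-@@ -148,7 +148,7 @@ much traffic. */
+@@ -175,7 +175,7 @@
  
  /* Whether to print the message of the day (MOTD). This doesn't add much code
   * size */
@@ -56,7 +47,7 @@
  
  /* The MOTD file path */
  #ifndef MOTD_FILENAME
-@@ -192,7 +192,7 @@ much traffic. */
+@@ -213,7 +213,7 @@
   * note that it will be provided for all "hidden" client-interactive
   * style prompts - if you want something more sophisticated, use 
   * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/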
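Review bot: After the refresh, the MAC block of `options.h` keeps `DROPBEAR_SHA1_HMAC` and `DROPBEAR_MD5_HMAC` enabled while the context lines `/*#define DROPBEAR_SHA2_256_HMAC*/` and `/*#define DROPBEAR_SHA2_512_HMAC*/` stay commented out, so the resulting build offers no SHA-2 MAC. Consider extending this hunk with `-/*#define DROPBEAR_SHA2_256_HMAC*/` and `+#define DROPBEAR_SHA2_256_HMAC`. Dropping `DROPBEAR_MD5_HMAC` is also worth weighing, though the quoted upstream comment says disabling MD5 changes the fingerprint format. The old hunk that enabled `DROPBEAR_SMALL_CODE` is removed without a word in the description. Presumably upstream now defines it by default, but that should be stated, since several lines between the displayed hunks are elided here.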
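--- a/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
+++ b/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
@@ -1,6 +1,6 @@
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -287,6 +287,10 @@ void cli_getopts(int argc, char ** argv)
+@@ -309,6 +309,10 @@ void cli_getopts(int argc, char ** argv)
                                         debug_trace = 1;
                                         break;
  #endif
@@ -10,8 +10,8 @@
 +                                       break;
                                 case 'F':
                                 case 'e':
-                                case 'c':
-@@ -298,7 +302,6 @@ void cli_getopts(int argc, char ** argv)
+ #ifndef ENABLE_USER_ALGO_LIST
+@@ -322,7 +326,6 @@ void cli_getopts(int argc, char ** argv)
  #ifndef ENABLE_CLI_LOCALTCPFWD
                                 case 'L':
  #endif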
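--- a/package/dropbear/patches/140-disable_assert.patch
+++ b/package/dropbear/patches/140-disable_assert.patch
@@ -1,6 +1,6 @@
 --- a/dbutil.h
 +++ b/dbutil.h
-@@ -94,6 +94,10 @@ int m_str_to_uint(const char* str, unsig
+@@ -92,7 +92,11 @@ int m_str_to_uint(const char* str, unsig
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
  /* Dropbear assertion */
@@ -11,4 +11,5 @@
 +
 +#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
  
- #endif /* _DBUTIL_H_ */
+ /* Returns 0 if a and b have the same contents */
+ int constant_time_memcmp(const void* a, const void *b, size_t n);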
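Review bot: The refreshed patch still routes `dropbear_assert` through `DROPBEAR_ASSERT_ENABLED`, and the file name says the intent is to disable assertions, so an invariant violation inside the server would no longer stop the process. The lines that define `DROPBEAR_ASSERT_ENABLED` are elided on this page, so its value is an assumption. If it is 0, the patch should carry a comment such as `/* asserts compiled out to save space; invariant failures are not fatal */`. The ticket should also say why that trade-off is acceptable for a network-facing daemon after a version jump of this size.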
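--- a/package/dropbear/patches/150-dbconvert_standalone.patch
+++ b/package/dropbear/patches/150-dbconvert_standalone.patch
@@ -9,6 +9,6 @@
 +#define DROPBEAR_CLIENT
 +#endif
 +
- /******************************************************************
-  * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
-  * parts are to allow for commandline -DDROPBEAR_XXX options etc.
+ /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
+  * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
+ 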
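--- a/package/dropbear/patches/200-lcrypt_bsdfix.patch
+++ b/package/dropbear/patches/200-lcrypt_bsdfix.patch
@@ -1,15 +1,6 @@
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac
-                loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \
-                listener.h fake-rfc2553.h
- 
--dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ 
-+dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
- dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
- dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS)
- dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS)
-@@ -77,7 +77,7 @@ STRIP=@STRIP@
+@@ -83,7 +83,7 @@
  INSTALL=@INSTALL@
  CPPFLAGS=@CPPFLAGS@
  CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@
@@ -18,12 +9,3 @@
  LDFLAGS=@LDFLAGS@
  
  EXEEXT=@EXEEXT@
-@@ -169,7 +169,7 @@ scp: $(SCPOBJS)  $(HEADERS) Makefile
- # multi-binary compilation.
- MULTIOBJS=
- ifeq ($(MULTI),1)
--       MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) @CRYPTLIB@ 
-+       MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs)))
-        CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI
- endif
- 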
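--- a/package/dropbear/patches/300-ipv6_addr_port_split.patch
+++ b/package/dropbear/patches/300-ipv6_addr_port_split.patch
@@ -1,11 +0,0 @@
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -325,7 +325,7 @@ static void addportandaddress(char* spec
-                myspec = m_strdup(spec);
- 
-                /* search for ':', that separates address and port */
--               svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':');
-+               svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':');
- 
-                if (svr_opts.ports[svr_opts.portcount] == NULL) {
-                        /* no ':' -> the whole string specifies just a port */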
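--- a/package/dropbear/patches/400-CVE-2012-0920.patch
+++ b/package/dropbear/patches/400-CVE-2012-0920.patch
@@ -1,91 +0,0 @@
-
-# HG changeset patch
-# User Matt Johnston <matt@ucc.asn.au>
-# Date 1322947885 -28800
-# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8
-# Parent  5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f
-- Fix use-after-free if multiple command requests were sent. Move
-the original_command into chansess struct since that makes more sense
-
---- a/auth.h
-+++ b/auth.h
-@@ -133,7 +133,6 @@ struct PubKeyOptions {
-        int no_pty_flag;
-        /* "command=" option. */
-        unsigned char * forced_command;
--       unsigned char * original_command;
- };
- #endif
- 
---- a/chansession.h
-+++ b/chansession.h
-@@ -69,6 +69,10 @@ struct ChanSess {
-        char * agentfile;
-        char * agentdir;
- #endif
-+
-+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
-+       char *original_command;
-+#endif
- };
- 
- struct ChildPid {
---- a/svr-authpubkeyoptions.c
-+++ b/svr-authpubkeyoptions.c
-@@ -92,14 +92,15 @@ int svr_pubkey_allows_pty() {
-  * by any 'command' public key option. */
- void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
-        if (ses.authstate.pubkey_options) {
--               ses.authstate.pubkey_options->original_command = chansess->cmd;
--               if (!chansess->cmd)
--               {
--                       ses.authstate.pubkey_options->original_command = m_strdup("");
-+               if (chansess->cmd) {
-+                       /* original_command takes ownership */
-+                       chansess->original_command = chansess->cmd;
-+               } else {
-+                       chansess->original_command = m_strdup("");
-                }
--               chansess->cmd = ses.authstate.pubkey_options->forced_command;
-+               chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
- #ifdef LOG_COMMANDS
--               dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
-+               dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command);
- #endif
-        }
- }
---- a/svr-chansession.c
-+++ b/svr-chansession.c
-@@ -217,6 +217,8 @@ static int newchansess(struct Channel *c
- 
-        struct ChanSess *chansess;
- 
-+       TRACE(("new chansess %p", channel))
-+
-        dropbear_assert(channel->typedata == NULL);
- 
-        chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
-@@ -279,6 +281,10 @@ static void closechansess(struct Channel
-        m_free(chansess->cmd);
-        m_free(chansess->term);
- 
-+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
-+       m_free(chansess->original_command);
-+#endif
-+
-        if (chansess->tty) {
-                /* write the utmp/wtmp login record */
-                li = chansess_login_alloc(chansess);
-@@ -924,10 +930,8 @@ static void execchild(void *user_data) {
-        }
-        
- #ifdef ENABLE_SVR_PUBKEY_OPTIONS
--       if (ses.authstate.pubkey_options &&
--                       ses.authstate.pubkey_options->original_command) {
--               addnewvar("SSH_ORIGINAL_COMMAND", 
--                       ses.authstate.pubkey_options->original_command);
-+       if (chansess->original_command) {
-+               addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
-        }
- #endif
- 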
  • package/dropbear/patches/500-set-default-path.patch

    diff -Nru attitude_adjustment.orig/package/dropbear/patches/500-set-default-path.patch attitude_adjustment/package/dropbear/patches/500-set-default-path.patch
    old new  
    11--- a/options.h 
    22+++ b/options.h 
    3 @@ -297,7 +297,7 @@ be overridden at runtime with -I. 0 disa 
     3@@ -301,7 +301,7 @@ be overridden at runtime with -I. 0 disa 
    44 #define DEFAULT_IDLE_TIMEOUT 0 
    55  
    66 /* The default path. This will often get replaced by the shell */