dropbear: update to 2012.55 and refresh patches
Upstream has a few code cleanups, more eagerly burns sensitive memory and includes the fix for CVE-2012-0920. Full changelog: https://matt.ucc.asn.au/dropbear/CHANGES Local changes: - Removed PKG_MULTI which is no longer in options.h (even before 2011.54) - Merged DO_HOST_LOOKUP into 120-openwrt_options.patch - Removed LD from make opts (now included in TARGET_CONFIGURE_OPTS) - Removed 400-CVE-2012-0920.patch which is included in 2012.55 Signed-off-by: Catalin Patulea <cat@vv.carleton.ca> Signed-off-by: Florian Fainelli <florian@openwrt.org> SVN-Revision: 34496
This commit is contained in:
parent
4f78be25e1
commit
9e355444a6
5 changed files with 10 additions and 104 deletions
|
@ -8,14 +8,14 @@
|
||||||
include $(TOPDIR)/rules.mk
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=dropbear
|
PKG_NAME:=dropbear
|
||||||
PKG_VERSION:=2011.54
|
PKG_VERSION:=2012.55
|
||||||
PKG_RELEASE:=2
|
PKG_RELEASE:=2
|
||||||
|
|
||||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||||
PKG_SOURCE_URL:= \
|
PKG_SOURCE_URL:= \
|
||||||
http://matt.ucc.asn.au/dropbear/releases/ \
|
http://matt.ucc.asn.au/dropbear/releases/ \
|
||||||
http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/
|
http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/
|
||||||
PKG_MD5SUM:=c627ffe09570fad7aa94d8eac2b9320c
|
PKG_MD5SUM:=8c784baec3054cdb1bb4bfa792c87812
|
||||||
|
|
||||||
PKG_LICENSE:=MIT
|
PKG_LICENSE:=MIT
|
||||||
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
|
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
|
||||||
|
@ -72,21 +72,13 @@ CONFIGURE_ARGS += \
|
||||||
TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections
|
TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections
|
||||||
TARGET_LDFLAGS += -Wl,--gc-sections
|
TARGET_LDFLAGS += -Wl,--gc-sections
|
||||||
|
|
||||||
define Build/Configure
|
|
||||||
$(SED) 's,^/\* #define PKG_MULTI.*,#define PKG_MULTI,g' $(PKG_BUILD_DIR)/options.h
|
|
||||||
$(SED) 's,^#define DO_HOST_LOOKUP,/* & */,g' $(PKG_BUILD_DIR)/options.h
|
|
||||||
$(call Build/Configure/Default)
|
|
||||||
endef
|
|
||||||
|
|
||||||
define Build/Compile
|
define Build/Compile
|
||||||
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
|
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
|
||||||
$(TARGET_CONFIGURE_OPTS) \
|
$(TARGET_CONFIGURE_OPTS) \
|
||||||
LD="$(TARGET_CC)" \
|
|
||||||
PROGRAMS="dropbear dbclient dropbearkey scp" \
|
PROGRAMS="dropbear dbclient dropbearkey scp" \
|
||||||
MULTI=1 SCPPROGRESS=1
|
MULTI=1 SCPPROGRESS=1
|
||||||
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
|
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
|
||||||
$(TARGET_CONFIGURE_OPTS) \
|
$(TARGET_CONFIGURE_OPTS) \
|
||||||
LD="$(TARGET_CC)" \
|
|
||||||
PROGRAMS="dropbearconvert"
|
PROGRAMS="dropbearconvert"
|
||||||
endef
|
endef
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
--- a/svr-chansession.c
|
--- a/svr-chansession.c
|
||||||
+++ b/svr-chansession.c
|
+++ b/svr-chansession.c
|
||||||
@@ -884,12 +884,12 @@ static void execchild(void *user_data) {
|
@@ -891,12 +891,12 @@ static void execchild(void *user_data) {
|
||||||
/* We can only change uid/gid as root ... */
|
/* We can only change uid/gid as root ... */
|
||||||
if (getuid() == 0) {
|
if (getuid() == 0) {
|
||||||
|
|
||||||
|
|
|
@ -47,7 +47,12 @@
|
||||||
#define DROPBEAR_MD5_HMAC
|
#define DROPBEAR_MD5_HMAC
|
||||||
|
|
||||||
/* Hostkey/public key algorithms - at least one required, these are used
|
/* Hostkey/public key algorithms - at least one required, these are used
|
||||||
@@ -148,7 +148,7 @@ much traffic. */
|
@@ -144,11 +144,11 @@ much traffic. */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Whether to do reverse DNS lookups. */
|
||||||
|
-#define DO_HOST_LOOKUP
|
||||||
|
+/*#define DO_HOST_LOOKUP*/
|
||||||
|
|
||||||
/* Whether to print the message of the day (MOTD). This doesn't add much code
|
/* Whether to print the message of the day (MOTD). This doesn't add much code
|
||||||
* size */
|
* size */
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
--- a/dbutil.h
|
--- a/dbutil.h
|
||||||
+++ b/dbutil.h
|
+++ b/dbutil.h
|
||||||
@@ -94,6 +94,10 @@ int m_str_to_uint(const char* str, unsig
|
@@ -93,6 +93,10 @@ int m_str_to_uint(const char* str, unsig
|
||||||
#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
|
#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
|
||||||
|
|
||||||
/* Dropbear assertion */
|
/* Dropbear assertion */
|
||||||
|
|
|
@ -1,91 +0,0 @@
|
||||||
|
|
||||||
# HG changeset patch
|
|
||||||
# User Matt Johnston <matt@ucc.asn.au>
|
|
||||||
# Date 1322947885 -28800
|
|
||||||
# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8
|
|
||||||
# Parent 5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f
|
|
||||||
- Fix use-after-free if multiple command requests were sent. Move
|
|
||||||
the original_command into chansess struct since that makes more sense
|
|
||||||
|
|
||||||
--- a/auth.h
|
|
||||||
+++ b/auth.h
|
|
||||||
@@ -133,7 +133,6 @@ struct PubKeyOptions {
|
|
||||||
int no_pty_flag;
|
|
||||||
/* "command=" option. */
|
|
||||||
unsigned char * forced_command;
|
|
||||||
- unsigned char * original_command;
|
|
||||||
};
|
|
||||||
#endif
|
|
||||||
|
|
||||||
--- a/chansession.h
|
|
||||||
+++ b/chansession.h
|
|
||||||
@@ -69,6 +69,10 @@ struct ChanSess {
|
|
||||||
char * agentfile;
|
|
||||||
char * agentdir;
|
|
||||||
#endif
|
|
||||||
+
|
|
||||||
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
|
|
||||||
+ char *original_command;
|
|
||||||
+#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
struct ChildPid {
|
|
||||||
--- a/svr-authpubkeyoptions.c
|
|
||||||
+++ b/svr-authpubkeyoptions.c
|
|
||||||
@@ -92,14 +92,15 @@ int svr_pubkey_allows_pty() {
|
|
||||||
* by any 'command' public key option. */
|
|
||||||
void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
|
|
||||||
if (ses.authstate.pubkey_options) {
|
|
||||||
- ses.authstate.pubkey_options->original_command = chansess->cmd;
|
|
||||||
- if (!chansess->cmd)
|
|
||||||
- {
|
|
||||||
- ses.authstate.pubkey_options->original_command = m_strdup("");
|
|
||||||
+ if (chansess->cmd) {
|
|
||||||
+ /* original_command takes ownership */
|
|
||||||
+ chansess->original_command = chansess->cmd;
|
|
||||||
+ } else {
|
|
||||||
+ chansess->original_command = m_strdup("");
|
|
||||||
}
|
|
||||||
- chansess->cmd = ses.authstate.pubkey_options->forced_command;
|
|
||||||
+ chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
|
|
||||||
#ifdef LOG_COMMANDS
|
|
||||||
- dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
|
|
||||||
+ dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command);
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
}
|
|
||||||
--- a/svr-chansession.c
|
|
||||||
+++ b/svr-chansession.c
|
|
||||||
@@ -217,6 +217,8 @@ static int newchansess(struct Channel *c
|
|
||||||
|
|
||||||
struct ChanSess *chansess;
|
|
||||||
|
|
||||||
+ TRACE(("new chansess %p", channel))
|
|
||||||
+
|
|
||||||
dropbear_assert(channel->typedata == NULL);
|
|
||||||
|
|
||||||
chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
|
|
||||||
@@ -279,6 +281,10 @@ static void closechansess(struct Channel
|
|
||||||
m_free(chansess->cmd);
|
|
||||||
m_free(chansess->term);
|
|
||||||
|
|
||||||
+#ifdef ENABLE_SVR_PUBKEY_OPTIONS
|
|
||||||
+ m_free(chansess->original_command);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
if (chansess->tty) {
|
|
||||||
/* write the utmp/wtmp login record */
|
|
||||||
li = chansess_login_alloc(chansess);
|
|
||||||
@@ -924,10 +930,8 @@ static void execchild(void *user_data) {
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef ENABLE_SVR_PUBKEY_OPTIONS
|
|
||||||
- if (ses.authstate.pubkey_options &&
|
|
||||||
- ses.authstate.pubkey_options->original_command) {
|
|
||||||
- addnewvar("SSH_ORIGINAL_COMMAND",
|
|
||||||
- ses.authstate.pubkey_options->original_command);
|
|
||||||
+ if (chansess->original_command) {
|
|
||||||
+ addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
Loading…
Reference in a new issue