diff options
| author | taca <taca@pkgsrc.org> | 2006-10-31 03:31:19 +0000 |
|---|---|---|
| committer | taca <taca@pkgsrc.org> | 2006-10-31 03:31:19 +0000 |
| commit | 70d00a6d63d399a667376ec9fabcd2fe038bf8ce (patch) | |
| tree | b47413236355186a1c01c75680dfb81ede4145f8 /security/openssh | |
| parent | 05e819c6a7e0c4f63c4a1e974333a8dc78b94103 (diff) | |
| download | pkgsrc-70d00a6d63d399a667376ec9fabcd2fe038bf8ce.tar.gz | |
Update openssh package to 4.4.1 (openssh-4.4p1).
- A few pkglint warning clean up.
- Major changes are here. For complete changes,
see http://www.openssh.com/txt/release-4.4.
Changes since OpenSSH 4.3:
============================
Security bugs resolved in this release:
* Fix a pre-authentication denial of service found by Tavis Ormandy,
that would cause sshd(8) to spin until the login grace time
expired.
* Fix an unsafe signal hander reported by Mark Dowd. The signal
handler was vulnerable to a race condition that could be exploited
to perform a pre-authentication denial of service. On portable
OpenSSH, this vulnerability could theoretically lead to
pre-authentication remote code execution if GSSAPI authentication
is enabled, but the likelihood of successful exploitation appears
remote.
* On portable OpenSSH, fix a GSSAPI authentication abort that could
be used to determine the validity of usernames on some platforms.
This release includes the following new functionality and fixes:
* Implemented conditional configuration in sshd_config(5) using the
"Match" directive. This allows some configuration options to be
selectively overridden if specific criteria (based on user, group,
hostname and/or address) are met. So far a useful subset of post-
authentication options are supported and more are expected to be
added in future releases.
* Add support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256.
* Added a "ForceCommand" directive to sshd_config(5). Similar to the
command="..." option accepted in ~/.ssh/authorized_keys, this forces
the execution of the specified command regardless of what the user
requested. This is very useful in conjunction with the new "Match"
option.
* Add a "PermitOpen" directive to sshd_config(5). This mirrors the
permitopen="..." authorized_keys option, allowing fine-grained
control over the port-forwardings that a user is allowed to
establish.
* Add optional logging of transactions to sftp-server(8).
* ssh(1) will now record port numbers for hosts stored in
~/.ssh/authorized_keys when a non-standard port has been requested.
* Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
a non-zero exit code) when requested port forwardings could not be
established.
* Extend sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments.
* Replacement of all integer overflow susceptible invocations of
malloc(3) and realloc(3) with overflow-checking equivalents.
* Many manpage fixes and improvements
* New portable OpenSSH-specific features:
- Add optional support for SELinux, controlled using the
--with-selinux configure option (experimental)
- Add optional support for Solaris process contracts, enabled
using the --with-solaris-contracts configure option (experimental)
This option will also include SMF metadata in Solaris packages
built using the "make package" target
- Add optional support for OpenSSL hardware accelerators (engines),
enabled using the --with-ssl-engine configure option.
Diffstat (limited to 'security/openssh')
30 files changed, 218 insertions, 359 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile index e3386ed606f..516102eb423 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.171 2006/09/28 10:10:52 taca Exp $ +# $NetBSD: Makefile,v 1.172 2006/10/31 03:31:19 taca Exp $ -DISTNAME= openssh-4.3p2 -PKGNAME= openssh-4.3.2 +DISTNAME= openssh-4.4p1 +PKGNAME= openssh-4.4.1 #PKGREVISION= 1 SVR4_PKGNAME= ossh CATEGORIES= security @@ -31,6 +31,9 @@ CRYPTO= yes # retain the following line, for IPv6-ready pkgsrc webpage BUILD_DEFS+= USE_INET6 +BUILD_DEFS+= OPENSSH_CHROOT OPENSSH_GROUP OPENSSH_USER +BUILD_DEFS+= VARBASE + INSTALL_TARGET= install-nokeys PLIST_SRC= # empty @@ -135,8 +138,8 @@ PLIST_SRC+= ${.CURDIR}/PLIST.prng EGDIR= ${PREFIX}/share/examples/${PKGBASE} CONF_FILES= # empty -.for FILE in ${CONFS} -CONF_FILES+= ${EGDIR}/${FILE} ${PKG_SYSCONFDIR}/${FILE} +.for f in ${CONFS} +CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f} .endfor OWN_DIRS= ${OPENSSH_CHROOT} RCD_SCRIPTS= sshd @@ -144,6 +147,12 @@ RCD_SCRIPTS= sshd PLIST_SRC+= ${.CURDIR}/PLIST FILES_SUBST+= SSH_PID_DIR=${SSH_PID_DIR:Q} +SUBST_CLASSES+= patch +SUBST_STAGE.patch= pre-configure +SUBST_FILES.patch= session.c +SUBST_SED.patch= -e '/channel_input_port_forward_request/s/0/ROOTUID/' +SUBST_MESSAGE.patch= More patch a file. + .include "../../devel/zlib/buildlink3.mk" .include "../../security/openssl/buildlink3.mk" .include "../../security/tcp_wrappers/buildlink3.mk" diff --git a/security/openssh/distinfo b/security/openssh/distinfo index 12ebff2a1c5..2c7d2ef0625 100644 --- a/security/openssh/distinfo +++ b/security/openssh/distinfo @@ -1,34 +1,30 @@ -$NetBSD: distinfo,v 1.54 2006/09/28 10:10:52 taca Exp $ +$NetBSD: distinfo,v 1.55 2006/10/31 03:31:19 taca Exp $ -SHA1 (openssh-4.3p1-hpn11.diff) = 22f2c99d314abc400bd1731d9c35b0540cbf2eae -RMD160 (openssh-4.3p1-hpn11.diff) = c3b807437fd9f40f2ab73c52586de194b84cce6e -Size (openssh-4.3p1-hpn11.diff) = 11024 bytes -SHA1 (openssh-4.3p2.tar.gz) = 2b5b0751fd578283ba7b106025c0ba391fd72f1f -RMD160 (openssh-4.3p2.tar.gz) = ccd5967e3296347e6dd2be43c3d6caacde2b6833 -Size (openssh-4.3p2.tar.gz) = 941455 bytes -SHA1 (patch-aa) = 213f5f5a3c7ae0bceafac1b169063fc71806dc7c -SHA1 (patch-ab) = 6c71ad1a39a1d6f7e48fc244993a4189c2cd9ef7 -SHA1 (patch-ac) = 8c625fdaca4d73c27e4e68b5bb3aa54327eb61ff -SHA1 (patch-ad) = 23f73b7ce008c6ccd431d3d80692e59fcf33aa14 -SHA1 (patch-ae) = 0ea1559a47f536fe7bf758f78a2cae672285875f -SHA1 (patch-af) = abb711b840d58b499de961b72df7550b9298134a -SHA1 (patch-ag) = b8b454c107e4e35473265489445e8918113d8ea8 -SHA1 (patch-ah) = 5435b5d55c3a728f05243bbaade94bf6c3b7a6ef -SHA1 (patch-ai) = f4ac9340c106c30434cd017bc91a06c9bc83258c -SHA1 (patch-aj) = 44f2b11949a4dea6a8760b8397db5360b64bf01f -SHA1 (patch-ak) = 99f789676e606d4a51effc2abc02a50776f4e781 -SHA1 (patch-al) = 2843c7c6e8b3d93a03b2d66d71c894a9e302f987 -SHA1 (patch-am) = 19f8c2f251354995d5efc041023dca0290caf171 -SHA1 (patch-an) = 6242250d2393b2ac4041f117fe4539a29e1cadeb -SHA1 (patch-ao) = 9721181847cc8cab0458d84a45e0384da9d34679 -SHA1 (patch-ap) = 05f53408ea224ddd6934ae64ec7698f604ecf8cd -SHA1 (patch-aq) = 3786a41a974d6583f379350068a762a725b8334d -SHA1 (patch-ar) = fe7d5b715ac51bece44d6f3ba9c3c6245d27d00d -SHA1 (patch-as) = 6af976b7c018c1a9b0841617edbffdb8b977a2d6 -SHA1 (patch-at) = ffbcb38cf8578f05319b2af9cfcdb5ada2a57e78 -SHA1 (patch-au) = 052b0b6d8869ad09144e4fc9e1b3c5e03c669c44 -SHA1 (patch-av) = 5543fcf94eaad26e27043c1527921e23ecfefc77 -SHA1 (patch-aw) = 95d49965b0f24bf117e790785d3a8ef553865bda -SHA1 (patch-ax) = 2c6923c767e7549d746d35358ecef2156012b227 -SHA1 (patch-ay) = e64d4266556ce05a5fd5e14ee4e988e7bf075576 -SHA1 (patch-az) = 341c42c82ddb6177bd8ac41813d6ad1e4b6e3839 +SHA1 (openssh-4.4p1-hpn.diff.gz) = 20aabe012378cbb6462b685baf118f2f286ccaa8 +RMD160 (openssh-4.4p1-hpn.diff.gz) = 6cf2dba89154fc3475f4321911d8f1a307551965 +Size (openssh-4.4p1-hpn.diff.gz) = 16258 bytes +SHA1 (openssh-4.4p1.tar.gz) = 6a52b1dee1c2c9862923c0008d201d98a7fd9d6c +RMD160 (openssh-4.4p1.tar.gz) = 13eb79a54e95037fff1902b659319df1c5f79bbc +Size (openssh-4.4p1.tar.gz) = 1044334 bytes +SHA1 (patch-aa) = f29644c520908ed5489890515c0f8cea1b871480 +SHA1 (patch-ab) = 81d7c002eb83147ef80513b16bd3041af0b07ddc +SHA1 (patch-ac) = dfb054ef02fbb5d206f6adaf82944f16da20eaf9 +SHA1 (patch-ad) = 7921e029b56c0e4769a7ada03dff3eb2e275db7d +SHA1 (patch-ae) = 9585221f9e49b4ebea31c374066d70e11aa804a1 +SHA1 (patch-af) = ca3224af0b648803404776a8c12ed678db4f8ff6 +SHA1 (patch-ag) = b6f92a5394a3442fcc0c2a2ee204c10df5a4aea5 +SHA1 (patch-ah) = bc0d7c2903ecf264e62b53f3864812af5f2f04ce +SHA1 (patch-ai) = becad6262e5daeef2a6db14097a8971c40088403 +SHA1 (patch-aj) = 4f477f40d1d891dcda9083cec5521e80410ebd54 +SHA1 (patch-ak) = 3720afb4e95356d5310762cda881820d524dcffc +SHA1 (patch-al) = d312a068047a375e52180026554bab745efdcdb7 +SHA1 (patch-am) = 4e2278b20e87e530e1819efde976d4414e160e38 +SHA1 (patch-an) = 283b17f27224dad853091d5145f2dab342132f8f +SHA1 (patch-ao) = a70da4f5942553a42fa935b82172e601b29951df +SHA1 (patch-ap) = 2c0c092637661328046b71292a7412d09e92bb2a +SHA1 (patch-aq) = a619b57361b04d5ab3d41375c18f7b99d71c8b34 +SHA1 (patch-ar) = fce4dc1011a124f02b8e14980cda1d633b36aa7d +SHA1 (patch-as) = 19660f5983931ea3b053e6f4289cf6fae2ce50f3 +SHA1 (patch-au) = 6cfdfc531e2267017a15e66ea48c7ecfa2a3926f +SHA1 (patch-av) = 2e7b36f234f38c0f9e5b5d453574ff3844d466f8 +SHA1 (patch-aw) = 2a88b7563c6f52163c6c5f716e437ecaea613a30 diff --git a/security/openssh/hacks.mk b/security/openssh/hacks.mk index 69587da1f6f..584370a649a 100644 --- a/security/openssh/hacks.mk +++ b/security/openssh/hacks.mk @@ -1,4 +1,4 @@ -# $NetBSD: hacks.mk,v 1.1 2006/05/14 21:13:42 schwarz Exp $ +# $NetBSD: hacks.mk,v 1.2 2006/10/31 03:31:19 taca Exp $ .if !defined(OPENSSH_HACKS_MK) OPENSSH_HACKS_MK= # defined @@ -6,7 +6,7 @@ OPENSSH_HACKS_MK= # defined ### [Sun May 14 15:09:28 CDT 2006 : schwarz] ### work around a definition conflict for _res present in openssh ### 4.3p1 and 4.3p2 (should be fixed with later releases) -### +### .if !empty(LOWER_OPSYS:Mirix5*) PKG_HACKS+= _res-conflict CPPFLAGS+= -D_res=_compat_res diff --git a/security/openssh/options.mk b/security/openssh/options.mk index 8c887c41e68..a2754b84d9a 100644 --- a/security/openssh/options.mk +++ b/security/openssh/options.mk @@ -1,4 +1,4 @@ -# $NetBSD: options.mk,v 1.8 2006/02/12 00:13:55 salo Exp $ +# $NetBSD: options.mk,v 1.9 2006/10/31 03:31:19 taca Exp $ .include "../../mk/bsd.prefs.mk" @@ -17,7 +17,7 @@ CONFIGURE_ARGS+= --with-kerberos5=${KRB5BASE:Q} .endif .if !empty(PKG_OPTIONS:Mhpn-patch) -PATCHFILES= openssh-4.3p1-hpn11.diff +PATCHFILES= openssh-4.4p1-hpn.diff.gz PATCH_SITES= http://www.psc.edu/networking/projects/hpn-ssh/ PATCH_DIST_STRIP= -p1 .endif diff --git a/security/openssh/patches/patch-aa b/security/openssh/patches/patch-aa index 06382a4b831..0dd61a862d3 100644 --- a/security/openssh/patches/patch-aa +++ b/security/openssh/patches/patch-aa @@ -1,8 +1,8 @@ -$NetBSD: patch-aa,v 1.41 2006/02/12 00:13:55 salo Exp $ +$NetBSD: patch-aa,v 1.42 2006/10/31 03:31:19 taca Exp $ ---- configure.orig 2006-02-01 05:33:51.000000000 -0600 -+++ configure 2006-02-08 22:02:30.000000000 -0600 -@@ -5417,6 +5417,36 @@ +--- configure.orig 2006-09-26 20:03:41.000000000 +0900 ++++ configure +@@ -7326,6 +7326,36 @@ _ACEOF ;; esac ;; @@ -39,7 +39,7 @@ $NetBSD: patch-aa,v 1.41 2006/02/12 00:13:55 salo Exp $ *-*-irix5*) PATH="$PATH:/usr/etc" -@@ -6233,7 +6263,7 @@ +@@ -7931,7 +7961,7 @@ cat >>confdefs.h <<\_ACEOF _ACEOF ;; @@ -48,7 +48,7 @@ $NetBSD: patch-aa,v 1.41 2006/02/12 00:13:55 salo Exp $ check_for_libcrypt_later=1 cat >>confdefs.h <<\_ACEOF -@@ -7269,6 +7299,9 @@ +@@ -9144,6 +9174,9 @@ _ACEOF ;; esac @@ -57,9 +57,17 @@ $NetBSD: patch-aa,v 1.41 2006/02/12 00:13:55 salo Exp $ + # Allow user to specify flags - # Check whether --with-cflags or --without-cflags was given. -@@ -26694,14 +26727,21 @@ - rm -f conftest.err conftest.$ac_objext conftest.$ac_ext + # Check whether --with-cflags was given. +@@ -9344,6 +9377,7 @@ for ac_header in \ + maillock.h \ + ndir.h \ + net/if_tun.h \ ++ net/tun/if_tun.h \ + netdb.h \ + netgroup.h \ + pam/pam_appl.h \ +@@ -32055,14 +32089,21 @@ fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test -z "$conf_utmpx_location"; then if test x"$system_utmpx_path" = x"no" ; then - cat >>confdefs.h <<\_ACEOF @@ -84,8 +92,8 @@ $NetBSD: patch-aa,v 1.41 2006/02/12 00:13:55 salo Exp $ #define CONF_UTMPX_FILE "$conf_utmpx_location" _ACEOF -@@ -26769,14 +26809,20 @@ - rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +@@ -32143,14 +32184,20 @@ fi + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test -z "$conf_wtmpx_location"; then if test x"$system_wtmpx_path" = x"no" ; then - cat >>confdefs.h <<\_ACEOF @@ -110,7 +118,7 @@ $NetBSD: patch-aa,v 1.41 2006/02/12 00:13:55 salo Exp $ #define CONF_WTMPX_FILE "$conf_wtmpx_location" _ACEOF -@@ -28002,7 +28048,7 @@ +@@ -33383,7 +33430,7 @@ echo "OpenSSH has been configured with t echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" diff --git a/security/openssh/patches/patch-ab b/security/openssh/patches/patch-ab index 6820ed2f6b0..6e8f34f8387 100644 --- a/security/openssh/patches/patch-ab +++ b/security/openssh/patches/patch-ab @@ -1,8 +1,8 @@ -$NetBSD: patch-ab,v 1.23 2006/02/12 00:13:55 salo Exp $ +$NetBSD: patch-ab,v 1.24 2006/10/31 03:31:20 taca Exp $ ---- configure.ac.orig 2006-01-29 07:22:39.000000000 -0600 -+++ configure.ac 2006-02-08 20:55:34.000000000 -0600 -@@ -277,6 +277,15 @@ +--- configure.ac.orig 2006-09-25 04:08:59.000000000 +0900 ++++ configure.ac +@@ -324,6 +324,15 @@ main() { if (NSVersionOfRunTimeLibrary(" ;; esac ;; @@ -18,7 +18,7 @@ $NetBSD: patch-ab,v 1.23 2006/02/12 00:13:55 salo Exp $ *-*-irix5*) PATH="$PATH:/usr/etc" AC_DEFINE(BROKEN_INET_NTOA, 1, -@@ -597,6 +606,9 @@ +@@ -663,6 +672,9 @@ mips-sony-bsd|mips-sony-newsos4) ;; esac @@ -28,7 +28,15 @@ $NetBSD: patch-ab,v 1.23 2006/02/12 00:13:55 salo Exp $ # Allow user to specify flags AC_ARG_WITH(cflags, [ --with-cflags Specify additional flags to pass to compiler], -@@ -3668,9 +3680,17 @@ +@@ -745,6 +757,7 @@ AC_CHECK_HEADERS( \ + maillock.h \ + ndir.h \ + net/if_tun.h \ ++ net/tun/if_tun.h \ + netdb.h \ + netgroup.h \ + pam/pam_appl.h \ +@@ -3873,9 +3886,17 @@ AC_TRY_COMPILE([ ) if test -z "$conf_utmpx_location"; then if test x"$system_utmpx_path" = x"no" ; then @@ -48,7 +56,7 @@ $NetBSD: patch-ab,v 1.23 2006/02/12 00:13:55 salo Exp $ AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", [Define if you want to specify the path to your utmpx file]) fi -@@ -3694,9 +3714,17 @@ +@@ -3899,9 +3920,17 @@ AC_TRY_COMPILE([ ) if test -z "$conf_wtmpx_location"; then if test x"$system_wtmpx_path" = x"no" ; then @@ -68,7 +76,7 @@ $NetBSD: patch-ab,v 1.23 2006/02/12 00:13:55 salo Exp $ AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", [Define if you want to specify the path to your wtmpx file]) fi -@@ -3743,7 +3771,7 @@ +@@ -3941,7 +3970,7 @@ echo "OpenSSH has been configured with t echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" diff --git a/security/openssh/patches/patch-ac b/security/openssh/patches/patch-ac index 946429ead91..d1859243214 100644 --- a/security/openssh/patches/patch-ac +++ b/security/openssh/patches/patch-ac @@ -1,7 +1,7 @@ -$NetBSD: patch-ac,v 1.15 2006/02/12 00:13:55 salo Exp $ +$NetBSD: patch-ac,v 1.16 2006/10/31 03:31:20 taca Exp $ ---- defines.h.orig 2005-12-17 05:04:09.000000000 -0600 -+++ defines.h 2006-02-08 20:58:45.000000000 -0600 +--- defines.h.orig 2006-09-21 22:13:30.000000000 +0900 ++++ defines.h @@ -30,6 +30,15 @@ /* Constants */ @@ -15,10 +15,10 @@ $NetBSD: patch-ac,v 1.15 2006/02/12 00:13:55 salo Exp $ +# define ROOTGID 0 +#endif + - #ifndef SHUT_RDWR + #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0 enum { -@@ -442,10 +451,6 @@ +@@ -437,10 +446,6 @@ struct winsize { # define __attribute__(x) #endif /* !defined(__GNUC__) || (__GNUC__ < 2) */ @@ -29,7 +29,7 @@ $NetBSD: patch-ac,v 1.15 2006/02/12 00:13:55 salo Exp $ #if !defined(HAVE_ATTRIBUTE__SENTINEL__) && !defined(__sentinel__) # define __sentinel__ #endif -@@ -639,6 +644,24 @@ +@@ -643,6 +648,24 @@ struct winsize { # endif # endif #endif diff --git a/security/openssh/patches/patch-ad b/security/openssh/patches/patch-ad index 06259b5c89b..12ae915a4e4 100644 --- a/security/openssh/patches/patch-ad +++ b/security/openssh/patches/patch-ad @@ -1,8 +1,8 @@ -$NetBSD: patch-ad,v 1.11 2005/09/21 18:07:09 reed Exp $ +$NetBSD: patch-ad,v 1.12 2006/10/31 03:31:20 taca Exp $ ---- loginrec.c.orig 2005-07-17 02:26:44.000000000 -0500 +--- loginrec.c.orig 2006-09-07 21:57:54.000000000 +0900 +++ loginrec.c -@@ -414,8 +414,8 @@ +@@ -430,8 +430,8 @@ login_set_addr(struct logininfo *li, con int login_write(struct logininfo *li) { @@ -13,7 +13,7 @@ $NetBSD: patch-ad,v 1.11 2005/09/21 18:07:09 reed Exp $ logit("Attempt to write login records by non-root user (aborting)"); return (1); } -@@ -423,7 +423,7 @@ +@@ -439,7 +439,7 @@ login_write(struct logininfo *li) /* set the timestamp */ login_set_current_time(li); @@ -22,7 +22,7 @@ $NetBSD: patch-ad,v 1.11 2005/09/21 18:07:09 reed Exp $ syslogin_write_entry(li); #endif #ifdef USE_LASTLOG -@@ -603,7 +603,7 @@ +@@ -619,7 +619,7 @@ line_abbrevname(char *dst, const char *s ** into account. **/ @@ -31,7 +31,7 @@ $NetBSD: patch-ad,v 1.11 2005/09/21 18:07:09 reed Exp $ /* build the utmp structure */ void -@@ -740,10 +740,6 @@ +@@ -756,10 +756,6 @@ construct_utmpx(struct logininfo *li, st set_utmpx_time(li, utx); utx->ut_pid = li->pid; @@ -42,7 +42,7 @@ $NetBSD: patch-ad,v 1.11 2005/09/21 18:07:09 reed Exp $ if (li->type == LTYPE_LOGOUT) return; -@@ -752,6 +748,8 @@ +@@ -768,6 +764,8 @@ construct_utmpx(struct logininfo *li, st * for logouts. */ @@ -51,7 +51,7 @@ $NetBSD: patch-ad,v 1.11 2005/09/21 18:07:09 reed Exp $ # ifdef HAVE_HOST_IN_UTMPX strncpy(utx->ut_host, li->hostname, MIN_SIZEOF(utx->ut_host, li->hostname)); -@@ -1381,7 +1379,7 @@ +@@ -1397,7 +1395,7 @@ wtmpx_get_entry(struct logininfo *li) ** Low-level libutil login() functions **/ diff --git a/security/openssh/patches/patch-ae b/security/openssh/patches/patch-ae index e77ef625ee5..a4541a50b6e 100644 --- a/security/openssh/patches/patch-ae +++ b/security/openssh/patches/patch-ae @@ -1,8 +1,8 @@ -$NetBSD: patch-ae,v 1.11 2006/02/12 00:13:55 salo Exp $ +$NetBSD: patch-ae,v 1.12 2006/10/31 03:31:20 taca Exp $ ---- includes.h.orig 2006-01-02 06:40:10.000000000 -0600 -+++ includes.h 2006-02-08 21:01:39.000000000 -0600 -@@ -165,6 +165,10 @@ +--- includes.h.orig 2006-09-01 19:29:11.000000000 +0900 ++++ includes.h +@@ -123,6 +123,10 @@ #ifdef HAVE_READPASSPHRASE_H # include <readpassphrase.h> #endif diff --git a/security/openssh/patches/patch-af b/security/openssh/patches/patch-af index 5a48b6632c2..8eb186e3542 100644 --- a/security/openssh/patches/patch-af +++ b/security/openssh/patches/patch-af @@ -1,8 +1,8 @@ -$NetBSD: patch-af,v 1.9 2005/11/07 19:35:23 tv Exp $ +$NetBSD: patch-af,v 1.10 2006/10/31 03:31:20 taca Exp $ ---- auth-passwd.c.orig 2005-07-26 06:54:12.000000000 -0500 +--- auth-passwd.c.orig 2006-08-05 11:39:39.000000000 +0900 +++ auth-passwd.c -@@ -78,7 +78,7 @@ +@@ -87,7 +87,7 @@ auth_password(Authctxt *authctxt, const #endif #ifndef HAVE_CYGWIN @@ -11,7 +11,7 @@ $NetBSD: patch-af,v 1.9 2005/11/07 19:35:23 tv Exp $ ok = 0; #endif if (*password == '\0' && options.permit_empty_passwd == 0) -@@ -113,7 +113,12 @@ +@@ -122,7 +122,12 @@ auth_password(Authctxt *authctxt, const authctxt->force_pwchange = 1; } #endif diff --git a/security/openssh/patches/patch-ag b/security/openssh/patches/patch-ag index ea563bd5898..b647b6f6dcf 100644 --- a/security/openssh/patches/patch-ag +++ b/security/openssh/patches/patch-ag @@ -1,7 +1,7 @@ -$NetBSD: patch-ag,v 1.8 2006/02/12 00:13:55 salo Exp $ +$NetBSD: patch-ag,v 1.9 2006/10/31 03:31:20 taca Exp $ ---- config.h.in.orig 2006-02-01 05:33:49.000000000 -0600 -+++ config.h.in 2006-02-08 21:02:59.000000000 -0600 +--- config.h.in.orig 2006-09-26 20:03:33.000000000 +0900 ++++ config.h.in @@ -32,6 +32,9 @@ */ #undef BROKEN_ONE_BYTE_DIRENT_D_NAME @@ -12,3 +12,13 @@ $NetBSD: patch-ag,v 1.8 2006/02/12 00:13:55 salo Exp $ /* Define if you have a broken realpath. */ #undef BROKEN_REALPATH +@@ -573,6 +576,9 @@ + /* Define to 1 if you have the <net/if_tun.h> header file. */ + #undef HAVE_NET_IF_TUN_H + ++/* Define to 1 if you have the <net/tun/if_tun.h> header file. */ ++#undef HAVE_NET_TUN_IF_TUN_H ++ + /* Define if you are on NeXT */ + #undef HAVE_NEXT + diff --git a/security/openssh/patches/patch-ah b/security/openssh/patches/patch-ah index 51898964cb2..0899809e42a 100644 --- a/security/openssh/patches/patch-ah +++ b/security/openssh/patches/patch-ah @@ -1,8 +1,8 @@ -$NetBSD: patch-ah,v 1.23 2005/09/23 15:45:14 taca Exp $ +$NetBSD: patch-ah,v 1.24 2006/10/31 03:31:20 taca Exp $ ---- Makefile.in.orig 2005-05-29 00:22:29.000000000 -0700 -+++ Makefile.in 2005-09-21 10:18:46.000000000 -0700 -@@ -21,7 +21,7 @@ +--- Makefile.in.orig 2006-09-12 20:54:10.000000000 +0900 ++++ Makefile.in +@@ -21,7 +21,7 @@ top_srcdir=@top_srcdir@ DESTDIR= VPATH=@srcdir@ SSH_PROGRAM=@bindir@/ssh @@ -11,7 +11,7 @@ $NetBSD: patch-ah,v 1.23 2005/09/23 15:45:14 taca Exp $ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign RAND_HELPER=$(libexecdir)/ssh-rand-helper -@@ -231,7 +231,7 @@ +@@ -234,7 +234,7 @@ distprep: catman-do (cd scard && $(MAKE) -f Makefile.in distprep) install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config @@ -20,7 +20,7 @@ $NetBSD: patch-ah,v 1.23 2005/09/23 15:45:14 taca Exp $ install-nosysconf: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files check-config: -@@ -240,7 +240,7 @@ +@@ -243,7 +243,7 @@ check-config: scard-install: (cd scard && $(MAKE) DESTDIR=$(DESTDIR) install) diff --git a/security/openssh/patches/patch-ai b/security/openssh/patches/patch-ai index f14f4625ffa..8957e922c93 100644 --- a/security/openssh/patches/patch-ai +++ b/security/openssh/patches/patch-ai @@ -1,8 +1,8 @@ -$NetBSD: patch-ai,v 1.9 2005/11/04 14:47:17 tv Exp $ +$NetBSD: patch-ai,v 1.10 2006/10/31 03:31:20 taca Exp $ ---- openbsd-compat/openbsd-compat.h.orig 2005-08-26 16:15:20.000000000 -0400 +--- openbsd-compat/openbsd-compat.h.orig 2006-09-03 21:44:50.000000000 +0900 +++ openbsd-compat/openbsd-compat.h -@@ -78,6 +78,10 @@ size_t strlcat(char *dst, const char *sr +@@ -83,6 +83,10 @@ size_t strlcat(char *dst, const char *sr int setenv(register const char *name, register const char *value, int rewrite); #endif diff --git a/security/openssh/patches/patch-aj b/security/openssh/patches/patch-aj index a76b5e4a3bc..e403be88acf 100644 --- a/security/openssh/patches/patch-aj +++ b/security/openssh/patches/patch-aj @@ -1,8 +1,8 @@ -$NetBSD: patch-aj,v 1.6 2005/03/07 23:29:50 tv Exp $ +$NetBSD: patch-aj,v 1.7 2006/10/31 03:31:20 taca Exp $ ---- auth-rhosts.c.orig 2003-11-17 05:13:41.000000000 -0500 +--- auth-rhosts.c.orig 2006-08-05 11:39:39.000000000 +0900 +++ auth-rhosts.c -@@ -198,7 +198,7 @@ auth_rhosts2_raw(struct passwd *pw, cons +@@ -212,7 +212,7 @@ auth_rhosts2_raw(struct passwd *pw, cons return 0; /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ @@ -11,7 +11,7 @@ $NetBSD: patch-aj,v 1.6 2005/03/07 23:29:50 tv Exp $ if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user, pw->pw_name)) { auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", -@@ -224,7 +224,7 @@ auth_rhosts2_raw(struct passwd *pw, cons +@@ -238,7 +238,7 @@ auth_rhosts2_raw(struct passwd *pw, cons return 0; } if (options.strict_modes && @@ -20,7 +20,7 @@ $NetBSD: patch-aj,v 1.6 2005/03/07 23:29:50 tv Exp $ (st.st_mode & 022) != 0)) { logit("Rhosts authentication refused for %.100s: " "bad ownership or modes for home directory.", pw->pw_name); -@@ -251,7 +251,7 @@ auth_rhosts2_raw(struct passwd *pw, cons +@@ -265,7 +265,7 @@ auth_rhosts2_raw(struct passwd *pw, cons * allowing access to their account by anyone. */ if (options.strict_modes && diff --git a/security/openssh/patches/patch-ak b/security/openssh/patches/patch-ak index 294ebd26865..8f219befee9 100644 --- a/security/openssh/patches/patch-ak +++ b/security/openssh/patches/patch-ak @@ -1,8 +1,8 @@ -$NetBSD: patch-ak,v 1.7 2005/09/21 18:07:09 reed Exp $ +$NetBSD: patch-ak,v 1.8 2006/10/31 03:31:20 taca Exp $ ---- auth.c.orig 2005-08-31 11:59:49.000000000 -0500 +--- auth.c.orig 2006-09-07 09:36:43.000000000 +0900 +++ auth.c -@@ -388,7 +388,7 @@ +@@ -377,7 +377,7 @@ check_key_in_hostfiles(struct passwd *pw user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); if (options.strict_modes && (stat(user_hostfile, &st) == 0) && @@ -11,7 +11,7 @@ $NetBSD: patch-ak,v 1.7 2005/09/21 18:07:09 reed Exp $ (st.st_mode & 022) != 0)) { logit("Authentication refused for %.100s: " "bad owner or modes for %.200s", -@@ -441,7 +441,7 @@ +@@ -430,7 +430,7 @@ secure_filename(FILE *f, const char *fil /* check the open file to avoid races */ if (fstat(fileno(f), &st) < 0 || @@ -20,7 +20,7 @@ $NetBSD: patch-ak,v 1.7 2005/09/21 18:07:09 reed Exp $ (st.st_mode & 022) != 0) { snprintf(err, errlen, "bad ownership or modes for file %s", buf); -@@ -458,7 +458,7 @@ +@@ -447,7 +447,7 @@ secure_filename(FILE *f, const char *fil debug3("secure_filename: checking '%s'", buf); if (stat(buf, &st) < 0 || diff --git a/security/openssh/patches/patch-al b/security/openssh/patches/patch-al index f1fbc22d859..3e8b49202b2 100644 --- a/security/openssh/patches/patch-al +++ b/security/openssh/patches/patch-al @@ -1,8 +1,8 @@ -$NetBSD: patch-al,v 1.6 2005/09/21 18:07:09 reed Exp $ +$NetBSD: patch-al,v 1.7 2006/10/31 03:31:20 taca Exp $ ---- auth1.c.orig 2005-07-17 02:26:44.000000000 -0500 +--- auth1.c.orig 2006-09-01 14:38:36.000000000 +0900 +++ auth1.c -@@ -307,7 +307,7 @@ +@@ -325,7 +325,7 @@ do_authloop(Authctxt *authctxt) } #else /* Special handling for root */ @@ -11,7 +11,7 @@ $NetBSD: patch-al,v 1.6 2005/09/21 18:07:09 reed Exp $ !auth_root_allowed(meth->name)) { authenticated = 0; # ifdef SSH_AUDIT_EVENTS -@@ -405,8 +405,8 @@ +@@ -423,8 +423,8 @@ do_authentication(Authctxt *authctxt) * If we are not running as root, the user must have the same uid as * the server. */ diff --git a/security/openssh/patches/patch-am b/security/openssh/patches/patch-am index 417c7d6bade..6b4cf1f9a92 100644 --- a/security/openssh/patches/patch-am +++ b/security/openssh/patches/patch-am @@ -1,8 +1,8 @@ -$NetBSD: patch-am,v 1.6 2006/02/12 00:13:55 salo Exp $ +$NetBSD: patch-am,v 1.7 2006/10/31 03:31:20 taca Exp $ ---- auth2.c.orig 2005-09-23 21:43:51.000000000 -0500 -+++ auth2.c 2006-02-08 21:05:04.000000000 -0600 -@@ -212,7 +212,7 @@ +--- auth2.c.orig 2006-08-05 11:39:39.000000000 +0900 ++++ auth2.c +@@ -223,7 +223,7 @@ userauth_finish(Authctxt *authctxt, int authctxt->user); /* Special handling for root */ diff --git a/security/openssh/patches/patch-an b/security/openssh/patches/patch-an index 318b2827609..929a983dc72 100644 --- a/security/openssh/patches/patch-an +++ b/security/openssh/patches/patch-an @@ -1,8 +1,8 @@ -$NetBSD: patch-an,v 1.7 2006/02/12 00:13:55 salo Exp $ +$NetBSD: patch-an,v 1.8 2006/10/31 03:31:20 taca Exp $ ---- scp.c.orig 2006-01-31 05:11:38.000000000 -0600 -+++ scp.c 2006-02-08 21:06:37.000000000 -0600 -@@ -345,7 +345,11 @@ +--- scp.c.orig 2006-10-29 12:02:30.000000000 +0900 ++++ scp.c +@@ -375,7 +375,11 @@ main(int argc, char **argv) argc -= optind; argv += optind; @@ -14,7 +14,7 @@ $NetBSD: patch-an,v 1.7 2006/02/12 00:13:55 salo Exp $ fatal("unknown user %u", (u_int) userid); if (!isatty(STDERR_FILENO)) -@@ -695,8 +699,10 @@ +@@ -722,8 +726,10 @@ rsource(char *name, struct stat *statp) return; } while ((dp = readdir(dirp)) != NULL) { @@ -25,7 +25,7 @@ $NetBSD: patch-an,v 1.7 2006/02/12 00:13:55 salo Exp $ if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, "..")) continue; if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) { -@@ -1145,7 +1151,9 @@ +@@ -1173,7 +1179,9 @@ okname(char *cp0) case '\'': case '"': case '`': diff --git a/security/openssh/patches/patch-ao b/security/openssh/patches/patch-ao index 010b7f61f1c..5533c0d999f 100644 --- a/security/openssh/patches/patch-ao +++ b/security/openssh/patches/patch-ao @@ -1,17 +1,8 @@ -$NetBSD: patch-ao,v 1.8 2006/02/12 00:13:55 salo Exp $ +$NetBSD: patch-ao,v 1.9 2006/10/31 03:31:20 taca Exp $ ---- session.c.orig 2005-12-23 21:59:12.000000000 -0600 -+++ session.c 2006-02-08 21:07:01.000000000 -0600 -@@ -322,7 +322,7 @@ - break; - } - debug("Received TCP/IP port forwarding request."); -- channel_input_port_forward_request(s->pw->pw_uid == 0, options.gateway_ports); -+ channel_input_port_forward_request(s->pw->pw_uid == ROOTUID, options.gateway_ports); - success = 1; - break; - -@@ -921,7 +921,7 @@ +--- session.c.orig 2006-10-29 17:01:29.000000000 +0900 ++++ session.c +@@ -956,7 +956,7 @@ read_etc_default_login(char ***env, u_in if (tmpenv == NULL) return; @@ -20,7 +11,7 @@ $NetBSD: patch-ao,v 1.8 2006/02/12 00:13:55 salo Exp $ var = child_get_env(tmpenv, "SUPATH"); else var = child_get_env(tmpenv, "PATH"); -@@ -1027,7 +1027,7 @@ +@@ -1065,7 +1065,7 @@ do_setup_env(Session *s, const char *she # endif /* HAVE_ETC_DEFAULT_LOGIN */ if (path == NULL || *path == '\0') { child_set_env(&env, &envsize, "PATH", @@ -29,7 +20,7 @@ $NetBSD: patch-ao,v 1.8 2006/02/12 00:13:55 salo Exp $ SUPERUSER_PATH : _PATH_STDPATH); } # endif /* HAVE_CYGWIN */ -@@ -1141,6 +1141,18 @@ +@@ -1179,6 +1179,18 @@ do_setup_env(Session *s, const char *she strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); read_environment_file(&env, &envsize, buf); } @@ -48,7 +39,7 @@ $NetBSD: patch-ao,v 1.8 2006/02/12 00:13:55 salo Exp $ if (debug_flag) { /* dump the environment */ fprintf(stderr, "Environment:\n"); -@@ -1251,9 +1263,9 @@ +@@ -1289,9 +1301,9 @@ do_nologin(struct passwd *pw) void do_setusercontext(struct passwd *pw) { @@ -60,7 +51,7 @@ $NetBSD: patch-ao,v 1.8 2006/02/12 00:13:55 salo Exp $ { #ifdef HAVE_SETPCRED -@@ -1295,11 +1307,13 @@ +@@ -1333,11 +1345,13 @@ do_setusercontext(struct passwd *pw) perror("setgid"); exit(1); } @@ -74,7 +65,7 @@ $NetBSD: patch-ao,v 1.8 2006/02/12 00:13:55 salo Exp $ endgrent(); #ifdef GSSAPI if (options.gss_authentication) { -@@ -2045,7 +2059,7 @@ +@@ -2095,7 +2109,7 @@ session_pty_cleanup2(Session *s) record_logout(s->pid, s->tty, s->pw->pw_name); /* Release the pseudo-tty. */ diff --git a/security/openssh/patches/patch-ap b/security/openssh/patches/patch-ap index b531a18d2cb..8155f7cb536 100644 --- a/security/openssh/patches/patch-ap +++ b/security/openssh/patches/patch-ap @@ -1,8 +1,8 @@ -$NetBSD: patch-ap,v 1.7 2006/02/12 00:13:55 salo Exp $ +$NetBSD: patch-ap,v 1.8 2006/10/31 03:31:20 taca Exp $ ---- ssh.c.orig 2005-12-30 23:33:37.000000000 -0600 -+++ ssh.c 2006-02-08 21:07:24.000000000 -0600 -@@ -648,7 +648,7 @@ +--- ssh.c.orig 2006-10-29 12:02:30.000000000 +0900 ++++ ssh.c +@@ -684,7 +684,7 @@ main(int ac, char **av) /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, diff --git a/security/openssh/patches/patch-aq b/security/openssh/patches/patch-aq index a92d3e287c9..2501dc65c6e 100644 --- a/security/openssh/patches/patch-aq +++ b/security/openssh/patches/patch-aq @@ -1,8 +1,8 @@ -$NetBSD: patch-aq,v 1.5 2005/03/07 23:29:50 tv Exp $ +$NetBSD: patch-aq,v 1.6 2006/10/31 03:31:20 taca Exp $ ---- sshpty.c.orig 2004-06-21 22:56:02.000000000 -0400 +--- sshpty.c.orig 2006-08-05 11:39:41.000000000 +0900 +++ sshpty.c -@@ -62,7 +62,7 @@ pty_allocate(int *ptyfd, int *ttyfd, cha +@@ -78,7 +78,7 @@ pty_allocate(int *ptyfd, int *ttyfd, cha void pty_release(const char *tty) { @@ -11,7 +11,7 @@ $NetBSD: patch-aq,v 1.5 2005/03/07 23:29:50 tv Exp $ error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno)); if (chmod(tty, (mode_t) 0666) < 0) error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno)); -@@ -203,7 +203,7 @@ pty_setowner(struct passwd *pw, const ch +@@ -224,7 +224,7 @@ pty_setowner(struct passwd *pw, const ch if (st.st_uid != pw->pw_uid || st.st_gid != gid) { if (chown(tty, pw->pw_uid, gid) < 0) { if (errno == EROFS && diff --git a/security/openssh/patches/patch-ar b/security/openssh/patches/patch-ar index 33b5ed33c47..b60e7466dae 100644 --- a/security/openssh/patches/patch-ar +++ b/security/openssh/patches/patch-ar @@ -1,8 +1,8 @@ -$NetBSD: patch-ar,v 1.6 2005/11/04 14:47:17 tv Exp $ +$NetBSD: patch-ar,v 1.7 2006/10/31 03:31:20 taca Exp $ ---- uidswap.c.orig 2005-02-22 01:57:13.000000000 -0500 +--- uidswap.c.orig 2006-08-05 11:39:41.000000000 +0900 +++ uidswap.c -@@ -57,13 +57,13 @@ temporarily_use_uid(struct passwd *pw) +@@ -66,13 +66,13 @@ temporarily_use_uid(struct passwd *pw) (u_int)pw->pw_uid, (u_int)pw->pw_gid, (u_int)saved_euid, (u_int)saved_egid); #ifndef HAVE_CYGWIN @@ -18,7 +18,7 @@ $NetBSD: patch-ar,v 1.6 2005/11/04 14:47:17 tv Exp $ privileged = 0; return; } -@@ -87,9 +87,11 @@ temporarily_use_uid(struct passwd *pw) +@@ -96,9 +96,11 @@ temporarily_use_uid(struct passwd *pw) /* set and save the user's groups */ if (user_groupslen == -1) { @@ -30,7 +30,7 @@ $NetBSD: patch-ar,v 1.6 2005/11/04 14:47:17 tv Exp $ user_groupslen = getgroups(0, NULL); if (user_groupslen < 0) -@@ -104,9 +106,11 @@ temporarily_use_uid(struct passwd *pw) +@@ -113,9 +115,11 @@ temporarily_use_uid(struct passwd *pw) xfree(user_groups); } } @@ -42,7 +42,7 @@ $NetBSD: patch-ar,v 1.6 2005/11/04 14:47:17 tv Exp $ #ifndef SAVED_IDS_WORK_WITH_SETEUID /* Propagate the privileged gid to all of our gids. */ if (setgid(getegid()) < 0) -@@ -154,8 +158,10 @@ restore_uid(void) +@@ -198,8 +202,10 @@ restore_uid(void) setgid(getgid()); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ @@ -53,7 +53,7 @@ $NetBSD: patch-ar,v 1.6 2005/11/04 14:47:17 tv Exp $ temporarily_use_uid_effective = 0; } -@@ -174,6 +180,10 @@ permanently_set_uid(struct passwd *pw) +@@ -220,6 +226,10 @@ permanently_set_uid(struct passwd *pw) debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, (u_int)pw->pw_gid); @@ -64,7 +64,7 @@ $NetBSD: patch-ar,v 1.6 2005/11/04 14:47:17 tv Exp $ #if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID) if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); -@@ -222,6 +232,7 @@ permanently_set_uid(struct passwd *pw) +@@ -268,6 +278,7 @@ permanently_set_uid(struct passwd *pw) (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) fatal("%s: was able to restore old [e]uid", __func__); #endif diff --git a/security/openssh/patches/patch-as b/security/openssh/patches/patch-as index 715c09f3619..aaa954ff6cb 100644 --- a/security/openssh/patches/patch-as +++ b/security/openssh/patches/patch-as @@ -1,17 +1,17 @@ -$NetBSD: patch-as,v 1.4 2005/11/04 15:45:03 tv Exp $ +$NetBSD: patch-as,v 1.5 2006/10/31 03:31:20 taca Exp $ ---- log.h.orig 2004-06-21 22:57:44.000000000 -0400 +--- log.h.orig 2006-08-18 23:32:21.000000000 +0900 +++ log.h -@@ -53,7 +53,7 @@ void log_init(char *, LogLevel, Sysl +@@ -51,7 +51,7 @@ void log_init(char *, LogLevel, Sysl SyslogFacility log_facility_number(char *); LogLevel log_level_number(char *); -void fatal(const char *, ...) __dead __attribute__((format(printf, 1, 2))); +void fatal(const char *, ...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2))); void error(const char *, ...) __attribute__((format(printf, 1, 2))); + void sigdie(const char *, ...) __attribute__((format(printf, 1, 2))); void logit(const char *, ...) __attribute__((format(printf, 1, 2))); - void verbose(const char *, ...) __attribute__((format(printf, 1, 2))); -@@ -62,5 +62,5 @@ void debug2(const char *, ...) __att +@@ -61,5 +61,5 @@ void debug2(const char *, ...) __att void debug3(const char *, ...) __attribute__((format(printf, 1, 2))); void do_log(LogLevel, const char *, va_list); diff --git a/security/openssh/patches/patch-at b/security/openssh/patches/patch-at deleted file mode 100644 index c3065ac48ce..00000000000 --- a/security/openssh/patches/patch-at +++ /dev/null @@ -1,16 +0,0 @@ -$NetBSD: patch-at,v 1.3 2006/02/12 00:13:55 salo Exp $ - ---- servconf.c.orig 2005-12-13 02:33:20.000000000 -0600 -+++ servconf.c 2006-02-08 21:07:59.000000000 -0600 -@@ -235,7 +235,11 @@ - - /* Turn privilege separation on by default */ - if (use_privsep == -1) -+#ifdef HAVE_INTERIX -+ use_privsep = 0; -+#else - use_privsep = 1; -+#endif - - #ifndef HAVE_MMAP - if (use_privsep && options->compression == 1) { diff --git a/security/openssh/patches/patch-au b/security/openssh/patches/patch-au index 7c67de63b1f..8f981492ab3 100644 --- a/security/openssh/patches/patch-au +++ b/security/openssh/patches/patch-au @@ -1,8 +1,8 @@ -$NetBSD: patch-au,v 1.2 2005/09/21 18:07:09 reed Exp $ +$NetBSD: patch-au,v 1.3 2006/10/31 03:31:20 taca Exp $ ---- openbsd-compat/bsd-openpty.c.orig 2005-02-25 17:04:29.000000000 -0600 +--- openbsd-compat/bsd-openpty.c.orig 2006-08-24 18:52:30.000000000 +0900 +++ openbsd-compat/bsd-openpty.c -@@ -102,15 +102,17 @@ +@@ -121,15 +121,17 @@ openpty(int *amaster, int *aslave, char return (-1); } diff --git a/security/openssh/patches/patch-av b/security/openssh/patches/patch-av index 6c1e379d1f0..2513a3d0ecb 100644 --- a/security/openssh/patches/patch-av +++ b/security/openssh/patches/patch-av @@ -1,24 +1,36 @@ -$NetBSD: patch-av,v 1.4 2006/02/12 00:13:55 salo Exp $ +$NetBSD: patch-av,v 1.5 2006/10/31 03:31:20 taca Exp $ ---- sshd.c.orig 2005-12-23 21:59:12.000000000 -0600 -+++ sshd.c 2006-02-08 21:08:46.000000000 -0600 -@@ -574,10 +574,15 @@ +--- sshd.c.orig 2006-10-29 17:01:29.000000000 +0900 ++++ sshd.c +@@ -232,7 +232,11 @@ int *startup_pipes = NULL; + int startup_pipe; /* in child */ + + /* variables used for privilege separation */ ++#ifdef HAVE_INTERIX + int use_privsep = -1; ++#else ++int use_privsep = 0; ++#endif + struct monitor *pmonitor = NULL; + + /* global authentication context */ +@@ -608,10 +612,15 @@ privsep_preauth_child(void) /* XXX not ready, too heavy after chroot */ - do_setusercontext(pw); + do_setusercontext(privsep_pw); #else +#ifdef HAVE_INTERIX + if (setuser(pw->pw_name, NULL, SU_COMPLETE)) + fatal("setuser: %.100s", strerror(errno)); +#else - gidset[0] = pw->pw_gid; + gidset[0] = privsep_pw->pw_gid; if (setgroups(1, gidset) < 0) fatal("setgroups: %.100s", strerror(errno)); - permanently_set_uid(pw); + permanently_set_uid(privsep_pw); +#endif /* HAVE_INTERIX */ #endif } -@@ -617,7 +622,7 @@ +@@ -651,7 +660,7 @@ privsep_preauth(Authctxt *authctxt) close(pmonitor->m_sendfd); /* Demote the child */ @@ -27,7 +39,7 @@ $NetBSD: patch-av,v 1.4 2006/02/12 00:13:55 salo Exp $ privsep_preauth_child(); setproctitle("%s", "[net]"); } -@@ -630,7 +635,7 @@ +@@ -664,7 +673,7 @@ privsep_postauth(Authctxt *authctxt) #ifdef DISABLE_FD_PASSING if (1) { #else @@ -36,7 +48,7 @@ $NetBSD: patch-av,v 1.4 2006/02/12 00:13:55 salo Exp $ #endif /* File descriptor passing is broken or root login */ use_privsep = 0; -@@ -914,8 +919,10 @@ +@@ -1256,8 +1265,10 @@ main(int ac, char **av) av = saved_argv; #endif @@ -48,7 +60,7 @@ $NetBSD: patch-av,v 1.4 2006/02/12 00:13:55 salo Exp $ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -@@ -1174,7 +1181,7 @@ +@@ -1519,7 +1530,7 @@ main(int ac, char **av) (st.st_uid != getuid () || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) #else @@ -57,7 +69,7 @@ $NetBSD: patch-av,v 1.4 2006/02/12 00:13:55 salo Exp $ #endif fatal("%s must be owned by root and not group or " "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); -@@ -1191,8 +1198,10 @@ +@@ -1536,8 +1547,10 @@ main(int ac, char **av) * to create a file, and we can't control the code in every * module which might be used). */ @@ -67,4 +79,4 @@ $NetBSD: patch-av,v 1.4 2006/02/12 00:13:55 salo Exp $ +#endif if (rexec_flag) { - rexec_argv = xmalloc(sizeof(char *) * (rexec_argc + 2)); + rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *)); diff --git a/security/openssh/patches/patch-aw b/security/openssh/patches/patch-aw index db42bf74833..3af175388fb 100644 --- a/security/openssh/patches/patch-aw +++ b/security/openssh/patches/patch-aw @@ -1,16 +1,15 @@ -$NetBSD: patch-aw,v 1.1 2006/02/23 19:02:50 joerg Exp $ +$NetBSD: patch-aw,v 1.2 2006/10/31 03:31:20 taca Exp $ ---- openbsd-compat/port-tun.c.orig 2006-02-23 18:42:44.000000000 +0000 +--- openbsd-compat/port-tun.c.orig 2006-09-02 14:32:40.000000000 +0900 +++ openbsd-compat/port-tun.c -@@ -93,7 +93,11 @@ sys_tun_open(int tun, int mode) - #ifdef SSH_TUN_FREEBSD +@@ -109,6 +109,10 @@ sys_tun_open(int tun, int mode) #include <sys/socket.h> #include <net/if.h> -+#if defined(__DragonFly__) + ++#ifdef HAVE_NET_TUN_IF_TUN_H +#include <net/tun/if_tun.h> -+#else - #include <net/if_tun.h> +#endif - - int - sys_tun_open(int tun, int mode) ++ + #ifdef HAVE_NET_IF_TUN_H + #include <net/if_tun.h> + #endif diff --git a/security/openssh/patches/patch-ax b/security/openssh/patches/patch-ax deleted file mode 100644 index 4f5282ce59f..00000000000 --- a/security/openssh/patches/patch-ax +++ /dev/null @@ -1,107 +0,0 @@ -$NetBSD: patch-ax,v 1.1 2006/09/27 16:10:59 taca Exp $ - -Secunia Advisory SA22091 - ---- deattack.c.orig Mon Sep 22 20:04:23 2003 -+++ deattack.c -@@ -27,6 +27,24 @@ RCSID("$OpenBSD: deattack.c,v 1.19 2003/ - #include "xmalloc.h" - #include "deattack.h" - -+/* -+ * CRC attack detection has a worst-case behaviour that is O(N^3) over -+ * the number of identical blocks in a packet. This behaviour can be -+ * exploited to create a limited denial of service attack. -+ * -+ * However, because we are dealing with encrypted data, identical -+ * blocks should only occur every 2^35 maximally-sized packets or so. -+ * Consequently, we can detect this DoS by looking for identical blocks -+ * in a packet. -+ * -+ * The parameter below determines how many identical blocks we will -+ * accept in a single packet, trading off between attack detection and -+ * likelihood of terminating a legitimate connection. A value of 32 -+ * corresponds to an average of 2^40 messages before an attack is -+ * misdetected -+ */ -+#define MAX_IDENTICAL 32 -+ - /* SSH Constants */ - #define SSH_MAXBLOCKS (32 * 1024) - #define SSH_BLOCKSIZE (8) -@@ -56,17 +74,12 @@ crc_update(u_int32_t *a, u_int32_t b) - - /* detect if a block is used in a particular pattern */ - static int --check_crc(u_char *S, u_char *buf, u_int32_t len, -- u_char *IV) -+check_crc(u_char *S, u_char *buf, u_int32_t len) - { - u_int32_t crc; - u_char *c; - - crc = 0; -- if (IV && !CMP(S, IV)) { -- crc_update(&crc, 1); -- crc_update(&crc, 0); -- } - for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { - if (!CMP(S, c)) { - crc_update(&crc, 1); -@@ -82,12 +95,12 @@ check_crc(u_char *S, u_char *buf, u_int3 - - /* Detect a crc32 compensation attack on a packet */ - int --detect_attack(u_char *buf, u_int32_t len, u_char *IV) -+detect_attack(u_char *buf, u_int32_t len) - { - static u_int16_t *h = (u_int16_t *) NULL; - static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE; - u_int32_t i, j; -- u_int32_t l; -+ u_int32_t l, same; - u_char *c; - u_char *d; - -@@ -111,15 +124,9 @@ detect_attack(u_char *buf, u_int32_t len - - if (len <= HASH_MINBLOCKS) { - for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) { -- if (IV && (!CMP(c, IV))) { -- if ((check_crc(c, buf, len, IV))) -- return (DEATTACK_DETECTED); -- else -- break; -- } - for (d = buf; d < c; d += SSH_BLOCKSIZE) { - if (!CMP(c, d)) { -- if ((check_crc(c, buf, len, IV))) -+ if ((check_crc(c, buf, len))) - return (DEATTACK_DETECTED); - else - break; -@@ -130,21 +137,11 @@ detect_attack(u_char *buf, u_int32_t len - } - memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); - -- if (IV) -- h[HASH(IV) & (n - 1)] = HASH_IV; -- -- for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { -+ for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) { - for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; - i = (i + 1) & (n - 1)) { -- if (h[i] == HASH_IV) { -- if (!CMP(c, IV)) { -- if (check_crc(c, buf, len, IV)) -- return (DEATTACK_DETECTED); -- else -- break; -- } -- } else if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { -- if (check_crc(c, buf, len, IV)) -+ if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE)) { -+ if (check_crc(c, buf, len)) - return (DEATTACK_DETECTED); - else - break; diff --git a/security/openssh/patches/patch-ay b/security/openssh/patches/patch-ay deleted file mode 100644 index ec36f5da855..00000000000 --- a/security/openssh/patches/patch-ay +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-ay,v 1.1 2006/09/27 16:10:59 taca Exp $ - -Secunia Advisory SA22091 - ---- deattack.h.orig Wed Jul 4 13:46:57 2001 -+++ deattack.h -@@ -25,6 +25,7 @@ - /* Return codes */ - #define DEATTACK_OK 0 - #define DEATTACK_DETECTED 1 -+#define DEATTACK_DOS_DETECTED 2 - --int detect_attack(u_char *, u_int32_t, u_char[8]); -+int detect_attack(u_char *, u_int32_t); - #endif diff --git a/security/openssh/patches/patch-az b/security/openssh/patches/patch-az deleted file mode 100644 index ee002ae4158..00000000000 --- a/security/openssh/patches/patch-az +++ /dev/null @@ -1,36 +0,0 @@ -$NetBSD: patch-az,v 1.1 2006/09/27 16:10:59 taca Exp $ - -Secunia Advisory SA22091 + one more OpenBSD's CVS update 1.144-1.145 - ---- packet.c.orig Sat Nov 5 13:15:00 2005 -+++ packet.c -@@ -669,6 +669,9 @@ packet_enable_delayed_compress(void) - */ - after_authentication = 1; - for (mode = 0; mode < MODE_MAX; mode++) { -+ /* protocol error: USERAUTH_SUCCESS received before NEWKEYS */ -+ if (newkeys[mode] == NULL) -+ continue; - comp = &newkeys[mode]->comp; - if (comp && !comp->enabled && comp->type == COMP_DELAYED) { - packet_init_compression(); -@@ -978,9 +981,16 @@ packet_read_poll1(void) - * (C)1998 CORE-SDI, Buenos Aires Argentina - * Ariel Futoransky(futo@core-sdi.com) - */ -- if (!receive_context.plaintext && -- detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED) -- packet_disconnect("crc32 compensation attack: network attack detected"); -+ if (!receive_context.plaintext) { -+ switch (detect_attack(buffer_ptr(&input), padded_len)) { -+ case DEATTACK_DETECTED: -+ packet_disconnect("crc32 compensation attack: " -+ "network attack detected"); -+ case DEATTACK_DOS_DETECTED: -+ packet_disconnect("deattack denial of " -+ "service detected"); -+ } -+ } - - /* Decrypt data to incoming_packet. */ - buffer_clear(&incoming_packet); |