Date: Monday, June 13, 2011 @ 07:08:41
  Author: bisson
Revision: 127348

fix FS#24693

Added:
  openssh/trunk/authfile.c.patch
Modified:
  openssh/trunk/PKGBUILD

------------------+
 PKGBUILD         |   29 +++++--
 authfile.c.patch |  198 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 220 insertions(+), 7 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2011-06-13 09:11:03 UTC (rev 127347)
+++ PKGBUILD    2011-06-13 11:08:41 UTC (rev 127348)
@@ -5,7 +5,7 @@
 
 pkgname=openssh
 pkgver=5.8p2
-pkgrel=6
+pkgrel=7
 pkgdesc='Free version of the SSH connectivity tools'
 arch=('i686' 'x86_64')
 license=('custom:BSD')
@@ -13,10 +13,12 @@
 backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd' 
'etc/conf.d/sshd')
 depends=('tcp_wrappers' 'krb5' 'openssl' 'libedit')
 
source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz";
+        'authfile.c.patch'
         'sshd.confd'
         'sshd.pam'
         'sshd')
 sha1sums=('64798328d310e4f06c9f01228107520adbc8b3e5'
+          '3669cb5ca6149f69015df5ce8e60b82c540eb0a4'
           'ec102deb69cad7d14f406289d2fc11fee6eddbdd'
           '660092c57bde28bed82078f74011f95fc51c2293'
           '6b7f8ebf0c1cc37137a7d9a53447ac8a0ee6a2b5')
@@ -24,11 +26,24 @@
 build() {
        cd "${srcdir}/${pkgname}-${pkgver}"
 
-       ./configure --prefix=/usr --libexecdir=/usr/lib/ssh \
-               --sysconfdir=/etc/ssh --with-tcp-wrappers 
--with-privsep-user=nobody \
-               --with-md5-passwords --with-pam --with-mantype=man 
--mandir=/usr/share/man \
-               --with-xauth=/usr/bin/xauth --with-kerberos5=/usr 
--with-ssl-engine \
-               --with-libedit=/usr/lib --disable-strip # stripping is done by 
makepkg
+       patch -p1 -i ../authfile.c.patch # fix FS#24693 using 
http://anoncvs.mindrot.org/index.cgi/openssh/authfile.c?revision=1.95
+
+       ./configure \
+               --prefix=/usr \
+               --libexecdir=/usr/lib/ssh \
+               --sysconfdir=/etc/ssh \
+               --with-tcp-wrappers \
+               --with-privsep-user=nobody \
+               --with-md5-passwords \
+               --with-pam \
+               --with-mantype=man \
+               --mandir=/usr/share/man \
+               --with-xauth=/usr/bin/xauth \
+               --with-kerberos5=/usr \
+               --with-ssl-engine \
+               --with-libedit=/usr/lib \
+               --disable-strip # stripping is done by makepkg
+
        make
 }
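Review bot: `patch -p1 -i ../authfile.c.patch` reaches the patch through a relative path that only works because the preceding `cd` lands exactly one directory below `${srcdir}`; the conventional form is `patch -p1 -i "${srcdir}/authfile.c.patch"`, in the same spirit as the `"${pkgdir}"` quoting change in the last hunk. The comment names the upstream revision, but the file being applied is the whole 1.87→1.95 delta (compare the two `$OpenBSD$` tag lines in the added patch), which also rewords the permissions error, introduces key_parse_private() and makes key_load_public() stop at a `-----BEGIN` line; a comment such as `# backport of upstream authfile.c 1.87->1.95, carries more than the FS#24693 fix` would save the next bumper from re-diffing. If this makepkg does not run build() under `set -e`, a rejected hunk would leave the build continuing on unpatched sources, so either confirm that or append `|| return 1`.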
 
@@ -52,5 +67,5 @@
        # PAM is a common, standard feature to have
        sed -i  -e '/^#ChallengeResponseAuthentication yes$/c 
ChallengeResponseAuthentication no' \
                -e '/^#UsePAM no$/c UsePAM yes' \
-               "$pkgdir"/etc/ssh/sshd_config
+               "${pkgdir}"/etc/ssh/sshd_config
 }

Added: authfile.c.patch
===================================================================
--- authfile.c.patch                            (rev 0)
+++ authfile.c.patch    2011-06-13 11:08:41 UTC (rev 127348)
@@ -0,0 +1,198 @@
+diff -aur old/authfile.c new/authfile.c
+--- old/authfile.c     2011-06-12 02:21:52.262338254 +0200
++++ new/authfile.c     2011-06-12 02:13:43.051467269 +0200
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: authfile.c,v 1.87 2010/11/29 18:57:04 markus Exp $ */
++/* $OpenBSD: authfile.c,v 1.95 2011/05/29 11:42:08 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <[email protected]>
+  * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
+@@ -69,6 +69,8 @@
+ #include "misc.h"
+ #include "atomicio.h"
+ 
++#define MAX_KEY_FILE_SIZE     (1024 * 1024)
++
+ /* Version identification string for SSH v1 identity files. */
+ static const char authfile_id_string[] =
+     "SSH PRIVATE KEY FILE FORMAT 1.1\n";
+@@ -312,12 +314,12 @@
+       return pub;
+ }
+ 
+-/* Load the contents of a key file into a buffer */
+-static int
++/* Load a key from a fd into a buffer */
++int
+ key_load_file(int fd, const char *filename, Buffer *blob)
+ {
++      u_char buf[1024];
+       size_t len;
+-      u_char *cp;
+       struct stat st;
+ 
+       if (fstat(fd, &st) < 0) {
+@@ -325,30 +327,45 @@
+                   filename == NULL ? "" : filename,
+                   filename == NULL ? "" : " ",
+                   strerror(errno));
+-              close(fd);
+               return 0;
+       }
+-      if (st.st_size > 1*1024*1024) {
++      if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
++          st.st_size > MAX_KEY_FILE_SIZE) {
++ toobig:
+               error("%s: key file %.200s%stoo large", __func__,
+                   filename == NULL ? "" : filename,
+                   filename == NULL ? "" : " ");
+-              close(fd);
+               return 0;
+       }
+-      len = (size_t)st.st_size;               /* truncated */
+-
+       buffer_init(blob);
+-      cp = buffer_append_space(blob, len);
+-
+-      if (atomicio(read, fd, cp, len) != len) {
+-              debug("%s: read from key file %.200s%sfailed: %.100s", __func__,
+-                  filename == NULL ? "" : filename,
+-                  filename == NULL ? "" : " ",
+-                  strerror(errno));
++      for (;;) {
++              if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
++                      if (errno == EPIPE)
++                              break;
++                      debug("%s: read from key file %.200s%sfailed: %.100s",
++                          __func__, filename == NULL ? "" : filename,
++                          filename == NULL ? "" : " ", strerror(errno));
++                      buffer_clear(blob);
++                      bzero(buf, sizeof(buf));
++                      return 0;
++              }
++              buffer_append(blob, buf, len);
++              if (buffer_len(blob) > MAX_KEY_FILE_SIZE) {
++                      buffer_clear(blob);
++                      bzero(buf, sizeof(buf));
++                      goto toobig;
++              }
++      }
++      bzero(buf, sizeof(buf));
++      if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
++          st.st_size != buffer_len(blob)) {
++              debug("%s: key file %.200s%schanged size while reading",
++                  __func__, filename == NULL ? "" : filename,
++                  filename == NULL ? "" : " ");
+               buffer_clear(blob);
+-              close(fd);
+               return 0;
+       }
++
+       return 1;
+ }
+ 
+@@ -606,7 +623,7 @@
+               
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+               error("Permissions 0%3.3o for '%s' are too open.",
+                   (u_int)st.st_mode & 0777, filename);
+-              error("It is recommended that your private key files are NOT 
accessible by others.");
++              error("It is required that your private key files are NOT 
accessible by others.");
+               error("This private key will be ignored.");
+               return 0;
+       }
+@@ -626,6 +643,7 @@
+       case KEY_UNSPEC:
+               return key_parse_private_pem(blob, type, passphrase, commentp);
+       default:
++              error("%s: cannot parse key type %d", __func__, type);
+               break;
+       }
+       return NULL;
+@@ -670,11 +688,38 @@
+ }
+ 
+ Key *
++key_parse_private(Buffer *buffer, const char *filename,
++    const char *passphrase, char **commentp)
++{
++      Key *pub, *prv;
++      Buffer pubcopy;
++
++      buffer_init(&pubcopy);
++      buffer_append(&pubcopy, buffer_ptr(buffer), buffer_len(buffer));
++      /* it's a SSH v1 key if the public key part is readable */
++      pub = key_parse_public_rsa1(&pubcopy, commentp);
++      buffer_free(&pubcopy);
++      if (pub == NULL) {
++              prv = key_parse_private_type(buffer, KEY_UNSPEC,
++                  passphrase, NULL);
++              /* use the filename as a comment for PEM */
++              if (commentp && prv)
++                      *commentp = xstrdup(filename);
++      } else {
++              key_free(pub);
++              /* key_parse_public_rsa1() has already loaded the comment */
++              prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
++                  NULL);
++      }
++      return prv;
++}
++
++Key *
+ key_load_private(const char *filename, const char *passphrase,
+     char **commentp)
+ {
+-      Key *pub, *prv;
+-      Buffer buffer, pubcopy;
++      Key *prv;
++      Buffer buffer;
+       int fd;
+ 
+       fd = open(filename, O_RDONLY);
+@@ -697,23 +742,7 @@
+       }
+       close(fd);
+ 
+-      buffer_init(&pubcopy);
+-      buffer_append(&pubcopy, buffer_ptr(&buffer), buffer_len(&buffer));
+-      /* it's a SSH v1 key if the public key part is readable */
+-      pub = key_parse_public_rsa1(&pubcopy, commentp);
+-      buffer_free(&pubcopy);
+-      if (pub == NULL) {
+-              prv = key_parse_private_type(&buffer, KEY_UNSPEC,
+-                  passphrase, NULL);
+-              /* use the filename as a comment for PEM */
+-              if (commentp && prv)
+-                      *commentp = xstrdup(filename);
+-      } else {
+-              key_free(pub);
+-              /* key_parse_public_rsa1() has already loaded the comment */
+-              prv = key_parse_private_type(&buffer, KEY_RSA1, passphrase,
+-                  NULL);
+-      }
++      prv = key_parse_private(&buffer, filename, passphrase, commentp);
+       buffer_free(&buffer);
+       return prv;
+ }
+@@ -737,13 +766,19 @@
+                       case '\0':
+                               continue;
+                       }
++                      /* Abort loading if this looks like a private key */
++                      if (strncmp(cp, "-----BEGIN", 10) == 0)
++                              break;
+                       /* Skip leading whitespace. */
+                       for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
+                               ;
+                       if (*cp) {
+                               if (key_read(k, &cp) == 1) {
+-                                      if (commentp)
+-                                              *commentp=xstrdup(filename);
++                                      cp[strcspn(cp, "\r\n")] = '\0';
++                                      if (commentp) {
++                                              *commentp = xstrdup(*cp ?
++                                                  cp : filename);
++                                      }
+                                       fclose(f);
+                                       return 1;
+                               }
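Review bot: The read loop in key_load_file() treats `atomicio()` returning 0 with `errno == EPIPE` as end-of-file, which only holds because OpenSSH's atomicio() sets errno to EPIPE itself on a zero-length read rather than because read() ever reports EPIPE; a comment on that branch, `/* atomicio() reports EOF as 0 with errno == EPIPE */`, would keep a future reader from mistaking it for a real error path. The patch also drops `static` from key_load_file() and adds a non-static key_parse_private(), yet this commit changes no authfile.h, so as far as this page shows neither function gets a prototype — either keep them `static` in the backport or carry the header hunk along with it. The `bzero(buf, sizeof(buf))` calls before each return are there to scrub key bytes from the stack, but a plain bzero() on a local that is about to go out of scope may be dropped by dead-store elimination, which deserves a one-line comment noting the limitation. One line of key_load_file() (old line 324, between the `@@ -312` and `@@ -325` nested hunks) is not shown, so the function is not fully visible here.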
