Re: [OE-core] [PATCH 1/1] openssh: three fixes

Fri, 07 Jun 2013 19:49:03 -0700 


On 06/08/2013 05:41 AM, Saul Wold wrote:

On 06/06/2013 07:27 PM, [email protected] wrote:

From: "Roy.Li" <[email protected]>

1. fix a alignment issue on ARM v7 NEON cpu
2. fix a empty passwd issue
3. enable tcp-wrappers by default


openssh has been updated to 6.2p2, so can you please rebase these
patches to that newer version.

Also, have they been sumbitted upstream, for security related bug, I
would like to know if the upstream will accept them for correctness
since they could lead to security issues otherwise.




Seems they are not submitted to upstream,
I will submit them to upstream, then send out to Oe-core.

-Roy





Thanks
     Sau!


Signed-off-by: Roy.Li <[email protected]>
---
  .../openssh-6.2p1/mac_compute-alignment.patch      |   39
++++++++++++++++++++
  .../openssh-permit_empty_passwd.patch              |   33
+++++++++++++++++
  meta/recipes-connectivity/openssh/openssh_6.2p1.bb |    5 +++
  3 files changed, 77 insertions(+)
  create mode 100644
meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch

  create mode 100644
meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch


diff --git
a/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch

new file mode 100644
index 0000000..ea8a31a
--- /dev/null
+++
b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch

@@ -0,0 +1,39 @@
+Upstream-Status: Pending
+
+The mac_compute() function in openssh calls umac_final() to prepend a
tag
+to a buffer.  Umac_final() calls pdf_gen_xor() on the tag as its final
+operation, and as implemented, pdf_gen_xor() assumes an appropriate
+alignment for 64-bit operations on its buffer.  However, the buffer
+is declared in mac_compute() as a static u_char array, and the linker
+doesn't guarantee 64-bit alignment for such arrays.  On ARM v7 NEON
+platforms with gcc, 64-bit values must be 64-bit aligned, and the
+unaligned buffer declaration caused alignment faults when executing
+certain openssh tests.
+
+Force the buffer in mac_compute() to be 64-bit aligned.
+
+Signed-off-by: Donn Seeley <[email protected]>
+---
+ mac.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/mac.c
++++ b/mac.c
+@@ -132,12 +132,14 @@ mac_init(Mac *mac)
+ u_char *
+ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
+ {
+-    static u_char m[EVP_MAX_MD_SIZE];
++    static u_int64_t m_buf[(EVP_MAX_MD_SIZE + sizeof (u_int64_t) - 1)
++        / sizeof (u_int64_t)];
++    u_char *m = (u_char *)m_buf;
+     u_char b[4], nonce[8];
+
+-    if (mac->mac_len > sizeof(m))
++    if (mac->mac_len > EVP_MAX_MD_SIZE)
+         fatal("mac_compute: mac too long %u %lu",
+-            mac->mac_len, (u_long)sizeof(m));
++            mac->mac_len, (u_long)EVP_MAX_MD_SIZE);
+
+     switch (mac->type) {
+     case SSH_EVP:
diff --git
a/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch

new file mode 100644
index 0000000..c1d7f8e
--- /dev/null
+++
b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch

@@ -0,0 +1,33 @@
+Subject: [PATCH] openssh: fix permit_empty_passwd
+
+Upstream-Status: pending
+
+When pam enabled, userauth_none calls auth_password("") -->
+pam_authenticate("") will cause pam_auth process in the fail
+status. This will block all login, even users with a correct
+password.
+
+userauth_none should alway return false since sshd
+would check passwords in userauth_passwd using pam* modules.
+
+Signed-off-by: Xin Ouyang <[email protected]>
+---
+ auth2-none.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/auth2-none.c b/auth2-none.c
+index c8c6c74..560feef 100644
+--- a/auth2-none.c
++++ b/auth2-none.c
+@@ -61,6 +61,8 @@ userauth_none(Authctxt *authctxt)
+ {
+     none_enabled = 0;
+     packet_check_eom();
++    if (options.use_pam)
++        return 0;
+     if (options.permit_empty_passwd && options.password_authentication)
+         return (PRIVSEP(auth_password(authctxt, "")));
+     return (0);
+--
+1.7.9.5
+
diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
index 20502c4..198c09d 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
@@ -25,6 +25,8 @@ SRC_URI =
"ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
             file://ssh_config \
             file://init \
             file://openssh-CVE-2011-4327.patch \
+           file://mac_compute-alignment.patch \
+           file://openssh-permit_empty_passwd.patch \
             ${@base_contains('DISTRO_FEATURES', 'pam',
'${PAM_SRC_URI}', '', d)}"

  PAM_SRC_URI = "file://sshd"
@@ -45,6 +47,9 @@ inherit autotools
  CFLAGS += "-D__FILE_OFFSET_BITS=64"
  export LD = "${CC}"

+PACKAGECONFIG ??= "tcp-wrappers"
+PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
+
  EXTRA_OECONF = "--with-rand-helper=no \
                  ${@base_contains('DISTRO_FEATURES', 'pam',
'--with-pam', '--without-pam', d)} \
                  --without-zlib-version-check \






--
Best Reagrds,
Roy | RongQing Li
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core






















					Reply via email to