Diffstat (limited to 'system/openssh')
-rw-r--r-- | system/openssh/APKBUILD | 50 | ||||
-rw-r--r-- | system/openssh/CVE-2018-20685.patch | 33 | ||||
-rw-r--r-- | system/openssh/bsd-compatible-realpath.patch | 62 | ||||
-rw-r--r-- | system/openssh/fix-utmpx.patch | 14 | ||||
-rw-r--r-- | system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch | 13 | ||||
-rw-r--r-- | system/openssh/openssh7.4-peaktput.patch | 62 | ||||
-rw-r--r-- | system/openssh/sftp-interactive.patch | 14 | ||||
-rwxr-xr-x | system/openssh/sshd.initd | 7 | ||||
-rw-r--r-- | system/openssh/utmpx.patch | 103 |
9 files changed, 133 insertions, 225 deletions
diff --git a/system/openssh/APKBUILD b/system/openssh/APKBUILD
index 38d947585..3c877c3c8 100644
--- a/system/openssh/APKBUILD
+++ b/system/openssh/APKBUILD
@@ -2,16 +2,16 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 # Maintainer: Horst Burkhardt <horst@adelielinux.org>
 pkgname=openssh
-pkgver=7.9_p1
+pkgver=9.9_p2
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=4
-pkgdesc="Port of OpenBSD's free SSH release"
+pkgrel=1
+pkgdesc="Remote login tool using encrypted SSH protocol"
 url="https://www.openssh.com/portable.html"
 arch="all"
-license="BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause"
 options="suid !check"
+license="BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause"
 depends="openssh-client openssh-sftp-server openssh-server"
-makedepends_build="linux-pam-dev gettext-tiny"
+makedepends_build="autoconf automake linux-pam-dev gettext-tiny"
 makedepends_host="openssl-dev zlib-dev linux-headers linux-pam-dev gettext-tiny-dev utmps-dev"
 makedepends="$makedepends_build $makedepends_host"
@@ -25,18 +25,18 @@ subpackages="$pkgname-doc
 "
 source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
-bsd-compatible-realpath.patch
-CVE-2018-20685.patch
 disable-forwarding-by-default.patch
-fix-utmpx.patch
-openssh7.4-peaktput.patch
-openssh-7.9_p1-openssl-1.0.2-compat.patch
-sftp-interactive.patch
+utmpx.patch
 sshd.initd
 sshd.confd
 "
+
 # secfixes:
+# 9.0_p1-r0:
+# - CVE-2021-41617
+# - CVE-2021-28041
+# - CVE-2020-14145
 # 7.9_p1-r2:
 # - CVE-2018-20685
 # 7.9_p1:
@@ -49,11 +49,10 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.ta
 # - CVE-2016-10011
 # - CVE-2016-10012
-# HPN patches are from: http://hpnssh.sourceforge.net/
-
 builddir="$srcdir"/$pkgname-$_myver
 build() {
+autoreconf -vif
 export LD="$CC" LIBS="-lutmps -lskarnet"
 ./configure --build=$CBUILD \
 --host=$CHOST \
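Review bot: The secfixes block in the source hunk is only extended to `# 9.0_p1-r0:` while `pkgver` moves from 7.9_p1 to 9.9_p2, so any CVE fixed upstream between 9.0 and 9.9p2 is not recorded even though this is the release the package now ships. The secfixes comment is what the distribution's vulnerability scanner reads, so a missing range here makes the package look unfixed (or, worse, fixed without a record) for those advisories. Add a `# 9.9_p2-r0:` entry (and intermediate versions where applicable) listing the CVEs closed in that range, with the numbers taken from the upstream release notes rather than guessed.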
@@ -66,13 +65,13 @@ build() {
 --with-ldflags="${LDFLAGS}" \
 --enable-lastlog \
 --disable-strip \
---enable-wtmp \
+--enable-wtmpx \
 --with-privsep-path=/var/empty \
 --with-xauth=/usr/bin/xauth \
 --with-privsep-user=sshd \
---with-md5-passwords \
 --with-ssl-engine \
---with-pam
+--with-pam \
+--without-zlib-version-check
 make
 }
@@ -136,10 +135,14 @@ server() {
 pkgdesc="OpenSSH server"
 depends="openssh-client openssh-keygen"
 replaces="openssh-server-common"
-cd "$builddir"
+
 install -d "$subpkgdir"/usr/sbin
-install -d "$subpkgdir"/etc/ssh
 mv "$pkgdir"/usr/sbin/sshd "$subpkgdir"/usr/sbin/
+
+install -d "$subpkgdir"/usr/lib/ssh
+mv "$pkgdir"/usr/lib/ssh/sshd-session "$subpkgdir"/usr/lib/ssh/
+
+install -d "$subpkgdir"/etc/ssh
 mv "$pkgdir"/etc/ssh/sshd_config "$subpkgdir"/etc/ssh/
 }
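Review bot: The new `--without-zlib-version-check` in the configure call disables upstream's refusal to build against zlib releases with known bugs, and nothing in the hunk records why this system needs that. A one-line comment above the flag, such as `# zlib version check: <reason/version on this system> -- TODO document`, would keep the next maintainer from silently carrying the override past the point where it is still needed. The same hunk drops `--with-md5-passwords` without explanation; if that is intentional because authentication now goes through PAM, a comment to that effect would help too. The enclosing build() starts outside this hunk.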
@@ -149,13 +152,8 @@ openrc() {
 install_if="openssh-server=$pkgver-r$pkgrel openrc"
 }
-sha512sums="0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e openssh-7.9p1.tar.gz
-f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch
-b8907d3d6ebceeca15f6bc97551a7613c68df5c31e4e76d43b7c0bd9ad42dedcabc20a2cc5404b89f40850a4765b24892bde50eab1db55c96ad5cf23bb1f8d04 CVE-2018-20685.patch
+sha512sums="4c6d839aa3189cd5254c745f2bd51cd3f468b02f8e427b8d7a16b9ad017888a41178d2746dc51fb2d3fec5be00e54b9ab7c32c472ca7dec57a1dea4fc9840278 openssh-9.9p2.tar.gz
 f3d5960572ddf49635d4edbdff45835df1b538a81840db169c36b39862e6fa8b0393ca90626000b758f59567ff6810b2537304098652483b3b31fb438a061de6 disable-forwarding-by-default.patch
-0c1e832cec420bc7b57558041d2288912a438db97050b87f6a57e94a2741a374cc5d141fe352968b0d1ba6accaff965794463fe9169d136678a8915a60d2f0b7 fix-utmpx.patch
-398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6 openssh7.4-peaktput.patch
-dde28496df7ee74a2bbcf0aba389abefade3dc41f7d10dc6d3c1a0aca087478bafe10d31ec5e61e758084fa0a2a7c64314502091d900d9cee487c1bdc92722a6 openssh-7.9_p1-openssl-1.0.2-compat.patch
-c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
-394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f sshd.initd
+56543469db242699d8a04d0ba133b9ab0d980224035de57f70f773ca1593828cf4e41d3306f72b5ac95423f1e512bd6b92f69f86b847e05abfbd48737431104b utmpx.patch
+964c0f8538ba25bdc9cdbd1467bbdfb2090e38492ff0ef7c64473785713fe26d752ea6a7b0ee7a0b34e08f4d3b4bccf6a69e6c456f0c57d0d0c581aa8a046936 sshd.initd
ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4 sshd.confd" diff --git a/system/openssh/CVE-2018-20685.patch b/system/openssh/CVE-2018-20685.patch deleted file mode 100644 index f2f1ecfc5..000000000 --- a/system/openssh/CVE-2018-20685.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" <djm@openbsd.org> -Date: Fri, 16 Nov 2018 03:03:10 +0000 -Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer - to the - -current directory; based on report/patch from Harry Sintonen - -OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9 ---- - scp.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/scp.c b/scp.c -index 60682c687..4f3fdcd3d 100644 ---- a/scp.c -+++ b/scp.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */ -+/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */ - /* - * scp - secure remote copy. This is basically patched BSD rcp which - * uses ssh to do the data transfer (instead of using rcmd). -@@ -1106,7 +1106,8 @@ sink(int argc, char **argv) - SCREWUP("size out of range"); - size = (off_t)ull; - -- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { -+ if (*cp == '\0' || strchr(cp, '/') != NULL || -+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { - run_err("error: unexpected filename: %s", cp); - exit(1); - } diff --git a/system/openssh/bsd-compatible-realpath.patch b/system/openssh/bsd-compatible-realpath.patch deleted file mode 100644 index 1cdb4f7c5..000000000 --- a/system/openssh/bsd-compatible-realpath.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -fix issues with fortify-headers and the way openssh handles the needed -BSD compatible realpath(3). - -unconditionally use the provided realpath() as otherwise cross-builds -would try to use musl realpath() which is posix compliant and not -working to openssh expectations. - -diff -ru openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h openssh-7.2p2/openbsd-compat/openbsd-compat.h ---- openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h 2016-03-09 20:04:48.000000000 +0200 -+++ openssh-7.2p2/openbsd-compat/openbsd-compat.h 2016-07-18 13:33:16.260357745 +0300 -@@ -68,17 +68,7 @@ - void *reallocarray(void *, size_t, size_t); - #endif - --#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) --/* -- * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the -- * compat version. -- */ --# ifdef BROKEN_REALPATH --# define realpath(x, y) _ssh_compat_realpath(x, y) --# endif -- --char *realpath(const char *path, char *resolved); --#endif -+char *ssh_realpath(const char *path, char *resolved); - - #ifndef HAVE_RRESVPORT_AF - int rresvport_af(int *alport, sa_family_t af); -diff -ru openssh-7.2p2.orig/openbsd-compat/realpath.c openssh-7.2p2/openbsd-compat/realpath.c ---- openssh-7.2p2.orig/openbsd-compat/realpath.c 2016-03-09 20:04:48.000000000 +0200 -+++ openssh-7.2p2/openbsd-compat/realpath.c 2016-07-18 13:33:45.420721690 +0300 -@@ -31,7 +31,7 @@ - - #include "includes.h" - --#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH) -+#if 1 - - #include <sys/types.h> - #include <sys/param.h> -@@ -58,7 +58,7 @@ - * in which case the path which caused trouble is left in (resolved). 
- */ - char * --realpath(const char *path, char *resolved) -+ssh_realpath(const char *path, char *resolved) - { - struct stat sb; - char *p, *q, *s; -diff -ru openssh-7.2p2.orig/sftp-server.c openssh-7.2p2/sftp-server.c ---- openssh-7.2p2.orig/sftp-server.c 2016-03-09 20:04:48.000000000 +0200 -+++ openssh-7.2p2/sftp-server.c 2016-07-18 13:34:29.131267241 +0300 -@@ -1162,7 +1162,7 @@ - } - debug3("request %u: realpath", id); - verbose("realpath \"%s\"", path); -- if (realpath(path, resolvedname) == NULL) { -+ if (ssh_realpath(path, resolvedname) == NULL) { - send_status(id, errno_to_portable(errno)); - } else { - Stat s; diff --git a/system/openssh/fix-utmpx.patch b/system/openssh/fix-utmpx.patch deleted file mode 100644 index 7f05add35..000000000 --- a/system/openssh/fix-utmpx.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- openssh-7.7p1/loginrec.c.old 2018-04-02 00:38:28.000000000 -0500 -+++ openssh-7.7p1/loginrec.c 2018-06-15 22:09:00.091482769 -0500 -@@ -1656,7 +1656,11 @@ - const char *ttyn) - { - int fd; -+#if defined(USE_UTMPX) -+ struct utmpx ut; -+#else - struct utmp ut; -+#endif - struct sockaddr_storage from; - socklen_t fromlen = sizeof(from); - struct sockaddr_in *a4; diff --git a/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch b/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch deleted file mode 100644 index c1c310e8f..000000000 --- a/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c -index 8b4a3627..590b66d1 100644 ---- a/openbsd-compat/openssl-compat.c -+++ b/openbsd-compat/openssl-compat.c -@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void) - ENGINE_load_builtin_engines(); - ENGINE_register_all_complete(); - --#if OPENSSL_VERSION_NUMBER < 0x10001000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - OPENSSL_config(NULL); - #else - OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | 
diff --git a/system/openssh/openssh7.4-peaktput.patch b/system/openssh/openssh7.4-peaktput.patch deleted file mode 100644 index 6fc6140a6..000000000 --- a/system/openssh/openssh7.4-peaktput.patch +++ /dev/null @@ -1,62 +0,0 @@ ---- a/progressmeter.c -+++ b/progressmeter.c -@@ -69,6 +69,8 @@ - static off_t start_pos; /* initial position of transfer */ - static off_t end_pos; /* ending position of transfer */ - static off_t cur_pos; /* transfer position as of last refresh */ -+static off_t last_pos; -+static off_t max_delta_pos = 0; - static volatile off_t *counter; /* progress counter */ - static long stalled; /* how long we have been stalled */ - static int bytes_per_second; /* current speed in bytes per second */ -@@ -128,12 +130,17 @@ - int hours, minutes, seconds; - int i, len; - int file_len; -+ off_t delta_pos; - - transferred = *counter - (cur_pos ? cur_pos : start_pos); - cur_pos = *counter; - now = monotime_double(); - bytes_left = end_pos - cur_pos; - -+ delta_pos = cur_pos - last_pos; -+ if (delta_pos > max_delta_pos) -+ max_delta_pos = delta_pos; -+ - if (bytes_left > 0) - elapsed = now - last_update; - else { -@@ -158,7 +165,7 @@ - - /* filename */ - buf[0] = '\0'; -- file_len = win_size - 35; -+ file_len = win_size - 45; - if (file_len > 0) { - len = snprintf(buf, file_len + 1, "\r%s", file); - if (len < 0) -@@ -188,6 +195,15 @@ - (off_t)bytes_per_second); - strlcat(buf, "/s ", win_size); - -+ /* instantaneous rate */ -+ if (bytes_left > 0) -+ format_rate(buf + strlen(buf), win_size - strlen(buf), -+ delta_pos); -+ else -+ format_rate(buf + strlen(buf), win_size - strlen(buf), -+ max_delta_pos); -+ strlcat(buf, "/s ", win_size); -+ - /* ETA */ - if (!transferred) - stalled += elapsed; -@@ -224,6 +240,7 @@ - - atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1); - last_update = now; -+ last_pos = cur_pos; - } - - /*ARGSUSED*/ 
diff --git a/system/openssh/sftp-interactive.patch b/system/openssh/sftp-interactive.patch
deleted file mode 100644
index ab14f3a6b..000000000
--- a/system/openssh/sftp-interactive.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/sftp.c 2014-10-24 10:32:15.793544472 +0500
-+++ b/sftp.c 2014-10-24 10:35:22.329199875 +0500
-@@ -2076,8 +2076,10 @@
- signal(SIGINT, SIG_IGN);
- 
- if (el == NULL) {
-- if (interactive)
-+ if (interactive) {
- printf("sftp> ");
-+ fflush(stdout);
-+ }
- if (fgets(cmd, sizeof(cmd), infile) == NULL) {
- if (interactive)
- printf("\n");
diff --git a/system/openssh/sshd.initd b/system/openssh/sshd.initd
index 065519174..e13924e2c 100755
--- a/system/openssh/sshd.initd
+++ b/system/openssh/sshd.initd
@@ -82,7 +82,12 @@ stop() {
 eend $?
 if [ "$RC_RUNLEVEL" = "shutdown" ]; then
-_sshd_pids=$(pgrep "${SSHD_BINARY##*/}")
+local _p _sshd_pids
+for _p in $(pgrep "${SSHD_BINARY##*/}"); do
+[ "$(realpath /proc/$_p/exe)" = "${SSHD_BINARY}" ] \
+|| continue
+_sshd_pids="$_sshd_pids $_p"
+done
 if [ -n "$_sshd_pids" ]; then
 ebegin "Shutting down ssh connections"
 kill -TERM $_sshd_pids >/dev/null 2>&1
diff --git a/system/openssh/utmpx.patch b/system/openssh/utmpx.patch
new file mode 100644
index 000000000..d3f24aa76
--- /dev/null
+++ b/system/openssh/utmpx.patch
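Review bot: The new `/proc/$_p/exe` comparison in the sshd.initd shutdown branch appears to exclude the very processes it is meant to terminate: with OpenSSH 9.9 each connection is handled by a separate `sshd-session` process (the APKBUILD in this commit installs it to /usr/lib/ssh/sshd-session), and if SSHD_BINARY is /usr/sbin/sshd then `pgrep sshd` still matches those by substring but the realpath test rejects them, leaving only the listener, which stop() has presumably already killed above this hunk. Filtering by exe path is the right fix for the old name-only `pgrep` (it could signal unrelated processes named sshd), but the accepted set should include the session binary, e.g. `case "$(realpath /proc/$_p/exe 2>/dev/null)" in "${SSHD_BINARY}"|/usr/lib/ssh/sshd-session) ;; *) continue ;; esac`, with the `2>/dev/null` also silencing realpath on a pid that exits mid-loop. Note too that after a package upgrade the exe link of a still-running binary resolves to a name ending in " (deleted)", so such sessions are skipped as well; that is probably acceptable but worth a comment. SSHD_BINARY and the start of stop() are outside this hunk.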
@@ -0,0 +1,103 @@
+--- openssh-9.9p2/configure.ac.old 2025-02-18 02:15:08.000000000 -0600
++++ openssh-9.9p2/configure.ac 2025-02-18 20:57:12.172701096 -0600
+@@ -5449,7 +5449,9 @@
+ AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_LASTLOG_H
+ # include <lastlog.h>
+ #endif
+@@ -5466,7 +5468,9 @@
+ AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_LASTLOG_H
+ # include <lastlog.h>
+ #endif
+@@ -5504,7 +5508,9 @@
+ AC_MSG_CHECKING([if your system defines UTMP_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #endif
+@@ -5534,7 +5540,9 @@
+ AC_MSG_CHECKING([if your system defines WTMP_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #endif
+@@ -5564,7 +5572,9 @@
+ AC_MSG_CHECKING([if your system defines WTMPX_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_UTMPX_H
+ #include <utmpx.h>
+ #endif
+--- openssh-9.9p2/loginrec.c.old 2025-02-18 02:15:08.000000000 -0600
++++ openssh-9.9p2/loginrec.c 2025-02-18 21:01:26.034757676 -0600
+@@ -614,7 +614,7 @@
+ ** into account.
+ **/
+ 
+-#if defined(USE_BTMP) || defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
++#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
+ 
+ /* build the utmp structure */
+ void
+@@ -698,7 +698,7 @@
+ }
+ # endif
+ }
+-#endif /* USE_BTMP || USE_UTMP || USE_WTMP || USE_LOGIN */
++#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */
+ 
+ /**
+ ** utmpx utility functions
+@@ -1644,7 +1644,13 @@
+ const char *ttyn)
+ {
+ int fd;
++#if defined(USE_UTMP)
+ struct utmp ut;
++#elif defined(USE_UTMPX)
++ struct utmpx ut;
++#else
++# error either UTMP or UTMPX must be present to use BTMP
++#endif
+ struct logininfo li;
+ socklen_t fromlen = sizeof(li.hostaddr);
+ time_t t;
+@@ -1681,7 +1687,11 @@
+ (void)getpeername(ssh_packet_get_connection_in(ssh),
+ &li.hostaddr.sa, &fromlen);
+ }
++#if defined(USE_UTMP)
+ construct_utmp(&li, &ut);
++#elif defined(USE_UTMPX)
++ construct_utmpx(&li, &ut);
++#endif
+ 
+ if (atomicio(vwrite, fd, &ut, sizeof(ut)) != sizeof(ut)) {
+ error("Failed to write to %s: %s", _PATH_BTMP,
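Review bot: utmpx.patch carries no description of why it exists, unlike the patches this commit removes (bsd-compatible-realpath.patch opened with a rationale), so the next rebase will have to rediscover its purpose. A few lines before the first `---` header would do, along the lines of: configure's LASTLOG/UTMP/WTMP probes include `<utmp.h>` unconditionally and the btmp failed-login writer in loginrec.c only knows `struct utmp`, so guard the include on HAVE_UTMP_H and let the writer use `struct utmpx`/`construct_utmpx` — presumably because the utmps library this package links against provides utmpx but no utmp.h (confirm and state the actual reason). One behavioural point worth a comment in the patch: the last two hunks prefer `USE_UTMP` over `USE_UTMPX` when both are defined, and the record written to _PATH_BTMP changes size with the chosen struct, so whatever reads btmp on this system must agree on that format; the function containing these hunks starts before the first of them.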