Diffstat (limited to 'system/openssh')
-rw-r--r--system/openssh/APKBUILD50
-rw-r--r--system/openssh/CVE-2018-20685.patch33
-rw-r--r--system/openssh/bsd-compatible-realpath.patch62
-rw-r--r--system/openssh/fix-utmpx.patch14
-rw-r--r--system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch13
-rw-r--r--system/openssh/openssh7.4-peaktput.patch62
-rw-r--r--system/openssh/sftp-interactive.patch14
-rwxr-xr-xsystem/openssh/sshd.initd7
-rw-r--r--system/openssh/utmpx.patch103
9 files changed, 133 insertions, 225 deletions
diff --git a/system/openssh/APKBUILD b/system/openssh/APKBUILD
index 38d947585..3c877c3c8 100644
--- a/system/openssh/APKBUILD
+++ b/system/openssh/APKBUILD
@@ -2,16 +2,16 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Maintainer: Horst Burkhardt <horst@adelielinux.org>
pkgname=openssh
-pkgver=7.9_p1
+pkgver=9.9_p2
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=4
-pkgdesc="Port of OpenBSD's free SSH release"
+pkgrel=1
+pkgdesc="Remote login tool using encrypted SSH protocol"
url="https://www.openssh.com/portable.html"
arch="all"
-license="BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause"
options="suid !check"
+license="BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause"
depends="openssh-client openssh-sftp-server openssh-server"
-makedepends_build="linux-pam-dev gettext-tiny"
+makedepends_build="autoconf automake linux-pam-dev gettext-tiny"
makedepends_host="openssl-dev zlib-dev linux-headers linux-pam-dev
gettext-tiny-dev utmps-dev"
makedepends="$makedepends_build $makedepends_host"
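Review bot: `pkgver=9.9_p2` moves the package from 7.9_p1 straight to 9.9_p2, but the `# secfixes:` block updated in the next hunk only gains a `9.0_p1-r0` entry, so none of the advisories closed by the releases between 9.0_p1 and 9.9_p2 are recorded and tooling that reads secfixes will treat those fixes as absent from this build. Add one entry per fixed upstream release, e.g. `# 9.9_p2-r0:` followed by `#   - CVE-<id from the upstream release notes>`, taking identifiers from the release notes rather than from memory, and include the 9.9_p2 point release itself if it was issued for a security fix. The added `autoconf automake` in `makedepends_build` is consistent with the `autoreconf -vif` that build() gains further down.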
@@ -25,18 +25,18 @@ subpackages="$pkgname-doc
"
source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar.gz
- bsd-compatible-realpath.patch
- CVE-2018-20685.patch
disable-forwarding-by-default.patch
- fix-utmpx.patch
- openssh7.4-peaktput.patch
- openssh-7.9_p1-openssl-1.0.2-compat.patch
- sftp-interactive.patch
+ utmpx.patch
sshd.initd
sshd.confd
"
+
# secfixes:
+# 9.0_p1-r0:
+# - CVE-2021-41617
+# - CVE-2021-28041
+# - CVE-2020-14145
# 7.9_p1-r2:
# - CVE-2018-20685
# 7.9_p1:
@@ -49,11 +49,10 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.ta
# - CVE-2016-10011
# - CVE-2016-10012
-# HPN patches are from: http://hpnssh.sourceforge.net/
-
builddir="$srcdir"/$pkgname-$_myver
build() {
+ autoreconf -vif
export LD="$CC"
LIBS="-lutmps -lskarnet" ./configure --build=$CBUILD \
--host=$CHOST \
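Review bot: `autoreconf -vif` is added to build() without a comment explaining why the shipped `configure` is being regenerated; the reason appears to be that `utmpx.patch` (added to `source` in the previous hunk) edits configure.ac, and that dependency should be stated where the command is. Suggest `# utmpx.patch edits configure.ac, so configure must be regenerated` directly above it. Dropping the HPN comment is consistent with the removal of openssh7.4-peaktput.patch. build() continues past the end of this hunk.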
@@ -66,13 +65,13 @@ build() {
--with-ldflags="${LDFLAGS}" \
--enable-lastlog \
--disable-strip \
- --enable-wtmp \
+ --enable-wtmpx \
--with-privsep-path=/var/empty \
--with-xauth=/usr/bin/xauth \
--with-privsep-user=sshd \
- --with-md5-passwords \
--with-ssl-engine \
- --with-pam
+ --with-pam \
+ --without-zlib-version-check
make
}
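Review bot: `--without-zlib-version-check` disables configure's rejection of zlib releases it knows to be broken, and nothing in the hunk says why that is acceptable here; if the flag is only there because configure mis-parses a newer zlib version string, record that with `# zlib version check disabled: <reason, e.g. configure cannot parse the installed zlib's version string>` so the flag is removed once the parser is fixed rather than kept indefinitely. The move from `--enable-wtmp` to `--enable-wtmpx` matches the `-lutmps` link and utmpx.patch. Removing `--with-md5-passwords` presumably only matters for non-PAM password checks; since `--with-pam` stays, it is likely moot, but confirm before relying on that. build() begins before this hunk.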
@@ -136,10 +135,14 @@ server() {
pkgdesc="OpenSSH server"
depends="openssh-client openssh-keygen"
replaces="openssh-server-common"
- cd "$builddir"
+
install -d "$subpkgdir"/usr/sbin
- install -d "$subpkgdir"/etc/ssh
mv "$pkgdir"/usr/sbin/sshd "$subpkgdir"/usr/sbin/
+
+ install -d "$subpkgdir"/usr/lib/ssh
+ mv "$pkgdir"/usr/lib/ssh/sshd-session "$subpkgdir"/usr/lib/ssh/
+
+ install -d "$subpkgdir"/etc/ssh
mv "$pkgdir"/etc/ssh/sshd_config "$subpkgdir"/etc/ssh/
}
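Review bot: `mv "$pkgdir"/usr/lib/ssh/sshd-session` hard-codes the libexec location, and the configure option that sets it is not in this hunk, so the subpackage silently depends on that path staying `/usr/lib/ssh`; a one-line comment, `# sshd execs sshd-session from libexecdir; keep both in openssh-server`, would record why the file must travel with `sshd`. The other changes here (dropping `cd "$builddir"`, moving the `etc/ssh` mkdir next to its use) are cosmetic.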
@@ -149,13 +152,8 @@ openrc() {
install_if="openssh-server=$pkgver-r$pkgrel openrc"
}
-sha512sums="0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e openssh-7.9p1.tar.gz
-f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch
-b8907d3d6ebceeca15f6bc97551a7613c68df5c31e4e76d43b7c0bd9ad42dedcabc20a2cc5404b89f40850a4765b24892bde50eab1db55c96ad5cf23bb1f8d04 CVE-2018-20685.patch
+sha512sums="4c6d839aa3189cd5254c745f2bd51cd3f468b02f8e427b8d7a16b9ad017888a41178d2746dc51fb2d3fec5be00e54b9ab7c32c472ca7dec57a1dea4fc9840278 openssh-9.9p2.tar.gz
f3d5960572ddf49635d4edbdff45835df1b538a81840db169c36b39862e6fa8b0393ca90626000b758f59567ff6810b2537304098652483b3b31fb438a061de6 disable-forwarding-by-default.patch
-0c1e832cec420bc7b57558041d2288912a438db97050b87f6a57e94a2741a374cc5d141fe352968b0d1ba6accaff965794463fe9169d136678a8915a60d2f0b7 fix-utmpx.patch
-398096a89aa104abeff31aa043ac406a6348e0fdd4d313b7888ee0b931d38fd71fc21bceee46145e88f03bc27e00890e068442faee2d33f86cfbc04d58ffa4b6 openssh7.4-peaktput.patch
-dde28496df7ee74a2bbcf0aba389abefade3dc41f7d10dc6d3c1a0aca087478bafe10d31ec5e61e758084fa0a2a7c64314502091d900d9cee487c1bdc92722a6 openssh-7.9_p1-openssl-1.0.2-compat.patch
-c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
-394a420a36880bb0dd37dfd8727cea91fd9de6534050169e21212a46513ef3aaafe2752c338699b3d4ccd14871b26cf01a152df8060cd37f86ce0665fd53c63f sshd.initd
+56543469db242699d8a04d0ba133b9ab0d980224035de57f70f773ca1593828cf4e41d3306f72b5ac95423f1e512bd6b92f69f86b847e05abfbd48737431104b utmpx.patch
+964c0f8538ba25bdc9cdbd1467bbdfb2090e38492ff0ef7c64473785713fe26d752ea6a7b0ee7a0b34e08f4d3b4bccf6a69e6c456f0c57d0d0c581aa8a046936 sshd.initd
ce0abddbd2004891f88efd8522c4b37a4989290269fab339c0fa9aacc051f7fd3b20813e192e92e0e64315750041cb74012d4321260f4865ff69d7a935b259d4 sshd.confd"
diff --git a/system/openssh/CVE-2018-20685.patch b/system/openssh/CVE-2018-20685.patch
deleted file mode 100644
index f2f1ecfc5..000000000
--- a/system/openssh/CVE-2018-20685.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Fri, 16 Nov 2018 03:03:10 +0000
-Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
- to the
-
-current directory; based on report/patch from Harry Sintonen
-
-OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
----
- scp.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/scp.c b/scp.c
-index 60682c687..4f3fdcd3d 100644
---- a/scp.c
-+++ b/scp.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
-+/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
- /*
- * scp - secure remote copy. This is basically patched BSD rcp which
- * uses ssh to do the data transfer (instead of using rcmd).
-@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
- SCREWUP("size out of range");
- size = (off_t)ull;
-
-- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
-+ if (*cp == '\0' || strchr(cp, '/') != NULL ||
-+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
- run_err("error: unexpected filename: %s", cp);
- exit(1);
- }
diff --git a/system/openssh/bsd-compatible-realpath.patch b/system/openssh/bsd-compatible-realpath.patch
deleted file mode 100644
index 1cdb4f7c5..000000000
--- a/system/openssh/bsd-compatible-realpath.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-fix issues with fortify-headers and the way openssh handles the needed
-BSD compatible realpath(3).
-
-unconditionally use the provided realpath() as otherwise cross-builds
-would try to use musl realpath() which is posix compliant and not
-working to openssh expectations.
-
-diff -ru openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h openssh-7.2p2/openbsd-compat/openbsd-compat.h
---- openssh-7.2p2.orig/openbsd-compat/openbsd-compat.h 2016-03-09 20:04:48.000000000 +0200
-+++ openssh-7.2p2/openbsd-compat/openbsd-compat.h 2016-07-18 13:33:16.260357745 +0300
-@@ -68,17 +68,7 @@
- void *reallocarray(void *, size_t, size_t);
- #endif
-
--#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
--/*
-- * glibc's FORTIFY_SOURCE can redefine this and prevent us picking up the
-- * compat version.
-- */
--# ifdef BROKEN_REALPATH
--# define realpath(x, y) _ssh_compat_realpath(x, y)
--# endif
--
--char *realpath(const char *path, char *resolved);
--#endif
-+char *ssh_realpath(const char *path, char *resolved);
-
- #ifndef HAVE_RRESVPORT_AF
- int rresvport_af(int *alport, sa_family_t af);
-diff -ru openssh-7.2p2.orig/openbsd-compat/realpath.c openssh-7.2p2/openbsd-compat/realpath.c
---- openssh-7.2p2.orig/openbsd-compat/realpath.c 2016-03-09 20:04:48.000000000 +0200
-+++ openssh-7.2p2/openbsd-compat/realpath.c 2016-07-18 13:33:45.420721690 +0300
-@@ -31,7 +31,7 @@
-
- #include "includes.h"
-
--#if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
-+#if 1
-
- #include <sys/types.h>
- #include <sys/param.h>
-@@ -58,7 +58,7 @@
- * in which case the path which caused trouble is left in (resolved).
- */
- char *
--realpath(const char *path, char *resolved)
-+ssh_realpath(const char *path, char *resolved)
- {
- struct stat sb;
- char *p, *q, *s;
-diff -ru openssh-7.2p2.orig/sftp-server.c openssh-7.2p2/sftp-server.c
---- openssh-7.2p2.orig/sftp-server.c 2016-03-09 20:04:48.000000000 +0200
-+++ openssh-7.2p2/sftp-server.c 2016-07-18 13:34:29.131267241 +0300
-@@ -1162,7 +1162,7 @@
- }
- debug3("request %u: realpath", id);
- verbose("realpath \"%s\"", path);
-- if (realpath(path, resolvedname) == NULL) {
-+ if (ssh_realpath(path, resolvedname) == NULL) {
- send_status(id, errno_to_portable(errno));
- } else {
- Stat s;
diff --git a/system/openssh/fix-utmpx.patch b/system/openssh/fix-utmpx.patch
deleted file mode 100644
index 7f05add35..000000000
--- a/system/openssh/fix-utmpx.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- openssh-7.7p1/loginrec.c.old 2018-04-02 00:38:28.000000000 -0500
-+++ openssh-7.7p1/loginrec.c 2018-06-15 22:09:00.091482769 -0500
-@@ -1656,7 +1656,11 @@
- const char *ttyn)
- {
- int fd;
-+#if defined(USE_UTMPX)
-+ struct utmpx ut;
-+#else
- struct utmp ut;
-+#endif
- struct sockaddr_storage from;
- socklen_t fromlen = sizeof(from);
- struct sockaddr_in *a4;
diff --git a/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch b/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch
deleted file mode 100644
index c1c310e8f..000000000
--- a/system/openssh/openssh-7.9_p1-openssl-1.0.2-compat.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
-index 8b4a3627..590b66d1 100644
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
- ENGINE_load_builtin_engines();
- ENGINE_register_all_complete();
-
--#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- OPENSSL_config(NULL);
- #else
- OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
diff --git a/system/openssh/openssh7.4-peaktput.patch b/system/openssh/openssh7.4-peaktput.patch
deleted file mode 100644
index 6fc6140a6..000000000
--- a/system/openssh/openssh7.4-peaktput.patch
+++ /dev/null
@@ -1,62 +0,0 @@
---- a/progressmeter.c
-+++ b/progressmeter.c
-@@ -69,6 +69,8 @@
- static off_t start_pos; /* initial position of transfer */
- static off_t end_pos; /* ending position of transfer */
- static off_t cur_pos; /* transfer position as of last refresh */
-+static off_t last_pos;
-+static off_t max_delta_pos = 0;
- static volatile off_t *counter; /* progress counter */
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
-@@ -128,12 +130,17 @@
- int hours, minutes, seconds;
- int i, len;
- int file_len;
-+ off_t delta_pos;
-
- transferred = *counter - (cur_pos ? cur_pos : start_pos);
- cur_pos = *counter;
- now = monotime_double();
- bytes_left = end_pos - cur_pos;
-
-+ delta_pos = cur_pos - last_pos;
-+ if (delta_pos > max_delta_pos)
-+ max_delta_pos = delta_pos;
-+
- if (bytes_left > 0)
- elapsed = now - last_update;
- else {
-@@ -158,7 +165,7 @@
-
- /* filename */
- buf[0] = '\0';
-- file_len = win_size - 35;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- len = snprintf(buf, file_len + 1, "\r%s", file);
- if (len < 0)
-@@ -188,6 +195,15 @@
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);
-
-+ /* instantaneous rate */
-+ if (bytes_left > 0)
-+ format_rate(buf + strlen(buf), win_size - strlen(buf),
-+ delta_pos);
-+ else
-+ format_rate(buf + strlen(buf), win_size - strlen(buf),
-+ max_delta_pos);
-+ strlcat(buf, "/s ", win_size);
-+
- /* ETA */
- if (!transferred)
- stalled += elapsed;
-@@ -224,6 +240,7 @@
-
- atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
- last_update = now;
-+ last_pos = cur_pos;
- }
-
- /*ARGSUSED*/
diff --git a/system/openssh/sftp-interactive.patch b/system/openssh/sftp-interactive.patch
deleted file mode 100644
index ab14f3a6b..000000000
--- a/system/openssh/sftp-interactive.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/sftp.c 2014-10-24 10:32:15.793544472 +0500
-+++ b/sftp.c 2014-10-24 10:35:22.329199875 +0500
-@@ -2076,8 +2076,10 @@
- signal(SIGINT, SIG_IGN);
-
- if (el == NULL) {
-- if (interactive)
-+ if (interactive) {
- printf("sftp> ");
-+ fflush(stdout);
-+ }
- if (fgets(cmd, sizeof(cmd), infile) == NULL) {
- if (interactive)
- printf("\n");
diff --git a/system/openssh/sshd.initd b/system/openssh/sshd.initd
index 065519174..e13924e2c 100755
--- a/system/openssh/sshd.initd
+++ b/system/openssh/sshd.initd
@@ -82,7 +82,12 @@ stop() {
eend $?
if [ "$RC_RUNLEVEL" = "shutdown" ]; then
- _sshd_pids=$(pgrep "${SSHD_BINARY##*/}")
+ local _p _sshd_pids
+ for _p in $(pgrep "${SSHD_BINARY##*/}"); do
+ [ "$(realpath /proc/$_p/exe)" = "${SSHD_BINARY}" ] \
+ || continue
+ _sshd_pids="$_sshd_pids $_p"
+ done
if [ -n "$_sshd_pids" ]; then
ebegin "Shutting down ssh connections"
kill -TERM $_sshd_pids >/dev/null 2>&1
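Review bot: The new `realpath /proc/$_p/exe` filter in stop() keeps only processes whose executable is exactly `${SSHD_BINARY}`, but with this package version the per-connection processes are `sshd-session` (installed under /usr/lib/ssh in the APKBUILD hunk), and after an upgrade a still-running old daemon reports its exe with a ` (deleted)` suffix, so in both cases the loop now skips the very processes this block exists to terminate at shutdown. The filter is a sensible hardening against killing unrelated processes that merely match the `pgrep` pattern, so keep it but widen the accepted paths, and silence `realpath` for a pid that exits between `pgrep` and the check. stop() begins before this hunk.
```shell
for _p in $(pgrep "${SSHD_BINARY##*/}"); do
    case "$(realpath /proc/$_p/exe 2>/dev/null)" in
        "${SSHD_BINARY}"|"${SSHD_BINARY} (deleted)"|/usr/lib/ssh/sshd-session*) ;;
        *) continue ;;
    esac
    _sshd_pids="$_sshd_pids $_p"
done
# … unchanged: ebegin / kill -TERM …
```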
diff --git a/system/openssh/utmpx.patch b/system/openssh/utmpx.patch
new file mode 100644
index 000000000..d3f24aa76
--- /dev/null
+++ b/system/openssh/utmpx.patch
@@ -0,0 +1,103 @@
+--- openssh-9.9p2/configure.ac.old 2025-02-18 02:15:08.000000000 -0600
++++ openssh-9.9p2/configure.ac 2025-02-18 20:57:12.172701096 -0600
+@@ -5449,7 +5449,9 @@
+ AC_MSG_CHECKING([if your system defines LASTLOG_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_LASTLOG_H
+ # include <lastlog.h>
+ #endif
+@@ -5466,7 +5468,9 @@
+ AC_MSG_CHECKING([if your system defines _PATH_LASTLOG])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_LASTLOG_H
+ # include <lastlog.h>
+ #endif
+@@ -5504,7 +5508,9 @@
+ AC_MSG_CHECKING([if your system defines UTMP_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #endif
+@@ -5534,7 +5540,9 @@
+ AC_MSG_CHECKING([if your system defines WTMP_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #endif
+@@ -5564,7 +5572,9 @@
+ AC_MSG_CHECKING([if your system defines WTMPX_FILE])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <sys/types.h>
+-#include <utmp.h>
++#ifdef HAVE_UTMP_H
++# include <utmp.h>
++#endif
+ #ifdef HAVE_UTMPX_H
+ #include <utmpx.h>
+ #endif
+--- openssh-9.9p2/loginrec.c.old 2025-02-18 02:15:08.000000000 -0600
++++ openssh-9.9p2/loginrec.c 2025-02-18 21:01:26.034757676 -0600
+@@ -614,7 +614,7 @@
+ ** into account.
+ **/
+
+-#if defined(USE_BTMP) || defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
++#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
+
+ /* build the utmp structure */
+ void
+@@ -698,7 +698,7 @@
+ }
+ # endif
+ }
+-#endif /* USE_BTMP || USE_UTMP || USE_WTMP || USE_LOGIN */
++#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */
+
+ /**
+ ** utmpx utility functions
+@@ -1644,7 +1644,13 @@
+ const char *ttyn)
+ {
+ int fd;
++#if defined(USE_UTMP)
+ struct utmp ut;
++#elif defined(USE_UTMPX)
++ struct utmpx ut;
++#else
++# error either UTMP or UTMPX must be present to use BTMP
++#endif
+ struct logininfo li;
+ socklen_t fromlen = sizeof(li.hostaddr);
+ time_t t;
+@@ -1681,7 +1687,11 @@
+ (void)getpeername(ssh_packet_get_connection_in(ssh),
+ &li.hostaddr.sa, &fromlen);
+ }
++#if defined(USE_UTMP)
+ construct_utmp(&li, &ut);
++#elif defined(USE_UTMPX)
++ construct_utmpx(&li, &ut);
++#endif
+
+ if (atomicio(vwrite, fd, &ut, sizeof(ut)) != sizeof(ut)) {
+ error("Failed to write to %s: %s", _PATH_BTMP,
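Review bot: The `#else` / `# error either UTMP or UTMPX must be present to use BTMP` fallback added in the btmp-recording function is stricter than the guard the same patch narrows near the top of loginrec.c: `construct_utmp` and `struct utmp` stay compiled when `USE_WTMP` or `USE_LOGIN` is defined, yet a build with `USE_BTMP` plus only `USE_WTMP` now fails at `#error` where the unpatched code used `struct utmp`. If that combination is meant to keep working, make the first branch in both added `#if` blocks `#if defined(USE_UTMP) || defined(USE_WTMP) || defined(USE_LOGIN)` to mirror the narrowed guard. Note also that the record written to `_PATH_BTMP` has a different size and layout depending on which branch is chosen, so whatever reads that file must be built against the same choice. The patch has no header comment; a few lines stating that it lets btmp recording use `struct utmpx` and makes the configure.ac probes tolerate a missing utmp.h would help the next maintainer, and the function excerpted here begins before the hunk.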