diff options
author | Marcin Juszkiewicz <hrw@openembedded.org> | 2005-12-20 12:59:18 +0000 |
---|---|---|
committer | OpenEmbedded Project <openembedded-devel@lists.openembedded.org> | 2005-12-20 12:59:18 +0000 |
commit | 6ff4fc9768de7fc490d215ff6f1fd4b25e505897 (patch) | |
tree | 503d8f1d0e537ec9d61adb8dc9a17ffcda9a27cf /packages/dropbear/dropbear-0.47 | |
parent | dcad9f821f496edc4c81670c06f737a379a78a31 (diff) |
dropbear: added 0.47
Note from upstream author about 0.47 and fix for older:
This release also fixes a potential security issue, which may allow
authenticated users to run arbitrary code as the server user. I'm unsure
exactly how likely it is to be exploitable, but anyone who's running a
multi-user server is advised to upgrade.
Diffstat (limited to 'packages/dropbear/dropbear-0.47')
5 files changed, 96 insertions, 0 deletions
diff --git a/packages/dropbear/dropbear-0.47/.mtn2git_empty b/packages/dropbear/dropbear-0.47/.mtn2git_empty new file mode 100644 index 0000000000..e69de29bb2 --- /dev/null +++ b/packages/dropbear/dropbear-0.47/.mtn2git_empty diff --git a/packages/dropbear/dropbear-0.47/allow-nopw.patch b/packages/dropbear/dropbear-0.47/allow-nopw.patch new file mode 100644 index 0000000000..1a709b8da0 --- /dev/null +++ b/packages/dropbear/dropbear-0.47/allow-nopw.patch @@ -0,0 +1,37 @@ +diff -Nurd dropbear-0.45/svr-auth.c dropbear-0.45.patched/svr-auth.c +--- dropbear-0.45/svr-auth.c 2005-03-06 20:27:02.000000000 -0800 ++++ dropbear-0.45.patched/svr-auth.c 2005-03-08 15:22:43.998592744 -0800 +@@ -237,6 +237,7 @@ + } + + /* check for an empty password */ ++#ifdef DISALLOW_EMPTY_PW + if (ses.authstate.pw->pw_passwd[0] == '\0') { + TRACE(("leave checkusername: empty pword")) + dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected", +@@ -244,7 +245,7 @@ + send_msg_userauth_failure(0, 1); + return DROPBEAR_FAILURE; + } +- ++#endif + TRACE(("shell is %s", ses.authstate.pw->pw_shell)) + + /* check that the shell is set */ +diff -Nurd dropbear-0.45/svr-authpasswd.c dropbear-0.45.patched/svr-authpasswd.c +--- dropbear-0.45/svr-authpasswd.c 2005-03-06 20:27:02.000000000 -0800 ++++ dropbear-0.45.patched/svr-authpasswd.c 2005-03-08 15:22:44.010591023 -0800 +@@ -64,9 +64,13 @@ + * since the shadow password may differ to that tested + * in auth.c */ + if (passwdcrypt[0] == '\0') { ++#ifdef DISALLOW_EMPTY_PASSWD + dropbear_log(LOG_WARNING, "user '%s' has blank password, rejected", + ses.authstate.printableuser); + send_msg_userauth_failure(0, 1); ++#else ++ send_msg_userauth_success(); ++#endif + return; + } + diff --git a/packages/dropbear/dropbear-0.47/configure.patch b/packages/dropbear/dropbear-0.47/configure.patch new file mode 100644 index 0000000000..9ae84b2604 --- /dev/null +++ b/packages/dropbear/dropbear-0.47/configure.patch @@ -0,0 +1,27 @@ +diff -Nurd dropbear-0.45/configure.in dropbear-0.45.patched/configure.in +--- dropbear-0.45/configure.in 2005-03-06 20:27:02.000000000 -0800 ++++ dropbear-0.45.patched/configure.in 2005-03-08 15:22:44.040586721 -0800 +@@ -161,15 +161,20 @@ + AC_MSG_RESULT(Not using openpty) + else + AC_MSG_RESULT(Using openpty if available) +- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)]) ++ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes]) + fi + ], + [ + AC_MSG_RESULT(Using openpty if available) +- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY)]) ++ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes]) + ] + ) +- ++ ++if test "x$dropbear_cv_func_have_openpty" = "xyes"; then ++ AC_DEFINE(HAVE_OPENPTY,,Have openpty() function) ++ no_ptc_check=yes ++ no_ptmx_check=yes ++fi + + AC_ARG_ENABLE(syslog, + [ --disable-syslog Don't include syslog support], diff --git a/packages/dropbear/dropbear-0.47/fix-2kb-keys.patch b/packages/dropbear/dropbear-0.47/fix-2kb-keys.patch new file mode 100644 index 0000000000..ba2b19d44a --- /dev/null +++ b/packages/dropbear/dropbear-0.47/fix-2kb-keys.patch @@ -0,0 +1,11 @@ +diff -Nurd dropbear-0.45/kex.h dropbear-0.45.patched/kex.h +--- dropbear-0.45/kex.h 2005-03-06 20:27:02.000000000 -0800 ++++ dropbear-0.45.patched/kex.h 2005-03-08 15:22:44.064583279 -0800 +@@ -64,6 +64,6 @@ + + }; + +-#define MAX_KEXHASHBUF 2000 ++#define MAX_KEXHASHBUF 3000 + + #endif /* _KEX_H_ */ diff --git a/packages/dropbear/dropbear-0.47/urandom-xauth-changes-to-options.h.patch b/packages/dropbear/dropbear-0.47/urandom-xauth-changes-to-options.h.patch new file mode 100644 index 0000000000..e2b1dd5da5 --- /dev/null +++ b/packages/dropbear/dropbear-0.47/urandom-xauth-changes-to-options.h.patch @@ -0,0 +1,21 @@ +diff -Nurd dropbear-0.45/options.h dropbear-0.45.patched/options.h +--- dropbear-0.45/options.h 2005-03-06 20:27:02.000000000 -0800 ++++ dropbear-0.45.patched/options.h 2005-03-08 15:25:09.368742090 -0800 +@@ -143,7 +143,7 @@ + * however significantly reduce the security of your ssh connections + * if the PRNG state becomes guessable - make sure you know what you are + * doing if you change this. */ +-#define DROPBEAR_RANDOM_DEV "/dev/random" ++#define DROPBEAR_RANDOM_DEV "/dev/urandom" + + /* prngd must be manually set up to produce output */ + /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ +@@ -167,7 +167,7 @@ + /* The command to invoke for xauth when using X11 forwarding. + * "-q" for quiet */ + #ifndef XAUTH_COMMAND +-#define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q" ++#define XAUTH_COMMAND "xauth -q" + #endif + + /* if you want to enable running an sftp server (such as the one included with |