diff options
author | Waldemar Brodkorb <wbx@openadk.org> | 2017-05-24 16:49:09 +0200 |
---|---|---|
committer | Waldemar Brodkorb <wbx@openadk.org> | 2017-05-24 16:49:09 +0200 |
commit | d27e9056a96b8eebd987e039d0c5a54023a35577 (patch) | |
tree | 8cbb0448373053d1324230bf624b6ae91934c4ad /package/dropbear | |
parent | 122a6698ca001699ab0f8c3aea7706a1353d2784 (diff) |
dropbear: update to 2017.75
Diffstat (limited to 'package/dropbear')
-rw-r--r-- | package/dropbear/Makefile | 6 | ||||
-rw-r--r-- | package/dropbear/patches/patch-svr-authpubkey_c | 109 |
2 files changed, 88 insertions, 27 deletions
diff --git a/package/dropbear/Makefile b/package/dropbear/Makefile index f92f6609c..7a3f2b074 100644 --- a/package/dropbear/Makefile +++ b/package/dropbear/Makefile @@ -4,9 +4,9 @@ include $(ADK_TOPDIR)/rules.mk PKG_NAME:= dropbear -PKG_VERSION:= 2016.74 -PKG_RELEASE:= 2 -PKG_HASH:= 2720ea54ed009af812701bcc290a2a601d5c107d12993e5d92c0f5f81f718891 +PKG_VERSION:= 2017.75 +PKG_RELEASE:= 1 +PKG_HASH:= 6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c PKG_DESCR:= ssh server/client designed for embedded systems PKG_SECTION:= net/security PKG_URL:= http://matt.ucc.asn.au/dropbear/ diff --git a/package/dropbear/patches/patch-svr-authpubkey_c b/package/dropbear/patches/patch-svr-authpubkey_c index 90ec56d9e..fe63792f7 100644 --- a/package/dropbear/patches/patch-svr-authpubkey_c +++ b/package/dropbear/patches/patch-svr-authpubkey_c @@ -1,46 +1,107 @@ -$Id: update-patches 24 2008-08-31 14:56:13Z wbx $ ---- dropbear-2014.63.orig/svr-authpubkey.c 2014-02-19 15:05:24.000000000 +0100 -+++ dropbear-2014.63/svr-authpubkey.c 2014-02-27 16:29:05.000000000 +0100 -@@ -208,6 +208,8 @@ static int checkpubkey(unsigned char* al +--- dropbear-2017.75.orig/svr-authpubkey.c 2017-05-18 16:47:02.000000000 +0200 ++++ dropbear-2017.75/svr-authpubkey.c 2017-05-24 00:12:02.175883130 +0200 +@@ -220,24 +220,31 @@ static int checkpubkey(char* algo, unsig goto out; } +- /* we don't need to check pw and pw_dir for validity, since +- * its been done in checkpubkeyperms. */ +- len = strlen(ses.authstate.pw_dir); +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", +- ses.authstate.pw_dir); ++ /* special case for root authorized_keys in /etc/dropbear/authorized_keys */ + if (ses.authstate.pw_uid != 0) { -+ - /* we don't need to check pw and pw_dir for validity, since - * its been done in checkpubkeyperms. */ - len = strlen(ses.authstate.pw_dir); -@@ -219,6 +221,9 @@ static int checkpubkey(unsigned char* al - /* open the file */ - authfile = fopen(filename, "r"); +- /* open the file as the authenticating user. */ +- origuid = getuid(); +- origgid = getgid(); +- if ((setegid(ses.authstate.pw_gid)) < 0 || +- (seteuid(ses.authstate.pw_uid)) < 0) { +- dropbear_exit("Failed to set euid"); +- } ++ /* we don't need to check pw and pw_dir for validity, since ++ * its been done in checkpubkeyperms. */ ++ len = strlen(ses.authstate.pw_dir); ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", ++ ses.authstate.pw_dir); + +- authfile = fopen(filename, "r"); ++ /* open the file as the authenticating user. */ ++ origuid = getuid(); ++ origgid = getgid(); ++ if ((setegid(ses.authstate.pw_gid)) < 0 || ++ (seteuid(ses.authstate.pw_uid)) < 0) { ++ dropbear_exit("Failed to set euid"); ++ } ++ ++ authfile = fopen(filename, "r"); ++ + } else { + authfile = fopen("/etc/dropbear/authorized_keys","r"); + } - if (authfile == NULL) { - goto out; - } -@@ -371,6 +376,8 @@ static int checkpubkeyperms() { + + if ((seteuid(origuid)) < 0 || + (setegid(origgid)) < 0) { +@@ -396,26 +403,39 @@ static int checkpubkeyperms() { goto out; } +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- strncpy(filename, ses.authstate.pw_dir, len+1); + if (ses.authstate.pw_uid != 0) { + +- /* check ~ */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ strncpy(filename, ses.authstate.pw_dir, len+1); + +- /* check ~/.ssh */ +- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } ++ /* check ~ */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* check ~/.ssh */ ++ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* now check ~/.ssh/authorized_keys */ ++ strncat(filename, "/authorized_keys", 16); ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } + - /* allocate max required pathname storage, - * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ - filename = m_malloc(len + 22); -@@ -392,6 +399,14 @@ static int checkpubkeyperms() { - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; - } + } else { ++ + if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { + goto out; + } + if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { + goto out; + } -+ } + +- /* now check ~/.ssh/authorized_keys */ +- strncat(filename, "/authorized_keys", 16); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; + } /* file looks ok, return success */ - ret = DROPBEAR_SUCCESS; |