Fixes from upstream for minor DOS #148228.

Package-Manager: portage-2.1.2_pre1
author: Mike Frysinger <vapier@gentoo.org> 2006-09-20 23:10:35 +0000
committer: Mike Frysinger <vapier@gentoo.org> 2006-09-20 23:10:35 +0000
commit: bd1b9f13d5097d5184ef2280a19e780a26fbcf56 (patch)
tree: 30ab560fbddb6fc931b11408a284c54918dccf2c /net-misc/openssh
parent: rename patch (diff)
download: historical-bd1b9f13d5097d5184ef2280a19e780a26fbcf56.tar.gz
historical-bd1b9f13d5097d5184ef2280a19e780a26fbcf56.tar.bz2
historical-bd1b9f13d5097d5184ef2280a19e780a26fbcf56.zip
8 files changed, 418 insertions, 24 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog
index bfa60169e5f7..4a570cb880f7 100644
--- a/net-misc/openssh/ChangeLog
+++ b/net-misc/openssh/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for net-misc/openssh
 # Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.183 2006/09/08 04:37:14 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.184 2006/09/20 23:10:35 vapier Exp $
+
+*openssh-4.3_p2-r3 (20 Sep 2006)
+
+  20 Sep 2006; Mike Frysinger <vapier@gentoo.org>
+  +files/openssh-4.3_p1-chroot.patch,
+  +files/openssh-4.3_p2-identical-simple-dos.patch, files/sshd.confd,
+  files/sshd.rc6, +openssh-4.3_p2-r3.ebuild:
+  Fixes from upstream for minor DOS #148228.
 
   08 Sep 2006; Mike Frysinger <vapier@gentoo.org> openssh-4.3_p2-r2.ebuild:
   Remove ugly flag mangling and fix building with USE=static #146654 by
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 9450dde3cb3f..b3596d5ea849 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -77,6 +77,10 @@ AUX openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2 5735 RMD160 0181f78244cb85bb
 MD5 5432b9750ba57246a2ea46edb9000513 files/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2 5735
 RMD160 0181f78244cb85bb8964f5f4633a858449b43ab6 files/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2 5735
 SHA256 f3bebe98c0237b1b32a7343277d4d8ef8e5e61d8914e178c45af78346e92a654 files/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2 5735
+AUX openssh-4.3_p1-chroot.patch 1034 RMD160 5971fa1466fd9817a8ec811329a8129fcd651bec SHA1 f580aa1a180397b422193c3ebb4cc69eaa7007a0 SHA256 ccedff9ba82db6782ff80cfcafa6bd1dc754f564e61a4e789b792aaa6b3d4fc3
+MD5 5ebc9ea58d60b24a9bec95749ec36d78 files/openssh-4.3_p1-chroot.patch 1034
+RMD160 5971fa1466fd9817a8ec811329a8129fcd651bec files/openssh-4.3_p1-chroot.patch 1034
+SHA256 ccedff9ba82db6782ff80cfcafa6bd1dc754f564e61a4e789b792aaa6b3d4fc3 files/openssh-4.3_p1-chroot.patch 1034
 AUX openssh-4.3_p1-krb5-typos.patch 301 RMD160 3b1a82e230c870269f9aa25cd73e9c5be03db3f6 SHA1 dfdca93a5ffd99cdee0f8ed42ece38c06546b674 SHA256 98310c487625b5dbd86f4a2c1acd00c223911b6a7e505455bc4196063fa38b9c
 MD5 50f8706c29e6d5c509c64cfba22a78b1 files/openssh-4.3_p1-krb5-typos.patch 301
 RMD160 3b1a82e230c870269f9aa25cd73e9c5be03db3f6 files/openssh-4.3_p1-krb5-typos.patch 301
@@ -85,6 +89,10 @@ AUX openssh-4.3_p2-configure.patch 257 RMD160 379a712ed223d3a710dcddd82b67597b72
 MD5 52ae898ce6a32ab57ae44d83f831dafb files/openssh-4.3_p2-configure.patch 257
 RMD160 379a712ed223d3a710dcddd82b67597b7242d65e files/openssh-4.3_p2-configure.patch 257
 SHA256 5e78fc71f8f4622b40a3e83d12721306e67c669513f1645073cb77f03761a62a files/openssh-4.3_p2-configure.patch 257
+AUX openssh-4.3_p2-identical-simple-dos.patch 4169 RMD160 28aa8390109a50c8948f852898b1be1896027e32 SHA1 90a1e752de3e02cbe86d929dfb88d37ded9dffe1 SHA256 a53bab3ca17f42a7fd72941661d37f4dac1511188cb97e9d5db0638a99cc2441
+MD5 aa7b85cdff9f299a7a897f2cd8b9fd8a files/openssh-4.3_p2-identical-simple-dos.patch 4169
+RMD160 28aa8390109a50c8948f852898b1be1896027e32 files/openssh-4.3_p2-identical-simple-dos.patch 4169
+SHA256 a53bab3ca17f42a7fd72941661d37f4dac1511188cb97e9d5db0638a99cc2441 files/openssh-4.3_p2-identical-simple-dos.patch 4169
 AUX openssh-4.3_p2-securid-hpn-glue.patch 1731 RMD160 47eb05afaf9e0f27d4d838dd32ad36ca13ae494f SHA1 9bb463592299564c8bf6064acb15693cb6486cbf SHA256 7cafbe9c840878561e5692a810a9f503a3f5a02f39f674801c8d7858166fdc4d
 MD5 aa56fc6ed586b9c51b652e39dc034986 files/openssh-4.3_p2-securid-hpn-glue.patch 1731
 RMD160 47eb05afaf9e0f27d4d838dd32ad36ca13ae494f files/openssh-4.3_p2-securid-hpn-glue.patch 1731
@@ -105,10 +113,10 @@ AUX openssh-securid-1.3.1-updates.patch 445 RMD160 b1db3dfa75f7e03d0dff41e85e285
 MD5 eca7ba0b23754a710b42a79c1fb5e248 files/openssh-securid-1.3.1-updates.patch 445
 RMD160 b1db3dfa75f7e03d0dff41e85e285f8b749f27f0 files/openssh-securid-1.3.1-updates.patch 445
 SHA256 11c95cc508d20c8eb1e8faa0d2b5e68346cbb93db8fb560cfa8b4d2c0d1104b3 files/openssh-securid-1.3.1-updates.patch 445
-AUX sshd.confd 223 RMD160 8705077fa2f09d42db286008cda2a65becc1a307 SHA1 cea73f12016cf457339b91208a315ae11ede3684 SHA256 b855256383de617696445f39f39cb96a579a3311d93acbf9d37437dc0bf14efb
-MD5 f63b0b7359fba745965a6d302a33762c files/sshd.confd 223
-RMD160 8705077fa2f09d42db286008cda2a65becc1a307 files/sshd.confd 223
-SHA256 b855256383de617696445f39f39cb96a579a3311d93acbf9d37437dc0bf14efb files/sshd.confd 223
+AUX sshd.confd 396 RMD160 029680b2281961130a815ef599750c4fc4e84987 SHA1 23c283d0967944b6125be26ed4628f49abf586b2 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41
+MD5 b35e9f3829f4cfca07168fcba98749c7 files/sshd.confd 396
+RMD160 029680b2281961130a815ef599750c4fc4e84987 files/sshd.confd 396
+SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 files/sshd.confd 396
 AUX sshd.pam 294 RMD160 1d4499a7de54188e51e87a240ec7a1b3b1af583d SHA1 4cd17fb40793fa9ca77ac93698129f2c8cafd7b8 SHA256 f01cc51c624b21a815fb6c0be35edc590e2e6f8a5ffbdcabc220a9630517972f
 MD5 b86ae0c43a704c4ee2abd2ce5c955f8f files/sshd.pam 294
 RMD160 1d4499a7de54188e51e87a240ec7a1b3b1af583d files/sshd.pam 294
@@ -117,10 +125,10 @@ AUX sshd.pam_include 205 RMD160 6b20ea83c69ef613d75daf43515aaec88d4cd815 SHA1 12
 MD5 2b66f75047edfac5d5e6cdbffa35383e files/sshd.pam_include 205
 RMD160 6b20ea83c69ef613d75daf43515aaec88d4cd815 files/sshd.pam_include 205
 SHA256 8d59135e96f4eff6b80c143b82cced7beb0bbca19ff91b479f1ba92916243d5e files/sshd.pam_include 205
-AUX sshd.rc6 1797 RMD160 896e47a5df3a7b7d6602e8a2853b8deddc00f77b SHA1 01fed78582fd158816228ad3e30436de0f66f0cd SHA256 988140af34ec5f4943e50f07e3c7933ae2aa2dc5e692c097cf769420d436d6fe
-MD5 040058236238ec4a94d3abb8a4e532e9 files/sshd.rc6 1797
-RMD160 896e47a5df3a7b7d6602e8a2853b8deddc00f77b files/sshd.rc6 1797
-SHA256 988140af34ec5f4943e50f07e3c7933ae2aa2dc5e692c097cf769420d436d6fe files/sshd.rc6 1797
+AUX sshd.rc6 1895 RMD160 ab773dbbe1b539a3639e321ec5c4d18c6a697912 SHA1 5f8abade6a9945ca433e03d5bb7664488b03615e SHA256 068251ba84e72d06fa96e935ed575ad75b2dc607d73ca48e440884c625883f67
+MD5 ef24fb627241356bac4842d52ae10a55 files/sshd.rc6 1895
+RMD160 ab773dbbe1b539a3639e321ec5c4d18c6a697912 files/sshd.rc6 1895
+SHA256 068251ba84e72d06fa96e935ed575ad75b2dc607d73ca48e440884c625883f67 files/sshd.rc6 1895
 DIST openssh-3.9p1+x509-5.3.diff.gz 126331 RMD160 7b33dc161664f7bc155a19a09c603b1938924b75 SHA1 9ba617a24da8ac9177e96863cbb05b591e37c457 SHA256 4d1a8cc0a40d45a3e8f5ffa3fa70ad8d5b4141adf0e04c1643acf30ff80899df
 DIST openssh-3.9p1-hpn11.diff 13237 RMD160 02e9a3c12e289ef7dea5b7d81ec5b2e06580b7d0 SHA1 a3140a0a206bdbcad91f6379ed3d0c596167b464 SHA256 ce83e3c38fe79c85f371e8e1a47d45085dd08b7e4604f7291264e36d9ebb35fe
 DIST openssh-3.9p1.tar.gz 854027 RMD160 e4abf280a18e3ae046d0dee19dab919bba8e5568 SHA1 80b19d83a9d4717f5c38b2d950501e1471f60afc SHA256 e119eb9b09c13ddd945a0105f19b05983e62de0bac167264f055f93115048090
@@ -176,10 +184,14 @@ EBUILD openssh-4.3_p2-r2.ebuild 5636 RMD160 51e6cafacd7250dac487b9ce7e1baa74ef85
 MD5 b8fe47224e3f6922350e72323fad75ca openssh-4.3_p2-r2.ebuild 5636
 RMD160 51e6cafacd7250dac487b9ce7e1baa74ef8575f0 openssh-4.3_p2-r2.ebuild 5636
 SHA256 b8826a7e1a83a26d2d9ce3318e0dbbb86e1fe522fd7f447579f166da7c431339 openssh-4.3_p2-r2.ebuild 5636
-MISC ChangeLog 29928 RMD160 bcbbb454f64750e9874a073263e7104560db95fb SHA1 c3959cd6cb7db748ec0717467ad826c9db22c89c SHA256 349b799fa7ddb61fd3a66a233206629bbdf946ed18328d3273c3e7e39b3952ab
-MD5 4870752bc2c8953a5f7cb6c068b3c104 ChangeLog 29928
-RMD160 bcbbb454f64750e9874a073263e7104560db95fb ChangeLog 29928
-SHA256 349b799fa7ddb61fd3a66a233206629bbdf946ed18328d3273c3e7e39b3952ab ChangeLog 29928
+EBUILD openssh-4.3_p2-r3.ebuild 5746 RMD160 a73d46230fadedb8a7c7d88ed905799be504391f SHA1 e21e0ff2d766ebf3c6497a29615eb7184fe143cd SHA256 85a294d3368cae8e352c18ac00f75f947d42408a372e07517345c276f347dd16
+MD5 781e1ef2fc650e040ca4894aeba91ac4 openssh-4.3_p2-r3.ebuild 5746
+RMD160 a73d46230fadedb8a7c7d88ed905799be504391f openssh-4.3_p2-r3.ebuild 5746
+SHA256 85a294d3368cae8e352c18ac00f75f947d42408a372e07517345c276f347dd16 openssh-4.3_p2-r3.ebuild 5746
+MISC ChangeLog 30211 RMD160 ba331b3d4f75c6a6e8f1fe902f00b6c0fa0136e7 SHA1 24ca24991de3f6395018fbfc298ee59c62c91f8a SHA256 4b711a9916e24b2e65874347758da45efd5cbb2aa51a753c0e8e57cbca050c0b
+MD5 dfbc5ae9c320d65be53d1263bad405b0 ChangeLog 30211
+RMD160 ba331b3d4f75c6a6e8f1fe902f00b6c0fa0136e7 ChangeLog 30211
+SHA256 4b711a9916e24b2e65874347758da45efd5cbb2aa51a753c0e8e57cbca050c0b ChangeLog 30211
 MISC metadata.xml 1287 RMD160 9be6778c10712b2613792647256f309898f52828 SHA1 38d05973334ed37cb9ee3778df3cf3b1369b6b81 SHA256 fbd731005f40dec6baf09aae0ba15a994e1ae448f4aa70ecd078db4b1a2feda3
 MD5 d536c311ded25994241e9708f293c9f7 metadata.xml 1287
 RMD160 9be6778c10712b2613792647256f309898f52828 metadata.xml 1287
@@ -205,10 +217,13 @@ SHA256 4210237ac3ff08d3c6fa2094fbf37cca3fc91b22d2c728c653efb36f820054de files/di
 MD5 0d0254ed9210821ca64914bd75a158a0 files/digest-openssh-4.3_p2-r2 1343
 RMD160 956c689e98e6be7279d8cffab44e6182f20f6621 files/digest-openssh-4.3_p2-r2 1343
 SHA256 a02a26ccb3fdf24c5b0a7196af3bb5273e61193f91fa383d479dc9e0e959630c files/digest-openssh-4.3_p2-r2 1343
+MD5 0d0254ed9210821ca64914bd75a158a0 files/digest-openssh-4.3_p2-r3 1343
+RMD160 956c689e98e6be7279d8cffab44e6182f20f6621 files/digest-openssh-4.3_p2-r3 1343
+SHA256 a02a26ccb3fdf24c5b0a7196af3bb5273e61193f91fa383d479dc9e0e959630c files/digest-openssh-4.3_p2-r3 1343
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.5 (GNU/Linux)
 
-iD8DBQFFAzmCamhnQswr0vIRAivmAJ9WILWl8jw/+gdSZtfdpQBJO3n/WwCffPSn
-I6VNHPF46ebtJk9oOhiqk+g=
-=Medv
+iD8DBQFFEcqbamhnQswr0vIRAmnbAJ9htiXCIasfM650+h20JcoiqWrMigCeL1tC
+4ESthUKLsc3fhNn/m9DZnX8=
+=VOj9
 -----END PGP SIGNATURE-----
diff --git a/net-misc/openssh/files/digest-openssh-4.3_p2-r3 b/net-misc/openssh/files/digest-openssh-4.3_p2-r3
new file mode 100644
index 000000000000..adb9f80e2b55
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-4.3_p2-r3
@@ -0,0 +1,15 @@
+MD5 3611a21a0098c32416d4b8f75232c796 openssh-4.3p2+SecurID_v1.3.2.patch 47650
+RMD160 90c719e8b7576d06bda5fdfb86287bfa577c5e1a openssh-4.3p2+SecurID_v1.3.2.patch 47650
+SHA256 d6fc92a11c23f3fa0c77f50e6d76cb6c6635ae4907df724a12e460b90c90e988 openssh-4.3p2+SecurID_v1.3.2.patch 47650
+MD5 bc93a31436941ae32e7f9d20c592eca7 openssh-4.3p2+x509-5.5.diff.gz 136017
+RMD160 21069550bbb05ea22870da853f68ee9910b2b71e openssh-4.3p2+x509-5.5.diff.gz 136017
+SHA256 b62ee8afd927d9c97367ac738be55464327deacabf803a610159a98c569e72ad openssh-4.3p2+x509-5.5.diff.gz 136017
+MD5 41b69edab053387f5233798864fcec74 openssh-4.3p2-hpn12-gentoo.patch.bz2 13642
+RMD160 34fd5390d602a9ab99edb25756318cc0dd842360 openssh-4.3p2-hpn12-gentoo.patch.bz2 13642
+SHA256 14d8ec5601bf1977f583a45353213a2dc4e8a453e3fc9c7a65499d0645cc9063 openssh-4.3p2-hpn12-gentoo.patch.bz2 13642
+MD5 7e9880ac20a9b9db0d3fea30a9ff3d46 openssh-4.3p2.tar.gz 941455
+RMD160 ccd5967e3296347e6dd2be43c3d6caacde2b6833 openssh-4.3p2.tar.gz 941455
+SHA256 4ba757d6c933e7d075b6424124d92d197eb5d91e4a58794596b67f5f0ca21d4f openssh-4.3p2.tar.gz 941455
+MD5 d9eacb819a73daddb3d21ca7aa8e5c25 openssh-lpk-4.3p1-0.3.7.patch 60451
+RMD160 fda93b8ee3ef9b633947784fe84a9eed2acbd325 openssh-lpk-4.3p1-0.3.7.patch 60451
+SHA256 0bcfa28804caf685de2248ddc966666196f6df81d1d058066f2da17714518af4 openssh-lpk-4.3p1-0.3.7.patch 60451
diff --git a/net-misc/openssh/files/openssh-4.3_p1-chroot.patch b/net-misc/openssh/files/openssh-4.3_p1-chroot.patch
new file mode 100644
index 000000000000..e9ca7ae94ec4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.3_p1-chroot.patch
@@ -0,0 +1,54 @@
+http://chrootssh.sourceforge.net/
+
+--- openssh-4.3p1/session.c
++++ openssh-4.3p1/session.c
+@@ -59,6 +59,8 @@
+ #include "kex.h"
+ #include "monitor_wrap.h"
+ 
++#define CHROOT
++
+ #if defined(KRB5) && defined(USE_AFS)
+ #include <kafs.h>
+ #endif
+@@ -1251,6 +1253,11 @@
+ void
+ do_setusercontext(struct passwd *pw)
+ {
++#ifdef CHROOT
++	char *user_dir;
++	char *new_root;
++#endif /* CHROOT */
++
+ #ifndef HAVE_CYGWIN
+ 	if (getuid() == 0 || geteuid() == 0)
+ #endif /* HAVE_CYGWIN */
+@@ -1308,6 +1315,27 @@
+ 			restore_uid();
+ 		}
+ #endif
++
++#ifdef CHROOT
++	user_dir = xstrdup(pw->pw_dir);
++	new_root = user_dir + 1;
++
++	while ((new_root = strchr(new_root, '.')) != NULL) {
++		new_root--;
++		if (strncmp(new_root, "/./", 3) == 0) {
++			*new_root = '\0';
++			new_root += 2;
++
++			if(chroot(user_dir) != 0)
++				fatal("Couldn't chroot to user's directory %s", user_dir);
++			pw->pw_dir = new_root;
++			break;
++		}
++
++		new_root += 2;
++	}
++#endif /* CHROOT */
++
+ # ifdef USE_PAM
+ 		/*
+ 		 * PAM credentials may take the form of supplementary groups.
+
diff --git a/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos.patch b/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos.patch
new file mode 100644
index 000000000000..84c043fe6544
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.3_p2-identical-simple-dos.patch
@@ -0,0 +1,119 @@
+http://bugs.gentoo.org/148228
+
+taken from upstream cvs and munged a little to apply against 4.3p2
+
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.c,v
+retrieving revision 1.29
+retrieving revision 1.30
+diff -u -r1.29 -r1.30
+--- src/usr.bin/ssh/deattack.c	2006/08/03 03:34:42	1.29
++++ src/usr.bin/ssh/deattack.c	2006/09/16 19:53:37	1.30
+@@ -30,6 +30,24 @@
+ #include "crc32.h"
+ #include "misc.h"
+ 
++/*
++ * CRC attack detection has a worst-case behaviour that is O(N^3) over
++ * the number of identical blocks in a packet. This behaviour can be 
++ * exploited to create a limited denial of service attack. 
++ * 
++ * However, because we are dealing with encrypted data, identical
++ * blocks should only occur every 2^35 maximally-sized packets or so. 
++ * Consequently, we can detect this DoS by looking for identical blocks
++ * in a packet.
++ *
++ * The parameter below determines how many identical blocks we will
++ * accept in a single packet, trading off between attack detection and
++ * likelihood of terminating a legitimate connection. A value of 32 
++ * corresponds to an average of 2^40 messages before an attack is
++ * misdetected
++ */
++#define MAX_IDENTICAL	32
++
+ /* SSH Constants */
+ #define SSH_MAXBLOCKS	(32 * 1024)
+ #define SSH_BLOCKSIZE	(8)
+@@ -85,7 +103,7 @@
+ 	static u_int16_t *h = (u_int16_t *) NULL;
+ 	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+ 	u_int32_t i, j;
+-	u_int32_t l;
++	u_int32_t l, same;
+ 	u_char *c;
+ 	u_char *d;
+ 
+@@ -122,11 +140,13 @@
+ 	if (IV)
+ 		h[HASH(IV) & (n - 1)] = HASH_IV;
+ 
+-	for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
++	for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+ 		for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
+ 		    i = (i + 1) & (n - 1)) {
+ 			if (h[i] == HASH_IV) {
+ 				if (!CMP(c, IV)) {
++					if (++same > MAX_IDENTICAL)
++						return (DEATTACK_DOS_DETECTED);
+ 					if (check_crc(c, buf, len, IV))
+ 						return (DEATTACK_DETECTED);
+ 					else
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v
+retrieving revision 1.143
+retrieving revision 1.144
+diff -u -r1.143 -r1.144
+--- src/usr.bin/ssh/packet.c	2006/08/05 08:34:04	1.143
++++ src/usr.bin/ssh/packet.c	2006/09/16 19:53:37	1.144
+@@ -991,9 +991,16 @@
+ 	 * (C)1998 CORE-SDI, Buenos Aires Argentina
+ 	 * Ariel Futoransky(futo@core-sdi.com)
+ 	 */
+-	if (!receive_context.plaintext &&
+-	    detect_attack(buffer_ptr(&input), padded_len, NULL) == DEATTACK_DETECTED)
+-		packet_disconnect("crc32 compensation attack: network attack detected");
++	if (!receive_context.plaintext) {
++		switch (detect_attack(buffer_ptr(&input), padded_len, NULL)) {
++		case DEATTACK_DETECTED:
++			packet_disconnect("crc32 compensation attack: "
++			    "network attack detected");
++		case DEATTACK_DOS_DETECTED:
++			packet_disconnect("deattack denial of "
++			    "service detected");
++		}
++	}
+ 
+ 	/* Decrypt data to incoming_packet. */
+ 	buffer_clear(&incoming_packet);
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/deattack.h,v
+retrieving revision 1.9
+retrieving revision 1.10
+diff -u -r1.9 -r1.10
+--- src/usr.bin/ssh/deattack.h	2006/03/25 22:22:43	1.9
++++ src/usr.bin/ssh/deattack.h	2006/09/16 19:53:37	1.10
+@@ -25,6 +25,7 @@
+ /* Return codes */
+ #define DEATTACK_OK		0
+ #define DEATTACK_DETECTED	1
++#define DEATTACK_DOS_DETECTED	2
+ 
+ int	 detect_attack(u_char *, u_int32_t);
+ #endif
+===================================================================
+RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/packet.c,v
+retrieving revision 1.144
+retrieving revision 1.145
+diff -u -r1.144 -r1.145
+--- src/usr.bin/ssh/packet.c	2006/09/16 19:53:37	1.144
++++ src/usr.bin/ssh/packet.c	2006/09/19 21:14:08	1.145
+@@ -682,6 +682,9 @@
+ 	 */
+ 	after_authentication = 1;
+ 	for (mode = 0; mode < MODE_MAX; mode++) {
++		/* protocol error: USERAUTH_SUCCESS received before NEWKEYS */
++		if (newkeys[mode] == NULL)
++			continue;
+ 		comp = &newkeys[mode]->comp;
+ 		if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
+ 			packet_init_compression();
diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
index 8e75908369be..28952b4a285a 100644
--- a/net-misc/openssh/files/sshd.confd
+++ b/net-misc/openssh/files/sshd.confd
@@ -4,7 +4,18 @@
 
 SSHD_CONFDIR="/etc/ssh"
 
+
 # Any random options you want to pass to sshd.
 # See the sshd(8) manpage for more info.
 
 SSHD_OPTS=""
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="/var/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/net-misc/openssh/files/sshd.rc6 b/net-misc/openssh/files/sshd.rc6
index 139f9cb8364e..77cfc5a4f4e1 100644
--- a/net-misc/openssh/files/sshd.rc6
+++ b/net-misc/openssh/files/sshd.rc6
@@ -1,7 +1,7 @@
 #!/sbin/runscript
 # Copyright 1999-2006 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.19 2006/02/28 00:09:52 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.20 2006/09/20 23:10:35 vapier Exp $
 
 opts="reload"
 
@@ -11,6 +11,8 @@ depend() {
 }
 
 SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
+SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
+SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
 
 checkconfig() {
 	if [[ ! -d /var/empty ]] ; then
@@ -19,13 +21,13 @@ checkconfig() {
 
 	if [[ ! -e ${SSHD_CONFDIR}/sshd_config ]] ; then
 		eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
-		eerror "There is a sample file in  /usr/share/doc/openssh"
+		eerror "There is a sample file in /usr/share/doc/openssh"
 		return 1
 	fi
 
 	gen_keys || return 1
 
-	/usr/sbin/sshd -t ${myopts} || return 1
+	${SSHD_BINARY} -t ${myopts} || return 1
 }
 
 gen_keys() {
@@ -46,24 +48,26 @@ gen_keys() {
 
 start() {
 	local myopts=""
-	[[ ${SVCNAME} != "sshd" ]] && myopts="${myopts} -o PidFile=/var/run/${SVCNAME}.pid"
-	[[ ${SSHD_CONFDIR} != "/etc/ssh" ]] && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config"
+	[[ ${SSHD_PIDFILE} != "/var/run/sshd.pid" ]] \
+		&& myopts="${myopts} -o PidFile=${SSHD_PIDFILE}"
+	[[ ${SSHD_CONFDIR} != "/etc/ssh" ]] \
+		&& myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config"
 
 	checkconfig || return 1
 	ebegin "Starting ${SVCNAME}"
-	/usr/sbin/sshd ${myopts} ${SSHD_OPTS}
+	${SSHD_BINARY} ${myopts} ${SSHD_OPTS}
 	eend $?
 }
 
 stop() {
 	ebegin "Stopping ${SVCNAME}"
-	start-stop-daemon --stop --quiet --pidfile /var/run/${SVCNAME}.pid
+	start-stop-daemon --stop --quiet --pidfile ${SSHD_PIDFILE}
 	eend $?
 }
 
 reload() {
 	ebegin "Reloading ${SVCNAME}"
-	start-stop-daemon --stop --quiet --pidfile /var/run/${SVCNAME}.pid \
+	start-stop-daemon --stop --quiet --pidfile ${SSHD_PIDFILE} \
 		--signal HUP
 	eend $?
 }
diff --git a/net-misc/openssh/openssh-4.3_p2-r3.ebuild b/net-misc/openssh/openssh-4.3_p2-r3.ebuild
new file mode 100644
index 000000000000..ccb78128b3e2
--- /dev/null
+++ b/net-misc/openssh/openssh-4.3_p2-r3.ebuild
@@ -0,0 +1,168 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-4.3_p2-r3.ebuild,v 1.1 2006/09/20 23:10:35 vapier Exp $
+
+inherit eutils flag-o-matic ccc pam multilib
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+X509_PATCH="${PARCH}+x509-5.5.diff.gz"
+SECURID_PATCH="${PARCH}+SecurID_v1.3.2.patch"
+LDAP_PATCH="${PARCH/-4.3p2/-lpk-4.3p1}-0.3.7.patch"
+HPN_PATCH="${PARCH}-hpn12-gentoo.patch.bz2"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	hpn? ( mirror://gentoo/${HPN_PATCH} http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )
+	X509? ( http://roumenpetrov.info/openssh/x509-5.5/${X509_PATCH} )
+	smartcard? ( http://www.omniti.com/~jesus/projects/${SECURID_PATCH} )
+	ldap? ( http://www.opendarwin.org/projects/openssh-lpk/files/${LDAP_PATCH} )"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="ipv6 static pam tcpd kerberos skey selinux chroot X509 ldap smartcard sftplogging hpn libedit X"
+
+RDEPEND="pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	selinux? ( >=sys-libs/libselinux-1.28 )
+	skey? ( >=app-admin/skey-1.1.5-r1 )
+	ldap? ( net-nds/openldap )
+	libedit? ( || ( dev-libs/libedit sys-freebsd/freebsd-lib ) )
+	>=dev-libs/openssl-0.9.6d
+	>=sys-libs/zlib-1.2.3
+	smartcard? ( dev-libs/opensc )
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
+	X? ( || ( x11-apps/xauth virtual/x11 ) )
+	userland_GNU? ( sys-apps/shadow )"
+DEPEND="${RDEPEND}
+	dev-util/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+
+PROVIDE="virtual/ssh"
+
+S=${WORKDIR}/${PARCH}
+
+src_unpack() {
+	unpack ${PARCH}.tar.gz
+	cd "${S}"
+
+	sed -i \
+		-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
+		pathnames.h || die
+
+	epatch "${FILESDIR}"/openssh-4.3_p2-identical-simple-dos.patch #148228
+	epatch "${FILESDIR}"/openssh-4.3_p2-configure.patch #137921
+	epatch "${FILESDIR}"/openssh-4.3_p1-krb5-typos.patch #124494
+	use X509 && epatch "${DISTDIR}"/${X509_PATCH} "${FILESDIR}"/${P}-x509-hpn-glue.patch
+	use sftplogging && epatch "${FILESDIR}"/openssh-4.2_p1-sftplogging-1.4-gentoo.patch.bz2
+	use chroot && epatch "${FILESDIR}"/openssh-4.3_p1-chroot.patch
+	if use X509 ; then
+		cp "${FILESDIR}"/openssh-4.3_p2-selinux.patch .
+		epatch "${FILESDIR}"/openssh-4.3_p2-selinux.patch.glue ./openssh-4.3_p2-selinux.patch
+	else
+		epatch "${FILESDIR}"/openssh-4.3_p2-selinux.patch
+	fi
+	use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch
+	if ! use X509 ; then
+		if [[ -n ${SECURID_PATCH} ]] && use smartcard ; then
+			epatch "${DISTDIR}"/${SECURID_PATCH} "${FILESDIR}"/${P}-securid-hpn-glue.patch
+			use ldap && epatch "${FILESDIR}"/openssh-4.0_p1-smartcard-ldap-happy.patch
+		fi
+		if use ldap ; then
+			use sftplogging \
+				&& ewarn "Sorry, sftplogging and ldap don't get along, disabling ldap" \
+				|| epatch "${DISTDIR}"/${LDAP_PATCH}
+		fi
+	elif [[ -n ${SECURID_PATCH} ]] && use smartcard || use ldap ; then
+		ewarn "Sorry, x509 and smartcard/ldap don't get along"
+	fi
+	[[ -n ${HPN_PATCH} ]] && use hpn && epatch "${DISTDIR}"/${HPN_PATCH}
+
+	sed -i '/LD.*ssh-keysign/s:$: '$(bindnow-flags)':' Makefile.in || die "setuid"
+
+	sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die
+
+	autoconf || die "autoconf failed"
+}
+
+src_compile() {
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+	local myconf=""
+	if use static ; then
+		append-ldflags -static
+		use pam && ewarn "Disabling pam support becuse of static flag"
+		myconf="${myconf} --without-pam"
+	else
+		myconf="${myconf} $(use_with pam)"
+	fi
+
+	use ipv6 || myconf="${myconf} --with-ipv4-default"
+
+	econf \
+		--with-ldflags="${LDFLAGS}" \
+		--disable-strip \
+		--sysconfdir=/etc/ssh \
+		--libexecdir=/usr/$(get_libdir)/misc \
+		--datadir=/usr/share/openssh \
+		--disable-suid-ssh \
+		--with-privsep-path=/var/empty \
+		--with-privsep-user=sshd \
+		--with-md5-passwords \
+		$(use_with ldap) \
+		$(use_with libedit) \
+		$(use_with kerberos kerberos5 /usr) \
+		$(use_with tcpd tcp-wrappers) \
+		$(use_with selinux) \
+		$(use_with skey) \
+		$(use_with smartcard opensc) \
+		${myconf} \
+		|| die "bad configure"
+	emake || die "compile problem"
+}
+
+src_install() {
+	make install-nokeys DESTDIR="${D}" || die
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include sshd
+	dosed "/^#Protocol /s:.*:Protocol 2:" /etc/ssh/sshd_config
+	use pam \
+		&& dosed "/^#UsePAM /s:.*:UsePAM yes:" /etc/ssh/sshd_config \
+		&& dosed "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" /etc/ssh/sshd_config
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+}
+
+pkg_postinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+
+	ewarn "Remember to merge your config files in /etc/ssh/ and then"
+	ewarn "restart sshd: '/etc/init.d/sshd restart'."
+	ewarn
+	einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+	einfo "functionality, but please ensure that you do not explicitly disable"
+	einfo "this in your configuration as disabling it opens security holes"
+	einfo
+	einfo "This revision has removed your sshd user id and replaced it with a"
+	einfo "new one with UID 22.  If you have any scripts or programs that"
+	einfo "that referenced the old UID directly, you will need to update them."
+	einfo
+	if use pam ; then
+		einfo "Please be aware users need a valid shell in /etc/passwd"
+		einfo "in order to be allowed to login."
+		einfo
+	fi
+}
author	Mike Frysinger <vapier@gentoo.org>	2006-09-20 23:10:35 +0000
committer	Mike Frysinger <vapier@gentoo.org>	2006-09-20 23:10:35 +0000
commit	bd1b9f13d5097d5184ef2280a19e780a26fbcf56 (patch)
tree	30ab560fbddb6fc931b11408a284c54918dccf2c /net-misc/openssh
parent	rename patch (diff)
download	historical-bd1b9f13d5097d5184ef2280a19e780a26fbcf56.tar.gz historical-bd1b9f13d5097d5184ef2280a19e780a26fbcf56.tar.bz2 historical-bd1b9f13d5097d5184ef2280a19e780a26fbcf56.zip