From dbb8e1ec1112621af47b5f1d4015961a73fbe490 Mon Sep 17 00:00:00 2001 From: Waldemar Brodkorb Date: Wed, 4 Nov 2020 13:05:24 +0100 Subject: dropbear: update to latest --- package/dropbear/Makefile | 4 +- package/dropbear/patches/patch-Makefile_in | 14 ++--- package/dropbear/patches/patch-svr-authpubkey_c | 72 ++++++++++++------------- package/dropbear/patches/patch-svr-main_c | 15 ++++++ 4 files changed, 60 insertions(+), 45 deletions(-) create mode 100644 package/dropbear/patches/patch-svr-main_c (limited to 'package') diff --git a/package/dropbear/Makefile b/package/dropbear/Makefile index 34210e585..050729a5c 100644 --- a/package/dropbear/Makefile +++ b/package/dropbear/Makefile @@ -4,9 +4,9 @@ include $(ADK_TOPDIR)/rules.mk PKG_NAME:= dropbear -PKG_VERSION:= 2018.76 +PKG_VERSION:= 2020.81 PKG_RELEASE:= 1 -PKG_HASH:= f2fb9167eca8cf93456a5fc1d4faf709902a3ab70dd44e352f3acbc3ffdaea65 +PKG_HASH:= 48235d10b37775dbda59341ac0c4b239b82ad6318c31568b985730c788aac53b PKG_DESCR:= ssh server/client designed for embedded systems PKG_SECTION:= net/security PKG_URL:= http://matt.ucc.asn.au/dropbear/ diff --git a/package/dropbear/patches/patch-Makefile_in b/package/dropbear/patches/patch-Makefile_in index 3a139a546..b0b77949a 100644 --- a/package/dropbear/patches/patch-Makefile_in +++ b/package/dropbear/patches/patch-Makefile_in @@ -1,6 +1,6 @@ ---- dropbear-2014.63.orig/Makefile.in 2014-02-19 15:05:24.000000000 +0100 -+++ dropbear-2014.63/Makefile.in 2014-03-01 18:27:41.000000000 +0100 -@@ -81,10 +81,10 @@ AR=@AR@ +--- dropbear-2020.81.orig/Makefile.in 2020-10-29 14:35:50.000000000 +0100 ++++ dropbear-2020.81/Makefile.in 2020-11-04 03:02:49.901343218 +0100 +@@ -106,10 +106,10 @@ AR=@AR@ RANLIB=@RANLIB@ STRIP=@STRIP@ INSTALL=@INSTALL@ @@ -15,16 +15,16 @@ EXEEXT=@EXEEXT@ -@@ -163,7 +163,7 @@ dropbearkey: $(dropbearkeyobjs) +@@ -198,7 +198,7 @@ dropbearkey: $(dropbearkeyobjs) dropbearconvert: $(dropbearconvertobjs) dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile -- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ -+ $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) +- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(PLUGIN_LIBS) ++ $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) $(PLUGIN_LIBS) dbclient: $(HEADERS) $(LIBTOM_DEPS) Makefile $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) -@@ -184,7 +184,7 @@ ifeq ($(MULTI),1) +@@ -219,7 +219,7 @@ ifeq ($(MULTI),1) endif dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile diff --git a/package/dropbear/patches/patch-svr-authpubkey_c b/package/dropbear/patches/patch-svr-authpubkey_c index 0de885cfb..f3df0c58f 100644 --- a/package/dropbear/patches/patch-svr-authpubkey_c +++ b/package/dropbear/patches/patch-svr-authpubkey_c @@ -1,6 +1,6 @@ ---- dropbear-2017.75.orig/svr-authpubkey.c 2017-05-18 16:47:02.000000000 +0200 -+++ dropbear-2017.75/svr-authpubkey.c 2017-07-06 19:45:36.765143131 +0200 -@@ -220,24 +220,33 @@ static int checkpubkey(char* algo, unsig +--- dropbear-2020.81.orig/svr-authpubkey.c 2020-10-29 14:35:50.000000000 +0100 ++++ dropbear-2020.81/svr-authpubkey.c 2020-11-04 03:14:22.641017199 +0100 +@@ -386,26 +386,32 @@ static int checkpubkey(const char* keyal goto out; } @@ -14,14 +14,6 @@ - ses.authstate.pw_dir); + /* special case for root authorized_keys in /etc/dropbear/authorized_keys */ + if (ses.authstate.pw_uid != 0) { - -- /* open the file as the authenticating user. */ -- origuid = getuid(); -- origgid = getgid(); -- if ((setegid(ses.authstate.pw_gid)) < 0 || -- (seteuid(ses.authstate.pw_uid)) < 0) { -- dropbear_exit("Failed to set euid"); -- } + /* we don't need to check pw and pw_dir for validity, since + * its been done in checkpubkeyperms. */ + len = strlen(ses.authstate.pw_dir); @@ -31,7 +23,15 @@ + snprintf(filename, len + 22, "%s/.ssh/authorized_keys", + ses.authstate.pw_dir); -- authfile = fopen(filename, "r"); +-#if DROPBEAR_SVR_MULTIUSER +- /* open the file as the authenticating user. */ +- origuid = getuid(); +- origgid = getgid(); +- if ((setegid(ses.authstate.pw_gid)) < 0 || +- (seteuid(ses.authstate.pw_uid)) < 0) { +- dropbear_exit("Failed to set euid"); +- } +-#endif + /* open the file as the authenticating user. */ + origuid = getuid(); + origgid = getgid(); @@ -39,7 +39,8 @@ + (seteuid(ses.authstate.pw_uid)) < 0) { + dropbear_exit("Failed to set euid"); + } -+ + +- authfile = fopen(filename, "r"); + authfile = fopen(filename, "r"); + + } else { @@ -48,49 +49,53 @@ + authfile = fopen("/etc/dropbear/authorized_keys","r"); + } + #if DROPBEAR_SVR_MULTIUSER if ((seteuid(origuid)) < 0 || - (setegid(origgid)) < 0) { -@@ -396,26 +405,39 @@ static int checkpubkeyperms() { +@@ -474,27 +480,37 @@ static int checkpubkeyperms() { goto out; } - /* allocate max required pathname storage, - * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -- filename = m_malloc(len + 22); -- strncpy(filename, ses.authstate.pw_dir, len+1); +- len += 22; +- filename = m_malloc(len); +- strlcpy(filename, ses.authstate.pw_dir, len); + if (ses.authstate.pw_uid != 0) { - -- /* check ~ */ -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; -- } + /* allocate max required pathname storage, + * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ + filename = m_malloc(len + 22); + strncpy(filename, ses.authstate.pw_dir, len+1); - -- /* check ~/.ssh */ -- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; -- } ++ + /* check ~ */ + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } -+ + +- /* check ~ */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } + /* check ~/.ssh */ + strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } -+ + +- /* check ~/.ssh */ +- strlcat(filename, "/.ssh", len); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } + /* now check ~/.ssh/authorized_keys */ + strncat(filename, "/authorized_keys", 16); + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } -+ + +- /* now check ~/.ssh/authorized_keys */ +- strlcat(filename, "/authorized_keys", len); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; + } else { + + if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { @@ -99,11 +104,6 @@ + if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { + goto out; + } - -- /* now check ~/.ssh/authorized_keys */ -- strncat(filename, "/authorized_keys", 16); -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; } /* file looks ok, return success */ diff --git a/package/dropbear/patches/patch-svr-main_c b/package/dropbear/patches/patch-svr-main_c new file mode 100644 index 000000000..b2d4007b8 --- /dev/null +++ b/package/dropbear/patches/patch-svr-main_c @@ -0,0 +1,15 @@ +--- dropbear-2020.81.orig/svr-main.c 2020-10-29 14:35:50.000000000 +0100 ++++ dropbear-2020.81/svr-main.c 2020-11-04 05:04:33.736369225 +0100 +@@ -278,8 +278,12 @@ static void main_noinetd() { + #if DEBUG_NOFORK + fork_ret = 0; + #else ++#if DROPBEAR_VFORK ++ fork_ret = vfork(); ++#else + fork_ret = fork(); + #endif ++#endif + if (fork_ret < 0) { + dropbear_log(LOG_WARNING, "Error forking: %s", strerror(errno)); + goto out; -- cgit v1.2.3