- don't report duplicate syslog messages, use correct local time (#189158)

- don't allow spnego as gssapi mechanism (from upstream) - fixed memleaks found by Coverity (from upstream) - allow ip options except source routing (#202856) (patch by HP)
2006-08-23 21:06:38 +00:00 · 2006-08-23 21:06:38 +00:00 · ac4818c499
commit ac4818c499
parent c12d6ba86c
2 changed files with 81 additions and 3 deletions
--- a/openssh-4.3p2-allow-ip-opts.patch
+++ b/openssh-4.3p2-allow-ip-opts.patch
@ -0,0 +1,59 @@
 From: Paul Moore <paul.moore@hp.com>
 Subject: OpenSSH: fix option handling on incoming connections
 OpenSSH rejects incoming connections if any IP options are present when the
 comments state that they are only concerned with source routing options.  This
 connection rejection causes problems with CIPSO which uses IP options to tag
 packets with security attributes.
 This patch modifies the check_ip_options() function to only fail if loose or
 strict source routing options are present, all other options are allowed.
 Signed-off-by: Paul Moore <paul.moore@hp.com>
 ---
 canohost.c |   23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
 Index: openssh-4.3p2/canohost.c
 ===================================================================
 --- openssh-4.3p2.orig/canohost.c
 +++ openssh-4.3p2/canohost.c
@@ -146,6 +146,7 @@ check_ip_options(int sock, char *ipaddr)
 	u_int i;
 	int ipproto;
 	struct protoent *ip;
 +	u_int opt_iter;
 	if ((ip = getprotobyname("ip")) != NULL)
 		ipproto = ip->p_proto;
@@ -154,13 +155,23 @@ check_ip_options(int sock, char *ipaddr)
 	option_size = sizeof(options);
 	if (getsockopt(sock, ipproto, IP_OPTIONS, options,
 	    &option_size) >= 0 && option_size != 0) {
 -		text[0] = '\0';
 -		for (i = 0; i < option_size; i++)
 -			snprintf(text + i*3, sizeof(text) - i*3,
 -			    " %2.2x", options[i]);
 -		fatal("Connection from %.100s with IP options:%.800s",
 -		    ipaddr, text);
 +		opt_iter = 0;
 +		do {
 +			/* Fail, fatally, if we detect either loose or strict
 +			 * source routing options. */
 +			if (options[opt_iter] == 131 ||
 +			    options[opt_iter] == 137)
 +				goto fail;
 +			opt_iter += options[opt_iter + 1] + 2;
 +		} while (opt_iter < option_size);
 	}
 +	return;
 +
 +fail:
 +	text[0] = '\0';
 +	for (i = 0; i < option_size; i++)
 +		snprintf(text + i*3, sizeof(text) - i*3, " %2.2x", options[i]);
 +	fatal("Connection from %.100s with IP options:%.800s", ipaddr, text);
 #endif /* IP_OPTIONS */
 }
--- a/openssh.spec
+++ b/openssh.spec
@ -61,7 +61,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.3p2
-Release: 8%{?rescue_rel}
+Release: 9%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@ -91,6 +91,11 @@ Patch36: openssh-4.3p2-buffer-len.patch
 Patch37: openssh-4.3p2-configure-typo.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
 Patch39: openssh-4.3p2-no-v6only.patch
 Patch40: openssh-4.3p2-coverity-memleaks.patch
 Patch41: openssh-4.3p2-gssapi-no-spnego.patch
 Patch42: openssh-4.3p2-no-dup-logs.patch
 Patch43: openssh-4.3p2-localtime.patch
 Patch44: openssh-4.3p2-allow-ip-opts.patch
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@ -219,6 +224,11 @@ an X11 passphrase dialog for OpenSSH.
 %patch37 -p1 -b .typo
 %patch38 -p1 -b .grab-info
 %patch39 -p1 -b .no-v6only
 %patch40 -p1 -b .memleaks
 %patch41 -p1 -b .no-spnego
 %patch42 -p1 -b .no-dups
 %patch43 -p1 -b .localtime
 %patch44 -p1 -b .ip-opts
 autoreconf
@ -228,7 +238,7 @@ CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
 CFLAGS="$CFLAGS -Os"
 %endif
 %if %{pie}
-%ifarch s390 s390x
+%ifarch s390 s390x sparc sparc64
 CFLAGS="$CFLAGS -fPIE"
 %else
 CFLAGS="$CFLAGS -fpie"
@ -311,9 +321,10 @@ popd
 rm -rf $RPM_BUILD_ROOT
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
-mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
+mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd/etc
 make install DESTDIR=$RPM_BUILD_ROOT
 touch $RPM_BUILD_ROOT%{_var}/empty/sshd/etc/localtime
 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
@ -440,6 +451,8 @@ fi
 %files server
 %defattr(-,root,root)
 %dir %attr(0711,root,root) %{_var}/empty/sshd
 %dir %attr(0755,root,root) %{_var}/empty/sshd/etc
 %ghost %verify(not md5 size mtime) %{_var}/empty/sshd/etc/localtime
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
@ -460,6 +473,12 @@ fi
 %endif
 %changelog
 * Wed Aug 23 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-9
 - don't report duplicate syslog messages, use correct local time (#189158)
 - don't allow spnego as gssapi mechanism (from upstream)
 - fixed memleaks found by Coverity (from upstream)
 - allow ip options except source routing (#202856) (patch by HP)
 * Tue Aug  8 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-8
 - drop the pam-session patch from the previous build (#201341)
 - don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)