Coverity second pass

Reenable akc patch
This commit is contained in:
Jan F. Chadima 2011-09-09 21:18:35 +02:00
parent fc87f2dced
commit ea97ffa1ed
4 changed files with 127 additions and 52 deletions

View File

@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-09 17:26:31.000000000 +0200
+++ openssh-5.9p1/auth2-pubkey.c 2011-09-09 17:28:15.000000000 +0200
--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-09 19:27:15.369501615 +0200
+++ openssh-5.9p1/auth2-pubkey.c 2011-09-09 19:30:32.958509941 +0200
@@ -27,6 +27,7 @@
#include <sys/types.h>
@ -242,7 +242,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
--- openssh-5.9p1/configure.ac.akc 2011-08-18 06:48:24.000000000 +0200
+++ openssh-5.9p1/configure.ac 2011-09-09 17:26:31.000000000 +0200
+++ openssh-5.9p1/configure.ac 2011-09-09 19:27:17.548440048 +0200
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
esac ]
)
@ -271,8 +271,8 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.akc 2011-09-09 17:26:30.000000000 +0200
+++ openssh-5.9p1/servconf.c 2011-09-09 17:26:31.000000000 +0200
--- openssh-5.9p1/servconf.c.akc 2011-09-09 19:27:03.490455245 +0200
+++ openssh-5.9p1/servconf.c 2011-09-09 19:27:17.666565662 +0200
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
@ -344,8 +344,8 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.akc 2011-09-09 17:26:30.000000000 +0200
+++ openssh-5.9p1/servconf.h 2011-09-09 17:26:31.000000000 +0200
--- openssh-5.9p1/servconf.h.akc 2011-09-09 19:27:03.614494286 +0200
+++ openssh-5.9p1/servconf.h 2011-09-09 19:27:18.043502934 +0200
@@ -174,6 +174,8 @@ typedef struct {
char *revoked_keys_file;
char *trusted_user_ca_keys;
@ -355,22 +355,9 @@ diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
} ServerOptions;
/*
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.akc 2011-09-09 17:26:30.000000000 +0200
+++ openssh-5.9p1/sshd_config 2011-09-09 17:26:31.000000000 +0200
@@ -49,6 +49,9 @@
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
+++ openssh-5.9p1/sshd_config.0 2011-09-09 17:26:31.000000000 +0200
+++ openssh-5.9p1/sshd_config.0 2011-09-09 19:27:18.168626976 +0200
@@ -71,6 +71,23 @@ DESCRIPTION
See PATTERNS in ssh_config(5) for more information on patterns.
@ -406,8 +393,8 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.akc 2011-09-09 17:26:30.000000000 +0200
+++ openssh-5.9p1/sshd_config.5 2011-09-09 17:26:31.000000000 +0200
--- openssh-5.9p1/sshd_config.5.akc 2011-09-09 19:27:03.912515059 +0200
+++ openssh-5.9p1/sshd_config.5 2011-09-09 19:27:18.292494317 +0200
@@ -706,6 +706,8 @@ Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
@ -446,3 +433,16 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.akc 2011-09-09 19:27:03.754502770 +0200
+++ openssh-5.9p1/sshd_config 2011-09-09 19:27:18.446471121 +0200
@@ -49,6 +49,9 @@
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2

View File

@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
--- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.9p1/auth-pam.c 2011-09-08 14:13:59.596485750 +0200
+++ openssh-5.9p1/auth-pam.c 2011-09-09 15:13:32.820565436 +0200
@@ -216,7 +216,7 @@ pthread_join(sp_pthread_t thread, void *
if (sshpam_thread_status != -1)
return (sshpam_thread_status);
@ -12,7 +12,7 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
#endif
diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
--- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200
+++ openssh-5.9p1/channels.c 2011-09-08 14:13:59.724564062 +0200
+++ openssh-5.9p1/channels.c 2011-09-09 15:13:32.911439569 +0200
@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
@ -45,7 +45,7 @@ diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
}
diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
--- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200
+++ openssh-5.9p1/clientloop.c 2011-09-08 14:13:59.829450205 +0200
+++ openssh-5.9p1/clientloop.c 2011-09-09 15:13:33.017564323 +0200
@@ -1970,6 +1970,7 @@ client_input_global_request(int type, u_
char *rtype;
int want_reply;
@ -56,7 +56,7 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
want_reply = packet_get_char();
diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
--- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200
+++ openssh-5.9p1/key.c 2011-09-08 14:13:59.959563856 +0200
+++ openssh-5.9p1/key.c 2011-09-09 15:13:33.145442605 +0200
@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
success = 1;
/*XXXX*/
@ -68,9 +68,45 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
/* advance cp: skip whitespace and data */
while (*cp == ' ' || *cp == '\t')
cp++;
diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.coverity 2011-09-09 17:13:15.937439833 +0200
+++ openssh-5.9p1/monitor.c 2011-09-09 17:15:18.625466696 +0200
@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
break;
}
}
+
+ debug3("%s: key %p is %s",
+ __func__, key, allowed ? "allowed" : "not allowed");
+
if (key != NULL)
key_free(key);
@@ -1182,9 +1186,6 @@ mm_answer_keyallowed(int sock, Buffer *m
xfree(chost);
}
- debug3("%s: key %p is %s",
- __func__, key, allowed ? "allowed" : "not allowed");
-
buffer_clear(m);
buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL);
diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2011-09-09 17:29:14.709442881 +0200
+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-09 17:32:48.770563974 +0200
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
- socklen_t salen;
+ socklen_t salen = sizeof(struct sockaddr_storage);
int i;
if (sa == NULL) {
diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
--- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200
+++ openssh-5.9p1/packet.c 2011-09-08 14:14:00.075501777 +0200
+++ openssh-5.9p1/packet.c 2011-09-09 15:13:33.263447887 +0200
@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
case DEATTACK_DETECTED:
packet_disconnect("crc32 compensation attack: "
@ -90,7 +126,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
--- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
+++ openssh-5.9p1/progressmeter.c 2011-09-08 14:14:00.186620217 +0200
+++ openssh-5.9p1/progressmeter.c 2011-09-09 15:13:33.382566039 +0200
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */
@ -111,7 +147,7 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
file = f;
diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
--- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
+++ openssh-5.9p1/progressmeter.h 2011-09-08 14:14:00.299626834 +0200
+++ openssh-5.9p1/progressmeter.h 2011-09-09 15:13:33.501438992 +0200
@@ -23,5 +23,5 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
@ -121,7 +157,7 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
void stop_progress_meter(void);
diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
--- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100
+++ openssh-5.9p1/scp.c 2011-09-08 14:14:00.404502349 +0200
+++ openssh-5.9p1/scp.c 2011-09-09 15:13:33.607564009 +0200
@@ -155,7 +155,7 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
@ -131,9 +167,21 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
}
if (signo)
diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.coverity 2011-09-09 17:24:09.333561142 +0200
+++ openssh-5.9p1/servconf.c 2011-09-09 17:26:41.488502345 +0200
@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
- arg = strdelim(&cp);
+ /*arg =*/ (void) strdelim(&cp);
break;
}
for (i = 0; i < options->num_subsystems; i++)
diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
--- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200
+++ openssh-5.9p1/serverloop.c 2011-09-08 14:14:00.516501505 +0200
+++ openssh-5.9p1/serverloop.c 2011-09-09 15:13:33.723564433 +0200
@@ -147,13 +147,13 @@ notify_setup(void)
static void
notify_parent(void)
@ -245,7 +293,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
tun = forced_tun_device;
diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
--- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100
+++ openssh-5.9p1/sftp-client.c 2011-09-08 14:14:00.640502358 +0200
+++ openssh-5.9p1/sftp-client.c 2011-09-09 15:13:33.845564522 +0200
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
}
@ -470,7 +518,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
size_t len = strlen(p1) + strlen(p2) + 2;
diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
--- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
+++ openssh-5.9p1/sftp-client.h 2011-09-08 14:14:00.750502818 +0200
+++ openssh-5.9p1/sftp-client.h 2011-09-09 15:13:33.954567073 +0200
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
u_int sftp_proto_version(struct sftp_conn *);
@ -570,7 +618,16 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
#endif
diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
--- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100
+++ openssh-5.9p1/sftp.c 2011-09-08 14:25:08.647440423 +0200
+++ openssh-5.9p1/sftp.c 2011-09-09 15:13:34.086441893 +0200
@@ -206,7 +206,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
- waitpid(sshpid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0);
}
_exit(1);
@@ -316,7 +316,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
@ -674,9 +731,23 @@ diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
--- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
+++ openssh-5.9p1/ssh-agent.c 2011-09-09 15:13:34.203567987 +0200
@@ -1147,8 +1147,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
- setegid(getgid());
- setgid(getgid());
+ (void) setegid(getgid());
+ (void) setgid(getgid());
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200
+++ openssh-5.9p1/sshd.c 2011-09-08 14:14:01.018565321 +0200
+++ openssh-5.9p1/sshd.c 2011-09-09 15:13:34.317564195 +0200
@@ -1302,6 +1302,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0)
break;

View File

@ -1,7 +1,7 @@
diff -up openssh-5.2p1/dns.c.rh205842 openssh-5.2p1/dns.c
--- openssh-5.2p1/dns.c.rh205842 2009-07-27 16:25:28.000000000 +0200
+++ openssh-5.2p1/dns.c 2009-07-27 16:40:59.000000000 +0200
@@ -176,6 +176,7 @@ verify_host_key_dns(const char *hostname
diff -up openssh-5.9p1/dns.c.edns openssh-5.9p1/dns.c
--- openssh-5.9p1/dns.c.edns 2010-08-31 14:41:14.000000000 +0200
+++ openssh-5.9p1/dns.c 2011-09-09 08:05:27.782440497 +0200
@@ -177,6 +177,7 @@ verify_host_key_dns(const char *hostname
{
u_int counter;
int result;
@ -9,7 +9,7 @@ diff -up openssh-5.2p1/dns.c.rh205842 openssh-5.2p1/dns.c
struct rrsetinfo *fingerprints = NULL;
u_int8_t hostkey_algorithm;
@@ -199,8 +200,19 @@ verify_host_key_dns(const char *hostname
@@ -200,8 +201,19 @@ verify_host_key_dns(const char *hostname
return -1;
}
@ -30,9 +30,9 @@ diff -up openssh-5.2p1/dns.c.rh205842 openssh-5.2p1/dns.c
if (result) {
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
diff -up openssh-5.2p1/openbsd-compat/getrrsetbyname.c.rh205842 openssh-5.2p1/openbsd-compat/getrrsetbyname.c
--- openssh-5.2p1/openbsd-compat/getrrsetbyname.c.rh205842 2009-07-27 16:22:23.000000000 +0200
+++ openssh-5.2p1/openbsd-compat/getrrsetbyname.c 2009-07-27 16:41:55.000000000 +0200
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.c
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns 2009-07-13 03:38:23.000000000 +0200
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.c 2011-09-09 15:03:39.930500801 +0200
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns
goto fail;
}
@ -40,7 +40,7 @@ diff -up openssh-5.2p1/openbsd-compat/getrrsetbyname.c.rh205842 openssh-5.2p1/op
- /* don't allow flags yet, unimplemented */
- if (flags) {
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
+ if ((flags & !RRSET_FORCE_EDNS0) != 0) {
+ if ((flags & ~RRSET_FORCE_EDNS0) != 0) {
result = ERRSET_INVAL;
goto fail;
}
@ -57,9 +57,9 @@ diff -up openssh-5.2p1/openbsd-compat/getrrsetbyname.c.rh205842 openssh-5.2p1/op
#endif /* RES_USE_DNSEC */
/* make query */
diff -up openssh-5.2p1/openbsd-compat/getrrsetbyname.h.rh205842 openssh-5.2p1/openbsd-compat/getrrsetbyname.h
--- openssh-5.2p1/openbsd-compat/getrrsetbyname.h.rh205842 2009-07-27 16:35:02.000000000 +0200
+++ openssh-5.2p1/openbsd-compat/getrrsetbyname.h 2009-07-27 16:36:09.000000000 +0200
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.h
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns 2007-10-26 08:26:50.000000000 +0200
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.h 2011-09-09 08:05:27.965438689 +0200
@@ -72,6 +72,9 @@
#ifndef RRSET_VALIDATED
# define RRSET_VALIDATED 1

View File

@ -79,7 +79,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.9p1
%define openssh_rel 2
%define openssh_rel 3
%define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 32
@ -183,7 +183,7 @@ Patch702: openssh-5.1p1-askpass-progress.patch
#?
Patch703: openssh-4.3p2-askpass-grab-info.patch
#?
Patch704: openssh-5.2p1-edns.patch
Patch704: openssh-5.9p1-edns.patch
#?
Patch705: openssh-5.1p1-scp-manpage.patch
#?
@ -785,6 +785,10 @@ fi
%endif
%changelog
* Fri Sep 9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-3 + 0.9.2-32
- Coverity second pass
- Reenable akc patch
* Thu Sep 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-2 + 0.9.2-32
- Coverity first pass