- don't report duplicate syslog messages, use correct local time (#189158)

- don't allow spnego as gssapi mechanism (from upstream) - fixed memleaks found by Coverity (from upstream) - allow ip options except source routing (#202856) (patch by HP)
2006-08-23 21:06:38 +00:00 · 2006-08-23 21:06:38 +00:00 · ac4818c499
commit ac4818c499
parent c12d6ba86c
2 changed files with 81 additions and 3 deletions
--- a/openssh-4.3p2-allow-ip-opts.patch
+++ b/openssh-4.3p2-allow-ip-opts.patch
@ -0,0 +1,59 @@
+From: Paul Moore <paul.moore@hp.com>
+Subject: OpenSSH: fix option handling on incoming connections
+
+OpenSSH rejects incoming connections if any IP options are present when the
+comments state that they are only concerned with source routing options.  This
+connection rejection causes problems with CIPSO which uses IP options to tag
+packets with security attributes.
+
+This patch modifies the check_ip_options() function to only fail if loose or
+strict source routing options are present, all other options are allowed.
+
+Signed-off-by: Paul Moore <paul.moore@hp.com>
+
+---
+ canohost.c |   23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+Index: openssh-4.3p2/canohost.c
+===================================================================
+--- openssh-4.3p2.orig/canohost.c
+++ openssh-4.3p2/canohost.c
+@@ -146,6 +146,7 @@ check_ip_options(int sock, char *ipaddr)
+ 	u_int i;
+ 	int ipproto;
+ 	struct protoent *ip;
+	u_int opt_iter;
+ 
+ 	if ((ip = getprotobyname("ip")) != NULL)
+ 		ipproto = ip->p_proto;
+@@ -154,13 +155,23 @@ check_ip_options(int sock, char *ipaddr)
+ 	option_size = sizeof(options);
+ 	if (getsockopt(sock, ipproto, IP_OPTIONS, options,
+ 	    &option_size) >= 0 && option_size != 0) {
+-		text[0] = '\0';
+-		for (i = 0; i < option_size; i++)
+-			snprintf(text + i*3, sizeof(text) - i*3,
+-			    " %2.2x", options[i]);
+-		fatal("Connection from %.100s with IP options:%.800s",
+-		    ipaddr, text);
+		opt_iter = 0;
+		do {
+			/* Fail, fatally, if we detect either loose or strict
+			 * source routing options. */
+			if (options[opt_iter] == 131 ||
+			    options[opt_iter] == 137)
+				goto fail;
+			opt_iter += options[opt_iter + 1] + 2;
+		} while (opt_iter < option_size);
+ 	}
+	return;
+
+fail:
+	text[0] = '\0';
+	for (i = 0; i < option_size; i++)
+		snprintf(text + i*3, sizeof(text) - i*3, " %2.2x", options[i]);
+	fatal("Connection from %.100s with IP options:%.800s", ipaddr, text);
+ #endif /* IP_OPTIONS */
+ }
+ 
--- a/openssh.spec
+++ b/openssh.spec
@ -61,7 +61,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.3p2
-Release: 8%{?rescue_rel}
+Release: 9%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@ -91,6 +91,11 @@ Patch36: openssh-4.3p2-buffer-len.patch
 Patch37: openssh-4.3p2-configure-typo.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
 Patch39: openssh-4.3p2-no-v6only.patch
+Patch40: openssh-4.3p2-coverity-memleaks.patch
+Patch41: openssh-4.3p2-gssapi-no-spnego.patch
+Patch42: openssh-4.3p2-no-dup-logs.patch
+Patch43: openssh-4.3p2-localtime.patch
+Patch44: openssh-4.3p2-allow-ip-opts.patch
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@ -219,6 +224,11 @@ an X11 passphrase dialog for OpenSSH.
 %patch37 -p1 -b .typo
 %patch38 -p1 -b .grab-info
 %patch39 -p1 -b .no-v6only
+%patch40 -p1 -b .memleaks
+%patch41 -p1 -b .no-spnego
+%patch42 -p1 -b .no-dups
+%patch43 -p1 -b .localtime
+%patch44 -p1 -b .ip-opts

 autoreconf

@ -228,7 +238,7 @@ CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
 CFLAGS="$CFLAGS -Os"
 %endif
 %if %{pie}
-%ifarch s390 s390x
+%ifarch s390 s390x sparc sparc64
 CFLAGS="$CFLAGS -fPIE"
 %else
 CFLAGS="$CFLAGS -fpie"
@ -311,9 +321,10 @@ popd
 rm -rf $RPM_BUILD_ROOT
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
-mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
+mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd/etc
 make install DESTDIR=$RPM_BUILD_ROOT

+touch $RPM_BUILD_ROOT%{_var}/empty/sshd/etc/localtime
 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
@ -440,6 +451,8 @@ fi
 %files server
 %defattr(-,root,root)
 %dir %attr(0711,root,root) %{_var}/empty/sshd
+%dir %attr(0755,root,root) %{_var}/empty/sshd/etc
+%ghost %verify(not md5 size mtime) %{_var}/empty/sshd/etc/localtime
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
@ -460,6 +473,12 @@ fi
 %endif

 %changelog
+* Wed Aug 23 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-9
+- don't report duplicate syslog messages, use correct local time (#189158)
+- don't allow spnego as gssapi mechanism (from upstream)
+- fixed memleaks found by Coverity (from upstream)
+- allow ip options except source routing (#202856) (patch by HP)
+
 * Tue Aug  8 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-8
 - drop the pam-session patch from the previous build (#201341)
 - don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)