[OE-core] [PATCH 1/1] openssh: three fixes

Saul Wold sgw at linux.intel.com
Fri Jun 7 21:41:41 UTC 2013 

On 06/06/2013 07:27 PM, rongqing.li at windriver.com wrote:
> From: "Roy.Li" <rongqing.li at windriver.com>
>
> 1. fix a alignment issue on ARM v7 NEON cpu
> 2. fix a empty passwd issue
> 3. enable tcp-wrappers by default
>
openssh has been updated to 6.2p2, so can you please rebase these 
patches to that newer version.

Also, have they been sumbitted upstream, for security related bug, I 
would like to know if the upstream will accept them for correctness 
since they could lead to security issues otherwise.

Thanks
	Sau!

> Signed-off-by: Roy.Li <rongqing.li at windriver.com>
> ---
>   .../openssh-6.2p1/mac_compute-alignment.patch      |   39 ++++++++++++++++++++
>   .../openssh-permit_empty_passwd.patch              |   33 +++++++++++++++++
>   meta/recipes-connectivity/openssh/openssh_6.2p1.bb |    5 +++
>   3 files changed, 77 insertions(+)
>   create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
>   create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
> new file mode 100644
> index 0000000..ea8a31a
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
> @@ -0,0 +1,39 @@
> +Upstream-Status: Pending
> +
> +The mac_compute() function in openssh calls umac_final() to prepend a tag
> +to a buffer.  Umac_final() calls pdf_gen_xor() on the tag as its final
> +operation, and as implemented, pdf_gen_xor() assumes an appropriate
> +alignment for 64-bit operations on its buffer.  However, the buffer
> +is declared in mac_compute() as a static u_char array, and the linker
> +doesn't guarantee 64-bit alignment for such arrays.  On ARM v7 NEON
> +platforms with gcc, 64-bit values must be 64-bit aligned, and the
> +unaligned buffer declaration caused alignment faults when executing
> +certain openssh tests.
> +
> +Force the buffer in mac_compute() to be 64-bit aligned.
> +
> +Signed-off-by: Donn Seeley <donn.seeley at windriver.com>
> +---
> + mac.c |    8 +++++---
> + 1 file changed, 5 insertions(+), 3 deletions(-)
> +
> +--- a/mac.c
> ++++ b/mac.c
> +@@ -132,12 +132,14 @@ mac_init(Mac *mac)
> + u_char *
> + mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
> + {
> +-	static u_char m[EVP_MAX_MD_SIZE];
> ++	static u_int64_t m_buf[(EVP_MAX_MD_SIZE + sizeof (u_int64_t) - 1)
> ++	    / sizeof (u_int64_t)];
> ++	u_char *m = (u_char *)m_buf;
> + 	u_char b[4], nonce[8];
> +
> +-	if (mac->mac_len > sizeof(m))
> ++	if (mac->mac_len > EVP_MAX_MD_SIZE)
> + 		fatal("mac_compute: mac too long %u %lu",
> +-		    mac->mac_len, (u_long)sizeof(m));
> ++		    mac->mac_len, (u_long)EVP_MAX_MD_SIZE);
> +
> + 	switch (mac->type) {
> + 	case SSH_EVP:
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
> new file mode 100644
> index 0000000..c1d7f8e
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
> @@ -0,0 +1,33 @@
> +Subject: [PATCH] openssh: fix permit_empty_passwd
> +
> +Upstream-Status: pending
> +
> +When pam enabled, userauth_none calls auth_password("") -->
> +pam_authenticate("") will cause pam_auth process in the fail
> +status. This will block all login, even users with a correct
> +password.
> +
> +userauth_none should alway return false since sshd
> +would check passwords in userauth_passwd using pam* modules.
> +
> +Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
> +---
> + auth2-none.c |    2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/auth2-none.c b/auth2-none.c
> +index c8c6c74..560feef 100644
> +--- a/auth2-none.c
> ++++ b/auth2-none.c
> +@@ -61,6 +61,8 @@ userauth_none(Authctxt *authctxt)
> + {
> + 	none_enabled = 0;
> + 	packet_check_eom();
> ++	if (options.use_pam)	
> ++		return 0;
> + 	if (options.permit_empty_passwd && options.password_authentication)
> + 		return (PRIVSEP(auth_password(authctxt, "")));
> + 	return (0);
> +--
> +1.7.9.5
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
> index 20502c4..198c09d 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
> @@ -25,6 +25,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
>              file://ssh_config \
>              file://init \
>              file://openssh-CVE-2011-4327.patch \
> +           file://mac_compute-alignment.patch \
> +           file://openssh-permit_empty_passwd.patch \
>              ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
>
>   PAM_SRC_URI = "file://sshd"
> @@ -45,6 +47,9 @@ inherit autotools
>   CFLAGS += "-D__FILE_OFFSET_BITS=64"
>   export LD = "${CC}"
>
> +PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
> +
>   EXTRA_OECONF = "--with-rand-helper=no \
>                   ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
>                   --without-zlib-version-check \
>

More information about the Openembedded-core mailing list