Re: [PATCH 1/1] openssh: three fixes

[Rongqing Li <rongqing.li@windriver.com>]

On 06/08/2013 05:41 AM, Saul Wold wrote:
> On 06/06/2013 07:27 PM, rongqing.li@windriver.com wrote:
>> From: "Roy.Li" <rongqing.li@windriver.com>
>>
>> 1. fix a alignment issue on ARM v7 NEON cpu
>> 2. fix a empty passwd issue
>> 3. enable tcp-wrappers by default
>>
> openssh has been updated to 6.2p2, so can you please rebase these
> patches to that newer version.
>
> Also, have they been sumbitted upstream, for security related bug, I
> would like to know if the upstream will accept them for correctness
> since they could lead to security issues otherwise.
>


Seems they are not submitted to upstream,
I will submit them to upstream, then send out to Oe-core.

-Roy




> Thanks
>      Sau!
>
>> Signed-off-by: Roy.Li <rongqing.li@windriver.com>
>> ---
>>   .../openssh-6.2p1/mac_compute-alignment.patch      |   39
>> ++++++++++++++++++++
>>   .../openssh-permit_empty_passwd.patch              |   33
>> +++++++++++++++++
>>   meta/recipes-connectivity/openssh/openssh_6.2p1.bb |    5 +++
>>   3 files changed, 77 insertions(+)
>>   create mode 100644
>> meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
>>
>>   create mode 100644
>> meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
>>
>>
>> diff --git
>> a/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
>> b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
>>
>> new file mode 100644
>> index 0000000..ea8a31a
>> --- /dev/null
>> +++
>> b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
>>
>> @@ -0,0 +1,39 @@
>> +Upstream-Status: Pending
>> +
>> +The mac_compute() function in openssh calls umac_final() to prepend a
>> tag
>> +to a buffer.  Umac_final() calls pdf_gen_xor() on the tag as its final
>> +operation, and as implemented, pdf_gen_xor() assumes an appropriate
>> +alignment for 64-bit operations on its buffer.  However, the buffer
>> +is declared in mac_compute() as a static u_char array, and the linker
>> +doesn't guarantee 64-bit alignment for such arrays.  On ARM v7 NEON
>> +platforms with gcc, 64-bit values must be 64-bit aligned, and the
>> +unaligned buffer declaration caused alignment faults when executing
>> +certain openssh tests.
>> +
>> +Force the buffer in mac_compute() to be 64-bit aligned.
>> +
>> +Signed-off-by: Donn Seeley <donn.seeley@windriver.com>
>> +---
>> + mac.c |    8 +++++---
>> + 1 file changed, 5 insertions(+), 3 deletions(-)
>> +
>> +--- a/mac.c
>> ++++ b/mac.c
>> +@@ -132,12 +132,14 @@ mac_init(Mac *mac)
>> + u_char *
>> + mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
>> + {
>> +-    static u_char m[EVP_MAX_MD_SIZE];
>> ++    static u_int64_t m_buf[(EVP_MAX_MD_SIZE + sizeof (u_int64_t) - 1)
>> ++        / sizeof (u_int64_t)];
>> ++    u_char *m = (u_char *)m_buf;
>> +     u_char b[4], nonce[8];
>> +
>> +-    if (mac->mac_len > sizeof(m))
>> ++    if (mac->mac_len > EVP_MAX_MD_SIZE)
>> +         fatal("mac_compute: mac too long %u %lu",
>> +-            mac->mac_len, (u_long)sizeof(m));
>> ++            mac->mac_len, (u_long)EVP_MAX_MD_SIZE);
>> +
>> +     switch (mac->type) {
>> +     case SSH_EVP:
>> diff --git
>> a/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
>> b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
>>
>> new file mode 100644
>> index 0000000..c1d7f8e
>> --- /dev/null
>> +++
>> b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
>>
>> @@ -0,0 +1,33 @@
>> +Subject: [PATCH] openssh: fix permit_empty_passwd
>> +
>> +Upstream-Status: pending
>> +
>> +When pam enabled, userauth_none calls auth_password("") -->
>> +pam_authenticate("") will cause pam_auth process in the fail
>> +status. This will block all login, even users with a correct
>> +password.
>> +
>> +userauth_none should alway return false since sshd
>> +would check passwords in userauth_passwd using pam* modules.
>> +
>> +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
>> +---
>> + auth2-none.c |    2 ++
>> + 1 file changed, 2 insertions(+)
>> +
>> +diff --git a/auth2-none.c b/auth2-none.c
>> +index c8c6c74..560feef 100644
>> +--- a/auth2-none.c
>> ++++ b/auth2-none.c
>> +@@ -61,6 +61,8 @@ userauth_none(Authctxt *authctxt)
>> + {
>> +     none_enabled = 0;
>> +     packet_check_eom();
>> ++    if (options.use_pam)
>> ++        return 0;
>> +     if (options.permit_empty_passwd && options.password_authentication)
>> +         return (PRIVSEP(auth_password(authctxt, "")));
>> +     return (0);
>> +--
>> +1.7.9.5
>> +
>> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
>> b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
>> index 20502c4..198c09d 100644
>> --- a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
>> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
>> @@ -25,6 +25,8 @@ SRC_URI =
>> "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
>>              file://ssh_config \
>>              file://init \
>>              file://openssh-CVE-2011-4327.patch \
>> +           file://mac_compute-alignment.patch \
>> +           file://openssh-permit_empty_passwd.patch \
>>              ${@base_contains('DISTRO_FEATURES', 'pam',
>> '${PAM_SRC_URI}', '', d)}"
>>
>>   PAM_SRC_URI = "file://sshd"
>> @@ -45,6 +47,9 @@ inherit autotools
>>   CFLAGS += "-D__FILE_OFFSET_BITS=64"
>>   export LD = "${CC}"
>>
>> +PACKAGECONFIG ??= "tcp-wrappers"
>> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
>> +
>>   EXTRA_OECONF = "--with-rand-helper=no \
>>                   ${@base_contains('DISTRO_FEATURES', 'pam',
>> '--with-pam', '--without-pam', d)} \
>>                   --without-zlib-version-check \
>>
>
>

-- 
Best Reagrds,
Roy | RongQing Li