commit: f95a22d1cdd7ed94e2beb34a4b4d15b3510d651c
parent: 2b8723c69a8f6407894615adb52a051ad7954f6b
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Tue, 15 Jan 2019 11:21:49 +0100

net-misc/dropbear: Port OpenSSH CVE-2018-20685 to dropbear

Diffstat:

Anet-misc/dropbear/dropbear-2018.76-r1.ebuild104+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Dnet-misc/dropbear/dropbear-2018.76.ebuild103-------------------------------------------------------------------------------
Anet-misc/dropbear/files/dropbear-openssh-CVE-2018-20685.patch14++++++++++++++
3 files changed, 118 insertions(+), 103 deletions(-)

diff --git a/net-misc/dropbear/dropbear-2018.76-r1.ebuild b/net-misc/dropbear/dropbear-2018.76-r1.ebuild 
@@ -0,0 +1,104 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils savedconfig pam user
+
+DESCRIPTION="small SSH 2 client/server designed for small memory environments"
+HOMEPAGE="https://matt.ucc.asn.au/dropbear/dropbear.html"
+SRC_URI="https://matt.ucc.asn.au/dropbear/releases/${P}.tar.bz2
+ https://matt.ucc.asn.au/dropbear/testing/${P}.tar.bz2"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux"
+IUSE="bsdpty minimal multicall pam +shadow static +syslog zlib"
+
+LIB_DEPEND="zlib? ( sys-libs/zlib[static-libs(+)] )
+ dev-libs/libtomcrypt[static-libs(+)]
+ dev-libs/libtommath[static-libs(+)]"
+RDEPEND="!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+ pam? ( virtual/pam )"
+DEPEND="${RDEPEND}
+ static? ( ${LIB_DEPEND} )"
+RDEPEND+=" pam? ( >=sys-auth/pambase-20080219.1 )"
+
+REQUIRED_USE="pam? ( !static )"
+
+set_options() {
+ progs=(
+ dropbear dbclient dropbearkey
+ $(usex minimal "" "dropbearconvert scp")
+ )
+ makeopts=(
+ MULTI=$(usex multicall 1 0)
+ STATIC=$(usex static 1 0)
+ )
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/${PN}-0.46-dbscp.patch"
+ epatch "${FILESDIR}/dropbear-openssh-CVE-2018-20685.patch"
+ rm -fr libtomcrypt || die
+ rm -fr libtommath || die
+ sed \
+ -e '/SFTPSERVER_PATH/s:".*":"/usr/lib/misc/sftp-server":' \
+ default_options.h > localoptions.h || die
+ sed -i \
+ -e '/pam_start/s:sshd:dropbear:' \
+ svr-authpam.c || die
+ restore_config localoptions.h
+}
+
+src_configure() {
+ # We disable the hardening flags as our compiler already enables them
+ # by default as is appropriate for the target. 
+ econf \
+ --disable-harden \
+ --disable-bundled-libtom \
+ $(use_enable zlib) \
+ $(use_enable pam) \
+ $(use_enable !bsdpty openpty) \
+ $(use_enable shadow) \
+ $(use_enable syslog)
+}
+
+src_compile() {
+ set_options
+ emake "${makeopts[@]}" PROGRAMS="${progs[*]}"
+}
+
+src_install() {
+ set_options
+ emake "${makeopts[@]}" PROGRAMS="${progs[*]}" DESTDIR="${D}" install
+ doman *.8
+ newinitd "${FILESDIR}"/dropbear.init.d dropbear
+ newconfd "${FILESDIR}"/dropbear.conf.d dropbear
+ dodoc CHANGES README SMALL MULTI
+
+ # The multi install target does not install the links right.
+ if use multicall ; then
+ cd "${ED}"/usr/bin
+ local x
+ for x in "${progs[@]}" ; do
+ ln -sf dropbearmulti ${x} || die "ln -s dropbearmulti to ${x} failed"
+ done
+ rm -f dropbear
+ dodir /usr/sbin
+ dosym ../bin/dropbearmulti /usr/sbin/dropbear
+ cd "${S}"
+ fi
+ save_config localoptions.h
+
+ if ! use minimal ; then
+ mv "${ED}"/usr/bin/{,db}scp || die
+ fi
+
+ pamd_mimic system-remote-login dropbear auth account password session
+}
+
+pkg_preinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 -1 /var/empty sshd
+}
diff --git a/net-misc/dropbear/dropbear-2018.76.ebuild b/net-misc/dropbear/dropbear-2018.76.ebuild 
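Review bot: The added `epatch "${FILESDIR}/dropbear-openssh-CVE-2018-20685.patch"` in src_prepare is the whole reason for the -r1 revision bump, yet nothing in the ebuild says what it fixes or when it can be dropped; a comment above it such as `# OpenSSH CVE-2018-20685 ported to dropbear's scp: sink() now also rejects an empty name and "." alongside "/" and ".."` would let the next maintainer remove it once an upstream dropbear release carries the fix. It is applied right after `${PN}-0.46-dbscp.patch`; if that patch also touches scp.c (not visible on this page), the application order is part of the contract and has to be preserved on future rebases. Since `scp` is only in PROGRAMS when USE=minimal is unset, the patch is also applied on builds that never produce the fixed binary, which is harmless but worth knowing when reading a build log.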
@@ -1,103 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-
-inherit eutils savedconfig pam user
-
-DESCRIPTION="small SSH 2 client/server designed for small memory environments"
-HOMEPAGE="https://matt.ucc.asn.au/dropbear/dropbear.html"
-SRC_URI="https://matt.ucc.asn.au/dropbear/releases/${P}.tar.bz2
- https://matt.ucc.asn.au/dropbear/testing/${P}.tar.bz2"
-
-LICENSE="MIT"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux"
-IUSE="bsdpty minimal multicall pam +shadow static +syslog zlib"
-
-LIB_DEPEND="zlib? ( sys-libs/zlib[static-libs(+)] )
- dev-libs/libtomcrypt[static-libs(+)]
- dev-libs/libtommath[static-libs(+)]"
-RDEPEND="!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( virtual/pam )"
-DEPEND="${RDEPEND}
- static? ( ${LIB_DEPEND} )"
-RDEPEND+=" pam? ( >=sys-auth/pambase-20080219.1 )"
-
-REQUIRED_USE="pam? ( !static )"
-
-set_options() {
- progs=(
- dropbear dbclient dropbearkey
- $(usex minimal "" "dropbearconvert scp")
- )
- makeopts=(
- MULTI=$(usex multicall 1 0)
- STATIC=$(usex static 1 0)
- )
-}
-
-src_prepare() {
- epatch "${FILESDIR}"/${PN}-0.46-dbscp.patch
- rm -fr libtomcrypt || die
- rm -fr libtommath || die
- sed \
- -e '/SFTPSERVER_PATH/s:".*":"/usr/lib/misc/sftp-server":' \
- default_options.h > localoptions.h || die
- sed -i \
- -e '/pam_start/s:sshd:dropbear:' \
- svr-authpam.c || die
- restore_config localoptions.h
-}
-
-src_configure() {
- # We disable the hardening flags as our compiler already enables them
- # by default as is appropriate for the target. 
- econf \
- --disable-harden \
- --disable-bundled-libtom \
- $(use_enable zlib) \
- $(use_enable pam) \
- $(use_enable !bsdpty openpty) \
- $(use_enable shadow) \
- $(use_enable syslog)
-}
-
-src_compile() {
- set_options
- emake "${makeopts[@]}" PROGRAMS="${progs[*]}"
-}
-
-src_install() {
- set_options
- emake "${makeopts[@]}" PROGRAMS="${progs[*]}" DESTDIR="${D}" install
- doman *.8
- newinitd "${FILESDIR}"/dropbear.init.d dropbear
- newconfd "${FILESDIR}"/dropbear.conf.d dropbear
- dodoc CHANGES README SMALL MULTI
-
- # The multi install target does not install the links right.
- if use multicall ; then
- cd "${ED}"/usr/bin
- local x
- for x in "${progs[@]}" ; do
- ln -sf dropbearmulti ${x} || die "ln -s dropbearmulti to ${x} failed"
- done
- rm -f dropbear
- dodir /usr/sbin
- dosym ../bin/dropbearmulti /usr/sbin/dropbear
- cd "${S}"
- fi
- save_config localoptions.h
-
- if ! use minimal ; then
- mv "${ED}"/usr/bin/{,db}scp || die
- fi
-
- pamd_mimic system-remote-login dropbear auth account password session
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
diff --git a/net-misc/dropbear/files/dropbear-openssh-CVE-2018-20685.patch b/net-misc/dropbear/files/dropbear-openssh-CVE-2018-20685.patch
@@ -0,0 +1,14 @@
+diff --git a/scp.c b/scp.c
+index 742ae00..7b8e7d2 100644
+--- a/scp.c
++++ b/scp.c
+@@ -935,7 +935,8 @@ sink(int argc, char **argv)
+ size = size * 10 + (*cp++ - '0');
+ if (*cp++ != ' ')
+ SCREWUP("size not delimited");
+- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ if (*cp == '\0' || strchr(cp, '/') != NULL ||
++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
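Review bot: The new patch file carries no description before its first `diff --git a/scp.c b/scp.c` line, so a reader has to know the CVE number to tell what it changes; `patch` skips leading prose, so a header such as `Port of the OpenSSH CVE-2018-20685 fix to dropbear's scp.c: the filename check in sink() now also rejects an empty name and "." alongside "/" and ".."` can be added without affecting how the patch applies. The `index 742ae00..7b8e7d2` line and the `@@ -935,7 +935,8 @@` offsets read as if taken from the OpenSSH tree rather than from dropbear's scp.c, so applying presumably relies on epatch's offset and fuzz handling; regenerating the hunk against dropbear's own file would make the apply exact and a silent misapply less likely. The enclosing sink() function starts and ends outside the hunk.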