authorNatanael Copa <ncopa@alpinelinux.org>2019-07-19 18:16:39 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2019-07-19 20:10:38 +0200
commited91ec54fcc777d8b5f9fb32f78bf14c4e8ea343 (patch)
tree9d82f66b9d9e0fdbe5367bce83465129684248b3 /main/openssh
parentbf8d905764917d140c05af013574051809056da0 (diff)
main/openssh: fix segfault with VerifyHostKeyDNS=yes
fix a case in openbsd-compat where there are no DNS answers. Apparently OpenBSD returns ancount=0 but the answer struct is non NULL, while with musl the answer is NULL. fixes #8323
Diffstat (limited to 'main/openssh')
-rw-r--r--main/openssh/APKBUILD7
-rw-r--r--main/openssh/fix-verify-dns-segfault.patch57
2 files changed, 62 insertions, 2 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 1a12f8c7633..a8c56873fca 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
pkgname=openssh
pkgver=8.0_p1
_myver=${pkgver%_*}${pkgver#*_}
-pkgrel=0
+pkgrel=1
pkgdesc="Port of OpenBSD's free SSH release"
url="https://www.openssh.com/portable.html"
arch="all"
@@ -17,7 +17,8 @@ makedepends="$makedepends_build $makedepends_host"
# Add more packages support here e.g. kerberos
_pkgsupport=""
[ -z "$BOOTSTRAP" ] && _pkgsupport="pam"
-subpackages="$pkgname-doc
+subpackages="$pkgname-dbg
+ $pkgname-doc
$pkgname-keygen
$pkgname-client
$pkgname-keysign
@@ -34,6 +35,7 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.ta
bsd-compatible-realpath.patch
sftp-interactive.patch
disable-forwarding-by-default.patch
+ fix-verify-dns-segfault.patch
sshd.initd
sshd.confd
@@ -211,5 +213,6 @@ f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b33894
f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73 bsd-compatible-realpath.patch
c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9 sftp-interactive.patch
8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de disable-forwarding-by-default.patch
+b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d fix-verify-dns-segfault.patch
8122ac1838586a1487dad1f70ed2ec8161ae57b4a7ee8bfef9757b590aa76a887a6c5e5f2575728da4c6c2f00d2a924360e23d84a4df204d7021b44b690cb2f8 sshd.initd
ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc sshd.confd"
diff --git a/main/openssh/fix-verify-dns-segfault.patch b/main/openssh/fix-verify-dns-segfault.patch
new file mode 100644
index 00000000000..11b65c28971
--- /dev/null
+++ b/main/openssh/fix-verify-dns-segfault.patch
@@ -0,0 +1,57 @@
+Handle case when answer=NULL due to zero answers
+
+diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
+index dc6fe05..28622b5 100644
+--- a/openbsd-compat/getrrsetbyname.c
++++ b/openbsd-compat/getrrsetbyname.c
+@@ -268,7 +268,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ }
+ rrset->rri_rdclass = response->query->class;
+ rrset->rri_rdtype = response->query->type;
+- rrset->rri_ttl = response->answer->ttl;
++ rrset->rri_ttl = response->answer ? response->answer->ttl : 0;
+ rrset->rri_nrdatas = response->header.ancount;
+
+ #ifdef HAVE_HEADER_AD
+@@ -276,6 +276,17 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ if (response->header.ad == 1)
+ rrset->rri_flags |= RRSET_VALIDATED;
+ #endif
++ /* allocate memory for signatures */
++ if (rrset->rri_nsigs > 0) {
++ rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
++ if (rrset->rri_sigs == NULL) {
++ result = ERRSET_NOMEMORY;
++ goto fail;
++ }
++ }
++
++ if (response->answer == NULL || response->header.ancount == 0)
++ goto done;
+
+ /* copy name from answer section */
+ rrset->rri_name = strdup(response->answer->name);
+@@ -298,15 +309,6 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ goto fail;
+ }
+
+- /* allocate memory for signatures */
+- if (rrset->rri_nsigs > 0) {
+- rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
+- if (rrset->rri_sigs == NULL) {
+- result = ERRSET_NOMEMORY;
+- goto fail;
+- }
+- }
+-
+ /* copy answers & signatures */
+ for (rr = response->answer, index_ans = 0, index_sig = 0;
+ rr; rr = rr->next) {
+@@ -334,6 +336,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ }
+ free_dns_response(response);
+
++done:
+ *res = rrset;
+ return (ERRSET_SUCCESS);
+
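Review bot: The new `goto done` path in getrrsetbyname() jumps past `free_dns_response(response);`, because the `done:` label sits after that call, so the parsed response is never released when there are no answers. Moving the label up one statement, so that `done:` is directly above `free_dns_response(response);`, frees it on both paths. The early exit also returns ERRSET_SUCCESS with an rrset whose `rri_name` is never assigned (presumably still NULL from allocation, which is outside the hunk), so a comment at the check such as `/* no answers: return an empty rrset; rri_name is left unset */` would state that contract for callers. The body of getrrsetbyname() starts and ends outside the hunks shown.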