summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--main/dropbear/APKBUILD19
-rw-r--r--main/dropbear/after-free-fix.patch96
2 files changed, 109 insertions, 6 deletions
diff --git a/main/dropbear/APKBUILD b/main/dropbear/APKBUILD
index ecd4c4614fe..6253458cfc5 100644
--- a/main/dropbear/APKBUILD
+++ b/main/dropbear/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dropbear
pkgver=0.53.1
-pkgrel=1
+pkgrel=2
pkgdesc="small SSH 2 client/server designed for small memory environments"
url="http://matt.ucc.asn.au/dropbear/dropbear.html"
arch="all"
@@ -10,16 +10,22 @@ license='MIT'
depends=
makedepends="zlib-dev"
source="http://matt.ucc.asn.au/dropbear/releases/${pkgname}-${pkgver}.tar.bz2
-dropbear.initd
-dropbear.confd
-dropbear-0.53.1-static_build_fix.patch"
+ dropbear.initd
+ dropbear.confd
+ dropbear-0.53.1-static_build_fix.patch
+ after-free-fix.patch
+ "
_builddir="$srcdir"/$pkgname-$pkgver
_progs="dropbear dbclient dropbearkey dropbearconvert scp"
prepare() {
cd "$_builddir"
- patch -p1 -i "$srcdir"/dropbear-0.53.1-static_build_fix.patch
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
}
build() {
@@ -48,4 +54,5 @@ package() {
md5sums="0284ea239083f04c8b874e08e1aca243 dropbear-0.53.1.tar.bz2
d181e2234f34ae5b1e45f8ebf5f14e07 dropbear.initd
af73c487e2be37d65d0e8bf80489357e dropbear.confd
-d33de2027d5dc851762b65b276f1ac83 dropbear-0.53.1-static_build_fix.patch"
+d33de2027d5dc851762b65b276f1ac83 dropbear-0.53.1-static_build_fix.patch
+4f23b4a4214f98b7dd5c1c1727a9c0b4 after-free-fix.patch"
diff --git a/main/dropbear/after-free-fix.patch b/main/dropbear/after-free-fix.patch
new file mode 100644
index 00000000000..2f239637dfd
--- /dev/null
+++ b/main/dropbear/after-free-fix.patch
@@ -0,0 +1,96 @@
+
+# HG changeset patch
+# User Matt Johnston <matt@ucc.asn.au>
+# Date 1322947885 -28800
+# Node ID 818108bf7749bfecd4715a30e2583aac9dbe25e8
+# Parent 5e8d84f3ee7256d054ecf7e9f248765ccaa7f24f
+- Fix use-after-free if multiple command requests were sent. Move
+the original_command into chansess struct since that makes more sense
+
+diff -r 5e8d84f3ee72 -r 818108bf7749 auth.h
+--- a/auth.h Sun Dec 04 05:27:57 2011 +0800
++++ b/auth.h Sun Dec 04 05:31:25 2011 +0800
+@@ -133,7 +133,6 @@
+ int no_pty_flag;
+ /* "command=" option. */
+ unsigned char * forced_command;
+- unsigned char * original_command;
+ };
+ #endif
+
+diff -r 5e8d84f3ee72 -r 818108bf7749 chansession.h
+--- a/chansession.h Sun Dec 04 05:27:57 2011 +0800
++++ b/chansession.h Sun Dec 04 05:31:25 2011 +0800
+@@ -69,6 +69,10 @@
+ char * agentfile;
+ char * agentdir;
+ #endif
++
++#ifdef ENABLE_SVR_PUBKEY_OPTIONS
++ char *original_command;
++#endif
+ };
+
+ struct ChildPid {
+diff -r 5e8d84f3ee72 -r 818108bf7749 svr-authpubkeyoptions.c
+--- a/svr-authpubkeyoptions.c Sun Dec 04 05:27:57 2011 +0800
++++ b/svr-authpubkeyoptions.c Sun Dec 04 05:31:25 2011 +0800
+@@ -92,14 +92,15 @@
+ * by any 'command' public key option. */
+ void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
+ if (ses.authstate.pubkey_options) {
+- ses.authstate.pubkey_options->original_command = chansess->cmd;
+- if (!chansess->cmd)
+- {
+- ses.authstate.pubkey_options->original_command = m_strdup("");
++ if (chansess->cmd) {
++ /* original_command takes ownership */
++ chansess->original_command = chansess->cmd;
++ } else {
++ chansess->original_command = m_strdup("");
+ }
+- chansess->cmd = ses.authstate.pubkey_options->forced_command;
++ chansess->cmd = m_strdup(ses.authstate.pubkey_options->forced_command);
+ #ifdef LOG_COMMANDS
+- dropbear_log(LOG_INFO, "Command forced to '%s'", ses.authstate.pubkey_options->original_command);
++ dropbear_log(LOG_INFO, "Command forced to '%s'", chansess->original_command);
+ #endif
+ }
+ }
+diff -r 5e8d84f3ee72 -r 818108bf7749 svr-chansession.c
+--- a/svr-chansession.c Sun Dec 04 05:27:57 2011 +0800
++++ b/svr-chansession.c Sun Dec 04 05:31:25 2011 +0800
+@@ -217,6 +217,8 @@
+
+ struct ChanSess *chansess;
+
++ TRACE(("new chansess %p", channel))
++
+ dropbear_assert(channel->typedata == NULL);
+
+ chansess = (struct ChanSess*)m_malloc(sizeof(struct ChanSess));
+@@ -279,6 +281,10 @@
+ m_free(chansess->cmd);
+ m_free(chansess->term);
+
++#ifdef ENABLE_SVR_PUBKEY_OPTIONS
++ m_free(chansess->original_command);
++#endif
++
+ if (chansess->tty) {
+ /* write the utmp/wtmp login record */
+ li = chansess_login_alloc(chansess);
+@@ -924,10 +930,8 @@
+ }
+
+ #ifdef ENABLE_SVR_PUBKEY_OPTIONS
+- if (ses.authstate.pubkey_options &&
+- ses.authstate.pubkey_options->original_command) {
+- addnewvar("SSH_ORIGINAL_COMMAND",
+- ses.authstate.pubkey_options->original_command);
++ if (chansess->original_command) {
++ addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
+ }
+ #endif
+
+