Change COMPILER_VERSION tests which limited additional
warnings to gcc4 to instead skip them on gcc3 as clang can handle
-Wpointer-sign and -Wold-style-definition.
Avoid relying on implementation-specific behavior when
detecting whether the timestamp or file size overflowed. If time_t and off_t
are not either 32-bit or 64-bit, scp will exit with an error. OK djm@
Darren Tucker [Mon, 24 Apr 2017 09:40:31 +0000 (19:40 +1000)]
Deny socketcall in seccomp filter on ppc64le.
OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys
in privsep child. The socket() syscall is already denied in the seccomp
filter, but in ppc64le kernel, it is implemented using socketcall()
syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and
therefore fails hard.
Recognize nl_langinfo(CODESET) return values "646" and ""
as aliases for "US-ASCII", useful for different versions of NetBSD and
Solaris. Found by dtucker@ and by Tom G. Christensen <tgc at jupiterrise dot
com>. OK dtucker@ deraadt@
Darren Tucker [Wed, 29 Mar 2017 05:34:44 +0000 (16:34 +1100)]
Import fmt_scaled.c rev 1.16 from OpenBSD.
Fix overly-conservative overflow checks on multiplications and add checks
on additions. This allows scan_scaled to work up to +/-LLONG_MAX (LLONG_MIN
will still be flagged as a range error). ok millert@
Darren Tucker [Wed, 29 Mar 2017 01:39:39 +0000 (12:39 +1100)]
Don't check privsep user or path when unprivileged
If running with privsep (mandatory now) as a non-privileged user, we
don't chroot or change to an unprivileged user; however, we still checked
the existence of the user and directory. Don't do those checks if we're
not going to use them. Based in part on a patch from Lionel Fourquaux
via Corinna Vinschen, ok djm@
Damien Miller [Sun, 19 Mar 2017 22:58:34 +0000 (09:58 +1100)]
create test mux socket in /tmp
Creating the socket in $OBJ could blow past the (quite limited)
path limit for Unix domain sockets. As a bandaid for bz#2660,
reported by Colin Watson; ok dtucker@
djm@openbsd.org [Wed, 15 Mar 2017 02:25:09 +0000 (02:25 +0000)]
upstream commit
fix regression in 7.4: deletion of PKCS#11-hosted keys
would fail unless they were specified by full physical pathname. Report and
fix from Jakub Jelen via bz#2682; ok dtucker@
djm@openbsd.org [Wed, 15 Mar 2017 02:19:09 +0000 (02:19 +0000)]
upstream commit
Fix segfault when sshd attempts to load RSA1 keys (can
only happen when protocol v.1 support is enabled for the client). Reported by
Jakub Jelen in bz#2686; ok dtucker
Damien Miller [Tue, 14 Mar 2017 07:26:29 +0000 (18:26 +1100)]
Make seccomp-bpf sandbox work on Linux/X32
Allow clock_gettime syscall with X32 bit masked off. Apparently
this is required for at least some kernel versions. bz#2142
Patch mostly by Colin Watson. ok dtucker@
Damien Miller [Tue, 14 Mar 2017 06:48:43 +0000 (17:48 +1100)]
Remove macro trickery; no binary change
This stops the SC_ALLOW(), SC_ALLOW_ARG() and SC_DENY() macros
prepending __NR_ to the syscall number parameter and just makes
them explicit in the macro invocations.
No binary change in stripped object file before/after.
Damien Miller [Tue, 14 Mar 2017 01:24:47 +0000 (12:24 +1100)]
Fix weakness in seccomp-bpf sandbox arg inspection
Syscall arguments are passed via an array of 64-bit values in struct
seccomp_data, but we were only inspecting the bottom 32 bits and not
even those correctly for BE systems.
Fortunately, the only case argument inspection was used was in the
socketcall filtering so using this for sandbox escape seems
impossible.
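The argument-inspection weakness described in the commit above, as an added example (constructed here, not OpenSSH's sandbox-seccomp-filter.c): it mirrors the layout of the kernel's struct seccomp_data, emulates the 32-bit word loads classic BPF is limited to, and contrasts a check that looks at only one word at offsetof(args[n]) with one that checks both halves at endian-aware offsets. The struct mirror, the check functions and the sample argument values are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed mirror of the kernel's struct seccomp_data (same field order and
 * sizes); example code, not OpenSSH's sandbox-seccomp-filter.c. */
struct seccomp_data_mirror {
    int32_t nr; uint32_t arch;
    uint64_t instruction_pointer; uint64_t args[6];
};
/* Classic BPF can only load 32-bit words from the data area; emulate that. */
static uint32_t ld_w(const struct seccomp_data_mirror *d, size_t off)
{
    uint32_t w;
    memcpy(&w, (const unsigned char *)d + off, sizeof w);
    return w;
}
static int host_is_big_endian(void)
{
    const uint32_t probe = 1; /* first byte is 0 on big-endian hosts */
    return *(const unsigned char *)&probe == 0;
}
/* Offsets of the low and high words of args[n]: which word comes first
 * inside the 64-bit slot depends on host byte order. */
static size_t arg_lo_off(int n)
{
    size_t base = offsetof(struct seccomp_data_mirror, args) + (size_t)n * 8;
    return host_is_big_endian() ? base + 4 : base;
}
static size_t arg_hi_off(int n) { return arg_lo_off(n) ^ 4; }
/* Pre-fix style check: one word at offsetof(args[n]). That is the low half on
 * little-endian hosts but the high half on big-endian ones, and the other
 * 32 bits are never inspected. */
static int arg_matches_naive(const struct seccomp_data_mirror *d, int n, uint32_t want)
{
    return ld_w(d, offsetof(struct seccomp_data_mirror, args) + (size_t)n * 8) == want;
}
/* Fixed check: both words, at endian-aware offsets, must match. */
static int arg_matches_strict(const struct seccomp_data_mirror *d, int n, uint64_t want)
{
    return ld_w(d, arg_lo_off(n)) == (uint32_t)want &&
           ld_w(d, arg_hi_off(n)) == (uint32_t)(want >> 32);
}
/* Constructed syscall data with args[0] = arg, run through one of the checks. */
static int check_arg0(uint64_t arg, uint64_t want, int strict)
{
    struct seccomp_data_mirror d = {0};
    d.args[0] = arg;
    return strict ? arg_matches_strict(&d, 0, want) : arg_matches_naive(&d, 0, (uint32_t)want);
}
```

With a value whose upper 32 bits are set, the naive check still matches on a little-endian host and never matches the intended value on a big-endian one; the strict check rejects it on both.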
djm@openbsd.org [Sat, 11 Mar 2017 23:40:26 +0000 (23:40 +0000)]
upstream commit
allow ssh to use certificates accompanied by a private
key file but no corresponding plain *.pub public key. bz#2617 based on patch
from Adam Eijdenberg; ok dtucker@ markus@
Don't count the initial block twice when computing how
many bytes to discard for the workaround for the attacks against CBC-mode.
ok djm@; report from Jean Paul, Kenny, Martin and Torben @ RHUL
Damien Miller [Sat, 11 Mar 2017 23:48:14 +0000 (10:48 +1100)]
sync fmt_scaled.c with OpenBSD
revision 1.13
date: 2017/03/11 23:37:23; author: djm; state: Exp; lines: +14 -1; commitid: jnFKyHkB3CEiEZ2R;
fix signed integer overflow in scan_scaled. Found by Nicolas Iooss
using AFL against ssh_config. ok deraadt@ millert@
----------------------------
revision 1.12
date: 2013/11/29 19:00:51; author: deraadt; state: Exp; lines: +6 -5;
fairly simple unsigned char casts for ctype
ok krw
----------------------------
revision 1.11
date: 2012/11/12 14:07:20; author: halex; state: Exp; lines: +4 -2;
make scan_scaled set errno to EINVAL rather than ERANGE if it encounters
an invalid multiplier, like the man page says it should
"looks sensible" deraadt@, ok ian@
----------------------------
revision 1.10
date: 2009/06/20 15:00:04; author: martynas; state: Exp; lines: +4 -4;
use llabs instead of the home-grown version; and some comment changes
ok ian@, millert@
----------------------------
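The overflow handling described in the fmt_scaled.c rev 1.16 import and the rev 1.13 scan_scaled signed-overflow fix in this log, as an added example (constructed here, not OpenBSD's fmt_scaled.c): a simplified scan_scaled-style parser that checks both the multiplication and the addition while accumulating digits, accepts up to +/-LLONG_MAX, and sets EINVAL for a bad multiplier. It assumes an optional leading '-', integer digits and at most one suffix character (no fractional part), and uses the gcc/clang __builtin_*_overflow builtins.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
/* Constructed example, not OpenBSD's fmt_scaled.c: optional '-', digits, one
 * multiplier suffix, no fractional part. Returns 0 on success, or -1 with
 * errno = ERANGE (does not fit in long long) or EINVAL (bad syntax/suffix). */
static bool mul_ok(long long a, long long b, long long *o) { return !__builtin_mul_overflow(a, b, o); }
static bool add_ok(long long a, long long b, long long *o) { return !__builtin_add_overflow(a, b, o); }
/* Multiplier for a suffix character, or 0 if it is not a valid multiplier. */
static long long scale_of(char c)
{
    switch (c) {
    case '\0': case 'B': case 'b': return 1LL;
    case 'K': case 'k': return 1LL << 10;
    case 'M': case 'm': return 1LL << 20;
    case 'G': case 'g': return 1LL << 30;
    case 'T': case 't': return 1LL << 40;
    case 'P': case 'p': return 1LL << 50;
    case 'E': case 'e': return 1LL << 60;
    default: return 0;
    }
}
int scan_scaled_simple(const char *s, long long *result)
{
    long long val = 0, scale; int sign = 1;
    if (*s == '-') { sign = -1; s++; }
    if (!isdigit((unsigned char)*s)) { errno = EINVAL; return -1; }
    /* Accumulate the magnitude with a checked multiply AND a checked add:
     * val * 10 can fit while val * 10 + digit does not. Working on the
     * positive magnitude means -LLONG_MIN is rejected, as the log notes. */
    for (; isdigit((unsigned char)*s); s++)
        if (!mul_ok(val, 10, &val) || !add_ok(val, *s - '0', &val)) {
            errno = ERANGE; return -1;
        }
    scale = scale_of(*s);
    if (scale == 0 || (*s != '\0' && s[1] != '\0')) { errno = EINVAL; return -1; }
    if (!mul_ok(val, scale, &val)) { errno = ERANGE; return -1; }
    *result = sign * val;
    return 0;
}
/* Test helper: 1 if parsing s yields want_err (0 = success) and want_val. */
static int check(const char *s, int want_err, long long want_val)
{
    long long v = 0;
    errno = 0;
    if (scan_scaled_simple(s, &v) != 0) return errno == want_err;
    return want_err == 0 && v == want_val;
}
```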
djm@openbsd.org [Fri, 10 Mar 2017 05:01:13 +0000 (05:01 +0000)]
upstream commit
When updating hostkeys, accept RSA keys if
HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA
keys when any of the ssh-rsa-sha2-* methods was enabled in HostkeyAlgorithms
but ssh-rsa (SHA1 signatures) was not. bz#2650 reported by Luis Ressel; ok
dtucker@
djm@openbsd.org [Fri, 10 Mar 2017 04:27:32 +0000 (04:27 +0000)]
upstream commit
better match sshd config parser behaviour: fatal() if
line is overlong, increase line buffer to match sshd's; bz#2651 reported by
Don Fong; ok dtucker@
djm@openbsd.org [Fri, 10 Mar 2017 04:07:20 +0000 (04:07 +0000)]
upstream commit
fix regression in 7.4 server-sig-algs, where we were
accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@