diff options
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/dropbear-CVE-2018-15599.patch | 240 | ||||
-rw-r--r-- | gnu/packages/patches/libgit2-avoid-python.patch | 322 |
2 files changed, 322 insertions, 240 deletions
diff --git a/gnu/packages/patches/dropbear-CVE-2018-15599.patch b/gnu/packages/patches/dropbear-CVE-2018-15599.patch deleted file mode 100644 index a474552cd2..0000000000 --- a/gnu/packages/patches/dropbear-CVE-2018-15599.patch +++ /dev/null @@ -1,240 +0,0 @@ -Fix CVE-2018-15599: - -http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15599 - -Patch copied from upstream source repository: - -https://github.com/mkj/dropbear/commit/52adbb34c32d3e2e1bcdb941e20a6f81138b8248 - -From 52adbb34c32d3e2e1bcdb941e20a6f81138b8248 Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Thu, 23 Aug 2018 23:43:12 +0800 -Subject: [PATCH] Wait to fail invalid usernames - ---- - auth.h | 6 +++--- - svr-auth.c | 19 +++++-------------- - svr-authpam.c | 26 ++++++++++++++++++++++---- - svr-authpasswd.c | 27 ++++++++++++++------------- - svr-authpubkey.c | 11 ++++++++++- - 5 files changed, 54 insertions(+), 35 deletions(-) - -diff --git a/auth.h b/auth.h -index da498f5b..98f54683 100644 ---- a/auth.h -+++ b/auth.h -@@ -37,9 +37,9 @@ void recv_msg_userauth_request(void); - void send_msg_userauth_failure(int partial, int incrfail); - void send_msg_userauth_success(void); - void send_msg_userauth_banner(const buffer *msg); --void svr_auth_password(void); --void svr_auth_pubkey(void); --void svr_auth_pam(void); -+void svr_auth_password(int valid_user); -+void svr_auth_pubkey(int valid_user); -+void svr_auth_pam(int valid_user); - - #if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT - int svr_pubkey_allows_agentfwd(void); -diff --git a/svr-auth.c b/svr-auth.c -index c19c0901..edde86bc 100644 ---- a/svr-auth.c -+++ b/svr-auth.c -@@ -149,10 +149,8 @@ void recv_msg_userauth_request() { - if (methodlen == AUTH_METHOD_PASSWORD_LEN && - strncmp(methodname, AUTH_METHOD_PASSWORD, - AUTH_METHOD_PASSWORD_LEN) == 0) { -- if (valid_user) { -- svr_auth_password(); -- goto out; -- } -+ svr_auth_password(valid_user); -+ goto out; - } - } - #endif -@@ -164,10 +162,8 @@ void recv_msg_userauth_request() { - if (methodlen == AUTH_METHOD_PASSWORD_LEN && - strncmp(methodname, AUTH_METHOD_PASSWORD, - AUTH_METHOD_PASSWORD_LEN) == 0) { -- if (valid_user) { -- svr_auth_pam(); -- goto out; -- } -+ svr_auth_pam(valid_user); -+ goto out; - } - } - #endif -@@ -177,12 +173,7 @@ void recv_msg_userauth_request() { - if (methodlen == AUTH_METHOD_PUBKEY_LEN && - strncmp(methodname, AUTH_METHOD_PUBKEY, - AUTH_METHOD_PUBKEY_LEN) == 0) { -- if (valid_user) { -- svr_auth_pubkey(); -- } else { -- /* pubkey has no failure delay */ -- send_msg_userauth_failure(0, 0); -- } -+ svr_auth_pubkey(valid_user); - goto out; - } - #endif -diff --git a/svr-authpam.c b/svr-authpam.c -index 05e4f3e5..d201bc96 100644 ---- a/svr-authpam.c -+++ b/svr-authpam.c -@@ -178,13 +178,14 @@ pamConvFunc(int num_msg, - * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it - * gets very messy trying to send the interactive challenges, and read the - * interactive responses, over the network. */ --void svr_auth_pam() { -+void svr_auth_pam(int valid_user) { - - struct UserDataS userData = {NULL, NULL}; - struct pam_conv pamConv = { - pamConvFunc, - &userData /* submitted to pamvConvFunc as appdata_ptr */ - }; -+ const char* printable_user = NULL; - - pam_handle_t* pamHandlep = NULL; - -@@ -204,12 +205,23 @@ void svr_auth_pam() { - - password = buf_getstring(ses.payload, &passwordlen); - -+ /* We run the PAM conversation regardless of whether the username is valid -+ in case the conversation function has an inherent delay. -+ Use ses.authstate.username rather than ses.authstate.pw_name. -+ After PAM succeeds we then check the valid_user flag too */ -+ - /* used to pass data to the PAM conversation function - don't bother with - * strdup() etc since these are touched only by our own conversation - * function (above) which takes care of it */ -- userData.user = ses.authstate.pw_name; -+ userData.user = ses.authstate.username; - userData.passwd = password; - -+ if (ses.authstate.pw_name) { -+ printable_user = ses.authstate.pw_name; -+ } else { -+ printable_user = "<invalid username>"; -+ } -+ - /* Init pam */ - if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) { - dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", -@@ -242,7 +254,7 @@ void svr_auth_pam() { - rc, pam_strerror(pamHandlep, rc)); - dropbear_log(LOG_WARNING, - "Bad PAM password attempt for '%s' from %s", -- ses.authstate.pw_name, -+ printable_user, - svr_ses.addrstring); - send_msg_userauth_failure(0, 1); - goto cleanup; -@@ -253,12 +265,18 @@ void svr_auth_pam() { - rc, pam_strerror(pamHandlep, rc)); - dropbear_log(LOG_WARNING, - "Bad PAM password attempt for '%s' from %s", -- ses.authstate.pw_name, -+ printable_user, - svr_ses.addrstring); - send_msg_userauth_failure(0, 1); - goto cleanup; - } - -+ if (!valid_user) { -+ /* PAM auth succeeded but the username isn't allowed in for another reason -+ (checkusername() failed) */ -+ send_msg_userauth_failure(0, 1); -+ } -+ - /* successful authentication */ - dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s", - ses.authstate.pw_name, -diff --git a/svr-authpasswd.c b/svr-authpasswd.c -index bdee2aa1..69c7d8af 100644 ---- a/svr-authpasswd.c -+++ b/svr-authpasswd.c -@@ -48,22 +48,14 @@ static int constant_time_strcmp(const char* a, const char* b) { - - /* Process a password auth request, sending success or failure messages as - * appropriate */ --void svr_auth_password() { -+void svr_auth_password(int valid_user) { - - char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ - char * testcrypt = NULL; /* crypt generated from the user's password sent */ -- char * password; -+ char * password = NULL; - unsigned int passwordlen; -- - unsigned int changepw; - -- passwdcrypt = ses.authstate.pw_passwd; -- --#ifdef DEBUG_HACKCRYPT -- /* debugging crypt for non-root testing with shadows */ -- passwdcrypt = DEBUG_HACKCRYPT; --#endif -- - /* check if client wants to change password */ - changepw = buf_getbool(ses.payload); - if (changepw) { -@@ -73,12 +65,21 @@ void svr_auth_password() { - } - - password = buf_getstring(ses.payload, &passwordlen); -- -- /* the first bytes of passwdcrypt are the salt */ -- testcrypt = crypt(password, passwdcrypt); -+ if (valid_user) { -+ /* the first bytes of passwdcrypt are the salt */ -+ passwdcrypt = ses.authstate.pw_passwd; -+ testcrypt = crypt(password, passwdcrypt); -+ } - m_burn(password, passwordlen); - m_free(password); - -+ /* After we have got the payload contents we can exit if the username -+ is invalid. Invalid users have already been logged. */ -+ if (!valid_user) { -+ send_msg_userauth_failure(0, 1); -+ return; -+ } -+ - if (testcrypt == NULL) { - /* crypt() with an invalid salt like "!!" */ - dropbear_log(LOG_WARNING, "User account '%s' is locked", -diff --git a/svr-authpubkey.c b/svr-authpubkey.c -index aa6087c9..ff481c87 100644 ---- a/svr-authpubkey.c -+++ b/svr-authpubkey.c -@@ -79,7 +79,7 @@ static int checkfileperm(char * filename); - - /* process a pubkey auth request, sending success or failure message as - * appropriate */ --void svr_auth_pubkey() { -+void svr_auth_pubkey(int valid_user) { - - unsigned char testkey; /* whether we're just checking if a key is usable */ - char* algo = NULL; /* pubkey algo */ -@@ -102,6 +102,15 @@ void svr_auth_pubkey() { - keybloblen = buf_getint(ses.payload); - keyblob = buf_getptr(ses.payload, keybloblen); - -+ if (!valid_user) { -+ /* Return failure once we have read the contents of the packet -+ required to validate a public key. -+ Avoids blind user enumeration though it isn't possible to prevent -+ testing for user existence if the public key is known */ -+ send_msg_userauth_failure(0, 0); -+ goto out; -+ } -+ - /* check if the key is valid */ - if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) { - send_msg_userauth_failure(0, 0); diff --git a/gnu/packages/patches/libgit2-avoid-python.patch b/gnu/packages/patches/libgit2-avoid-python.patch new file mode 100644 index 0000000000..b2e5141563 --- /dev/null +++ b/gnu/packages/patches/libgit2-avoid-python.patch @@ -0,0 +1,322 @@ +This provides a Guile reimplementation of clar's "generate.py". +It makes it possible for us to remove Python from libgit2's build-time +dependencies. +libgit2 is used in order to fetch a lot of sources for guix packages. +Both Python2 and Python3 builds acted up in the past. +Hence this patch which makes the number of libgit2 dependencies very +small. +The reimplementation tries to keep as close as possible to the original +in both structure and runtime effect. Some things are thus overly +convoluted just to make them the same as in the original. + +Both implementations basically do: + +grep -r 'test_.*__.*' . > clar.suite + +It is important that the directory traversal order of the original and +the reimplementation stay the same. + +diff -ruN orig/libgit2-0.27.7/tests/CMakeLists.txt libgit2-0.27.7/tests/CMakeLists.txt +--- orig/libgit2-0.27.7/tests/CMakeLists.txt 1970-01-01 01:00:00.000000000 +0100 ++++ libgit2-0.27.7/tests/CMakeLists.txt 2019-03-04 11:13:06.640118979 +0100 +@@ -1,10 +1,3 @@ +-FIND_PACKAGE(PythonInterp) +- +-IF(NOT PYTHONINTERP_FOUND) +- MESSAGE(FATAL_ERROR "Could not find a python interpeter, which is needed to build the tests. " +- "Make sure python is available, or pass -DBUILD_CLAR=OFF to skip building the tests") +-ENDIF() +- + SET(CLAR_FIXTURES "${CMAKE_CURRENT_SOURCE_DIR}/resources/") + SET(CLAR_PATH "${CMAKE_CURRENT_SOURCE_DIR}") + ADD_DEFINITIONS(-DCLAR_FIXTURE_PATH=\"${CLAR_FIXTURES}\") +@@ -21,7 +14,7 @@ + + ADD_CUSTOM_COMMAND( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/clar.suite +- COMMAND ${PYTHON_EXECUTABLE} generate.py -o "${CMAKE_CURRENT_BINARY_DIR}" -f -xonline -xstress -xperf . ++ COMMAND guile generate.scm -o "${CMAKE_CURRENT_BINARY_DIR}" -f -x online -x stress -x perf . + DEPENDS ${SRC_TEST} + WORKING_DIRECTORY ${CLAR_PATH} + ) +diff -ruN orig/libgit2-0.27.7/tests/generate.scm libgit2-0.27.7/tests/generate.scm +--- orig/libgit2-0.27.7/tests/generate.scm 1970-01-01 01:00:00.000000000 +0100 ++++ libgit2-0.27.7/tests/generate.scm 2019-03-04 12:18:00.688040975 +0100 +@@ -0,0 +1,277 @@ ++;; -*- geiser-scheme-implementation: guile -*- ++ ++;;; Implementation: Danny Milosavljevic <dannym@scratchpost.org> ++;;; Based on: Implementation in Python by Vicent Marti. ++;;; License: ISC, like the original generate.py in clar. ++ ++(use-modules (ice-9 ftw)) ++(use-modules (ice-9 regex)) ++(use-modules (ice-9 getopt-long)) ++(use-modules (ice-9 rdelim)) ++(use-modules (ice-9 match)) ++(use-modules (ice-9 textual-ports)) ++(use-modules (srfi srfi-1)) ++ ++(define (render-callback cb) ++ (if cb ++ (string-append " { \"" (assoc-ref cb "short-name") "\", &" ++ (assoc-ref cb "symbol") " }") ++ " { NULL, NULL }")) ++ ++(define (replace needle replacement haystack) ++ "Replace all occurences of NEEDLE in HAYSTACK by REPLACEMENT. ++NEEDLE is a regular expression." ++ (regexp-substitute/global #f needle haystack 'pre replacement 'post)) ++ ++(define (skip-comments* text) ++ (call-with-input-string ++ text ++ (lambda (port) ++ (let loop ((result '()) ++ (section #f)) ++ (define (consume-char) ++ (cons (read-char port) result)) ++ (define (skip-char) ++ (read-char port) ++ result) ++ (match section ++ (#f ++ (match (peek-char port) ++ (#\/ (loop (consume-char) 'almost-in-block-comment)) ++ (#\" (loop (consume-char) 'in-string-literal)) ++ (#\' (loop (consume-char) 'in-character-literal)) ++ ((? eof-object?) result) ++ (_ (loop (consume-char) section)))) ++ ('almost-in-block-comment ++ (match (peek-char port) ++ (#\* (loop (consume-char) 'in-block-comment)) ++ (#\/ (loop (consume-char) 'in-line-comment)) ++ ((? eof-object?) result) ++ (_ (loop (consume-char) #f)))) ++ ('in-line-comment ++ (match (peek-char port) ++ (#\newline (loop (consume-char) #f)) ++ ((? eof-object?) result) ++ (_ (loop (skip-char) section)))) ++ ('in-block-comment ++ (match (peek-char port) ++ (#\* (loop (skip-char) 'almost-out-of-block-comment)) ++ ((? eof-object?) result) ++ (_ (loop (skip-char) section)))) ++ ('almost-out-of-block-comment ++ (match (peek-char port) ++ (#\/ (loop (cons (read-char port) (cons #\* result)) #f)) ++ (#\* (loop (skip-char) 'almost-out-of-block-comment)) ++ ((? eof-object?) result) ++ (_ (loop (skip-char) 'in-block-comment)))) ++ ('in-string-literal ++ (match (peek-char port) ++ (#\\ (loop (consume-char) 'in-string-literal-escape)) ++ (#\" (loop (consume-char) #f)) ++ ((? eof-object?) result) ++ (_ (loop (consume-char) section)))) ++ ('in-string-literal-escape ++ (match (peek-char port) ++ ((? eof-object?) result) ++ (_ (loop (consume-char) 'in-string-literal)))) ++ ('in-character-literal ++ (match (peek-char port) ++ (#\\ (loop (consume-char) 'in-character-literal-escape)) ++ (#\' (loop (consume-char) #f)) ++ ((? eof-object?) result) ++ (_ (loop (consume-char) section)))) ++ ('in-character-literal-escape ++ (match (peek-char port) ++ ((? eof-object?) result) ++ (_ (loop (consume-char) 'in-character-literal))))))))) ++ ++(define (skip-comments text) ++ (list->string (reverse (skip-comments* text)))) ++ ++(define (maybe-only items) ++ (match items ++ ((a) a) ++ (_ #f))) ++ ++(define (Module name path excludes) ++ (let* ((clean-name (replace "_" "::" name)) ++ (enabled (not (any (lambda (exclude) ++ (string-prefix? exclude clean-name)) ++ excludes)))) ++ (define (parse contents) ++ (define (cons-match match prev) ++ (cons ++ `(("declaration" . ,(match:substring match 1)) ++ ("symbol" . ,(match:substring match 2)) ++ ("short-name" . ,(match:substring match 3))) ++ prev)) ++ (let* ((contents (skip-comments contents)) ++ (entries (fold-matches (make-regexp ++ (string-append "^(void\\s+(test_" ++ name ++ "__(\\w+))\\s*\\(\\s*void\\s*\\))\\s*\\{") ++ regexp/newline) ++ contents ++ '() ++ cons-match)) ++ (entries (reverse entries)) ++ (callbacks (filter (lambda (entry) ++ (match (assoc-ref entry "short-name") ++ ("initialize" #f) ++ ("cleanup" #f) ++ (_ #t))) ++ entries))) ++ (if (> (length callbacks) 0) ++ `(("name" . ,name) ++ ("enabled" . ,(if enabled "1" "0")) ++ ("clean-name" . ,clean-name) ++ ("initialize" . ,(maybe-only (filter-map (lambda (entry) ++ (match (assoc-ref entry "short-name") ++ ("initialize" entry) ++ (_ #f))) ++ entries))) ++ ("cleanup" . ,(maybe-only (filter-map (lambda (entry) ++ (match (assoc-ref entry "short-name") ++ ("cleanup" entry) ++ (_ #f))) ++ entries))) ++ ("callbacks" . ,callbacks)) ++ #f))) ++ ++ (define (refresh path) ++ (and (file-exists? path) ++ (parse (call-with-input-file path get-string-all)))) ++ (refresh path))) ++ ++(define (generate-TestSuite path output excludes) ++ (define (load) ++ (define enter? (const #t)) ++ (define (leaf file stat result) ++ (let* ((module-root (string-drop (dirname file) ++ (string-length path))) ++ (module-root (filter-map (match-lambda ++ ("" #f) ++ (a a)) ++ (string-split module-root #\/)))) ++ (define (make-module path) ++ (let* ((name (string-join (append module-root (list (string-drop-right (basename path) (string-length ".c")))) "_")) ++ (name (replace "-" "_" name))) ++ (Module name path excludes))) ++ (if (string-suffix? ".c" file) ++ (let ((module (make-module file))) ++ (if module ++ (cons module result) ++ result)) ++ result))) ++ (define (down dir stat result) ++ result) ++ (define (up file state result) ++ result) ++ (define skip (const #f)) ++ (file-system-fold enter? leaf down up skip error '() path)) ++ ++ (define (CallbacksTemplate module) ++ (string-append "static const struct clar_func _clar_cb_" ++ (assoc-ref module "name") "[] = {\n" ++ (string-join (map render-callback ++ (assoc-ref module "callbacks")) ++ ",\n") ++ "\n};\n")) ++ ++ (define (DeclarationTemplate module) ++ (string-append (string-join (map (lambda (cb) ++ (string-append "extern " ++ (assoc-ref cb "declaration") ++ ";")) ++ (assoc-ref module "callbacks")) ++ "\n") ++ "\n" ++ (if (assoc-ref module "initialize") ++ (string-append "extern " (assoc-ref (assoc-ref module "initialize") "declaration") ";\n") ++ "") ++ (if (assoc-ref module "cleanup") ++ (string-append "extern " (assoc-ref (assoc-ref module "cleanup") "declaration") ";\n") ++ ""))) ++ ++ (define (InfoTemplate module) ++ (string-append " ++ { ++ \"" (assoc-ref module "clean-name") "\", ++ " (render-callback (assoc-ref module "initialize")) ", ++ " (render-callback (assoc-ref module "cleanup")) ", ++ _clar_cb_" (assoc-ref module "name") ", " ++ (number->string (length (assoc-ref module "callbacks"))) ++ ", " (assoc-ref module "enabled") " ++ }")) ++ ++ (define (Write data) ++ (define (name< module-a module-b) ++ (string<? (assoc-ref module-a "name") ++ (assoc-ref module-b "name"))) ++ (define modules (sort (load) name<)) ++ ++ (define (suite-count) ++ (length modules)) ++ ++ (define (callback-count) ++ (fold + 0 (map (lambda (entry) ++ (length (assoc-ref entry "callbacks"))) ++ modules))) ++ ++ (define (display-x value) ++ (display value data)) ++ ++ (for-each (compose display-x DeclarationTemplate) modules) ++ (for-each (compose display-x CallbacksTemplate) modules) ++ ++ (display-x "static struct clar_suite _clar_suites[] = {") ++ (display-x (string-join (map InfoTemplate modules) ",")) ++ (display-x "\n};\n") ++ ++ (let ((suite-count-str (number->string (suite-count))) ++ (callback-count-str (number->string (callback-count)))) ++ (display-x "static const size_t _clar_suite_count = ") ++ (display-x suite-count-str) ++ (display-x ";\n") ++ ++ (display-x "static const size_t _clar_callback_count = ") ++ (display-x callback-count-str) ++ (display-x ";\n") ++ ++ (display (string-append "Written `clar.suite` (" ++ callback-count-str ++ " tests in " ++ suite-count-str ++ " suites)")) ++ (newline)) ++ #t) ++ ++ (call-with-output-file (string-append output "/clar.suite") Write)) ++ ++;;; main ++ ++(define (main) ++ (define option-spec ++ '((force (single-char #\f) (value #f)) ++ (exclude (single-char #\x) (value #t)) ++ (output (single-char #\o) (value #t)) ++ (help (single-char #\h) (value #f)))) ++ ++ (define options (getopt-long (command-line) option-spec #:stop-at-first-non-option #t)) ++ (define args (reverse (option-ref options '() '()))) ++ (when (> (length args) 1) ++ (display "More than one path given\n") ++ (exit 1)) ++ ++ (if (< (length args) 1) ++ (set! args '("."))) ++ ++ (let* ((path (car args)) ++ (output (option-ref options 'output path)) ++ (excluded (filter-map (match-lambda ++ (('exclude . value) value) ++ (_ #f)) ++ options))) ++ (generate-TestSuite path output excluded))) ++ ++(main) |