From 76fc4757ac91ac7947a01fb7b53dddf9a78a01d1 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Mon, 4 Nov 2013 17:08:47 +0000 Subject: Slackware 14.1 Mon Nov 4 17:08:47 UTC 2013 Slackware 14.1 x86_64 stable is released! It's been another interesting release cycle here at Slackware bringing new features like support for UEFI machines, updated compilers and development tools, the switch from MySQL to MariaDB, and many more improvements throughout the system. Thanks to the team, the upstream developers, the dedicated Slackware community, and everyone else who pitched in to help make this release a reality. The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware project by picking up a copy from store.slackware.com. We're taking pre-orders now, and offer a discount if you sign up for a subscription. Have fun! :-) --- source/installer/dropbear/dropbear.Slackbuild | 57 ++++++++++++-------- .../installer/dropbear/dropbear.glibc.crypt.diff | 28 ++++++++++ source/installer/dropbear/dropbear.xauth.patch | 8 +-- .../installer/dropbear/dropbear_dbclientpath.patch | 16 +++--- source/installer/dropbear/dropbear_emptypass.patch | 63 +++++----------------- 5 files changed, 86 insertions(+), 86 deletions(-) create mode 100644 source/installer/dropbear/dropbear.glibc.crypt.diff (limited to 'source/installer')
diff --git a/source/installer/dropbear/dropbear.Slackbuild b/source/installer/dropbear/dropbear.Slackbuild
index 5bd3bd99d..37ab7c012 100755
--- a/source/installer/dropbear/dropbear.Slackbuild
+++ b/source/installer/dropbear/dropbear.Slackbuild
@@ -23,11 +23,18 @@ # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PRGNAM=dropbear -VERSION=0.50 -ARCH=${ARCH:-i486} +VERSION=2012.55 BUILD=${BUILD:-10} TAG=${TAG:-''} +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i486 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + # The programs we want to have as symlinks to dropbearmulti binary: PROGS="dropbear dbclient dropbearkey dropbearconvert scp ssh" @@ -36,33 +43,37 @@ PROGS="dropbear dbclient dropbearkey dropbearconvert scp ssh" # and adding symlinks for ssh and scp without worry # about overwriting any pre-existing binaries. -CWD=`pwd` +CWD=$(pwd) TMP=${TMP:-/tmp} PKG=$TMP/pkg-$PRGNAM -OUTPUT=${OUTPUT:-/tmp} -if [ "$ARCH" = "i386" ]; then - SLKCFLAGS="-O2 -march=i386 -mcpu=i686" -elif [ "$ARCH" = "i486" ]; then +if [ "$ARCH" = "i486" ]; then SLKCFLAGS="-O2 -march=i486 -mtune=i686" -elif [ "$ARCH" = "s390" ]; then - SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +else SLKCFLAGS="-O2" + LIBDIRSUFFIX="" fi rm -rf $PKG -mkdir -p $TMP $PKG $OUTPUT +mkdir -p $TMP $PKG cd $TMP || exit 1 rm -rf $PRGNAM-$VERSION tar xvf $CWD/$PRGNAM-$VERSION.tar.bz2 || exit 1 cd $PRGNAM-$VERSION || exit 1 -# Fix ownership and permissions inside the source tarball. -# It's appalling how many projects have 777 permissions or -# even suid, sgid, and sticky bits set on things. chown -R root:root . -chmod -R u+w,go+r-w,a-s . +find . \ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \; # Patch to allow empty passwords (used in Slackware's installer): patch -p1 < $CWD/dropbear_emptypass.patch 
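Review bot: The new `find . \( -perm 777 -o … \) -exec chmod 755 {} \; …` in the @@ -36,33 hunk only rewrites files whose mode exactly equals one of the listed values, so anything else in the upstream tarball (for example 4755 or 776) is left as shipped. The removed `chmod -R u+w,go+r-w,a-s .` cleared setuid/setgid bits and group/other write on every file. If the find-based normalization is wanted, follow it with an explicit strip such as `chmod -R a-s,go-w .`. The removed comment explaining why the permissions are normalized is also worth keeping, since the new list gives no hint of its purpose.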
@@ -70,6 +81,8 @@ patch -p1 < $CWD/dropbear_emptypass.patch patch -p0 < $CWD/dropbear.xauth.patch # Change the path used for dbclient because our prefix is '/' not '/usr': patch -p1 < $CWD/dropbear_dbclientpath.patch +# Patch for new glibc crypt() that may return NULL: +patch -p1 < $CWD/dropbear.glibc.crypt.diff CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ @@ -96,10 +109,8 @@ cp dbclient.1 $PKG/usr/man/man1 cp dropbearkey.8 dropbear.8 $PKG/usr/man/man8 if [ -d $PKG/usr/man ]; then - (cd $PKG/usr/man - find . -type f -exec gzip -9 {} \; - for i in `find . -type l` ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done - ) + find $PKG/usr/man -type f -exec gzip -9 {} \; + for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done fi # Link binaries to dropbearmulti since the 'make install' does not do that @@ -111,10 +122,10 @@ fi done ) -(cd $PKG - find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null - find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null -) +make install DESTDIR=$PKG + +find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | \ + grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true mkdir -p $PKG/etc/rc.d $PKG/etc/dropbear cp $CWD/rc.dropbear.new $PKG/etc/rc.d/ # doinst.sh will handle .new @@ -128,4 +139,4 @@ cat $CWD/slack-desc > $PKG/install/slack-desc cat $CWD/doinst.sh > $PKG/install/doinst.sh cd $PKG -/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz +/sbin/makepkg -l y -c n $TMP/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz diff --git a/source/installer/dropbear/dropbear.glibc.crypt.diff b/source/installer/dropbear/dropbear.glibc.crypt.diff new file mode 100644 index 000000000..3184210dd --- /dev/null +++ b/source/installer/dropbear/dropbear.glibc.crypt.diff 
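Review bot: The added `patch -p1 < $CWD/dropbear.glibc.crypt.diff` in the @@ -70,6 hunk has no failure check, and neither do the neighbouring patch lines. Unless the script sets `-e` outside the visible hunks, a patch that stops applying is skipped and the build still produces a package, in this case without the crypt() NULL guard. The script already uses `|| exit 1` for `tar` and `cd`, so the line should read `patch -p1 < $CWD/dropbear.glibc.crypt.diff || exit 1`. The same applies to `make install DESTDIR=$PKG` added in the @@ -111,10 hunk, where the following `|| true` on the strip pipeline makes a failed install even harder to notice.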
@@ -0,0 +1,28 @@ + +# HG changeset patch +# User Matt Johnston +# Date 1367250157 -28800 +# Node ID 7bd88d546627ff31d0e2d91e6022b3e77a943efb +# Parent ea04e3eb03e2c3d59d82e361882711de844068a4 +Avoid segfault for locked accounts (invalid salt to crypt()) + +diff -r ea04e3eb03e2 -r 7bd88d546627 svr-authpasswd.c +--- a/svr-authpasswd.c Thu Apr 18 23:15:17 2013 +0800 ++++ b/svr-authpasswd.c Mon Apr 29 23:42:37 2013 +0800 +@@ -66,6 +66,14 @@ + m_burn(password, passwordlen); + m_free(password); + ++ if (testcrypt == NULL) { ++ /* crypt() with an invalid salt like "!!" */ ++ dropbear_log(LOG_WARNING, "User account '%s' is locked", ++ ses.authstate.pw_name); ++ send_msg_userauth_failure(0, 1); ++ return; ++ } ++ + /* check for empty password */ + if (passwdcrypt[0] == '\0') { + dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", + + diff --git a/source/installer/dropbear/dropbear.xauth.patch b/source/installer/dropbear/dropbear.xauth.patch index d01e15e04..e32f0c644 100644 --- a/source/installer/dropbear/dropbear.xauth.patch +++ b/source/installer/dropbear/dropbear.xauth.patch @@ -1,10 +1,10 @@ ---- options.h.old 2008-01-29 11:54:45.000000000 -0200 -+++ options.h 2008-01-29 11:54:52.000000000 -0200 -@@ -197,7 +197,7 @@ +--- options.h.orig 2013-06-21 21:50:34.859528230 -0500 ++++ options.h 2013-06-21 21:52:59.208516285 -0500 +@@ -243,7 +243,7 @@ /* The command to invoke for xauth when using X11 forwarding. * "-q" for quiet */ #ifndef XAUTH_COMMAND --#define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q" +-#define XAUTH_COMMAND "/usr/bin/X11/xauth -q" +#define XAUTH_COMMAND "/usr/bin/xauth -q" #endif diff --git a/source/installer/dropbear/dropbear_dbclientpath.patch b/source/installer/dropbear/dropbear_dbclientpath.patch index ef5cddc79..781349f83 100644 --- a/source/installer/dropbear/dropbear_dbclientpath.patch +++ b/source/installer/dropbear/dropbear_dbclientpath.patch 
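Review bot: In dropbear.glibc.crypt.diff the added `if (testcrypt == NULL)` branch logs every NULL from crypt() as "User account '%s' is locked" and sits before the `passwdcrypt[0] == '\0'` blank-password check. crypt() may presumably return NULL for other reasons too, such as an empty or unsupported hash field, so the log line could mislabel those cases for anyone reading auth logs. On an account with an empty password field the blank-password branch below might also never be reached, which is worth confirming because this same build turns on ALLOW_BLANK_PASSWORD. A neutral message such as `"crypt() failed for user '%s', rejecting"` would keep the log accurate. The function body starts and ends outside the hunk, so the ordering against the rest of the function cannot be checked from here.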
@@ -1,12 +1,12 @@ -diff -uarN dropbear-0.50.orig/options.h dropbear-0.50/options.h ---- dropbear-0.50.orig/options.h 2007-08-08 18:39:38.000000000 +0200 -+++ dropbear-0.50/options.h 2008-03-10 14:43:29.261618300 +0100 -@@ -209,7 +209,7 @@ - +diff -Nur dropbear-2012.55.orig/options.h dropbear-2012.55/options.h +--- dropbear-2012.55.orig/options.h 2012-02-23 07:47:06.000000000 -0600 ++++ dropbear-2012.55/options.h 2012-04-07 15:12:46.040452209 -0500 +@@ -255,7 +255,7 @@ + /* This is used by the scp binary when used as a client binary. If you're * not using the Dropbear client, you'll need to change it */ -#define _PATH_SSH_PROGRAM "/usr/bin/dbclient" +#define _PATH_SSH_PROGRAM "/bin/dbclient" - - /* Whether to log commands executed by a client. This only logs the - * (single) command sent to the server, not what a user did in a + + /* Whether to log commands executed by a client. This only logs the + * (single) command sent to the server, not what a user did in a diff --git a/source/installer/dropbear/dropbear_emptypass.patch b/source/installer/dropbear/dropbear_emptypass.patch index 995b4d5c5..259240082 100644 --- a/source/installer/dropbear/dropbear_emptypass.patch +++ b/source/installer/dropbear/dropbear_emptypass.patch 
@@ -1,51 +1,12 @@ -diff -uarN dropbear-0.50.orig/options.h dropbear-0.50/options.h ---- dropbear-0.50.orig/options.h 2007-08-08 17:39:37.000000000 +0200 -+++ dropbear-0.50/options.h 2008-02-01 00:22:07.000000000 +0100 -@@ -148,6 +148,9 @@ - * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ - #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" - -+/* disable server empty password check because root has no password on EZX */ -+#define DISABLE_SVR_EMPTY_PASSWD_CHECK -+ - /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of - * a helper program for the ssh client. The helper program should be - * specified in the SSH_ASKPASS environment variable, and dbclient -diff -uarN dropbear-0.50.orig/svr-auth.c dropbear-0.50/svr-auth.c ---- dropbear-0.50.orig/svr-auth.c 2007-08-08 17:39:37.000000000 +0200 -+++ dropbear-0.50/svr-auth.c 2008-02-01 00:22:07.000000000 +0100 -@@ -236,6 +236,7 @@ - return DROPBEAR_FAILURE; - } - -+#ifndef DISABLE_SVR_EMPTY_PASSWD_CHECK - /* check for an empty password */ - if (ses.authstate.pw->pw_passwd[0] == '\0') { - TRACE(("leave checkusername: empty pword")) -@@ -244,6 +245,7 @@ - send_msg_userauth_failure(0, 1); - return DROPBEAR_FAILURE; - } -+#endif - - TRACE(("shell is %s", ses.authstate.pw->pw_shell)) - -diff -uarN dropbear-0.50.orig/svr-authpasswd.c dropbear-0.50/svr-authpasswd.c ---- dropbear-0.50.orig/svr-authpasswd.c 2007-08-08 17:39:37.000000000 +0200 -+++ dropbear-0.50/svr-authpasswd.c 2008-02-01 00:23:00.000000000 +0100 -@@ -60,6 +60,7 @@ - passwdcrypt = DEBUG_HACKCRYPT; - #endif - -+#ifndef DISABLE_SVR_EMPTY_PASSWD_CHECK - /* check for empty password - need to do this again here - * since the shadow password may differ to that tested - * in auth.c */ -@@ -69,6 +70,7 @@ - send_msg_userauth_failure(0, 1); - return; - } -+#endif - - /* check if client wants to change password */ - changepw = buf_getbool(ses.payload); +diff -Nur dropbear-2012.55.orig/options.h dropbear-2012.55/options.h +--- 
dropbear-2012.55.orig/options.h 2012-02-23 07:47:06.000000000 -0600 ++++ dropbear-2012.55/options.h 2012-04-07 15:09:15.676322495 -0500 +@@ -180,7 +180,7 @@ + * Public key logins are allowed for blank-password accounts regardless of this + * setting. PAM is not affected by this setting, it uses the normal pam.d + * settings ('nullok' option) */ +-/* #define ALLOW_BLANK_PASSWORD */ ++#define ALLOW_BLANK_PASSWORD + + #define ENABLE_CLI_PASSWORD_AUTH + #define ENABLE_CLI_PUBKEY_AUTH -- cgit v1.2.3
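Review bot: The rewritten dropbear_emptypass.patch switches on `#define ALLOW_BLANK_PASSWORD` with no comment saying why, whereas the patch it replaces carried an explanation beside its define. Judging by the name and the surrounding options.h comment, this lets accounts with a blank password log in by password. A comment above the define, such as `/* Slackware installer only: root has no password in the install environment */`, would stop the setting being copied into a build meant for an installed system. The SlackBuild's own remark ("used in Slackware's installer") states the intent but is not visible to someone reading the patched options.h.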