diff --git a/openssh-4.3p2-allow-ip-opts.patch b/openssh-4.3p2-allow-ip-opts.patch
deleted file mode 100644
index 9413dd8..0000000
--- a/openssh-4.3p2-allow-ip-opts.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From: Paul Moore
-Subject: OpenSSH: fix option handling on incoming connections
-
-OpenSSH rejects incoming connections if any IP options are present when the
-comments state that they are only concerned with source routing options. This
-connection rejection causes problems with CIPSO which uses IP options to tag
-packets with security attributes.
-
-This patch modifies the check_ip_options() function to only fail if loose or
-strict source routing options are present, all other options are allowed.
-
-Signed-off-by: Paul Moore
-
----
- canohost.c | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-Index: openssh-4.3p2/canohost.c
-===================================================================
---- openssh-4.3p2.orig/canohost.c
-+++ openssh-4.3p2/canohost.c
-@@ -146,6 +146,7 @@ check_ip_options(int sock, char *ipaddr)
- u_int i;
- int ipproto;
- struct protoent *ip;
-+ u_int opt_iter;
-
- if ((ip = getprotobyname("ip")) != NULL)
- ipproto = ip->p_proto;
-@@ -154,13 +155,23 @@ check_ip_options(int sock, char *ipaddr)
- option_size = sizeof(options);
- if (getsockopt(sock, ipproto, IP_OPTIONS, options,
- &option_size) >= 0 && option_size != 0) {
-- text[0] = '\0';
-- for (i = 0; i < option_size; i++)
-- snprintf(text + i*3, sizeof(text) - i*3,
-- " %2.2x", options[i]);
-- fatal("Connection from %.100s with IP options:%.800s",
-- ipaddr, text);
-+ opt_iter = 0;
-+ do {
-+ /* Fail, fatally, if we detect either loose or strict
-+ * source routing options. */
-+ if (options[opt_iter] == 131 ||
-+ options[opt_iter] == 137)
-+ goto fail;
-+ opt_iter += options[opt_iter + 1] + 2;
-+ } while (opt_iter < option_size);
- }
-+ return;
-+
-+fail:
-+ text[0] = '\0';
-+ for (i = 0; i < option_size; i++)
-+ snprintf(text + i*3, sizeof(text) - i*3, " %2.2x", options[i]);
-+ fatal("Connection from %.100s with IP options:%.800s", ipaddr, text);
- #endif /* IP_OPTIONS */
- }
- 
diff --git a/openssh-5.2p1-allow-ip-opts.patch b/openssh-5.2p1-allow-ip-opts.patch
new file mode 100644
index 0000000..96aaab1
--- /dev/null
+++ b/openssh-5.2p1-allow-ip-opts.patch
@@ -0,0 +1,37 @@
+diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c
+--- openssh-5.2p1/canohost.c.ip-opts 2009-02-14 06:28:21.000000000 +0100
++++ openssh-5.2p1/canohost.c 2009-09-01 15:31:29.000000000 +0200
+@@ -169,12 +169,27 @@ check_ip_options(int sock, char *ipaddr)
+ option_size = sizeof(options);
+ if (getsockopt(sock, ipproto, IP_OPTIONS, options,
+ &option_size) >= 0 && option_size != 0) {
+- text[0] = '\0';
+- for (i = 0; i < option_size; i++)
+- snprintf(text + i*3, sizeof(text) - i*3,
+- " %2.2x", options[i]);
+- fatal("Connection from %.100s with IP options:%.800s",
+- ipaddr, text);
++ i = 0;
++ do {
++ switch (options[i]) {
++ case 0:
++ case 1:
++ ++i;
++ break;
++ case 131:
++ case 137:
++ /* Fail, fatally, if we detect either loose or strict
++ * source routing options. */
++ text[0] = '\0';
++ for (i = 0; i < option_size; i++)
++ snprintf(text + i*3, sizeof(text) - i*3,
++ " %2.2x", options[i]);
++ fatal("Connection from %.100s with IP options:%.800s",
++ ipaddr, text);
++ default:
++ i += options[i + 1];
++ }
++ } while (i < option_size);
+ }
+ #endif /* IP_OPTIONS */
+ }
diff --git a/openssh.spec b/openssh.spec
index 13d3e77..33478f2 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -63,7 +63,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.2p1
-Release: 22%{?dist}%{?rescue_rel}
+Release: 23%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
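Review bot: The `default:` arm of the new switch in the 5.2p1 patch advances `i` by the option's own length octet without validating it, so a length of 0 or 1 leaves `i` unchanged and the do/while never terminates, and when `i + 1 == option_size` the length is read from a byte getsockopt() did not fill. The kernel is expected to reject such malformed options before they reach a socket, but sshd should not rely on that for its own loop bound; RFC 791 defines the length octet as covering the type and length bytes, so any value below 2 is malformed. I would guard the arm before advancing: `if (i + 1 >= option_size || options[i + 1] < 2)` / `fatal("Connection from %.100s with malformed IP options", ipaddr);` / `i += options[i + 1];`. The `case 131:`/`case 137:` arm also falls through into `default:` syntactically and is only correct because fatal() does not return, so a `/* NOTREACHED */` comment after the fatal() call would make that dependency explicit. check_ip_options() begins outside the hunk, so the declarations of `i`, `options` and `option_size` are not visible here.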
@@ -468,6 +468,9 @@ fi
 %endif
 %changelog
+* Tue Sep 1 2009 Jan F. Chadima - 5.2p1-23
+- add correct patch for ip-opts
+
 * Tue Sep 1 2009 Jan F. Chadima - 5.2p1-22
 - replace ip-opts patch by an upstream candidate version