wok-current view openssh/receipt @ rev 25725

Patch openssh CVE-2024-6387
author Stanislas Leduc <shann@slitaz.org>
date Mon Jul 01 15:09:44 2024 +0000 (5 months ago)
parents c848b3839e4a
children
line source
1 # SliTaz package receipt.
2
3 PACKAGE="openssh"
4 VERSION="9.6p1"
5 CATEGORY="security"
6 TAGS="ssh security"
7 SHORT_DESC="Openbsd Secure Shell."
8 MAINTAINER="pascal.bellard@slitaz.org"
9 LICENSE="BSD"
10 WEB_SITE="https://www.openssh.com/"
11
12 TARBALL="$PACKAGE-$VERSION.tar.gz"
13 WGET_URL="https://ftp.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/$TARBALL"
14
15 PROVIDE="ssh"
16 SUGGESTED="gtk+"
17 DEPENDS="libcrypto sftp-server zlib"
18 BUILD_DEPENDS="gtk+-dev glib-dev libcrypto-dev openssl-dev zlib-dev"
19 SPLIT="sftp-server"
20 TAZPANEL_DAEMON="man::sshd|edit::/etc/ssh/sshd_config|options|web::$WEB_SITE"
21
22 CONFIG_FILES="/etc/ssh/*config /etc/ssh/moduli"
23 SECRET_FILES="/etc/ssh/*key*"
24
25 HOST_ARCH="i486 arm"
26
27 # @maintainer: Please update also sftp-server
28
29 current_version()
30 {
31 wget -O - ${WGET_URL%/*}/ 2>/dev/null | \
32 sed '/tar..z"/!d;s|.*ssh-\(.*\).tar..z".*|\1|' | tail -n1
33 }
34
35 # Rules to configure and make the package.
36 compile_rules()
37 {
38 # Patch CVE-2024-6387
39 # see https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
40 patch -p1 < $stuff/CVE-2024-6387.patch
41
42 unset LD # for cross compiling with --disable-strip
43 ./configure \
44 --prefix=/usr \
45 --sysconfdir=/etc/ssh \
46 --libexecdir=/usr/sbin \
47 --with-privsep-user=nobody \
48 --with-xauth=/usr/bin/xauth \
49 --with-privsep-path=/var/run/sshd \
50 --without-pam \
51 --disable-strip \
52 $CONFIGURE_ARGS &&
53 make STRIP_OPT="" &&
54 make install -j 1 DESTDIR=$DESTDIR
55 install -d -m 755 $DESTDIR/usr/share/doc &&
56 install -m 644 $src/[A-Z][A-Z]* $DESTDIR/usr/share/doc
57 cd contrib &&
58 cc -Wall $(pkg-config --cflags gtk+-2.0) gnome-ssh-askpass2.c \
59 -o gnome-ssh-askpass $(pkg-config --libs gtk+-2.0) -lX11 &&
60 cp gnome-ssh-askpass $DESTDIR/usr/bin/ssh-askpass
61 }
62
63 # Rules to gen a SliTaz package suitable for Tazpkg.
64 genpkg_rules()
65 {
66 mkdir -p $fs/usr
67 mkdir -p $fs/etc/init.d
68 mkdir -p $fs/etc/ssh
69
70 cp -a $install/usr/sbin $fs/usr
71 cp -a $install/usr/bin $fs/usr
72 rm -f $fs/usr/sbin/sftp-server
73 install -m 755 -oroot -groot $src/contrib/ssh-copy-id \
74 $fs/usr/bin
75 cp $src/contrib/ssh-copy-id.1 $install/usr/share/man/cat1
76 cp -a $install/etc $fs
77 cp $stuff/openssh $fs/etc/init.d
78 sed -i 's|/usr/libexec/sftp-server|/usr/sbin/sftp-server|' \
79 $fs/etc/ssh/sshd_config
80
81 cat >> $fs/etc/ssh/ssh_config <<EOT
82
83 # client bug CVE-2016-0777 and CVE-2016-0778
84 Host *
85 UseRoaming no
86
87 # From https://wiki.gentoo.org/wiki/SSH_jump_host
88 Host *+*
89 ProxyCommand ssh \$(echo %h | sed 's/+[^+]*$//;s/\\([^+%%]*\\)%%\\([^+]*\\)\$/\\2 -l \\1/;s/:/ -p /') exec nc -w1 \$(echo %h | sed 's/^.*+//;/:/!s/\$/ %p/;s/:/ /')
90
91 EOT
92 }
93
94 post_install()
95 {
96 grep -q ssh "$1/etc/inetd.conf" ||
97 cat >> "$1/etc/inetd.conf" <<EOT
98 #ssh stream tcp nowait root sshd sshd -i
99 EOT
100 while read dropbear openssh
101 do
102 [ -s "$1$dropbear" ] || continue
103 [ -s "$1$openssh" ] && continue
104 chroot "$1/" dropbearconvert dropbear openssh $dropbear $openssh
105 chroot "$1/" dropbearkey -y -f $dropbear | grep ssh > "$1$openssh.pub"
106 chroot "$1/" dropbearkey -y -f $dropbear | grep Fingerprint
107 done <<EOT
108 /etc/dropbear/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key
109 /etc/dropbear/dropbear_dss_host_key /etc/ssh/ssh_host_dsa_key
110 /etc/dropbear/dropbear_ecdsa_host_key /etc/ssh/ssh_host_ecdsa_key
111 /etc/dropbear/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key
112 EOT
113
114 chroot "$1/" ssh-keygen -A
115 }
116
117 post_remove()
118 {
119 grep -q sshd "$1/etc/inetd.conf" &&
120 sed -i '/sshd/d' "$1/etc/inetd.conf"
121 }