From 96d3631f52312f0cdbb7f764aeb3586063ba1b50 Mon Sep 17 00:00:00 2001 From: Waldemar Brodkorb Date: Tue, 15 Nov 2005 10:20:12 +0000 Subject: [PATCH] security update, fixes #52 SVN-Revision: 2494 --- openwrt/package/base-files/default/etc/banner | 2 +- openwrt/package/openswan/Makefile | 10 +- .../openswan/patches/pluto-includes.patch | 25 +- .../package/openswan/patches/scripts.patch | 217 +++++++++--------- .../target/linux/package/openswan/Makefile | 5 +- 5 files changed, 120 insertions(+), 139 deletions(-) diff --git a/openwrt/package/base-files/default/etc/banner b/openwrt/package/base-files/default/etc/banner index 374aad427e..50805eff3a 100644 --- a/openwrt/package/base-files/default/etc/banner +++ b/openwrt/package/base-files/default/etc/banner @@ -3,7 +3,7 @@ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M - WHITE RUSSIAN (RC3) ------------------------------- + WHITE RUSSIAN (RC4) ------------------------------- * 2 oz Vodka Mix the Vodka and Kahlua together * 1 oz Kahlua over ice, then float the cream or * 1/2oz cream milk on the top. diff --git a/openwrt/package/openswan/Makefile b/openwrt/package/openswan/Makefile index 0e92d8a1b0..39ff4af089 100644 --- a/openwrt/package/openswan/Makefile +++ b/openwrt/package/openswan/Makefile @@ -3,9 +3,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openswan -PKG_VERSION:=2.3.1 +PKG_VERSION:=2.4.2 PKG_RELEASE:=1 -PKG_MD5SUM:=3dcf1cd7efcbe8db3148fc288d429db1 +PKG_MD5SUM:=38c7ad91312bdd67fa57fe987b21183e PKG_SOURCE_URL:=http://www.openswan.org/download PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz 
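Review bot: The updated `PKG_MD5SUM` is the only integrity check visible for the new tarball, and `PKG_SOURCE_URL` still fetches it over plain `http://`. MD5 is not collision-resistant, so this pin protects against a corrupted download far better than against a tampered mirror or an on-path rewrite. It would help to record how the new value was verified, for example a comment above the pin such as `# checksum compared with the upstream-signed release, <date>`. If the download step supports a stronger digest, that would be preferable, though this hunk does not show whether it does. The same pin appears in the `openwrt/target/linux/package/openswan/Makefile` hunk.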
@@ -19,12 +19,6 @@ $(eval $(call PKG_template,OPENSWAN,openswan,$(PKG_VERSION)-$(PKG_RELEASE),$(ARC FLAGS := $(TARGET_CFLAGS) -I$(PKG_BUILD_DIR)/linux/include -L$(STAGING_DIR)/usr/lib -I$(STAGING_DIR)/usr/include $(PKG_BUILD_DIR)/.built: -# $(MAKE) -C $(PKG_BUILD_DIR) \ -# $(TARGET_CONFIGURE_OPTS) \ -# KERNELSRC="$(LINUX_DIR)" \ -# ARCH="mips" \ -# USERCOMPILE="$(FLAGS)" \ -# module $(MAKE) -C $(PKG_BUILD_DIR) \ $(TARGET_CONFIGURE_OPTS) \ KERNELSRC="$(LINUX_DIR)" \ diff --git a/openwrt/package/openswan/patches/pluto-includes.patch b/openwrt/package/openswan/patches/pluto-includes.patch index d189c1f4a8..8cd1398d4a 100644 --- a/openwrt/package/openswan/patches/pluto-includes.patch +++ b/openwrt/package/openswan/patches/pluto-includes.patch 
@@ -1,25 +1,12 @@ -diff -urN openswan-2.3.1dr6.old/programs/pluto/Makefile openswan-2.3.1dr6/programs/pluto/Makefile ---- openswan-2.3.1dr6.old/programs/pluto/Makefile 2005-03-27 22:21:41.000000000 +0200 -+++ openswan-2.3.1dr6/programs/pluto/Makefile 2005-04-05 02:58:42.000000000 +0200 -@@ -66,7 +66,7 @@ - - # where to find klips headers and Openswan headers - # and 2.6 kernel's and --HDRDIRS = -I${OPENSWANSRCDIR}/programs/pluto/linux26 -I${OPENSWANSRCDIR}/include -I$(KLIPSINC) -+HDRDIRS = -I${OPENSWANSRCDIR}/programs/pluto/linux26 -I${OPENSWANSRCDIR}/include -I$(KLIPSINC) $(EXTRA_INCLUDE) - - # On non-LINUX systems, these one of these may be needed (see endian.h) - # BYTE_ORDER = -DBIG_ENDIAN=4321 -DLITTLE_ENDIAN=1234 -DBYTE_ORDER=BIG_ENDIAN -diff -urN openswan-2.3.1dr6.old/programs/pluto/Makefile openswan-2.3.1dr6.dev/programs/pluto/Makefile ---- openswan-2.3.1dr6.old/programs/pluto/Makefile 2005-04-05 03:00:36.000000000 +0200 -+++ openswan-2.3.1dr6.dev/programs/pluto/Makefile 2005-04-05 03:06:18.000000000 +0200 -@@ -255,7 +255,7 @@ - LIBSPLUTO+=$(IPSECPOLICY_LIBS) $(X509_LIBS) $(SMARTCARD_LIBS) +diff -Nur openswan-2.4.0.orig/programs/pluto/Makefile openswan-2.4.0/programs/pluto/Makefile +--- openswan-2.4.0.orig/programs/pluto/Makefile 2005-08-12 03:12:38.000000000 +0200 ++++ openswan-2.4.0/programs/pluto/Makefile 2005-09-29 13:41:14.016377750 +0200 +@@ -271,7 +271,7 @@ LIBSPLUTO+=$(HAVE_THREADS_LIBS) ${XAUTHPAM_LIBS} LIBSPLUTO+=${CURL_LIBS} + LIBSPLUTO+=${EXTRA_CRYPTO_LIBS} -LIBSPLUTO+= -lgmp -lresolv # -lefence -+LIBSPLUTO+= $(EXTRA_LIBS) -lgmp -lresolv # -lefence ++LIBSPLUTO+=$(EXTRA_LIBS) -lgmp -lresolv # -lefence ifneq ($(LD_LIBRARY_PATH),) LDFLAGS=-L$(LD_LIBRARY_PATH) -Binary files openswan-2.3.1dr6.old/programs/pluto/.Makefile.swp and openswan-2.3.1dr6.dev/programs/pluto/.Makefile.swp differ diff --git a/openwrt/package/openswan/patches/scripts.patch b/openwrt/package/openswan/patches/scripts.patch index f788f78e9d..5925f0768a 100644 
--- a/openwrt/package/openswan/patches/scripts.patch +++ b/openwrt/package/openswan/patches/scripts.patch @@ -1,100 +1,78 @@ -diff -uNr openswan-2.3.0.orig/programs/loggerfix openswan-2.3.0/programs/loggerfix ---- openswan-2.3.0.orig/programs/loggerfix 1970-01-01 00:00:00.000000000 +0000 -+++ openswan-2.3.0/programs/loggerfix 2005-02-02 20:34:54.000000000 +0000 +diff -Nur openswan-2.4.0.orig/programs/loggerfix openswan-2.4.0/programs/loggerfix +--- openswan-2.4.0.orig/programs/loggerfix 1970-01-01 01:00:00.000000000 +0100 ++++ openswan-2.4.0/programs/loggerfix 2005-09-29 13:44:43.325458750 +0200 
@@ -0,0 +1,5 @@ +#!/bin/sh +# use filename instead of /dev/null to log, but dont log to flash or ram +# pref. log to nfs mount +echo "$*" >> /dev/null +exit 0 -diff -uNr openswan-2.3.0.orig/programs/look/look.in openswan-2.3.0/programs/look/look.in ---- openswan-2.3.0.orig/programs/look/look.in 2003-10-31 02:32:42.000000000 +0000 -+++ openswan-2.3.0/programs/look/look.in 2005-02-02 20:34:54.000000000 +0000 -@@ -79,7 +79,7 @@ +diff -Nur openswan-2.4.0.orig/programs/look/look.in openswan-2.4.0/programs/look/look.in +--- openswan-2.4.0.orig/programs/look/look.in 2005-08-18 16:10:09.000000000 +0200 ++++ openswan-2.4.0/programs/look/look.in 2005-09-29 13:44:49.537847000 +0200 +@@ -84,7 +84,7 @@ then pat="$pat|$defaultroutephys\$|$defaultroutevirt\$" else -- for i in `echo "$IPSECinterfaces" | tr '=' ' '` -+ for i in `echo "$IPSECinterfaces" | sed 's/=/ /'` +- for i in `echo "$IPSECinterfaces" | sed 's/=/ /'` ++ for i in `echo "$IPSECinterfaces" | tr '=' ' '` do pat="$pat|$i\$" done -diff -uNr openswan-2.3.0.orig/programs/manual/manual.in openswan-2.3.0/programs/manual/manual.in ---- openswan-2.3.0.orig/programs/manual/manual.in 2004-11-01 22:49:01.000000000 +0000 -+++ openswan-2.3.0/programs/manual/manual.in 2005-02-02 20:34:54.000000000 +0000 +diff -Nur openswan-2.4.0.orig/programs/manual/manual.in openswan-2.4.0/programs/manual/manual.in +--- openswan-2.4.0.orig/programs/manual/manual.in 2005-04-18 00:57:12.000000000 +0200 ++++ openswan-2.4.0/programs/manual/manual.in 2005-09-29 13:44:52.446028750 +0200 
@@ -104,7 +104,7 @@ sub(/:/, " ", $0) if (interf != "") print $3 "@" interf -- }' | tr '\n' ' '`" -+ }' | sed ':a;N;$!ba;s/\n/ /g'`" +- }' | sed ':a;N;$!ba;s/\n/ /g'`" ++ }' | tr '\n' ' '`" ;; esac - diff -uNr openswan-2.3.0.orig/programs/_startklips/_startklips.in openswan-2.3.0/programs/_startklips/_startklips.in ---- openswan-2.3.0.orig/programs/_startklips/_startklips.in 2004-12-10 12:38:28.000000000 +0000 -+++ openswan-2.3.0/programs/_startklips/_startklips.in 2005-02-02 20:34:54.000000000 +0000 -@@ -292,7 +292,12 @@ + +diff -Nur openswan-2.4.0.orig/programs/_plutorun/_plutorun.in openswan-2.4.0/programs/_plutorun/_plutorun.in +--- openswan-2.4.0.orig/programs/_plutorun/_plutorun.in 2005-04-21 23:57:16.000000000 +0200 ++++ openswan-2.4.0/programs/_plutorun/_plutorun.in 2005-09-29 13:44:53.442091000 +0200 +@@ -147,7 +147,7 @@ + exit 1 fi - unset MODPATH MODULECONF # no user overrides! - depmod -a >/dev/null 2>&1 -- modprobe -v ipsec -+ if [ -f modprobe ] -+ then modprobe -v ipsec -+ elif [ -f insmod ] -+ then insmod ipsec -+ fi -+ - fi - if test ! -f $ipsecversion - then -diff -uNr openswan-2.3.0.orig/programs/setup/setup.in openswan-2.3.0/programs/setup/setup.in ---- openswan-2.3.0.orig/programs/setup/setup.in 2004-03-22 00:24:06.000000000 +0000 -+++ openswan-2.3.0/programs/setup/setup.in 2005-02-02 20:34:54.000000000 +0000 -@@ -110,12 +110,22 @@ - # do it - case "$1" in - start|--start|stop|--stop|_autostop|_autostart) -- if test " `id -u`" != " 0" -+ if [ "x${USER}" != "xroot" ] + else +- if test ! -w "`dirname $stderrlog`" ++ if test ! -w "`echo $stderrlog | sed -r 's/(^.*\/)(.*$)/\1/'`" + then + echo Cannot write to directory to create \"$stderrlog\". 
+ exit 1 +diff -Nur openswan-2.4.0.orig/programs/_realsetup/_realsetup.in openswan-2.4.0/programs/_realsetup/_realsetup.in +--- openswan-2.4.0.orig/programs/_realsetup/_realsetup.in 2005-07-28 02:23:48.000000000 +0200 ++++ openswan-2.4.0/programs/_realsetup/_realsetup.in 2005-09-29 13:44:53.442091000 +0200 +@@ -235,7 +235,7 @@ + + # misc pre-Pluto setup + +- perform test -d `dirname $subsyslock` "&&" touch $subsyslock ++ perform test -d `echo $subsyslock | sed -r 's/(^.*\/)(.*$)/\1/'` "&&" touch $subsyslock + + if test " $IPSECforwardcontrol" = " yes" then - echo "permission denied (must be superuser)" | - logger -s -p $IPSECsyslog -t ipsec_setup 2>&1 - exit 1 - fi -+ -+ # make sure all required directories exist -+ if [ ! -d /var/run/pluto ] -+ then -+ mkdir -p /var/run/pluto -+ fi -+ if [ ! -d /var/lock/subsys ] -+ then -+ mkdir -p /var/lock/subsys -+ fi - tmp=/var/run/pluto/ipsec_setup.st - outtmp=/var/run/pluto/ipsec_setup.out - ( -diff -uNr openswan-2.3.0.orig/programs/showhostkey/showhostkey.in openswan-2.3.0/programs/showhostkey/showhostkey.in ---- openswan-2.3.0.orig/programs/showhostkey/showhostkey.in 2004-11-14 13:40:41.000000000 +0000 -+++ openswan-2.3.0/programs/showhostkey/showhostkey.in 2005-02-02 20:34:54.000000000 +0000 -@@ -63,7 +63,7 @@ - exit 1 - fi +@@ -347,7 +347,7 @@ + lsmod 2>&1 | grep "^xfrm_user" > /dev/null && rmmod -s xfrm_user + fi --host="`hostname --fqdn`" -+host="`cat /proc/sys/kernel/hostname`" +- perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock ++ perform test -d `echo $subsyslock | sed -r 's/(^.*\/)(.*$)/\1/'` "&&" touch $subsyslock "&&" rm -f $subsyslock - awk ' BEGIN { - -diff -uNr openswan-2.3.0.orig/programs/send-pr/send-pr.in openswan-2.3.0/programs/send-pr/send-pr.in ---- openswan-2.3.0.orig/programs/send-pr/send-pr.in 2003-07-14 12:26:17.000000000 +0000 -+++ openswan-2.3.0/programs/send-pr/send-pr.in 2005-02-02 20:34:54.000000000 +0000 + perform rm -f $info $lock $plutopid + perform echo "...Openswan IPsec 
stopped" "|" $LOGONLY +diff -Nur openswan-2.4.0.orig/programs/send-pr/send-pr.in openswan-2.4.0/programs/send-pr/send-pr.in +--- openswan-2.4.0.orig/programs/send-pr/send-pr.in 2005-04-18 01:04:46.000000000 +0200 ++++ openswan-2.4.0/programs/send-pr/send-pr.in 2005-09-29 13:44:53.442091000 +0200 @@ -402,7 +402,7 @@ else if [ "$fieldname" != "Category" ] then -- values=`${BINDIR}/query-pr --valid-values $fieldname | tr '\n' ' ' | sed 's/ *$//g;s/ / | /g;s/^/[ /;s/$/ ]/;'` -+ values=`${BINDIR}/query-pr --valid-values $fieldname | sed ':a;N;$!ba;s/\n/ /g' | sed 's/ *$//g;s/ / | /g;s/^/[ /;s/$/ ]/;'` +- values=`${BINDIR}/query-pr --valid-values $fieldname | sed ':a;N;$!ba;s/\n/ /g' | sed 's/ *$//g;s/ / | /g;s/^/[ /;s/$/ ]/;'` ++ values=`${BINDIR}/query-pr --valid-values $fieldname | tr '\n' ' ' | sed 's/ *$//g;s/ / | /g;s/^/[ /;s/$/ ]/;'` valslen=`echo "$values" | wc -c` else values="choose from a category listed above" @@ -102,8 +80,8 @@ diff -uNr openswan-2.3.0.orig/programs/send-pr/send-pr.in openswan-2.3.0/program else desc="<${values} (one line)>"; fi -- dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'` -+ dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'` +- dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'` ++ dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'` echo "/^>${fieldname}:/ s/${dpat}//" >> $FIXFIL fi echo "${fmtname}${desc}" >> $file @@ -111,8 +89,8 @@ diff -uNr openswan-2.3.0.orig/programs/send-pr/send-pr.in openswan-2.3.0/program desc=" $default_val"; else desc=" <`${BINDIR}/query-pr --field-description $fieldname` (multiple lines)>"; -- dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'` -+ dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'` +- dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'` ++ dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'` echo "s/^${dpat}//" >> $FIXFIL fi echo "${fmtname}" >> $file; 
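Review bot: The `dirname` replacement `echo $stderrlog | sed -r 's/(^.*\/)(.*$)/\1/'`, used in the `_plutorun.in` and `_realsetup.in` sections, expands the variable unquoted and relies on `sed -r`, which is not POSIX. A path containing whitespace or glob characters, or a `sed` without `-r`, makes `test -w` / `test -d` check something other than the intended directory. For a path with a directory component, a parameter expansion does the same job without an external tool: `if test ! -w "${stderrlog%/*}"`. In the stop path, `touch $subsyslock "&&" rm -f $subsyslock` skips the `rm` whenever the `touch` fails, which can leave a stale lock file; `rm -f $subsyslock` alone would be enough. The script bodies around these lines lie outside the quoted hunks.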
@@ -120,46 +98,53 @@ diff -uNr openswan-2.3.0.orig/programs/send-pr/send-pr.in openswan-2.3.0/program desc="${default_val}" else desc="<`${BINDIR}/query-pr --field-description $fieldname` (one line)>" -- dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'` -+ dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'` +- dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'` ++ dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'` echo "/^>${fieldname}:/ s/${dpat}//" >> $FIXFIL fi echo "${fmtname}${desc}" >> $file -diff -uNr openswan-2.3.0.orig/programs/_realsetup/_realsetup.in openswan-2.3.0/programs/_realsetup/_realsetup.in ---- openswan-2.3.0.orig/programs/_realsetup/_realsetup.in 2004-12-10 13:10:04.000000000 +0000 -+++ openswan-2.3.0/programs/_realsetup/_realsetup.in 2005-02-02 20:34:54.000000000 +0000 -@@ -209,7 +209,7 @@ - - # misc pre-Pluto setup - -- perform test -d `dirname $subsyslock` "&&" touch $subsyslock -+ perform test -d `echo $subsyslock | sed -r 's/(^.*\/)(.*$)/\1/'` "&&" touch $subsyslock - - if test " $IPSECforwardcontrol" = " yes" +diff -Nur openswan-2.4.0.orig/programs/setup/setup.in openswan-2.4.0/programs/setup/setup.in +--- openswan-2.4.0.orig/programs/setup/setup.in 2005-07-25 21:17:03.000000000 +0200 ++++ openswan-2.4.0/programs/setup/setup.in 2005-09-29 13:44:52.446028750 +0200 +@@ -117,12 +117,22 @@ + # do it + case "$1" in + start|--start|stop|--stop|_autostop|_autostart) +- if test " `id -u`" != " 0" ++ if [ "x${USER}" != "xroot" ] then -@@ -313,7 +313,7 @@ - lsmod 2>&1 | grep "^xfrm_user" > /dev/null && rmmod -s xfrm_user - fi + echo "permission denied (must be superuser)" | + logger -s -p $IPSECsyslog -t ipsec_setup 2>&1 + exit 1 + fi ++ ++ # make sure all required directories exist ++ if [ ! -d /var/run/pluto ] ++ then ++ mkdir -p /var/run/pluto ++ fi ++ if [ ! 
-d /var/lock/subsys ] ++ then ++ mkdir -p /var/lock/subsys ++ fi + tmp=/var/run/pluto/ipsec_setup.st + outtmp=/var/run/pluto/ipsec_setup.out + ( +diff -Nur openswan-2.4.0.orig/programs/showhostkey/showhostkey.in openswan-2.4.0/programs/showhostkey/showhostkey.in +--- openswan-2.4.0.orig/programs/showhostkey/showhostkey.in 2004-11-14 14:40:41.000000000 +0100 ++++ openswan-2.4.0/programs/showhostkey/showhostkey.in 2005-09-29 13:44:52.446028750 +0200 +@@ -63,7 +63,7 @@ + exit 1 + fi -- perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock -+ perform test -d `echo $subsyslock | sed -r 's/(^.*\/)(.*$)/\1/'` "&&" touch $subsyslock "&&" rm -f $subsyslock +-host="`hostname --fqdn`" ++host="`cat /proc/sys/kernel/hostname`" - perform rm -f $info $lock $plutopid - perform echo "...Openswan IPsec stopped" "|" $LOGONLY ---- openswan-2.3.0.orig/programs/_plutorun/_plutorun.in 2004-11-03 20:21:08.000000000 +0000 -+++ openswan-2.3.0/programs/_plutorun/_plutorun.in 2005-02-02 20:34:54.000000000 +0000 -@@ -140,7 +140,7 @@ - exit 1 - fi - else -- if test ! -w "`dirname $stderrlog`" -+ if test ! -w "`echo $stderrlog | sed -r 's/(^.*\/)(.*$)/\1/'`" - then - echo Cannot write to directory to create \"$stderrlog\". - exit 1 -diff -urN openswan-2.3.1.old/programs/_startklips/_startklips.in openswan-2.3.1/programs/_startklips/_startklips.in ---- openswan-2.3.1.old/programs/_startklips/_startklips.in 2005-04-10 23:57:51.000000000 +0200 -+++ openswan-2.3.1/programs/_startklips/_startklips.in 2005-04-11 00:00:36.000000000 +0200 + awk ' BEGIN { + inkey = 0 +diff -Nur openswan-2.4.0.orig/programs/_startklips/_startklips.in openswan-2.4.0/programs/_startklips/_startklips.in +--- openswan-2.4.0.orig/programs/_startklips/_startklips.in 2005-03-31 23:07:27.000000000 +0200 ++++ openswan-2.4.0/programs/_startklips/_startklips.in 2005-09-29 13:44:53.442091000 +0200 @@ -262,15 +262,15 @@ echo "FATAL ERROR: Both KLIPS and NETKEY IPsec code is present in kernel" exit 
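Review bot: The superuser guard in the `setup.in` section, `if [ "x${USER}" != "xroot" ]`, tests an environment variable instead of the effective UID. `USER` is supplied by the caller, so an unprivileged user who exports `USER=root` passes the guard and the script then fails piecemeal further down rather than at the check. A root process started without `USER` set, as can happen from boot scripts, is refused. If `id` is available on the target, `if [ "$(id -u)" != "0" ]` keeps the check tied to the actual privilege, as the removed upstream line did. The `case` block this sits in continues outside the hunk.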
@@ -207,3 +192,17 @@ diff -urN openswan-2.3.1.old/programs/_startklips/_startklips.in openswan-2.3.1/ fi fi +@@ -305,7 +305,12 @@ + fi + unset MODPATH MODULECONF # no user overrides! + depmod -a >/dev/null 2>&1 +- modprobe -v ipsec ++ if [ -f modprobe ] ++ then modprobe -v ipsec ++ elif [ -f insmod ] ++ then insmod ipsec ++ fi ++ + fi + if test ! -f $ipsecversion + then diff --git a/openwrt/target/linux/package/openswan/Makefile b/openwrt/target/linux/package/openswan/Makefile index a105a1f540..0344336fe8 100644 --- a/openwrt/target/linux/package/openswan/Makefile +++ b/openwrt/target/linux/package/openswan/Makefile @@ -3,9 +3,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openswan -PKG_VERSION:=2.3.1 +PKG_VERSION:=2.4.2 PKG_RELEASE:=1 -PKG_MD5SUM:=3dcf1cd7efcbe8db3148fc288d429db1 +PKG_MD5SUM:=38c7ad91312bdd67fa57fe987b21183e PKG_SOURCE_URL:=http://www.openswan.org/download PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz @@ -28,6 +28,7 @@ $(PKG_BUILD_DIR)/.built: KERNELSRC="$(KERNEL_DIR)" \ ARCH="mips" \ USERCOMPILE="$(FLAGS)" \ + AS="$(TARGET_CC) -c $(TARGET_CFLAGS)" \ module $(IPKG_KMOD_OPENSWAN): -- 2.30.2
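Review bot: In the `_startklips.in` section, `[ -f modprobe ]` and `[ -f insmod ]` test for files named `modprobe` and `insmod` in the current working directory, not for the commands on `PATH`. When neither file exists there, both branches are skipped and the `ipsec` module is never loaded, and the hunk shows no message or error path for that case. A lookup such as `if type modprobe >/dev/null 2>&1` (likewise for `insmod`), with an `else` that reports the failure, would match the apparent intent. The enclosing `if` starts outside the hunk.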
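Review bot: The added `AS="$(TARGET_CC) -c $(TARGET_CFLAGS)"` in the `openwrt/target/linux/package/openswan/Makefile` hunk swaps the assembler for the C compiler driver in the `module` build, and nothing in the rule says why. A one-line comment above `$(PKG_BUILD_DIR)/.built:` stating the reason would keep a later cleanup from dropping it. Presumably the module's assembly sources need preprocessing with the target flags, but that should be confirmed. The override is passed next to the hard-coded `ARCH="mips"`, so the comment could also say whether both are meant to be MIPS-only. The recipe starts outside the hunk.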