From: Baptiste Daroussin
Date: Tue, 25 Nov 2014 22:25:13 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r275083 - in head/secure: lib/libssh libexec/sftp-server libexec/ssh-keysign libexec/ssh-pkcs11-helper usr.bin/scp usr.bin/sftp usr.bin/ssh usr.bin/ssh-add usr.bin/ssh-agent usr.bin/ssh...

Author: bapt
Date: Tue Nov 25 22:25:13 2014
New Revision: 275083
URL: https://svnweb.freebsd.org/changeset/base/275083

Log:
  Reduce overlinking

  The framework now ensures by itself that pthread is added to the link chain as
  the last component if linked to kerberos hence avoid without any explicit addition
  prevent issues like CVE-2014-8475

Modified:
  head/secure/lib/libssh/Makefile
  head/secure/libexec/sftp-server/Makefile
  head/secure/libexec/ssh-keysign/Makefile
  head/secure/libexec/ssh-pkcs11-helper/Makefile
  head/secure/usr.bin/scp/Makefile
  head/secure/usr.bin/sftp/Makefile
  head/secure/usr.bin/ssh-add/Makefile
  head/secure/usr.bin/ssh-agent/Makefile
  head/secure/usr.bin/ssh-keygen/Makefile
  head/secure/usr.bin/ssh-keyscan/Makefile
  head/secure/usr.bin/ssh/Makefile
  head/secure/usr.sbin/sshd/Makefile

Modified: head/secure/lib/libssh/Makefile ============================================================================== --- head/secure/lib/libssh/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/lib/libssh/Makefile Tue Nov 25 22:25:13 2014 (r275083) 
@@ -41,7 +41,6 @@ CFLAGS+= -I${SSHDIR} -include ssh_namesp .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -include krb5_config.h -LIBADD+= gssapi krb5 hx509 asn1 com_err md roken .endif .if ${MK_OPENSSH_NONE_CIPHER} != "no" Modified: head/secure/libexec/sftp-server/Makefile ============================================================================== --- head/secure/libexec/sftp-server/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/libexec/sftp-server/Makefile Tue Nov 25 22:25:13 2014 (r275083) @@ -21,8 +21,6 @@ CFLAGS+= -DHAVE_LDNS=1 #USEPRIVATELIB+= ldns .endif -LIBADD+= crypto crypto z - .include .PATH: ${SSHDIR} Modified: head/secure/libexec/ssh-keysign/Makefile ============================================================================== --- head/secure/libexec/ssh-keysign/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/libexec/ssh-keysign/Makefile Tue Nov 25 22:25:13 2014 (r275083) @@ -17,7 +17,7 @@ CFLAGS+= -DHAVE_LDNS=1 #USEPRIVATELIB+= ldns .endif -LIBADD+= crypt crypto z +LIBADD+= crypto .include Modified: head/secure/libexec/ssh-pkcs11-helper/Makefile ============================================================================== --- head/secure/libexec/ssh-pkcs11-helper/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/libexec/ssh-pkcs11-helper/Makefile Tue Nov 25 22:25:13 2014 (r275083) @@ -21,7 +21,7 @@ CFLAGS+= -DHAVE_LDNS=1 #USEPRIVATELIB+= ldns .endif -LIBADD+= crypt crypto z +LIBADD+= crypto .include Modified: head/secure/usr.bin/scp/Makefile ============================================================================== --- head/secure/usr.bin/scp/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/usr.bin/scp/Makefile Tue Nov 25 22:25:13 2014 (r275083) 
@@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1 #USEPRIVATELIB+= ldns .endif -LIBADD+= crypt crypto z - .include .PATH: ${SSHDIR} Modified: head/secure/usr.bin/sftp/Makefile ============================================================================== --- head/secure/usr.bin/sftp/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/usr.bin/sftp/Makefile Tue Nov 25 22:25:13 2014 (r275083) @@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1 #USEPRIVATELIB+= ldns .endif -LIABDD+= crypt crypto z - .include .PATH: ${SSHDIR} Modified: head/secure/usr.bin/ssh-add/Makefile ============================================================================== --- head/secure/usr.bin/ssh-add/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/usr.bin/ssh-add/Makefile Tue Nov 25 22:25:13 2014 (r275083) @@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1 #USEPRIVATELIB+= ldns .endif -LIBADD+= crypt crypto z - .include .PATH: ${SSHDIR} Modified: head/secure/usr.bin/ssh-agent/Makefile ============================================================================== --- head/secure/usr.bin/ssh-agent/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/usr.bin/ssh-agent/Makefile Tue Nov 25 22:25:13 2014 (r275083) @@ -20,7 +20,7 @@ CFLAGS+= -DHAVE_LDNS=1 #USEPRIVATELIB+= ldns .endif -LIBADD+= crypt crypto z +LIBADD+= crypto .include Modified: head/secure/usr.bin/ssh-keygen/Makefile ============================================================================== --- head/secure/usr.bin/ssh-keygen/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/usr.bin/ssh-keygen/Makefile Tue Nov 25 22:25:13 2014 (r275083) 
@@ -15,10 +15,9 @@ LIBADD= ssh .if ${MK_LDNS} != "no" CFLAGS+= -DHAVE_LDNS=1 -LIBADD+= ldns .endif -LIBADD+= crypt crypto z +LIBADD+= crypto .include Modified: head/secure/usr.bin/ssh-keyscan/Makefile ============================================================================== --- head/secure/usr.bin/ssh-keyscan/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/usr.bin/ssh-keyscan/Makefile Tue Nov 25 22:25:13 2014 (r275083) @@ -15,8 +15,6 @@ CFLAGS+= -DHAVE_LDNS=1 #USEPRIVATELIB+= ldns .endif -LIBADD+= crypt crypto z - .include .PATH: ${SSHDIR} Modified: head/secure/usr.bin/ssh/Makefile ============================================================================== --- head/secure/usr.bin/ssh/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/usr.bin/ssh/Makefile Tue Nov 25 22:25:13 2014 (r275083) @@ -15,11 +15,10 @@ SRCS= ssh.c readconf.c clientloop.c ssht # gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile SRCS+= gss-genr.c -LIBADD= ssh util +LIBADD= ssh .if ${MK_LDNS} != "no" CFLAGS+= -DHAVE_LDNS=1 -LIBADD+= ldns .endif .if ${MK_KERBEROS_SUPPORT} != "no" @@ -31,7 +30,7 @@ LIBADD+= gssapi CFLAGS+= -DNONE_CIPHER_ENABLED .endif -LIBADD+= crypt crypto z +LIBADD+= crypto .if defined(LOCALBASE) CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\" Modified: head/secure/usr.sbin/sshd/Makefile ============================================================================== --- head/secure/usr.sbin/sshd/Makefile Tue Nov 25 22:17:31 2014 (r275082) +++ head/secure/usr.sbin/sshd/Makefile Tue Nov 25 22:25:13 2014 (r275083) @@ -25,7 +25,8 @@ SRCS+= gss-genr.c MAN= sshd.8 sshd_config.5 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h -LIBADD= ssh util wrap pam +# pam should always happen before ssh here for static linking +LIBADD= pam ssh util wrap .if ${MK_LDNS} != "no" CFLAGS+= -DHAVE_LDNS=1 
@@ -41,25 +42,14 @@ LIBADD+= bsm .if ${MK_KERBEROS_SUPPORT} != "no" CFLAGS+= -include krb5_config.h -LIBADD+= gssapi_krb5 gssapi krb5 hx509 asn1 com_err roken wind heimbase \ - heimipcc +LIBADD+= gssapi_krb5 gssapi krb5 .endif .if ${MK_OPENSSH_NONE_CIPHER} != "no" CFLAGS+= -DNONE_CIPHER_ENABLED .endif -LIBADD+= crypt crypto z - -# Fix the order of NEEDED entries for libthr and libc. The libthr -# needs to interpose libc symbols, leaving the libthr loading as -# dependency of krb causes reversed order and broken interposing. Put -# the threading library last on the linker command line, just before -# the -lc added by a compiler driver. -# XXX In theory the framework now takes care of that, it needs to be checked -.if ${MK_KERBEROS_SUPPORT} != "no" -LIBADD+= pthread -.endif +LIBADD+= crypto .if defined(LOCALBASE) CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
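Review bot: in the last head/secure/usr.sbin/sshd/Makefile hunk (@@ -41,25 +42,14 @@), the removed block held the only explanation of why the threading library has to come last (libthr interposes libc symbols, and loading it as a dependency of krb reverses the NEEDED order), and its own XXX line said the framework behaviour "needs to be checked". Both the explicit `LIBADD+= pthread` and the comment are dropped without any record that the check was done. I would keep a one-line comment under the `MK_KERBEROS_SUPPORT` block saying that the framework appends pthread last when Kerberos is linked, and state in the log that the NEEDED order of the resulting sshd was inspected (for example with readelf -d) with Kerberos support enabled. The same hunk also trims the Kerberos line to `gssapi_krb5 gssapi krb5`; since the previous hunk adds a comment about static linking order, it is worth confirming that a static sshd still resolves the dropped hx509, asn1, com_err, roken, wind, heimbase and heimipcc through the framework.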
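Review bot: in head/secure/usr.bin/ssh-keygen/Makefile (@@ -15,10 +15,9 @@) and head/secure/usr.bin/ssh/Makefile (@@ -15,11 +15,10 @@), the `.if ${MK_LDNS} != "no"` block still sets `-DHAVE_LDNS=1` but no longer adds ldns to LIBADD, so both programs now rely on some other LIBADD entry to bring ldns in. If that entry is libssh, please say so in a comment next to the CFLAGS line, in the way the other Makefiles carry a commented-out `#USEPRIVATELIB+= ldns`. If either program references ldns symbols directly, a build with MK_LDNS enabled needs to be tested for unresolved symbols at link time, static builds included.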
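Review bot: in head/secure/lib/libssh/Makefile (@@ -41,7 +41,6 @@), the Kerberos block keeps `-include krb5_config.h` but loses every library it used to declare (`gssapi krb5 hx509 asn1 com_err md roken`), and the log does not say whether libssh itself references symbols from any of them. The comment in the ssh Makefile that gss-genr.c "really belongs in libssh" suggests the GSS code is built in the consumers, which still list gssapi (ssh) and gssapi_krb5 gssapi krb5 (sshd), but that reasoning should be written down here. Without it, a reader cannot tell removed overlinking from newly introduced underlinking in the shared libssh; a short comment in the `MK_KERBEROS_SUPPORT` block, or a sentence in the log, would settle it.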