Date: Sat, 10 Nov 2018 22:45:31 +0000 (UTC) From: Olivier Cochard <olivier@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r484647 - in head/www/shellinabox: . files Message-ID: <201811102245.wAAMjVc9027208@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: olivier Date: Sat Nov 10 22:45:31 2018 New Revision: 484647 URL: https://svnweb.freebsd.org/changeset/ports/484647 Log: Fixes: - build with OpenSSL 1.1 - broken multipart/form-data (CVE-2018-16789) - Interpret aixterm high-intensity color escape codes All these patches came from the project pull requests list. Reported by: pkg-fallout Security: CVE-2018-16789 Added: head/www/shellinabox/files/patch-configure.ac (contents, props changed) head/www/shellinabox/files/patch-libhttp_ssl.c (contents, props changed) head/www/shellinabox/files/patch-libhttp_ssl.h (contents, props changed) head/www/shellinabox/files/patch-libhttp_url.c (contents, props changed) head/www/shellinabox/files/patch-shellinabox_launcher.c (contents, props changed) head/www/shellinabox/files/patch-shellinabox_vt100.jspp (contents, props changed) Modified: head/www/shellinabox/Makefile Modified: head/www/shellinabox/Makefile ============================================================================== --- head/www/shellinabox/Makefile Sat Nov 10 22:17:55 2018 (r484646) +++ head/www/shellinabox/Makefile Sat Nov 10 22:45:31 2018 (r484647) @@ -4,6 +4,7 @@ PORTNAME= shellinabox PORTVERSION= 2.20 DISTVERSIONPREFIX= v +PORTREVISION= 1 CATEGORIES= www MAINTAINER= olivier@FreeBSD.org @@ -11,15 +12,15 @@ COMMENT= Publish command line shell through AJAX inter LICENSE= GPLv2 -USE_GITHUB= yes -GH_ACCOUNT= shellinabox +USES= autoreconf libtool OPTIONS_DEFINE= CORES NOLOGIN CORES_DESC= Patch shellinaboxd to enable core dumps NOLOGIN_DESC= Login through ssh (not through login) -USES= autoreconf libtool GNU_CONFIGURE= yes +USE_GITHUB= yes +GH_ACCOUNT= shellinabox USE_RC_SUBR= shellinaboxd USERS?= shellinabox Added: head/www/shellinabox/files/patch-configure.ac ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/shellinabox/files/patch-configure.ac Sat Nov 10 22:45:31 2018 (r484647) @@ -0,0 +1,20 @@ +--- configure.ac.orig 2016-11-09 19:40:33 UTC ++++ configure.ac +@@ -138,6 +138,17 @@ AC_ARG_ENABLE(runtime-loading, + these libraries into the binary, thus making them a + hard dependency, then disable runtime-loading.]) + ++dnl This changes the order of the top ciphersuites ++AC_ARG_ENABLE(prefer-chacha, ++ [ --enable-prefer-chacha Prefer ChaCha20-Poly1305 ciphersuites over ++ AES256-GCM. For processors without AES-NI or ++ similar capabilities, ChaCha20-Poly1305 is 3 times ++ faster than AES, with an equivalent strength.]) ++if test "x$enable_prefer_chacha" == xyes; then ++ AC_DEFINE(SHELLINABOX_USE_CHACHA_FIRST, 1, ++ Set if you want to prefer Chacha20-Poly1305 over AES-GCM) ++fi ++ + dnl This is feature is not suported in some standard C libs. So users can use + dnl this switch to avoid compile and runtime problems. Note that utmp must + dnl disabled on systems with musl libc. Added: head/www/shellinabox/files/patch-libhttp_ssl.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/shellinabox/files/patch-libhttp_ssl.c Sat Nov 10 22:45:31 2018 (r484647) @@ -0,0 +1,200 @@ +--- libhttp/ssl.c.orig 2016-11-09 19:40:33 UTC ++++ libhttp/ssl.c +@@ -117,6 +117,9 @@ SSL_CTX * (*SSL_CTX_new)(SSL_METHOD *); + int (*SSL_CTX_set_cipher_list)(SSL_CTX *, const char *); + void (*SSL_CTX_set_info_callback)(SSL_CTX *, + void (*)(const SSL *, int, int)); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++unsigned long (*SSL_CTX_set_options)(SSL_CTX *, unsigned long); ++#endif + int (*SSL_CTX_use_PrivateKey_file)(SSL_CTX *, const char *, int); + int (*SSL_CTX_use_PrivateKey_ASN1)(int, SSL_CTX *, + const unsigned char *, long); +@@ -130,7 +133,9 @@ void * (*SSL_get_ex_data)(const SSL *, int); + BIO * (*SSL_get_rbio)(const SSL *); + const char * (*SSL_get_servername)(const SSL *, int); + BIO * (*SSL_get_wbio)(const SSL *); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + int (*SSL_library_init)(void); ++#endif + SSL * (*SSL_new)(SSL_CTX *); + int (*SSL_read)(SSL *, void *, int); + SSL_CTX * (*SSL_set_SSL_CTX)(SSL *, SSL_CTX *); +@@ -139,10 +144,16 @@ void (*SSL_set_bio)(SSL *, BIO *, BIO *); + int (*SSL_set_ex_data)(SSL *, int, void *); + int (*SSL_shutdown)(SSL *); + int (*SSL_write)(SSL *, const void *, int); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_METHOD * (*SSLv23_server_method)(void); ++#else ++SSL_METHOD * (*TLS_server_method)(void); ++#endif + X509 * (*d2i_X509)(X509 **px, const unsigned char **in, int len); + void (*X509_free)(X509 *a); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + void (*x_sk_zero)(void *st); ++#endif + void * (*x_SSL_COMP_get_compression_methods)(void); + #endif + +@@ -208,7 +219,7 @@ static int maybeLoadCrypto(void) { + // The feature is currently disabled. + const char* path_libcrypto = NULL; // getenv ("SHELLINABOX_LIBCRYPTO_SO"); + if (path_libcrypto == NULL) +- path_libcrypto = "libcrypto.so"; ++ path_libcrypto = DEFAULT_LIBCRYPTO_SO; + + if (!crypto++) { + #ifdef RTLD_NOLOAD +@@ -267,8 +278,8 @@ static void loadSSL(void) { + // The feature is currently disabled. + const char* path_libssl = NULL; // = getenv ("SHELLINABOX_LIBSSL_SO"); + if (path_libssl == NULL) +- path_libssl = "libssl.so"; +- check(!SSL_library_init); ++ path_libssl = DEFAULT_LIBSSL_SO; ++ check(!SSL_CTX_new); + struct { + union { + void *avoid_gcc_warning_about_type_punning; +@@ -299,6 +310,9 @@ static void loadSSL(void) { + { { &SSL_CTX_new }, "SSL_CTX_new" }, + { { &SSL_CTX_set_cipher_list }, "SSL_CTX_set_cipher_list" }, + { { &SSL_CTX_set_info_callback }, "SSL_CTX_set_info_callback" }, ++#if OPENSSL_VERSION_NUMBER > 0x10100000L ++ { { &SSL_CTX_set_options }, "SSL_CTX_set_options" }, ++#endif + { { &SSL_CTX_use_PrivateKey_file }, "SSL_CTX_use_PrivateKey_file" }, + { { &SSL_CTX_use_PrivateKey_ASN1 }, "SSL_CTX_use_PrivateKey_ASN1" }, + { { &SSL_CTX_use_certificate_file },"SSL_CTX_use_certificate_file"}, +@@ -312,7 +326,9 @@ static void loadSSL(void) { + { { &SSL_get_servername }, "SSL_get_servername" }, + #endif + { { &SSL_get_wbio }, "SSL_get_wbio" }, ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + { { &SSL_library_init }, "SSL_library_init" }, ++#endif + { { &SSL_new }, "SSL_new" }, + { { &SSL_read }, "SSL_read" }, + #ifdef HAVE_TLSEXT +@@ -323,10 +339,16 @@ static void loadSSL(void) { + { { &SSL_set_ex_data }, "SSL_set_ex_data" }, + { { &SSL_shutdown }, "SSL_shutdown" }, + { { &SSL_write }, "SSL_write" }, ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + { { &SSLv23_server_method }, "SSLv23_server_method" }, ++#else ++ { { &TLS_server_method }, "TLS_server_method" }, ++#endif + { { &d2i_X509 }, "d2i_X509" }, + { { &X509_free }, "X509_free" }, ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + { { &x_sk_zero }, "sk_zero" } ++#endif + }; + for (unsigned i = 0; i < sizeof(symbols)/sizeof(symbols[0]); i++) { + if (!(*symbols[i].var = loadSymbol(path_libssl, symbols[i].fn))) { +@@ -343,7 +365,9 @@ static void loadSSL(void) { + // ends + + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_library_init(); ++#endif + dcheck(!ERR_peek_error()); + debug("[ssl] Loaded SSL suppport..."); + } +@@ -351,8 +375,12 @@ static void loadSSL(void) { + + int serverSupportsSSL(void) { + #if defined(HAVE_OPENSSL) && !defined(HAVE_DLOPEN) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + return SSL_library_init(); + #else ++ return 1; ++#endif ++#else + #if defined(HAVE_OPENSSL) + // We want to call loadSSL() exactly once. For single-threaded applications, + // this is straight-forward. For threaded applications, we need to call +@@ -372,8 +400,12 @@ int serverSupportsSSL(void) { + loadSSL(); + } + } ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + return !!SSL_library_init; + #else ++ return 1; ++#endif ++#else + return 0; + #endif + #endif +@@ -623,7 +655,11 @@ static void sslInfoCallback(const SSL *sslHndl, int ty + static SSL_CTX *sslMakeContext(void) { + + SSL_CTX *context; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + check(context = SSL_CTX_new(SSLv23_server_method())); ++#else ++ check(context = SSL_CTX_new(TLS_server_method())); ++#endif + + long options = SSL_OP_ALL; + options |= SSL_OP_NO_SSLv2; +@@ -641,6 +677,7 @@ static SSL_CTX *sslMakeContext(void) { + // Set default SSL options. + SSL_CTX_set_options(context, options); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + // Workaround for SSL_OP_NO_COMPRESSION with older OpenSSL versions. + #ifdef HAVE_DLOPEN + if (SSL_COMP_get_compression_methods) { +@@ -649,6 +686,7 @@ static SSL_CTX *sslMakeContext(void) { + #elif OPENSSL_VERSION_NUMBER >= 0x00908000L + sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); + #endif ++#endif + + // For Perfect Forward Secrecy (PFS) support we need to enable some additional + // SSL options, provide eliptic curve key object for handshake and add chipers +@@ -657,21 +695,39 @@ static SSL_CTX *sslMakeContext(void) { + SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE); + SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L /* openssl 1.1 does this automatically */ + EC_KEY *ecKey; + check(ecKey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); + SSL_CTX_set_tmp_ecdh(context, ecKey); + EC_KEY_free(ecKey); ++#endif + + debug("[ssl] Support for PFS enabled..."); + #endif + + check(SSL_CTX_set_cipher_list(context, ++#ifdef SHELLINABOX_USE_CHACHA_FIRST ++ "ECDHE-ECDSA-CHACHA20-POLY1305:" ++ "ECDHE-RSA-CHACHA20-POLY1305:" ++ "ECDHE-ECDSA-AES256-GCM-SHA384:" + "ECDHE-RSA-AES256-GCM-SHA384:" ++#else ++ "ECDHE-ECDSA-AES256-GCM-SHA384:" ++ "ECDHE-RSA-AES256-GCM-SHA384:" ++ "ECDHE-ECDSA-CHACHA20-POLY1305:" ++ "ECDHE-RSA-CHACHA20-POLY1305:" ++#endif ++ "ECDHE-ECDSA-AES128-GCM-SHA256:" + "ECDHE-RSA-AES128-GCM-SHA256:" ++ "ECDHE-ECDSA-AES256-SHA384:" + "ECDHE-RSA-AES256-SHA384:" ++ "ECDHE-ECDSA-AES128-SHA256:" + "ECDHE-RSA-AES128-SHA256:" ++ "ECDHE-ECDSA-AES256-SHA:" + "ECDHE-RSA-AES256-SHA:" ++ "ECDHE-ECDSA-AES128-SHA:" + "ECDHE-RSA-AES128-SHA:" ++ "ECDHE-ECDSA-DES-CBC3-SHA:" + "ECDHE-RSA-DES-CBC3-SHA:" + "HIGH:MEDIUM:!RC4:!aNULL:!MD5")); + Added: head/www/shellinabox/files/patch-libhttp_ssl.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/shellinabox/files/patch-libhttp_ssl.h Sat Nov 10 22:45:31 2018 (r484647) @@ -0,0 +1,102 @@ +--- libhttp/ssl.h.orig 2016-11-09 19:40:33 UTC ++++ libhttp/ssl.h +@@ -57,6 +57,7 @@ + #include <openssl/bio.h> + #include <openssl/err.h> + #include <openssl/ssl.h> ++#include <openssl/safestack.h> + #else + #undef HAVE_OPENSSL + typedef struct BIO BIO; +@@ -77,6 +78,17 @@ typedef struct X509 X509; + #endif + + #if defined(HAVE_DLOPEN) ++#if !defined(DEFAULT_LIBCRYPTO_SO) || !defined(DEFAULT_LIBSSL_SO) ++#undef DEFAULT_LIBCRYPTO_SO ++#undef DEFAULT_LIBSSL_SO ++#ifdef SHLIB_VERSION_NUMBER ++#define DEFAULT_LIBCRYPTO_SO "libcrypto.so." SHLIB_VERSION_NUMBER ++#define DEFAULT_LIBSSL_SO "libssl.so." SHLIB_VERSION_NUMBER ++#else ++#define DEFAULT_LIBCRYPTO_SO "libcrypto.so" ++#define DEFAULT_LIBSSL_SO "libssl.so" ++#endif ++#endif + extern long (*x_BIO_ctrl)(BIO *, int, long, void *); + extern BIO_METHOD *(*x_BIO_f_buffer)(void); + extern void (*x_BIO_free_all)(BIO *); +@@ -99,6 +111,9 @@ extern SSL_CTX*(*x_SSL_CTX_new)(SSL_METHOD *); + extern int (*x_SSL_CTX_set_cipher_list)(SSL_CTX *, const char *); + extern void (*x_SSL_CTX_set_info_callback)(SSL_CTX *, + void (*)(const SSL *, int, int)); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++extern unsigned long (*x_SSL_CTX_set_options)(SSL_CTX *, unsigned long); ++#endif + extern int (*x_SSL_CTX_use_PrivateKey_file)(SSL_CTX *, const char *, int); + extern int (*x_SSL_CTX_use_PrivateKey_ASN1)(int, SSL_CTX *, + const unsigned char *, long); +@@ -112,7 +127,9 @@ extern void *(*x_SSL_get_ex_data)(const SSL *, int); + extern BIO *(*x_SSL_get_rbio)(const SSL *); + extern const char *(*x_SSL_get_servername)(const SSL *, int); + extern BIO *(*x_SSL_get_wbio)(const SSL *); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + extern int (*x_SSL_library_init)(void); ++#endif + extern SSL *(*x_SSL_new)(SSL_CTX *); + extern int (*x_SSL_read)(SSL *, void *, int); + extern SSL_CTX*(*x_SSL_set_SSL_CTX)(SSL *, SSL_CTX *); +@@ -121,10 +138,16 @@ extern void (*x_SSL_set_bio)(SSL *, BIO *, BIO *); + extern int (*x_SSL_set_ex_data)(SSL *, int, void *); + extern int (*x_SSL_shutdown)(SSL *); + extern int (*x_SSL_write)(SSL *, const void *, int); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + extern SSL_METHOD *(*x_SSLv23_server_method)(void); ++#else ++extern SSL_METHOD *(*x_TLS_server_method)(void); ++#endif + extern X509 * (*x_d2i_X509)(X509 **px, const unsigned char **in, int len); + extern void (*x_X509_free)(X509 *a); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + extern void (*x_sk_zero)(void *st); ++#endif + extern void *(*x_SSL_COMP_get_compression_methods)(void); + + #define BIO_ctrl x_BIO_ctrl +@@ -146,6 +169,9 @@ extern void *(*x_SSL_COMP_get_compression_methods)(v + #define SSL_CTX_new x_SSL_CTX_new + #define SSL_CTX_set_cipher_list x_SSL_CTX_set_cipher_list + #define SSL_CTX_set_info_callback x_SSL_CTX_set_info_callback ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++#define SSL_CTX_set_options x_SSL_CTX_set_options ++#endif + #define SSL_CTX_use_PrivateKey_file x_SSL_CTX_use_PrivateKey_file + #define SSL_CTX_use_PrivateKey_ASN1 x_SSL_CTX_use_PrivateKey_ASN1 + #define SSL_CTX_use_certificate_file x_SSL_CTX_use_certificate_file +@@ -157,7 +183,9 @@ extern void *(*x_SSL_COMP_get_compression_methods)(v + #define SSL_get_rbio x_SSL_get_rbio + #define SSL_get_servername x_SSL_get_servername + #define SSL_get_wbio x_SSL_get_wbio ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #define SSL_library_init x_SSL_library_init ++#endif + #define SSL_new x_SSL_new + #define SSL_read x_SSL_read + #define SSL_set_SSL_CTX x_SSL_set_SSL_CTX +@@ -166,10 +194,16 @@ extern void *(*x_SSL_COMP_get_compression_methods)(v + #define SSL_set_ex_data x_SSL_set_ex_data + #define SSL_shutdown x_SSL_shutdown + #define SSL_write x_SSL_write ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #define SSLv23_server_method x_SSLv23_server_method ++#else ++#define TLS_server_method x_TLS_server_method ++#endif + #define d2i_X509 x_d2i_X509 + #define X509_free x_X509_free ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + #define sk_zero x_sk_zero ++#endif + #define SSL_COMP_get_compression_methods x_SSL_COMP_get_compression_methods + + #undef BIO_set_buffer_read_data Added: head/www/shellinabox/files/patch-libhttp_url.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/shellinabox/files/patch-libhttp_url.c Sat Nov 10 22:45:31 2018 (r484647) @@ -0,0 +1,12 @@ +--- libhttp/url.c.orig 2016-11-09 19:40:33 UTC ++++ libhttp/url.c +@@ -312,6 +312,9 @@ static void urlParsePostBody(struct URL *url, + } + } + } ++ } else { ++ warn("[http] broken multipart/form-data!"); ++ break; + } + } + if (lastPart) { Added: head/www/shellinabox/files/patch-shellinabox_launcher.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/shellinabox/files/patch-shellinabox_launcher.c Sat Nov 10 22:45:31 2018 (r484647) @@ -0,0 +1,13 @@ +--- shellinabox/launcher.c.orig 2016-11-09 19:40:33 UTC ++++ shellinabox/launcher.c +@@ -993,8 +993,8 @@ static pam_handle_t *internalLogin(struct Service *ser + if (service->authUser == 2 /* SSH */) { + // If connecting to a remote host, include that hostname + hostname = strrchr(service->cmdline, '@'); +- if (!hostname || !strcmp(++hostname, "localhost")) { +- hostname = NULL; ++ if (hostname) { ++ hostname++; + } + } + struct utsname uts; Added: head/www/shellinabox/files/patch-shellinabox_vt100.jspp ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/shellinabox/files/patch-shellinabox_vt100.jspp Sat Nov 10 22:45:31 2018 (r484647) @@ -0,0 +1,24 @@ +--- shellinabox/vt100.jspp.orig 2016-11-09 19:40:33 UTC ++++ shellinabox/vt100.jspp +@@ -3937,13 +3937,21 @@ VT100.prototype.csim = function() { + break; + default: + if (this.par[i] >= 30 && this.par[i] <= 37) { ++ // set foreground color, colors 0-7 (ansi) + var fg = this.par[i] - 30; + this.attr = ((this.attr & ~0x0F) | fg) & ~(ATTR_DEF_FG); + this.attrFg = false; + } else if (this.par[i] >= 40 && this.par[i] <= 47) { ++ // set background color, colors 0-7 (ansi) + var bg = this.par[i] - 40; + this.attr = ((this.attr & ~0xF0) | (bg << 4)) & ~(ATTR_DEF_BG); + this.attrBg = false; ++ } else if (this.par[i] >= 90 && this.par[i] <= 97) { ++ // set foreground color, colors 8-15 (aixterm high-intensity) ++ this.attrFg = this.par[i] - 82; ++ } else if (this.par[i] >= 100 && this.par[i] <= 107) { ++ // set background color, colors 8-15 (aixterm high-intensity) ++ this.attrBg = this.par[i] - 92; + } + break; + }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201811102245.wAAMjVc9027208>