Commit
1356b123
authored
Jan 21, 2021
by
Leo
main/*: remove stale patches
parent
95c56863
Showing
7 changed files
with
0 additions
and
241 deletions
+0
-241
main/ppp/fix-bound-check-eap.patch
main/ppp/fix-bound-check-eap.patch
+0
-40
main/ppp/fix-pppd-pppoe.h.patch
main/ppp/fix-pppd-pppoe.h.patch
+0
-21
main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
...ppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
+0
-64
main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch
main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch
+0
-33
main/py3-requests/0001-don-t-depend-on-certifi.patch
main/py3-requests/0001-don-t-depend-on-certifi.patch
+0
-21
main/py3-requests/certs.patch
main/py3-requests/certs.patch
+0
-14
main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch
main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch
+0
-48
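--- a/main/ppp/fix-bound-check-eap.patch
+++ /dev/null
-From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
-From: Paul Mackerras <paulus@ozlabs.org>
-Date: Mon, 3 Feb 2020 15:53:28 +1100
-Subject: [PATCH] pppd: Fix bounds check in EAP code
-Given that we have just checked vallen < len, it can never be the case
-that vallen >= len + sizeof(rhostname). This fixes the check so we
-actually avoid overflowing the rhostname array.
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
----
-pppd/eap.c | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/pppd/eap.c b/pppd/eap.c
-index 94407f5..1b93db0 100644
---- a/pppd/eap.c
-+++ b/pppd/eap.c
-@@ -1420,7 +1420,7 @@
-int len;
-}
-/* Not so likely to happen. */
-- if (vallen >= len + sizeof (rhostname)) {
-+ if (len - vallen >= sizeof (rhostname)) {
-dbglog("EAP: trimming really long peer name down");
-BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
-rhostname[sizeof (rhostname) - 1] = '\0';
-@@ -1846,7 +1846,7 @@
-int len;
-}
-/* Not so likely to happen. */
-- if (vallen >= len + sizeof (rhostname)) {
-+ if (len - vallen >= sizeof (rhostname)) {
-dbglog("EAP: trimming really long peer name down");
-BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
-rhostname[sizeof (rhostname) - 1] = '\0';
---
-2.25.0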
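--- a/main/ppp/fix-pppd-pppoe.h.patch
+++ /dev/null
---- a/pppd/plugins/pppoe/pppoe.h 2020-02-06 09:59:38.086103782 +0100
-+++ b/pppd/plugins/pppoe/pppoe.h 2020-02-06 20:50:20.159705281 +0100
-@@ -84,18 +84,6 @@
-#include <linux/if_ether.h>
-#endif
--#ifdef HAVE_NETINET_IF_ETHER_H
--#include <sys/types.h>
--
--#ifdef HAVE_SYS_SOCKET_H
--#include <sys/socket.h>
--#endif
--#ifndef HAVE_SYS_DLPI_H
--#include <netinet/if_ether.h>
--#endif
--#endif
--
--
-/* Ethernet frame types according to RFC 2516 */
-#define ETH_PPPOE_DISCOVERY 0x8863
-#define ETH_PPPOE_SESSION 0x8864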
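--- a/main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch
+++ /dev/null
-From 8d45443bb5c9372b4c6a362ba2f443d41c5636af Mon Sep 17 00:00:00 2001
-From: Paul Mackerras <paulus@ozlabs.org>
-Date: Mon, 3 Feb 2020 16:31:42 +1100
-Subject: [PATCH] pppd: Ignore received EAP messages when not doing EAP
-This adds some basic checks to the subroutines of eap_input to check
-that we have requested or agreed to doing EAP authentication before
-doing any processing on the received packet. The motivation is to
-make it harder for a malicious peer to disrupt the operation of pppd
-by sending unsolicited EAP packets. Note that eap_success() already
-has a check that the EAP client state is reasonable, and does nothing
-(apart
-from possibly printing a debug message) if not.
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
----
-pppd/eap.c | 18 ++++++++++++++++++
-1 file changed, 18 insertions(+)
-diff --git a/pppd/eap.c b/pppd/eap.c
-index 1b93db0..082e953 100644
---- a/pppd/eap.c
-+++ b/pppd/eap.c
-@@ -1328,6 +1328,12 @@
-int len;
-int fd;
-#endif /* USE_SRP */
-+ /*
-+ * Ignore requests if we're not open
-+ */
-+ if (esp->es_client.ea_state <= eapClosed)
-+ return;
-+
-/*
-* Note: we update es_client.ea_id *only if* a Response
-* message is being generated. Otherwise, we leave it the
-@@ -1736,6 +1742,12 @@
-int len;
-u_char dig[SHA_DIGESTSIZE];
-#endif /* USE_SRP */
-+ /*
-+ * Ignore responses if we're not open
-+ */
-+ if (esp->es_server.ea_state <= eapClosed)
-+ return;
-+
-if (esp->es_server.ea_id != id) {
-dbglog("EAP: discarding Response %d; expected ID %d", id,
-esp->es_server.ea_id);
-@@ -2047,6 +2059,12 @@
-u_char *inp;
-int id;
-int len;
-{
-+ /*
-+ * Ignore failure messages if we're not open
-+ */
-+ if (esp->es_client.ea_state <= eapClosed)
-+ return;
-+
-if (!eap_client_active(esp)) {
-dbglog("EAP unexpected failure message in state %s (%d)",
-eap_state_name(esp->es_client.ea_state),
---
-2.24.1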
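--- a/main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch
+++ /dev/null
-From 858976b1fc3107f1261aae337831959b511b83c2 Mon Sep 17 00:00:00 2001
-From: Paul Mackerras <paulus@ozlabs.org>
-Date: Sat, 4 Jan 2020 12:01:32 +1100
-Subject: [PATCH] radius: Prevent buffer overflow in rc_mksid()
-On some systems getpid() can return a value greater than 65535.
-Increase the size of buf[] to allow for this, and use slprintf()
-to make sure we never overflow it.
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
----
-pppd/plugins/radius/util.c | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
-index 6f976a7..740131e 100644
---- a/pppd/plugins/radius/util.c
-+++ b/pppd/plugins/radius/util.c
-@@ -73,9 +73,9 @@
-void rc_mdelay(int msecs)
-char *
-rc_mksid (void)
-{
-- static char buf[15];
-+ static char buf[32];
-static unsigned short int cnt = 0;
-- sprintf (buf, "%08lX%04X%02hX",
-+ slprintf(buf, sizeof(buf), "%08lX%04X%02hX",
-(unsigned long int) time (NULL),
-(unsigned int) getpid (),
-cnt & 0xFF);
---
-2.24.1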
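--- a/main/py3-requests/0001-don-t-depend-on-certifi.patch
+++ /dev/null
-From c67893eec31f4538dec95e208bbf418cf5f2e0de Mon Sep 17 00:00:00 2001
-From: Leo <thinkabit.ukim@gmail.com>
-Date: Fri, 11 Dec 2020 01:15:29 -0300
-Subject: [PATCH 1/2] don't depend on certifi
----
-setup.py | 1 -
-1 file changed, 1 deletion(-)
-diff --git a/setup.py b/setup.py
-index 7ba4b2a..065eb22 100755
---- a/setup.py
-+++ b/setup.py
-@@ -45,7 +45,6 @@
-requires = [
-'chardet>=3.0.2,<5',
-'idna>=2.5,<3',
-'urllib3>=1.21.1,<1.27',
-- 'certifi>=2017.4.17'
-]
-test_requirements = [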
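--- a/main/py3-requests/certs.patch
+++ /dev/null
-diff --git a/requests/certs.py b/requests/certs.py
-index d1a378d7..4e0bffd4 100644
---- a/requests/certs.py
-+++ b/requests/certs.py
-@@ -12,7 +12,8 @@
-If you are packaging Requests, e.g., for a Linux distribution or a managed
-environment, you can change the definition of where() to return a separately
-packaged CA bundle.
-"""
--from certifi import where
-+def where():
-+ return "/etc/ssl/certs/ca-certificates.crt"
-if __name__ == '__main__':
-print(where())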
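--- a/main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch
+++ /dev/null
-diff --git a/extensions/xt_DELUDE.c b/extensions/xt_DELUDE.c
-index b384c8e..cb1d055 100644
---- a/extensions/xt_DELUDE.c
-+++ b/extensions/xt_DELUDE.c
-@@ -122,7 +122,7 @@
-static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
-/* ip_route_me_harder expects skb->dst to be set */
-skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
-- if (ip_route_me_harder(net, nskb, addr_type))
-+ if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
-goto free_nskb;
-else
-niph = ip_hdr(nskb);
-diff --git a/extensions/xt_ECHO.c b/extensions/xt_ECHO.c
-index e99312b..2ab413b 100644
---- a/extensions/xt_ECHO.c
-+++ b/extensions/xt_ECHO.c
-@@ -192,7 +192,7 @@
-echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
-/* ip_route_me_harder expects the skb's dst to be set */
-skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
-- if (ip_route_me_harder(par_net(par), newskb, RTN_UNSPEC) != 0)
-+ if (ip_route_me_harder(par_net(par), par->state->sk, newskb, RTN_UNSPEC) != 0)
-goto free_nskb;
-newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
-diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
-index 4926f2e..6256e60 100644
---- a/extensions/xt_TARPIT.c
-+++ b/extensions/xt_TARPIT.c
-@@ -265,7 +265,7 @@
-static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
-#endif
-addr_type = RTN_LOCAL;
-- if (ip_route_me_harder(net, nskb, addr_type))
-+ if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
-goto free_nskb;
-else
-niph = ip_hdr(nskb);
-@@ -399,7 +399,7 @@
-static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
-IPPROTO_TCP,
-csum_partial(tcph, sizeof(struct tcphdr), 0));
-- if (ip6_route_me_harder(net, nskb))
-+ if (ip6_route_me_harder(net, nskb->sk, nskb))
-goto free_nskb;
-nskb->ip_summed = CHECKSUM_NONE;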