main/*: remove stale patches

main/ppp/fix-bound-check-eap.patch

-From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
-From: Paul Mackerras <paulus@ozlabs.org>
-Date: Mon, 3 Feb 2020 15:53:28 +1100
-Subject: [PATCH] pppd: Fix bounds check in EAP code
-
-Given that we have just checked vallen < len, it can never be the case
-that vallen >= len + sizeof(rhostname).  This fixes the check so we
-actually avoid overflowing the rhostname array.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
----
- pppd/eap.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/pppd/eap.c b/pppd/eap.c
-index 94407f5..1b93db0 100644
---- a/pppd/eap.c
-+++ b/pppd/eap.c
-@@ -1420,7 +1420,7 @@ int len;
- 		}
- 
- 		/* Not so likely to happen. */
--		if (vallen >= len + sizeof (rhostname)) {
-+		if (len - vallen >= sizeof (rhostname)) {
- 			dbglog("EAP: trimming really long peer name down");
- 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
- 			rhostname[sizeof (rhostname) - 1] = '\0';
-@@ -1846,7 +1846,7 @@ int len;
- 		}
- 
- 		/* Not so likely to happen. */
--		if (vallen >= len + sizeof (rhostname)) {
-+		if (len - vallen >= sizeof (rhostname)) {
- 			dbglog("EAP: trimming really long peer name down");
- 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
- 			rhostname[sizeof (rhostname) - 1] = '\0';
--- 
-2.25.0
-

main/ppp/fix-pppd-pppoe.h.patch

---- a/pppd/plugins/pppoe/pppoe.h	2020-02-06 09:59:38.086103782 +0100
-+++ b/pppd/plugins/pppoe/pppoe.h	2020-02-06 20:50:20.159705281 +0100
-@@ -84,18 +84,6 @@
- #include <linux/if_ether.h>
- #endif
- 
--#ifdef HAVE_NETINET_IF_ETHER_H
--#include <sys/types.h>
--
--#ifdef HAVE_SYS_SOCKET_H
--#include <sys/socket.h>
--#endif
--#ifndef HAVE_SYS_DLPI_H
--#include <netinet/if_ether.h>
--#endif
--#endif
--
--
- /* Ethernet frame types according to RFC 2516 */
- #define ETH_PPPOE_DISCOVERY 0x8863
- #define ETH_PPPOE_SESSION   0x8864

main/ppp/pppd-Ignore-received-EAP-messages-when-not-doing-EAP.patch

-From 8d45443bb5c9372b4c6a362ba2f443d41c5636af Mon Sep 17 00:00:00 2001
-From: Paul Mackerras <paulus@ozlabs.org>
-Date: Mon, 3 Feb 2020 16:31:42 +1100
-Subject: [PATCH] pppd: Ignore received EAP messages when not doing EAP
-
-This adds some basic checks to the subroutines of eap_input to check
-that we have requested or agreed to doing EAP authentication before
-doing any processing on the received packet.  The motivation is to
-make it harder for a malicious peer to disrupt the operation of pppd
-by sending unsolicited EAP packets.  Note that eap_success() already
-has a check that the EAP client state is reasonable, and does nothing
-(apart from possibly printing a debug message) if not.
-
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
----
- pppd/eap.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/pppd/eap.c b/pppd/eap.c
-index 1b93db0..082e953 100644
---- a/pppd/eap.c
-+++ b/pppd/eap.c
-@@ -1328,6 +1328,12 @@ int len;
- 	int fd;
- #endif /* USE_SRP */
- 
-+	/*
-+	 * Ignore requests if we're not open
-+	 */
-+	if (esp->es_client.ea_state <= eapClosed)
-+		return;
-+
- 	/*
- 	 * Note: we update es_client.ea_id *only if* a Response
- 	 * message is being generated.  Otherwise, we leave it the
-@@ -1736,6 +1742,12 @@ int len;
- 	u_char dig[SHA_DIGESTSIZE];
- #endif /* USE_SRP */
- 
-+	/*
-+	 * Ignore responses if we're not open
-+	 */
-+	if (esp->es_server.ea_state <= eapClosed)
-+		return;
-+
- 	if (esp->es_server.ea_id != id) {
- 		dbglog("EAP: discarding Response %d; expected ID %d", id,
- 		    esp->es_server.ea_id);
-@@ -2047,6 +2059,12 @@ u_char *inp;
- int id;
- int len;
- {
-+	/*
-+	 * Ignore failure messages if we're not open
-+	 */
-+	if (esp->es_client.ea_state <= eapClosed)
-+		return;
-+
- 	if (!eap_client_active(esp)) {
- 		dbglog("EAP unexpected failure message in state %s (%d)",
- 		    eap_state_name(esp->es_client.ea_state),
--- 
-2.24.1
-

main/ppp/radius-Prevent-buffer-overflow-in-rc_mksid.patch

-From 858976b1fc3107f1261aae337831959b511b83c2 Mon Sep 17 00:00:00 2001
-From: Paul Mackerras <paulus@ozlabs.org>
-Date: Sat, 4 Jan 2020 12:01:32 +1100
-Subject: [PATCH] radius: Prevent buffer overflow in rc_mksid()
-
-On some systems getpid() can return a value greater than 65535.
-Increase the size of buf[] to allow for this, and use slprintf()
-to make sure we never overflow it.
-
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
----
- pppd/plugins/radius/util.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
-index 6f976a7..740131e 100644
---- a/pppd/plugins/radius/util.c
-+++ b/pppd/plugins/radius/util.c
-@@ -73,9 +73,9 @@ void rc_mdelay(int msecs)
- char *
- rc_mksid (void)
- {
--  static char buf[15];
-+  static char buf[32];
-   static unsigned short int cnt = 0;
--  sprintf (buf, "%08lX%04X%02hX",
-+  slprintf(buf, sizeof(buf), "%08lX%04X%02hX",
- 	   (unsigned long int) time (NULL),
- 	   (unsigned int) getpid (),
- 	   cnt & 0xFF);
--- 
-2.24.1
-

main/py3-requests/0001-don-t-depend-on-certifi.patch

-From c67893eec31f4538dec95e208bbf418cf5f2e0de Mon Sep 17 00:00:00 2001
-From: Leo <thinkabit.ukim@gmail.com>
-Date: Fri, 11 Dec 2020 01:15:29 -0300
-Subject: [PATCH 1/2] don't depend on certifi
-
----
- setup.py | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/setup.py b/setup.py
-index 7ba4b2a..065eb22 100755
---- a/setup.py
-+++ b/setup.py
-@@ -45,7 +45,6 @@ requires = [
-     'chardet>=3.0.2,<5',
-     'idna>=2.5,<3',
-     'urllib3>=1.21.1,<1.27',
--    'certifi>=2017.4.17'
- 
- ]
- test_requirements = [

main/py3-requests/certs.patch

-diff --git a/requests/certs.py b/requests/certs.py
-index d1a378d7..4e0bffd4 100644
---- a/requests/certs.py
-+++ b/requests/certs.py
-@@ -12,7 +12,8 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed
- environment, you can change the definition of where() to return a separately
- packaged CA bundle.
- """
--from certifi import where
-+def where():
-+    return "/etc/ssl/certs/ca-certificates.crt"
- 
- if __name__ == '__main__':
-     print(where())

main/xtables-addons-lts/ip_route_me_harder-5.4.78.patch

-diff --git a/extensions/xt_DELUDE.c b/extensions/xt_DELUDE.c
-index b384c8e..cb1d055 100644
---- a/extensions/xt_DELUDE.c
-+++ b/extensions/xt_DELUDE.c
-@@ -122,7 +122,7 @@ static void delude_send_reset(struct net *net, struct sk_buff *oldskb,
- 	/* ip_route_me_harder expects skb->dst to be set */
- 	skb_dst_set(nskb, dst_clone(skb_dst(oldskb)));
- 
--	if (ip_route_me_harder(net, nskb, addr_type))
-+	if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
- 		goto free_nskb;
- 	else
- 		niph = ip_hdr(nskb);
-diff --git a/extensions/xt_ECHO.c b/extensions/xt_ECHO.c
-index e99312b..2ab413b 100644
---- a/extensions/xt_ECHO.c
-+++ b/extensions/xt_ECHO.c
-@@ -192,7 +192,7 @@ echo_tg4(struct sk_buff *oldskb, const struct xt_action_param *par)
- 	/* ip_route_me_harder expects the skb's dst to be set */
- 	skb_dst_set(newskb, dst_clone(skb_dst(oldskb)));
- 
--	if (ip_route_me_harder(par_net(par), newskb, RTN_UNSPEC) != 0)
-+	if (ip_route_me_harder(par_net(par), par->state->sk, newskb, RTN_UNSPEC) != 0)
- 		goto free_nskb;
- 
- 	newip->ttl = ip4_dst_hoplimit(skb_dst(newskb));
-diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
-index 4926f2e..6256e60 100644
---- a/extensions/xt_TARPIT.c
-+++ b/extensions/xt_TARPIT.c
-@@ -265,7 +265,7 @@ static void tarpit_tcp4(struct net *net, struct sk_buff *oldskb,
- #endif
- 		addr_type = RTN_LOCAL;
- 
--	if (ip_route_me_harder(net, nskb, addr_type))
-+	if (ip_route_me_harder(net, nskb->sk, nskb, addr_type))
- 		goto free_nskb;
- 	else
- 		niph = ip_hdr(nskb);
-@@ -399,7 +399,7 @@ static void tarpit_tcp6(struct net *net, struct sk_buff *oldskb,
- 	              IPPROTO_TCP,
- 	              csum_partial(tcph, sizeof(struct tcphdr), 0));
- 
--	if (ip6_route_me_harder(net, nskb))
-+	if (ip6_route_me_harder(net, nskb->sk, nskb))
- 		goto free_nskb;
- 
- 	nskb->ip_summed = CHECKSUM_NONE;