
add more bugfix patches from Solar Designer

Ralf S. Engelschall 22 лет назад
Родитель
Сommit
935dae77e1
2 измененных файлов с 132 добавлено и 0 удалено
  1. 130 0
      openssh/openssh.patch
  2. 2 0
      openssh/openssh.spec

+ 130 - 0
openssh/openssh.patch

@@ -0,0 +1,130 @@
+These patches adjust (re)allocation procedures so they do not
+alter context structures unless the (re)allocation was successful.
+Otherwise the fatal cleanup functions (trigged from within the
+failing (re)allocation functions) will be confused and especially
+(for some instances) incorrectly clear (smaller than recorded) memory
+buffers with NUL bytes. This patch is based on work by Solar Designer
+<solar@openwall.com>.
+
+Index: deattack.c
+--- deattack.c.orig	2002-03-05 02:53:05.000000000 +0100
++++ deattack.c	2003-09-17 09:30:09.000000000 +0200
+@@ -100,12 +100,12 @@
+ 
+ 	if (h == NULL) {
+ 		debug("Installing crc compensation attack detector.");
++		h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
+ 		n = l;
+-		h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
+ 	} else {
+ 		if (l > n) {
++			h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
+ 			n = l;
+-			h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
+ 		}
+ 	}
+ 
+Index: misc.c
+--- misc.c.orig	2003-08-25 03:16:21.000000000 +0200
++++ misc.c	2003-09-17 09:30:09.000000000 +0200
+@@ -308,18 +308,21 @@
+ {
+ 	va_list ap;
+ 	char buf[1024];
++	int nalloc;
+ 
+ 	va_start(ap, fmt);
+ 	vsnprintf(buf, sizeof(buf), fmt, ap);
+ 	va_end(ap);
+ 
++	nalloc = args->nalloc;
+ 	if (args->list == NULL) {
+-		args->nalloc = 32;
++		nalloc = 32;
+ 		args->num = 0;
+-	} else if (args->num+2 >= args->nalloc)
+-		args->nalloc *= 2;
++	} else if (args->num+2 >= nalloc)
++		nalloc *= 2;
+ 
+-	args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
++	args->list = xrealloc(args->list, nalloc * sizeof(char *));
++	args->nalloc = nalloc;
+ 	args->list[args->num++] = xstrdup(buf);
+ 	args->list[args->num] = NULL;
+ }
+Index: session.c
+--- session.c.orig	2003-09-16 03:52:19.000000000 +0200
++++ session.c	2003-09-17 09:34:20.000000000 +0200
+@@ -800,6 +800,7 @@
+ {
+ 	u_int i, namelen;
+ 	char **env;
++	u_int envsize;
+ 
+ 	/*
+ 	 * If we're passed an uninitialized list, allocate a single null
+@@ -826,12 +827,14 @@
+ 		xfree(env[i]);
+ 	} else {
+ 		/* New variable.  Expand if necessary. */
+-		if (i >= (*envsizep) - 1) {
+-			if (*envsizep >= 1000)
++		envsize = *envsizep;
++		if (i >= envsize - 1) {
++			if (envsize >= 1000)
+ 				fatal("child_set_env: too many env vars,"
+ 				    " skipping: %.100s", name);
+-			(*envsizep) += 50;
+-			env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
++			envsize += 50;
++			env = (*envp) = xrealloc(env, envsize * sizeof(char *));
++			*envsizep = envsize;
+ 		}
+ 		/* Need to set the NULL pointer at end of array beyond the new slot. */
+ 		env[i + 1] = NULL;
+Index: ssh-agent.c
+--- ssh-agent.c.orig	2003-08-22 01:34:41.000000000 +0200
++++ ssh-agent.c	2003-09-17 09:30:09.000000000 +0200
+@@ -784,7 +784,7 @@
+ static void
+ new_socket(sock_type type, int fd)
+ {
+-	u_int i, old_alloc;
++	u_int i, old_alloc, new_alloc;
+ 
+ 	if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
+ 		error("fcntl O_NONBLOCK: %s", strerror(errno));
+@@ -795,25 +795,26 @@
+ 	for (i = 0; i < sockets_alloc; i++)
+ 		if (sockets[i].type == AUTH_UNUSED) {
+ 			sockets[i].fd = fd;
+-			sockets[i].type = type;
+ 			buffer_init(&sockets[i].input);
+ 			buffer_init(&sockets[i].output);
+ 			buffer_init(&sockets[i].request);
++			sockets[i].type = type;
+ 			return;
+ 		}
+ 	old_alloc = sockets_alloc;
+-	sockets_alloc += 10;
++	new_alloc = sockets_alloc + 10;
+ 	if (sockets)
+-		sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
++		sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
+ 	else
+-		sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
+-	for (i = old_alloc; i < sockets_alloc; i++)
++		sockets = xmalloc(new_alloc * sizeof(sockets[0]));
++	for (i = old_alloc; i < new_alloc; i++)
+ 		sockets[i].type = AUTH_UNUSED;
+-	sockets[old_alloc].type = type;
++	sockets_alloc = new_alloc;
+ 	sockets[old_alloc].fd = fd;
+ 	buffer_init(&sockets[old_alloc].input);
+ 	buffer_init(&sockets[old_alloc].output);
+ 	buffer_init(&sockets[old_alloc].request);
++	sockets[old_alloc].type = type;
+ }
+ 
+ static int
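Review bot: Nothing in the patched C code records that the new statement order is load-bearing: in ssh-agent.c `sockets[i].type = type;` now has to stay after the three `buffer_init()` calls, and in deattack.c, misc.c and session.c the recorded size has to stay after the `xmalloc()`/`xrealloc()` call, yet the only explanation lives in the patch header. A one-line comment at each site, for example `/* set type last: slot must not look in use until its buffers exist */` and `/* update the recorded size only after xrealloc() has succeeded */`, would stop a later tidy-up from silently reintroducing the mismatch between recorded and actual size. In misc.c the new local is `int nalloc;` while the declaration of `args->nalloc` is outside the hunk, so it is worth confirming that the types agree and that `nalloc *= 2` cannot overflow for the sizes callers can reach.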

+ 2 - 0
openssh/openssh.spec

@@ -59,6 +59,7 @@ Source6:      ssh-keyman
 Source7:      ssh-keyman.1
 Source8:      ssh-keyman.pod
 Source9:      http://chrootssh.sourceforge.net/download/osshChroot-%{V_chroot}.diff
+Patch0:       openssh.patch
 
 #   build information
 Prefix:       %{l_prefix}
@@ -104,6 +105,7 @@ AutoReqProv:  no
 %prep
     #   unpack distribution
     %setup -q
+    %patch -p0
 
     #   optionally apply chroot(2) patch
 %if "%{with_chroot}" == "yes"