From 66a6b324d094fcebf09847dc478c31a3ca6be698 Mon Sep 17 00:00:00 2001
From: bapt
Date: Tue, 25 Nov 2014 22:25:13 +0000
Subject: [PATCH] Reduce overlinking

The framework now ensure by itself that pthread is added to the link chain as the last component if linked to kerberos hence avoid with out any explicit addition prevent issue like CVE-2014-8475
---
 secure/lib/libssh/Makefile | 1 -
 secure/libexec/sftp-server/Makefile | 2 --
 secure/libexec/ssh-keysign/Makefile | 2 +-
 secure/libexec/ssh-pkcs11-helper/Makefile | 2 +-
 secure/usr.bin/scp/Makefile | 2 --
 secure/usr.bin/sftp/Makefile | 2 --
 secure/usr.bin/ssh-add/Makefile | 2 --
 secure/usr.bin/ssh-agent/Makefile | 2 +-
 secure/usr.bin/ssh-keygen/Makefile | 3 +--
 secure/usr.bin/ssh-keyscan/Makefile | 2 --
 secure/usr.bin/ssh/Makefile | 5 ++---
 secure/usr.sbin/sshd/Makefile | 18 ++++-------------
 12 files changed, 10 insertions(+), 33 deletions(-)

diff --git a/secure/lib/libssh/Makefile b/secure/lib/libssh/Makefile
index d23330da1e8d..725ace8d47f7 100644
--- a/secure/lib/libssh/Makefile
+++ b/secure/lib/libssh/Makefile
@@ -41,7 +41,6 @@ CFLAGS+= -I${SSHDIR} -include ssh_namespace.h
 
 .if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -include krb5_config.h
-LIBADD+= gssapi krb5 hx509 asn1 com_err md roken
 .endif
 
 .if ${MK_OPENSSH_NONE_CIPHER} != "no"
diff --git a/secure/libexec/sftp-server/Makefile b/secure/libexec/sftp-server/Makefile
index 3e55cc9db7eb..3ec21fdfbe50 100644
--- a/secure/libexec/sftp-server/Makefile
+++ b/secure/libexec/sftp-server/Makefile
@@ -21,8 +21,6 @@ CFLAGS+= -DHAVE_LDNS=1
 #USEPRIVATELIB+= ldns
 .endif
 
-LIBADD+= crypto crypto z
-
 .include
 
 .PATH: ${SSHDIR}
diff --git a/secure/libexec/ssh-keysign/Makefile b/secure/libexec/ssh-keysign/Makefile
index 01e51ef70f15..9efad92e59ac 100644
--- a/secure/libexec/ssh-keysign/Makefile
+++ b/secure/libexec/ssh-keysign/Makefile
@@ -17,7 +17,7 @@ CFLAGS+= -DHAVE_LDNS=1
 #USEPRIVATELIB+= ldns
 .endif
 
-LIBADD+= crypt crypto z
+LIBADD+= crypto
 
 .include
 
diff --git a/secure/libexec/ssh-pkcs11-helper/Makefile b/secure/libexec/ssh-pkcs11-helper/Makefile
index 55f151a66638..6733048c3b5c 100644
--- a/secure/libexec/ssh-pkcs11-helper/Makefile
+++ b/secure/libexec/ssh-pkcs11-helper/Makefile
@@ -21,7 +21,7 @@ CFLAGS+= -DHAVE_LDNS=1
 #USEPRIVATELIB+= ldns
 .endif
 
-LIBADD+= crypt crypto z
+LIBADD+= crypto
 
 .include
 
diff --git a/secure/usr.bin/scp/Makefile b/secure/usr.bin/scp/Makefile
index 12a3caf3914b..203fbc304fd7 100644
--- a/secure/usr.bin/scp/Makefile
+++ b/secure/usr.bin/scp/Makefile
@@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1
 #USEPRIVATELIB+= ldns
 .endif
 
-LIBADD+= crypt crypto z
-
 .include
 
 .PATH: ${SSHDIR}
diff --git a/secure/usr.bin/sftp/Makefile b/secure/usr.bin/sftp/Makefile
index ef130d806cd5..42728be2871b 100644
--- a/secure/usr.bin/sftp/Makefile
+++ b/secure/usr.bin/sftp/Makefile
@@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1
 #USEPRIVATELIB+= ldns
 .endif
 
-LIABDD+= crypt crypto z
-
 .include
 
 .PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh-add/Makefile b/secure/usr.bin/ssh-add/Makefile
index 2484a7bb93bd..ec6ebc13acd0 100644
--- a/secure/usr.bin/ssh-add/Makefile
+++ b/secure/usr.bin/ssh-add/Makefile
@@ -20,8 +20,6 @@ CFLAGS+= -DHAVE_LDNS=1
 #USEPRIVATELIB+= ldns
 .endif
 
-LIBADD+= crypt crypto z
-
 .include
 
 .PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh-agent/Makefile b/secure/usr.bin/ssh-agent/Makefile
index 807f7474e4d2..e263dec0617f 100644
--- a/secure/usr.bin/ssh-agent/Makefile
+++ b/secure/usr.bin/ssh-agent/Makefile
@@ -20,7 +20,7 @@ CFLAGS+= -DHAVE_LDNS=1
 #USEPRIVATELIB+= ldns
 .endif
 
-LIBADD+= crypt crypto z
+LIBADD+= crypto
 
 .include
 
diff --git a/secure/usr.bin/ssh-keygen/Makefile b/secure/usr.bin/ssh-keygen/Makefile
index c2654bad1073..db8dc7efc5d8 100644
--- a/secure/usr.bin/ssh-keygen/Makefile
+++ b/secure/usr.bin/ssh-keygen/Makefile
@@ -15,10 +15,9 @@ LIBADD= ssh
 
 .if ${MK_LDNS} != "no"
 CFLAGS+= -DHAVE_LDNS=1
-LIBADD+= ldns
 .endif
 
-LIBADD+= crypt crypto z
+LIBADD+= crypto
 
 .include
 
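Review bot: With `LIBADD+= ldns` removed while `CFLAGS+= -DHAVE_LDNS=1` stays, ssh-keygen now relies on libssh's dependency list to bring libldns in; that is fine for the dynamic link, but if any object compiled into ssh-keygen itself references ldns symbols, a static link would only succeed if the framework appends ldns after ssh on the linker line. The diff does not show whether only libssh's DNS code uses ldns, so that is worth confirming before relying on it. A one-line note would spare the next reader the same question, e.g. `# ldns is pulled in through libssh's dependencies; no ssh-keygen object uses it directly`, if that is indeed the case. The same pattern appears in the ssh Makefile hunk further down.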
diff --git a/secure/usr.bin/ssh-keyscan/Makefile b/secure/usr.bin/ssh-keyscan/Makefile
index b4f97a563641..b6b506063f7a 100644
--- a/secure/usr.bin/ssh-keyscan/Makefile
+++ b/secure/usr.bin/ssh-keyscan/Makefile
@@ -15,8 +15,6 @@ CFLAGS+= -DHAVE_LDNS=1
 #USEPRIVATELIB+= ldns
 .endif
 
-LIBADD+= crypt crypto z
-
 .include
 
 .PATH: ${SSHDIR}
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index 2f2f97b26fc0..b29ee2ebf136 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -15,11 +15,10 @@ SRCS= ssh.c readconf.c clientloop.c sshtty.c \
 # gss-genr.c really belongs in libssh; see src/secure/lib/libssh/Makefile
 SRCS+= gss-genr.c
 
-LIBADD= ssh util
+LIBADD= ssh
 
 .if ${MK_LDNS} != "no"
 CFLAGS+= -DHAVE_LDNS=1
-LIBADD+= ldns
 .endif
 
 .if ${MK_KERBEROS_SUPPORT} != "no"
@@ -31,7 +30,7 @@ LIBADD+= gssapi
 CFLAGS+= -DNONE_CIPHER_ENABLED
 .endif
 
-LIBADD+= crypt crypto z
+LIBADD+= crypto
 
 .if defined(LOCALBASE)
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index f95c8c653322..f2c7e362acd4 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -25,7 +25,8 @@ SRCS+= gss-genr.c
 MAN= sshd.8 sshd_config.5
 CFLAGS+=-I${SSHDIR} -include ssh_namespace.h
 
-LIBADD= ssh util wrap pam
+# pam should always happen before ssh here for static linking
+LIBADD= pam ssh util wrap
 
 .if ${MK_LDNS} != "no"
 CFLAGS+= -DHAVE_LDNS=1
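Review bot: The new comment `# pam should always happen before ssh here for static linking` in the sshd hunk states the rule but not the reason, so the next person reordering LIBADD cannot tell what would break or how to test it. Presumably the constraint exists because a statically linked libpam brings in modules that reference libssh symbols, which the static linker only resolves if `ssh` follows `pam` on the command line; that is worth confirming and then spelling out, e.g. `# pam must precede ssh: when sshd is linked statically, libpam (with its built-in modules) references libssh symbols, so libssh.a has to come later on the linker line`. It would also help to say that the order does not matter for the dynamic build, so nobody "tidies" it back to the old order.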
@@ -41,25 +42,14 @@ LIBADD+= bsm
 
 .if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -include krb5_config.h
-LIBADD+= gssapi_krb5 gssapi krb5 hx509 asn1 com_err roken wind heimbase \
- heimipcc
+LIBADD+= gssapi_krb5 gssapi krb5
 .endif
 
 .if ${MK_OPENSSH_NONE_CIPHER} != "no"
 CFLAGS+= -DNONE_CIPHER_ENABLED
 .endif
 
-LIBADD+= crypt crypto z
-
-# Fix the order of NEEDED entries for libthr and libc. The libthr
-# needs to interpose libc symbols, leaving the libthr loading as
-# dependency of krb causes reversed order and broken interposing. Put
-# the threading library last on the linker command line, just before
-# the -lc added by a compiler driver.
-# XXX In theory the framework now takes care of that, it needs to be checked
-.if ${MK_KERBEROS_SUPPORT} != "no"
-LIBADD+= pthread
-.endif
+LIBADD+= crypto
 
 .if defined(LOCALBASE)
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
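Review bot: The libthr-ordering safeguard removed here (the trailing `LIBADD+= pthread` and the comment explaining that libthr must be the last direct NEEDED entry so it can interpose libc, the issue behind CVE-2014-8475) is replaced only by the commit message's claim that the framework now orders libthr last, while the removed comment itself still said that this "needs to be checked" and nothing in the diff shows that check. Because the whole guarantee now lives in the LIBADD framework outside this file, a later edit to this Makefile could change the dependency order without anyone noticing. Suggest keeping a one-line reminder next to the remaining `LIBADD+= crypto`, e.g. `# libthr must stay the last direct NEEDED entry of sshd (CVE-2014-8475); the LIBADD framework orders it, verify with readelf -d after changing LIBADD`, and recording an actual `readelf -d` check of the built sshd, for the static build too given the static-linking note in the previous hunk, before this lands. The Kerberos block likewise now relies on krb5's transitive dependencies for hx509/asn1/com_err/roken/wind/heimbase/heimipcc; that is presumably what the framework provides, and the same readelf check would confirm it.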