tarballed
August 16th, 2002, 02:25
Ok...found some documentation for applying OpenBSD patches at www.openbsd.org of course. :)

Let me see if I have this correct.

To get the patch I can get it through CVS.

Is this the correct way to apply the 004: SECURITY FIX: May 22, 2002 patch?

cvs -d anoncvs@anoncvs5.usa.openbsd.org:/cvs co -rOPENBSD_3_1_BASE /cvs/src/usr.bin/ssh/

From there, I can apply the patch?

Do I have the basics down? Look ok? Missing anything?

Tarballed

bsdjunkie
August 16th, 2002, 12:06
you can use cvs or just download the patch to your box, and follow the instructions on it. like the one you mentioned:

Apply by doing:
cd /usr/src
patch -p0 < 004_sshbsdauth.patch
cd usr.bin/ssh
make obj
make cleandir
make depend
make && make install

Index: usr.bin/ssh/auth.c
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.41
diff -u -r1.41 auth.c
--- usr.bin/ssh/auth.c 19 Mar 2002 15:31:47 -0000 1.41
+++ usr.bin/ssh/auth.c 22 May 2002 20:28:25 -0000
@@ -410,7 +410,7 @@
}
#ifdef BSD_AUTH
if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
- auth_approval(NULL, lc, pw->pw_name, "ssh") <= 0) {
+ auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
debug("Approval failure for %s", user);
pw = NULL;
}
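Review bot: the change passes the BSD auth session `as` that `auth_open()`/`auth_setpwd()` just set up to `auth_approval()` instead of NULL, so the approval check now runs in the context of that session; the failure branch visible in the hunk (`debug(...)`, `pw = NULL`) shows no `auth_close(as)`, so confirm that the session opened on the line above is released on that path as well as on success, otherwise each failed approval leaves a session handle open.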

tarballed
August 16th, 2002, 14:31
Alright, think I have it figured out...how's this look?

For the most recently released patch:
014: SECURITY FIX: August 11, 2002

$ cvs -d anoncvs@anoncvs5.usa.openbsd.org:/cvs co -rOPENBSD_3_1_BASE sys/kern/

Then follow through with patch:

"Extra info from the errata...just wanted to paste here
Apply by doing:
cd /usr/src
patch -p0 < 014_scarg.patch
And then rebuild your kernel."

Index: sys/kern/sys_generic.c

Look right? When rebuilding the kernel, I just need to follow the steps like bsdjunkie posted, correct?

Tarballed

bsdjunkie
August 16th, 2002, 16:18
the steps I posted were not for rebuilding a kernel; that was to build that one specific patch I listed. Check out the FAQ to learn how to build a kernel. It has very good instructions on it. :roll:

tarballed
August 16th, 2002, 20:39
Whoops, my mistake. I meant to say rebuilding that specific patch, not rebuilding the kernel. :)

Replace kernel with patch, that's what I meant to ask.

Thanks bsdjunkie.

tarballed

tarballed
August 16th, 2002, 22:31
Alright. I'm about to install my first OpenBSD patch. :)

Kinda exciting, kinda stressful. Don't want to mess anything up. :oops:

Here's a quick rundown of what I'm going to issue. Tell me how it looks. I'm going to be applying the first patch from the errata list, Security Fix April 22, 2002:

cvs -d anoncvs@anoncvs.usa.openbsd.org:/cvs co -rOPENBSD_3_1_BASE src/usr.bin/ssh/

(I'm pretty sure the usr.bin/ssh/radix.c is the correct index...what's specified in the errata)

Then do the following:

Apply by doing:
cd /usr/src
patch -p0 < 001_sshafs.patch
cd usr.bin/ssh
make obj
make cleandir
make depend
make && make install

This look about right? I've been reading up on the FAQ and think I've got the hang of it, just want to make sure. :) Don't want to blow up my beautiful firewall I just got up. ehe :twisted:

Tarballed

frisco
August 16th, 2002, 22:53
This look about right? I've been reading up on the FAQ and think I've got the hang of it, just want to make sure. Don't want to blow up my beautiful firewall I just got up. ehe

instead of cvs'ing the source, you may want to grab /pub/OpenBSD/3.1/src.tar.gz and run 'tar -zxvf src.tar.gz' in /usr.
then install the patch the way you said.

since you're going to be installing all the patches (I presume), getting the whole src tree will be easier, and it will be easier (as well as quicker) to grab the base src from ftp than from cvs.

also, blowing up the firewall may be the best thing for a learning experience. frustrating as hell, but once you *know* you can reproduce the results then you will feel like a champ. but to prevent blowing it up, a good backup is essential. backup everything in /etc, that way even if you have to reinstall, all you have to do is restore /etc and all your firewall config stuff should be set.

disclaimer: i'm in between bars. typos, logic errors, well i blame them on good wheat beer.

tarballed
August 16th, 2002, 23:44
also, blowing up the firewall may be the best thing for a learning experience. frustrating as hell, but once you *know* you can reproduce the results then you will feel like a champ

Very true. I purposely installed OpenBSD 3.1 via ftp about 5 times, just so I was familiar with the process and install. Works great and I can do it no problem now.

Practice makes perfect. :)

Tarballed

tarballed
August 19th, 2002, 23:41
Firewall is back up. (Was easy this time :) )

Now I'm downloading the src and untarring it.

Next, I need to patch this bad boy.

Hang around. I'll probably be asking questions. :)

Tarballed

tarballed
August 20th, 2002, 00:02
Well, I just broke my firewall. AGAIN! lol

I think what happened is that I untarred src.tar.gz in the /usr directory instead of the /usr/src directory. I think it broke something because I can't log into my box now. When I was in, when I would try and read a man page, I would get an error with something like cannot open ld.so, or something similar along those lines.

Safe to say the untar episode broke something?

I have to laugh. I'm getting pretty good at installing OpenBSD and setting up a firewall. :)

Tarballed

bsdjunkie
August 20th, 2002, 00:03
I think what happened is that I untarred src.tar.gz in the /usr directory instead of the /usr/src directory.

AFAIK, src.tar.gz should be installed into /usr
there is no /usr/src dir by default. :roll:

tarballed
August 20th, 2002, 00:06
there is no /usr/src dir by default

Very odd. I swear I had a /usr/src directory.

I'm not sure what happened, but I think something broke on my box. :(

I can't log in via SSH and when I was in, I couldn't read a man page.

I think as soon as I reboot, I'm going to get an error.

Any ideas?

Tarballed

bsdjunkie
August 20th, 2002, 00:11
I could be wrong, I may be thinking of /usr/src/sys.
But it's been a while since I've looked at that on a new install, so I'm not sure :?

I don't know how untarring it broke the system. That's messed up.

tarballed
August 20th, 2002, 00:12
It's official. I broke it. :)

When I try and log in via console, I get:

Failure reading ld.so

Looks like I'm going to have to reinstall.

Weird thing is that this happened after I d/l the src.tar.gz and untarred it while in /usr.

Not sure what happened.

::Scratches head furiously::

Tarballed

elmore
August 20th, 2002, 00:12
shouldn't be able to read man pages on a firewall anyway, since you shouldn't install them on a fw, but..... Then again you're learning and you're installing the source, so man pages are no biggie. hehe. :D

Why not just start fresh, it'll only take you 10 or 15 minutes to reinstall OBSD via ftp over that nice Cable/DSL connection of yours.

tarballed
August 20th, 2002, 00:14
Why not just start fresh, it'll only take you 10 or 15 minutes to reinstall OBSD via ftp over that nice Cable/DSL connection of yours.

Ya, was just about to.

I was curious as to what did this. Obviously had to be something when I d/l the source and untarred it, but I'm not sure.

Thoughts before I reinstall? :)

Tarman

elmore
August 20th, 2002, 00:18
nahh, who knows what happened, at this point since you don't have any real time into the system who cares. :D

Remember after you download the src.tar.gz do this

cp src.tar.gz /usr

cd /usr

tar xzvfp src.tar.gz

you'll be fine

tarballed
August 20th, 2002, 01:10
Alright. I will give it a whirl.

Here is what I'm going to do verbatim:

ftp to ftp.openbsd.org
cd /pub/OpenBSD/3.1
get src.tar.gz
download

cp src.tar.gz /usr
tar xzvfp src.tar.gz -------> (I did not use the p option last time...possibly what caused the problem?)

I'll let ya know. :)

Tarballed

bsdjunkie
August 20th, 2002, 01:16
i always use cvs to get my src.

for csh

# setenv CVSROOT anoncvs@anoncvs.ca.openbsd.org:/cvs
# cd /usr
# cvs -q get -P src


:roll:

tarballed
August 20th, 2002, 01:31
CVS. Definitely something I need to read more on.

Sounds like it can make life a lot easier and sounds like a lot of fun.

For example, with that cvs command you gave, bsdjunkie, can you explain a little?:

for example, what does "setenv" do? I understand the next part about what server to connect to:

# cd /usr -----------> simple
# cvs -q get -P src --------> can you explain this part and the options?

Much appreciated.

Tarballed.

PS. Going to post "How I did it" in openbsd security :)

bsdjunkie
August 20th, 2002, 01:52
I'm not sure how to put setenv in common English since I'm drunk right now, but here's a decent explanation I got off a web site ;)

Setting environment variables
Unix uses environment variables to keep track of defaults for all sorts of purposes. For example, the variable PRINTER lets you set up a default printer to use with lpr. All environment variables have names in ALL CAPS and you can get a list of all the environment variables you currently have set by issuing the command printenv. To set an environment variable, issue a command like setenv ENV_VARIABLE text_string_variable_is_being_set_to. For example, to set your default editor to be emacs on cgl you would do:

cgl% setenv EDITOR /usr/local/bin/emacs

As with sourcing files above, if you find yourself setting a given environment variable almost every time you log in, you may want to add the appropriate setenv command to one of your dotfiles, such as your .cshrc or .tcshrc. If you do this, the file will automatically be sourced every time you log in. However, if you wish to immediately take advantage of this change without logging out, you will have to source the .cshrc or .tcshrc file you just changed.

the command i showed in the above post tells the shell to use that cvs server to get files from.

Look at the openbsd.org page at the anoncvs link to the left. It goes into good detail on all of that.

Also, you may want to get a couple good books on shells, like O'Reilly's Bash or csh/tcsh books.

tarballed
August 20th, 2002, 02:00
Cool stuff. I will definitely have to check out a few books on shells.

In regards to your command, the setenv command makes sense.

What I'm curious about is the command:

cvs -q get -P src

Reason I ask is, since I'm learning, I figured, "What the heck. If I mess it up, I can just reinstall. I'm getting pretty good at it anyway." :)

So I gave it a shot. Well, it's still going as I write this. I'm watching some of the information scroll by and I'm scratching my head going, "Do I need that stuff?"

There seems to be a lot of info I'm downloading. Not sure if I need it, but it's definitely interesting.

That command. Is it the same as downloading the src.tar.gz and untarring it while in the /usr directory?

Thanks bsdjunkie. Drunk eh? If I didn't have work tomorrow, I'd probably be tipping a few back as well. :)

Tarballed

bsdjunkie
August 20th, 2002, 02:27
it's just looking at the server and grabbing all the files you need for /usr/src basically. Just ignore everything you see until it's done ;)

tarballed
August 20th, 2002, 02:29
Hmm, I seem to be missing something here. I'm trying to apply the first patch, but I seem to be having a little problem. I downloaded the whole source tree and I'm trying to follow the information in the errata, but I'm a little confused.

Here is a snip from the errata:

Fix buffer overflow in AFS/Kerberos token handling.

This is the 3rd revision of the patch.

Apply by doing:
cd /usr/src
patch -p0 < 001_sshafs.patch
cd usr.bin/ssh
make obj
make cleandir
make depend
make && make install

Index: usr.bin/ssh/radix.c

Ok, so I cd /usr/src and then tried to issue:

patch -p0 < 001_sshafs.patch

I receive this error:

001_sshafs.patch: No such file or directory

After doing some reading on openbsd.org and the FAQ, I noticed in their example on how to install a patch, he has this little bit:

Applying Patches

$ cd /usr/src
$ patch -p0</path/to/026_talkd.patch <-----------/path/to/026_talkd.patch

So I must be getting the path incorrect. I think I'm just getting the incorrect path. I guess my question is, is this the correct path:

Index: usr.bin/ssh/radix.c

If so, I would execute the patch like so:
patch -p0 < usr.bin/ssh/radix.c/001_sshafs.patch inside the /usr/src directory?

I'm just a bit confused.

Can someone explain what I'm missing? I feel like I'm so close.

Tarballed

bsdjunkie
August 20th, 2002, 02:50
the path/to/patch is where you downloaded it to. if whatever.patch is in your home dir, patch -p0 < /home/yourhome/whatever.patch

tarballed
August 20th, 2002, 03:03
Ahhhh...success. :)

Thank you bsdjunkie. Helps a lot when you d/l the patch first. :oops:

Another quick question.
I was planning on downloading all the patches to my /tmp partition and then running through them til my system is patched.

Question is, do I need to reboot after each patch?

Also, is there a way to see if a patch was installed successfully?

Thanks a bunch bsdjunkie.

Tarballed
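One way to answer the "did the patch go in" question with patch(1) itself, added here as an example and not taken from any post in the thread: a patch that still applies cleanly forward is not in the tree yet, while one that applies cleanly in reverse (-R) already is. The demo tree, file and patch are constructed; the only assumption is that patch(1) is either OpenBSD's (dry-run flag -C) or GNU's (--dry-run).

```shell
#!/bin/sh
# Added example (not from the thread): use patch(1)'s dry-run mode to tell
# whether an errata-style patch has already been applied to a source tree.
# Assumption: patch(1) is OpenBSD's (dry-run flag -C) or GNU's (--dry-run).

# Pick the dry-run flag for the patch(1) we are running under.
dry_flag() {
    if patch --help 2>&1 | grep -q -- '--dry-run'; then
        printf '%s\n' '--dry-run'
    else
        printf '%s\n' '-C'
    fi
}

# patch_state TREE PATCHFILE -> "unapplied", "applied" or "unknown".
# -f keeps patch(1) from asking questions or silently assuming -R.
patch_state() {
    tree=$1; pf=$2; flag=$(dry_flag)
    if (cd "$tree" && patch -p0 -s -f "$flag" < "$pf" >/dev/null 2>&1); then
        echo unapplied      # applies cleanly forward: fix not in the tree yet
    elif (cd "$tree" && patch -p0 -s -f -R "$flag" < "$pf" >/dev/null 2>&1); then
        echo applied        # applies cleanly in reverse: fix already present
    else
        echo unknown        # neither direction fits: wrong tree, wrong -p, or partial apply
    fi
}

# Constructed demo: a one-line change in the same shape as an errata patch,
# checked before and after the usual "cd tree && patch -p0 < fix.patch".
demo_states() {
    d=$(mktemp -d) || return 1
    printf 'one\ntwo\nthree\n' > "$d/demo.txt"
    cat > "$d/fix.patch" <<'EOF'
Index: demo.txt
--- demo.txt
+++ demo.txt
@@ -1,3 +1,3 @@
 one
-two
+TWO
 three
EOF
    before=$(patch_state "$d" "$d/fix.patch")
    (cd "$d" && patch -p0 -s < fix.patch) || return 1
    after=$(patch_state "$d" "$d/fix.patch")
    rm -rf "$d"
    echo "$before $after"
}

demo_states    # prints: unapplied applied
```

Run patch_state against /usr/src and a downloaded errata patch; "unknown" usually means the patch was fed from the wrong directory or with the wrong -p level.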

marco_peereboom
August 20th, 2002, 09:34
Depends on the patch. Look at my firewall for example:
[root@vuurmuur log]# uptime
7:33AM up 64 days, 13:26, 2 users, load averages: 0.07, 0.08, 0.08

I have all the remote patches applied! So unless you rebuild your kernel, there should be no reboot necessary.

/marco

tarballed
August 20th, 2002, 21:25
Just a couple quick questions on patches.

I'm having problems with two patches so far:

005: SECURITY FIX: June 19, 2002
and
006: SECURITY FIX: June 24, 2002

Now the first one is for httpd. I'm not running a web server at this time. However, when I run the patch, it asks me which file I want to patch. Can't seem to figure it out.

Second one is on SSH. Need to upgrade this one, but the patch does not seem to work for some reason.

Anyone have ideas or suggestions?

Thanks all.

OH ya! Does it matter what order you apply the patches in? Can you patch out of order, or do you need to go in order?

Tarballed

elmore
August 20th, 2002, 21:31
ok kernel patches always, always ALWAYS go first! Second, when a new kernel patch is released you must run the kernel patch, then go back and rerun the other patches.

Second, if you're not running apache there should be no reason to patch something you don't have.

Third, in regards to OpenSSH go to OpenSSH.org and download the 3.4p1 version of OpenSSH. The OpenSSH website has good instructions on upgrading OpenSSH on OpenBSD.

tarballed
August 20th, 2002, 22:00
Ok...as I'm going through these patches, I'm wondering, which one do I start with? hehe

I mean, I have done the first few. Do I need to start over with the kernel ones, then back to #1?

For example, install patch 9 then 14, then 1, 2, 3 ...

:)

This is interesting, but I'm having fun. :)

tarballed