main/heimdal: remove broken authentication in rsh/rshd

as stated, it's broken by design security wise. and uses obsolete
functions that don't exist in musl. this fixes musl build.

1 files changed, 163 insertions, 0 deletions

diff --git a/main/heimdal/heimdal-remove-broken-auth.patch b/main/heimdal/heimdal-remove-broken-auth.patch
new file mode 100644
index 0000000000..1affcba2c2
--- /dev/null
+++ b/main/heimdal/heimdal-remove-broken-auth.patch
@@ -0,0 +1,163 @@
+--- appl/rsh/rsh.c.orig
++++ appl/rsh/rsh.c
+@@ -399,6 +399,8 @@
+ 
+ #endif /* KRB5 */
+ 
++#ifdef BROKEN_AUTH
++
+ static int
+ send_broken_auth(int s,
+ 		 struct sockaddr *thisaddr,
+@@ -428,6 +430,8 @@
+     return 0;
+ }
+ 
++#endif /* BROKEN_AUTH */
++
+ static int
+ proto (int s, int errsock,
+        const char *hostname, const char *local_user, const char *remote_user,
+@@ -629,6 +633,8 @@
+     return res;
+ }
+ 
++#ifdef BROKEN_AUTH
++
+ static int
+ doit_broken (int argc,
+ 	     char **argv,
+@@ -702,6 +708,8 @@
+     }
+ }
+ 
++#endif
++
+ #if defined(KRB5)
+ static int
+ doit (const char *hostname,
+@@ -796,7 +804,9 @@
+     { "protocol", 'P', arg_string,      &protocol_version_str,
+       "Protocol version [krb5]", "protocol" },
+ #endif
++#ifdef BROKEN_AUTH
+     { "broken", 'K', arg_flag,		&use_only_broken, "Use only priv port" },
++#endif
+ #if defined(KRB5)
+     { "encrypt", 'x', arg_flag,		&do_encrypt,	"Encrypt connection" },
+     { NULL, 	'z', arg_negative_flag,      &do_encrypt,
+@@ -831,8 +841,10 @@
+ int
+ main(int argc, char **argv)
+ {
++#ifdef BROKEN_AUTH
+     int priv_port1, priv_port2;
+     int priv_socket1, priv_socket2;
++#endif
+     int argindex = 0;
+     int error;
+     struct addrinfo hints, *ai;
+@@ -848,9 +860,11 @@
+ #endif
+     uid_t uid;
+ 
++#ifdef BROKEN_AUTH
+     priv_port1 = priv_port2 = IPPORT_RESERVED-1;
+     priv_socket1 = rresvport(&priv_port1);
+     priv_socket2 = rresvport(&priv_port2);
++#endif
+     uid = getuid ();
+     if (setuid (uid) || (uid != 0 && setuid(0) == 0))
+ 	err (1, "setuid");
+@@ -907,6 +921,7 @@
+ 
+ #endif
+ 
++#ifdef BROKEN_AUTH
+     if (use_only_broken) {
+ #ifdef KRB5
+ 	use_v5 = 0;
+@@ -918,6 +933,7 @@
+ 	    errx (1, "unable to bind reserved port: is rsh setuid root?");
+ 	use_broken = 0;
+     }
++#endif
+ 
+ #if defined(KRB5)
+     if (do_encrypt == 1 && use_only_broken)
+@@ -956,8 +972,10 @@
+     }
+ 
+     if (argindex == argc) {
++#ifdef BROKEN_AUTH
+ 	close (priv_socket1);
+ 	close (priv_socket2);
++#endif
+ 	argv[0] = "rlogin";
+ 	execvp ("rlogin", argv);
+ 	err (1, "execvp rlogin");
+@@ -1004,6 +1022,7 @@
+ 	freeaddrinfo(ai);
+     }
+ #endif
++#ifdef BROKEN_AUTH
+     if (ret && use_broken) {
+ 	memset (&hints, 0, sizeof(hints));
+ 	hints.ai_socktype = SOCK_STREAM;
+@@ -1027,6 +1046,7 @@
+ 			   cmd, cmd_len);
+ 	freeaddrinfo(ai);
+     }
++#endif
+     free(cmd);
+     return ret;
+ }
+--- appl/rsh/rshd.c.orig
++++ appl/rsh/rshd.c
+@@ -131,6 +131,7 @@
+     fatal(s, NULL, "%s too long", expl);
+ }
+ 
++#ifdef BROKEN_AUTH
+ static int
+ recv_bsd_auth (int s, u_char *buf,
+ 	       struct sockaddr_in *thisaddr,
+@@ -152,6 +153,7 @@
+ 	fatal(s, NULL, "Login incorrect.");
+     return 0;
+ }
++#endif
+ 
+ #ifdef KRB5
+ static int
+@@ -658,10 +660,11 @@
+ 	/*
+ 	 * we only do reserved port for IPv4
+ 	 */
+-
++#ifdef BROKEN_AUTH
+ 	if (erraddr->sa_family == AF_INET)
+ 	    errsock = rresvport (&priv_port);
+ 	else
++#endif
+ 	    errsock = socket (erraddr->sa_family, SOCK_STREAM, 0);
+ 	if (errsock < 0)
+ 	    syslog_and_die ("socket: %s", strerror(errno));
+@@ -689,6 +692,7 @@
+ 		syslog_and_die ("unrecognized auth protocol: %x %x %x %x",
+ 				buf[0], buf[1], buf[2], buf[3]);
+     } else {
++#ifdef BROKEN_AUTH
+ 	if(recv_bsd_auth (s, buf,
+ 			  (struct sockaddr_in *)thisaddr,
+ 			  (struct sockaddr_in *)thataddr,
+@@ -702,6 +706,9 @@
+ 	    }
+ 	} else
+ 	    syslog_and_die("recv_bsd_auth failed");
++#else
++	syslog_and_die("recv_bsd_auth is disabled for security reasons");
++#endif
+     }
+ 
+     if (client_user == NULL || server_user == NULL || cmd == NULL)