From 9784ae6dca0c0a7826eda398a08efdea0b75ea77 Mon Sep 17 00:00:00 2001 
From: Paul Howarth Date: Mon, 30 Aug 2021 17:28:58 +0100 Subject: [PATCH] Update to 1.10.0 - New upstream release 1.10.0 - Adds agent forwarding support - Adds OpenSSH Agent support on Windows - Adds ECDSA key support using the Mbed TLS backend - Adds ECDSA cert authentication - Adds diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512 key exchanges - Adds support for PKIX key reading when using ed25519 with OpenSSL - Adds support for EWOULDBLOCK on VMS systems - Adds support for building with OpenSSL 3 - Adds support for using FIPS mode in OpenSSL - Adds debug symbols when building with MSVC - Adds support for building on the 3DS - Adds unicode build support on Windows - Restores os400 building - Increases min, max and opt Diffie Hellman group values - Improves portability of the make file - Improves timeout behaviour with 2FA keyboard auth - Various improvements to the Wincng backend - Fixes reading partial packet replies when using an agent - Fixes Diffie Hellman key exchange on Windows 1903+ builds - Fixes building tests with older versions of OpenSSL - Fixes possible multiple definition warnings - Fixes potential cast issues _libssh2_ecdsa_key_get_curve_type() - Fixes potential use after free if libssh2_init() is called twice - Improved linking when using Mbed TLS - Fixes call to libssh2_crypto_exit() if crypto hasn't been initialized - Fixes crash when loading public keys with no id - Fixes possible out of bounds read when exchanging keys - Fixes possible out of bounds read when reading packets - Fixes possible out of bounds read when opening an X11 connection - Fixes possible out of bounds read when ecdh host keys - Fixes possible hang when trying to read a disconnected socket - Fixes a crash when using the delayed compression option - Fixes read error with large known host entries - Fixes various warnings - Fixes various small memory leaks - Improved error handling, various detailed errors will now be reported - Builds 
are now using OSS-Fuzz - Builds now use autoreconf instead of a custom build script - cmake now respects install directory - Improved CI backend - Updated HACKING-CRYPTO documentation - Use markdown file extensions - Improved unit tests
---
 0001-libssh2-1.9.0-CVE-2019-17498.patch | 130 ------------------------
 libssh2.spec | 55 ++++++++--
 sources | 2 +-
 3 files changed, 50 insertions(+), 137 deletions(-)
 delete mode 100644 0001-libssh2-1.9.0-CVE-2019-17498.patch
diff --git a/0001-libssh2-1.9.0-CVE-2019-17498.patch b/0001-libssh2-1.9.0-CVE-2019-17498.patch
deleted file mode 100644
index 2e2a5ee..0000000
--- a/0001-libssh2-1.9.0-CVE-2019-17498.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From a1554e78e15fc0daeb574c3dd5c87654469a3742 Mon Sep 17 00:00:00 2001
-From: Will Cosgrove
-Date: Fri, 30 Aug 2019 09:57:38 -0700
-Subject: [PATCH] packet.c: improve message parsing (#402)
-
-* packet.c: improve parsing of packets
-
-file: packet.c
-
-notes:
-Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
-
-Upstream-commit: dedcbd106f8e52d5586b0205bc7677e4c9868f9c
-Signed-off-by: Kamil Dudka
----
- src/packet.c | 68 ++++++++++++++++++++++------------------------------
- 1 file changed, 29 insertions(+), 39 deletions(-)
-
-diff --git a/src/packet.c b/src/packet.c
-index 38ab629..2e01bfc 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- size_t datalen, int macstate)
- {
- int rc = 0;
-- char *message = NULL;
-- char *language = NULL;
-+ unsigned char *message = NULL;
-+ unsigned char *language = NULL;
- size_t message_len = 0;
- size_t language_len = 0;
- LIBSSH2_CHANNEL *channelp = NULL;
-@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-
- case SSH_MSG_DISCONNECT:
- if(datalen >= 5) {
-- size_t reason = _libssh2_ntohu32(data + 1);
-+ uint32_t reason = 0;
-+ struct string_buf buf;
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr++; /* advance past type */
-
-- if(datalen >= 9) {
-- message_len = _libssh2_ntohu32(data + 5);
-+ _libssh2_get_u32(&buf, &reason);
-+ _libssh2_get_string(&buf, &message, &message_len);
-+ _libssh2_get_string(&buf, &language, &language_len);
-
-- if(message_len < datalen-13) {
-- /* 9 = packet_type(1) + reason(4) + message_len(4) */
-- message = (char *) data + 9;
--
-- language_len =
-- _libssh2_ntohu32(data + 9 + message_len);
-- language = (char *) data + 9 + message_len + 4;
--
-- if(language_len > (datalen-13-message_len)) {
-- /* bad input, clear info */
-- language = message = NULL;
-- language_len = message_len = 0;
-- }
-- }
-- else
-- /* bad size, clear it */
-- message_len = 0;
-- }
- if(session->ssh_msg_disconnect) {
-- LIBSSH2_DISCONNECT(session, reason, message,
-- message_len, language, language_len);
-+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
-+ message_len, (const char *)language,
-+ language_len);
- }
-+
- _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
- "Disconnect(%d): %s(%s)", reason,
- message, language);
-@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- int always_display = data[1];
-
- if(datalen >= 6) {
-- message_len = _libssh2_ntohu32(data + 2);
--
-- if(message_len <= (datalen - 10)) {
-- /* 6 = packet_type(1) + display(1) + message_len(4) */
-- message = (char *) data + 6;
-- language_len = _libssh2_ntohu32(data + 6 +
-- message_len);
--
-- if(language_len <= (datalen - 10 - message_len))
-- language = (char *) data + 10 + message_len;
-- }
-+ struct string_buf buf;
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr += 2; /* advance past type & always display */
-+
-+ _libssh2_get_string(&buf, &message, &message_len);
-+ _libssh2_get_string(&buf, &language, &language_len);
- }
-
- if(session->ssh_msg_debug) {
-- LIBSSH2_DEBUG(session, always_display, message,
-- message_len, language, language_len);
-+ LIBSSH2_DEBUG(session, always_display,
-+ (const char *)message,
-+ message_len, (const char *)language,
-+ language_len);
- }
- }
-+
- /*
- * _libssh2_debug will actually truncate this for us so
- * that it's not an inordinate about of data
-@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- uint32_t len = 0;
- unsigned char want_reply = 0;
- len = _libssh2_ntohu32(data + 1);
-- if(datalen >= (6 + len)) {
-+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
- want_reply = data[5 + len];
- _libssh2_debug(session,
- LIBSSH2_TRACE_CONN,
---
-2.20.1
-
diff --git a/libssh2.spec b/libssh2.spec
index 957f3c1..e03ceea 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,14 +1,11 @@
 Name: libssh2
-Version: 1.9.0
-Release: 8%{?dist}
+Version: 1.10.0
+Release: 1%{?dist}
 Summary: A library implementing the SSH2 protocol
 License: BSD
 URL: https://www.libssh2.org/
 Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz
-# Fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
-Patch1: 0001-libssh2-1.9.0-CVE-2019-17498.patch
-
 BuildRequires: coreutils
 BuildRequires: findutils
 BuildRequires: gcc
@@ -54,7 +51,6 @@ developing applications that use libssh2.
 %prep
 %setup -q
-%patch1 -p1
 # Replace hard wired port number in the test suite to avoid collisions
 # between 32-bit and 64-bit builds running on a single build-host
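Review bot: The `Patch1` and `%patch1 -p1` removals drop the packaged fix for CVE-2019-17498, but the new `%changelog` entry never says the patch was dropped or why. The deleted patch cites upstream commit dedcbd106f8e52d5586b0205bc7677e4c9868f9c, so the fix is presumably part of the 1.10.0 tarball; that should be confirmed against the new source and recorded, e.g. `- Drop CVE-2019-17498 patch, now included upstream`. Without that line, an audit of the package history cannot tell whether the CVE fix was carried forward or lost in the rebase.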
@@ -118,6 +114,53 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_libdir}/pkgconfig/libssh2.pc
 %changelog
+* Mon Aug 30 2021 Paul Howarth - 1.10.0-1
+- Update to 1.10.0
+ - Adds agent forwarding support
+ - Adds OpenSSH Agent support on Windows
+ - Adds ECDSA key support using the Mbed TLS backend
+ - Adds ECDSA cert authentication
+ - Adds diffie-hellman-group14-sha256, diffie-hellman-group16-sha512,
+ diffie-hellman-group18-sha512 key exchanges
+ - Adds support for PKIX key reading when using ed25519 with OpenSSL
+ - Adds support for EWOULDBLOCK on VMS systems
+ - Adds support for building with OpenSSL 3
+ - Adds support for using FIPS mode in OpenSSL
+ - Adds debug symbols when building with MSVC
+ - Adds support for building on the 3DS
+ - Adds unicode build support on Windows
+ - Restores os400 building
+ - Increases min, max and opt Diffie Hellman group values
+ - Improves portability of the make file
+ - Improves timeout behaviour with 2FA keyboard auth
+ - Various improvements to the Wincng backend
+ - Fixes reading partial packet replies when using an agent
+ - Fixes Diffie Hellman key exchange on Windows 1903+ builds
+ - Fixes building tests with older versions of OpenSSL
+ - Fixes possible multiple definition warnings
+ - Fixes potential cast issues _libssh2_ecdsa_key_get_curve_type()
+ - Fixes potential use after free if libssh2_init() is called twice
+ - Improved linking when using Mbed TLS
+ - Fixes call to libssh2_crypto_exit() if crypto hasn't been initialized
+ - Fixes crash when loading public keys with no id
+ - Fixes possible out of bounds read when exchanging keys
+ - Fixes possible out of bounds read when reading packets
+ - Fixes possible out of bounds read when opening an X11 connection
+ - Fixes possible out of bounds read when ecdh host keys
+ - Fixes possible hang when trying to read a disconnected socket
+ - Fixes a crash when using the delayed compression option
+ - Fixes read error with large known host entries
+ - Fixes various warnings
+ - Fixes various small memory leaks
+ - Improved error handling, various detailed errors will now be reported
+ - Builds are now using OSS-Fuzz
+ - Builds now use autoreconf instead of a custom build script
+ - cmake now respects install directory
+ - Improved CI backend
+ - Updated HACKING-CRYPTO documentation
+ - Use markdown file extensions
+ - Improved unit tests
+
 * Thu Jul 22 2021 Fedora Release Engineering - 1.9.0-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
diff --git a/sources b/sources
index a8167df..5c08420 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (libssh2-1.9.0.tar.gz) = 41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17
+SHA512 (libssh2-1.10.0.tar.gz) = e064ee1089eb8e6cd5fa2617f4fd8ff56c2721c5476775a98bdb68c6c4ee4d05c706c3bb0eb479a27a8ec0b17a8a5ef43e1d028ad3f134519aa582d3981a3a30