From 55f86e1efde67aa3bdf431c6cc0e4d8f127aebd24562ce77d567f175e94474f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 3 May 2024 15:55:51 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main libssh2_org revision b3ed47b7b5f4ef41d836955ed4299c43
---
 .gitattributes | 23 ++
 baselibs.conf | 4 +
 libssh2-1.11.0.tar.xz | 3 +
 libssh2-1.11.0.tar.xz.asc | 11 +
 libssh2-ocloexec.patch | 72 ++++
 libssh2_org-CVE-2023-48795.patch | 459 ++++++++++++++++++++++++
 libssh2_org.changes | 598 +++++++++++++++++++++++++++++++
 libssh2_org.keyring | 58 +++
 libssh2_org.spec | 110 ++++++
 9 files changed, 1338 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 baselibs.conf
 create mode 100644 libssh2-1.11.0.tar.xz
 create mode 100644 libssh2-1.11.0.tar.xz.asc
 create mode 100644 libssh2-ocloexec.patch
 create mode 100644 libssh2_org-CVE-2023-48795.patch
 create mode 100644 libssh2_org.changes
 create mode 100644 libssh2_org.keyring
 create mode 100644 libssh2_org.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..629c483
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,4 @@
+libssh2-1
+ obsoletes "libssh2- <= "
+ provides "libssh2- = "
+
diff --git a/libssh2-1.11.0.tar.xz b/libssh2-1.11.0.tar.xz
new file mode 100644
index 0000000..3f79063
--- /dev/null
+++ b/libssh2-1.11.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a488a22625296342ddae862de1d59633e6d446eff8417398e06674a49be3d7c2
+size 686796
diff --git a/libssh2-1.11.0.tar.xz.asc b/libssh2-1.11.0.tar.xz.asc
new file mode 100644
index 0000000..02e1fc9
--- /dev/null
+++ b/libssh2-1.11.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmR2HWEACgkQXMkI/bce
+EsIBgwf/ZExq9GsrLaX3eFiOe6/qjcixscNfP2TfBn/b9miKzmTCEle9H/wLUaeI
+VVB/Zs9pNAlROJ+QEGQKfBb5fzGJm9nifWsuZ+Y65s8JGUzI3Y3cKdsyYTV8Myaj
+1IvMR/oQoPjW8bd0a3SsKRLdWhN/9/Q4fiEjSs2Zp1OuCaLnLebyPgXx8f3BpXKQ
+YfLYUslRgKGND+VULfUki1i8mvF4ledhanf1nTRxwfK5HrXWLT/Yd+lVRKTZgWl+
+2YqXvGU9pI9N7GSVfHttYEbqP8hd8ncxea46bSaSauc4e5Sn9lYAvo2Wri33zPLw
+MwI17cyi7s1H0CuIc2cT4L8BUYg3vw==
+=eRz/
+-----END PGP SIGNATURE-----
diff --git a/libssh2-ocloexec.patch b/libssh2-ocloexec.patch
new file mode 100644
index 0000000..b2f437f
--- /dev/null
+++ b/libssh2-ocloexec.patch
@@ -0,0 +1,72 @@
+From 33a59a1905feb5d786e9d457f287dd9e81a9f747 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?=
+Date: Tue, 27 Dec 2011 00:33:28 -0300
+Subject: [PATCH] Use O_CLOEXEC where needed
+
+---
+ src/agent.c | 2 +-
+ src/knownhost.c | 4 ++--
+ src/userauth.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+Index: libssh2-1.11.0/src/agent.c
+===================================================================
+--- libssh2-1.11.0.orig/src/agent.c
++++ libssh2-1.11.0/src/agent.c
+@@ -177,7 +177,7 @@ agent_connect_unix(LIBSSH2_AGENT *agent)
+ "no auth sock variable");
+ }
+
+- agent->fd = socket(PF_UNIX, SOCK_STREAM, 0);
++ agent->fd = socket(PF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
+ if(agent->fd < 0)
+ return _libssh2_error(agent->session, LIBSSH2_ERROR_BAD_SOCKET,
+ "failed creating socket");
+Index: libssh2-1.11.0/src/knownhost.c
+===================================================================
+--- libssh2-1.11.0.orig/src/knownhost.c
++++ libssh2-1.11.0/src/knownhost.c
+@@ -962,7 +962,7 @@ libssh2_knownhost_readfile(LIBSSH2_KNOWN
+ "Unsupported type of known-host information "
+ "store");
+
+- file = fopen(filename, FOPEN_READTEXT);
++ file = fopen(filename, FOPEN_READTEXT_CLOEXEC);
+ if(file) {
+ while(fgets(buf, sizeof(buf), file)) {
+ if(libssh2_knownhost_readline(hosts, buf, strlen(buf), type)) {
+@@ -1203,7 +1203,7 @@ libssh2_knownhost_writefile(LIBSSH2_KNOW
+ "Unsupported type of known-host information "
+ "store");
+
+- file = fopen(filename, FOPEN_WRITETEXT);
++ file = fopen(filename, FOPEN_WRITETEXT_CLOEXEC);
+ if(!file)
+ return _libssh2_error(hosts->session, LIBSSH2_ERROR_FILE,
+ "Failed to open file");
+Index: libssh2-1.11.0/src/userauth.c
+===================================================================
+--- libssh2-1.11.0.orig/src/userauth.c
++++ libssh2-1.11.0/src/userauth.c
+@@ -654,7 +654,7 @@ file_read_publickey(LIBSSH2_SESSION * se
+ _libssh2_debug((session, LIBSSH2_TRACE_AUTH, "Loading public key file: %s",
+ pubkeyfile));
+ /* Read Public Key */
+- fd = fopen(pubkeyfile, FOPEN_READTEXT);
++ fd = fopen(pubkeyfile, FOPEN_READTEXT_CLOEXEC);
+ if(!fd) {
+ return _libssh2_error(session, LIBSSH2_ERROR_FILE,
+ "Unable to open public key file");
+Index: libssh2-1.11.0/src/libssh2_priv.h
+===================================================================
+--- libssh2-1.11.0.orig/src/libssh2_priv.h
++++ libssh2-1.11.0/src/libssh2_priv.h
+@@ -1218,6 +1218,8 @@ size_t plain_method(char *method, size_t
+ #define FOPEN_READTEXT "r"
+ #define FOPEN_WRITETEXT "w"
+ #define FOPEN_APPENDTEXT "a"
++#define FOPEN_READTEXT_CLOEXEC "re"
++#define FOPEN_WRITETEXT_CLOEXEC "we"
+ #endif
+
+ #endif /* __LIBSSH2_PRIV_H */
diff --git a/libssh2_org-CVE-2023-48795.patch b/libssh2_org-CVE-2023-48795.patch
new file mode 100644
index 0000000..154c987
--- /dev/null
+++ b/libssh2_org-CVE-2023-48795.patch
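Review bot: The embedded patch header is stale: its diffstat lists three files with 4 insertions and 4 deletions, but the body also adds two `#define`s to `src/libssh2_priv.h`, so it should read `4 files changed, 6 insertions(+), 4 deletions(-)` with a `src/libssh2_priv.h | 2 ++` entry (or be dropped), otherwise the next rebase starts from a misleading summary. The new `FOPEN_READTEXT_CLOEXEC`/`FOPEN_WRITETEXT_CLOEXEC` modes depend on the `e` fopen() flag, a glibc extension (standardised only in POSIX.1-2024) that other C libraries may ignore or reject, and `SOCK_CLOEXEC` is similarly non-portable. A one-line comment such as `/* 'e' = O_CLOEXEC (glibc extension, POSIX.1-2024) */` above the two defines would record that, and since the `#if` they sit under is outside the hunk it is unclear whether the other preprocessor branch defines them as well. The patch covers the agent socket, known_hosts and the public-key file, but private-key loading in the crypto backends presumably still opens with plain `FOPEN_READTEXT`; if so, the more sensitive descriptor is the one still inherited across exec, which is worth checking before calling the change complete.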
@@ -0,0 +1,459 @@
+From d34d9258b8420b19ec3f97b4cc5bf7aa7d98e35a Mon Sep 17 00:00:00 2001
+From: Michael Buckley
+Date: Thu, 30 Nov 2023 15:08:02 -0800
+Subject: [PATCH] src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
+
+Refs:
+https://terrapin-attack.com/
+https://seclists.org/oss-sec/2023/q4/292
+https://osv.dev/list?ecosystem=&q=CVE-2023-48795
+https://github.com/advisories/GHSA-45x7-px36-x8w8
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
+
+Fixes #1290
+Closes #1291
+---
+ src/kex.c | 63 +++++++++++++++++++++++------------
+ src/libssh2_priv.h | 18 +++++++---
+ src/packet.c | 83 +++++++++++++++++++++++++++++++++++++++++++---
+ src/packet.h | 2 +-
+ src/session.c | 3 ++
+ src/transport.c | 12 ++++++-
+ 6 files changed, 149 insertions(+), 32 deletions(-)
+
+Index: libssh2-1.11.0/src/kex.c
+===================================================================
+--- libssh2-1.11.0.orig/src/kex.c
++++ libssh2-1.11.0/src/kex.c
+@@ -3037,6 +3037,13 @@ kex_method_extension_negotiation = {
+ 0,
+ };
+
++static const LIBSSH2_KEX_METHOD
++kex_method_strict_client_extension = {
++ "kex-strict-c-v00@openssh.com",
++ NULL,
++ 0,
++};
++
+ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
+ #if LIBSSH2_ED25519
+ &kex_method_ssh_curve25519_sha256,
+@@ -3055,6 +3062,7 @@ static const LIBSSH2_KEX_METHOD *libssh2
+ &kex_method_diffie_helman_group1_sha1,
+ &kex_method_diffie_helman_group_exchange_sha1,
+ &kex_method_extension_negotiation,
++ &kex_method_strict_client_extension,
+ NULL
+ };
+
+@@ -3307,13 +3315,13 @@ static int kexinit(LIBSSH2_SESSION * ses
+ return 0;
+ }
+
+-/* kex_agree_instr
++/* _libssh2_kex_agree_instr
+ * Kex specific variant of strstr()
+ * Needle must be preceded by BOL or ',', and followed by ',' or EOL
+ */
+-static unsigned char *
+-kex_agree_instr(unsigned char *haystack, size_t haystack_len,
+- const unsigned char *needle, size_t needle_len)
++unsigned char *
++_libssh2_kex_agree_instr(unsigned char *haystack, size_t haystack_len,
++ const unsigned char *needle, size_t needle_len)
+ {
+ unsigned char *s;
+ unsigned char *end_haystack;
+@@ -3398,7 +3406,7 @@ static int kex_agree_hostkey(LIBSSH2_SES
+ while(s && *s) {
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+- if(kex_agree_instr(hostkey, hostkey_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(hostkey, hostkey_len, s, method_len)) {
+ const LIBSSH2_HOSTKEY_METHOD *method =
+ (const LIBSSH2_HOSTKEY_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3432,9 +3440,9 @@ static int kex_agree_hostkey(LIBSSH2_SES
+ }
+
+ while(hostkeyp && (*hostkeyp) && (*hostkeyp)->name) {
+- s = kex_agree_instr(hostkey, hostkey_len,
+- (unsigned char *) (*hostkeyp)->name,
+- strlen((*hostkeyp)->name));
++ s = _libssh2_kex_agree_instr(hostkey, hostkey_len,
++ (unsigned char *) (*hostkeyp)->name,
++ strlen((*hostkeyp)->name));
+ if(s) {
+ /* So far so good, but does it suit our purposes? (Encrypting vs
+ Signing) */
+@@ -3468,6 +3476,12 @@ static int kex_agree_kex_hostkey(LIBSSH2
+ {
+ const LIBSSH2_KEX_METHOD **kexp = libssh2_kex_methods;
+ unsigned char *s;
++ const unsigned char *strict =
++ (unsigned char *)"kex-strict-s-v00@openssh.com";
++
++ if(_libssh2_kex_agree_instr(kex, kex_len, strict, 28)) {
++ session->kex_strict = 1;
++ }
+
+ if(session->kex_prefs) {
+ s = (unsigned char *) session->kex_prefs;
+@@ -3475,7 +3489,7 @@ static int kex_agree_kex_hostkey(LIBSSH2
+ while(s && *s) {
+ unsigned char *q, *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+- q = kex_agree_instr(kex, kex_len, s, method_len);
++ q = _libssh2_kex_agree_instr(kex, kex_len, s, method_len);
+ if(q) {
+ const LIBSSH2_KEX_METHOD *method = (const LIBSSH2_KEX_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3509,9 +3523,9 @@ static int kex_agree_kex_hostkey(LIBSSH2
+ }
+
+ while(*kexp && (*kexp)->name) {
+- s = kex_agree_instr(kex, kex_len,
+- (unsigned char *) (*kexp)->name,
+- strlen((*kexp)->name));
++ s = _libssh2_kex_agree_instr(kex, kex_len,
++ (unsigned char *) (*kexp)->name,
++ strlen((*kexp)->name));
+ if(s) {
+ /* We've agreed on a key exchange method,
+ * Can we agree on a hostkey that works with this kex?
+@@ -3555,7 +3569,7 @@ static int kex_agree_crypt(LIBSSH2_SESSI
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+
+- if(kex_agree_instr(crypt, crypt_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(crypt, crypt_len, s, method_len)) {
+ const LIBSSH2_CRYPT_METHOD *method =
+ (const LIBSSH2_CRYPT_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3577,9 +3591,9 @@ static int kex_agree_crypt(LIBSSH2_SESSI
+ }
+
+ while(*cryptp && (*cryptp)->name) {
+- s = kex_agree_instr(crypt, crypt_len,
+- (unsigned char *) (*cryptp)->name,
+- strlen((*cryptp)->name));
++ s = _libssh2_kex_agree_instr(crypt, crypt_len,
++ (unsigned char *) (*cryptp)->name,
++ strlen((*cryptp)->name));
+ if(s) {
+ endpoint->crypt = *cryptp;
+ return 0;
+@@ -3619,7 +3633,7 @@ static int kex_agree_mac(LIBSSH2_SESSION
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+
+- if(kex_agree_instr(mac, mac_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(mac, mac_len, s, method_len)) {
+ const LIBSSH2_MAC_METHOD *method = (const LIBSSH2_MAC_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+ (const LIBSSH2_COMMON_METHOD **)
+@@ -3640,8 +3654,9 @@ static int kex_agree_mac(LIBSSH2_SESSION
+ }
+
+ while(*macp && (*macp)->name) {
+- s = kex_agree_instr(mac, mac_len, (unsigned char *) (*macp)->name,
+- strlen((*macp)->name));
++ s = _libssh2_kex_agree_instr(mac, mac_len,
++ (unsigned char *) (*macp)->name,
++ strlen((*macp)->name));
+ if(s) {
+ endpoint->mac = *macp;
+ return 0;
+@@ -3672,7 +3687,7 @@ static int kex_agree_comp(LIBSSH2_SESSIO
+ unsigned char *p = (unsigned char *) strchr((char *) s, ',');
+ size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
+
+- if(kex_agree_instr(comp, comp_len, s, method_len)) {
++ if(_libssh2_kex_agree_instr(comp, comp_len, s, method_len)) {
+ const LIBSSH2_COMP_METHOD *method =
+ (const LIBSSH2_COMP_METHOD *)
+ kex_get_method_by_name((char *) s, method_len,
+@@ -3694,8 +3709,9 @@ static int kex_agree_comp(LIBSSH2_SESSIO
+ }
+
+ while(*compp && (*compp)->name) {
+- s = kex_agree_instr(comp, comp_len, (unsigned char *) (*compp)->name,
+- strlen((*compp)->name));
++ s = _libssh2_kex_agree_instr(comp, comp_len,
++ (unsigned char *) (*compp)->name,
++ strlen((*compp)->name));
+ if(s) {
+ endpoint->comp = *compp;
+ return 0;
+@@ -3876,6 +3892,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION *
+ session->local.kexinit = key_state->oldlocal;
+ session->local.kexinit_len = key_state->oldlocal_len;
+ key_state->state = libssh2_NB_state_idle;
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+ return -1;
+@@ -3901,6 +3918,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION *
+ session->local.kexinit = key_state->oldlocal;
+ session->local.kexinit_len = key_state->oldlocal_len;
+ key_state->state = libssh2_NB_state_idle;
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+ return -1;
+@@ -3949,6 +3967,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION *
+ session->remote.kexinit = NULL;
+ }
+
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+
+Index: libssh2-1.11.0/src/libssh2_priv.h
+===================================================================
+--- libssh2-1.11.0.orig/src/libssh2_priv.h
++++ libssh2-1.11.0/src/libssh2_priv.h
+@@ -699,6 +699,9 @@ struct _LIBSSH2_SESSION
+ /* key signing algorithm preferences -- NULL yields server order */
+ char *sign_algo_prefs;
+
++ /* Whether to use the OpenSSH Strict KEX extension */
++ int kex_strict;
++
+ /* (remote as source of data -- packet_read ) */
+ libssh2_endpoint_data remote;
+
+@@ -870,6 +873,7 @@ struct _LIBSSH2_SESSION
+ int fullpacket_macstate;
+ size_t fullpacket_payload_len;
+ int fullpacket_packet_type;
++ uint32_t fullpacket_required_type;
+
+ /* State variables used in libssh2_sftp_init() */
+ libssh2_nonblocking_states sftpInit_state;
+@@ -910,10 +914,11 @@ struct _LIBSSH2_SESSION
+ };
+
+ /* session.state bits */
+-#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000001
+-#define LIBSSH2_STATE_NEWKEYS 0x00000002
+-#define LIBSSH2_STATE_AUTHENTICATED 0x00000004
+-#define LIBSSH2_STATE_KEX_ACTIVE 0x00000008
++#define LIBSSH2_STATE_INITIAL_KEX 0x00000001
++#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000002
++#define LIBSSH2_STATE_NEWKEYS 0x00000004
++#define LIBSSH2_STATE_AUTHENTICATED 0x00000008
++#define LIBSSH2_STATE_KEX_ACTIVE 0x00000010
+
+ /* session.flag helpers */
+ #ifdef MSG_NOSIGNAL
+@@ -1144,6 +1149,11 @@ ssize_t _libssh2_send(libssh2_socket_t s
+ int _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
+ key_exchange_state_t * state);
+
++unsigned char *_libssh2_kex_agree_instr(unsigned char *haystack,
++ size_t haystack_len,
++ const unsigned char *needle,
++ size_t needle_len);
++
+ /* Let crypt.c/hostkey.c expose their method structs */
+ const LIBSSH2_CRYPT_METHOD **libssh2_crypt_methods(void);
+ const LIBSSH2_HOSTKEY_METHOD **libssh2_hostkey_methods(void);
+Index: libssh2-1.11.0/src/packet.c
+===================================================================
+--- libssh2-1.11.0.orig/src/packet.c
++++ libssh2-1.11.0/src/packet.c
+@@ -605,14 +605,13 @@ authagent_exit:
+ * layer when it has received a packet.
+ *
+ * The input pointer 'data' is pointing to allocated data that this function
+- * is asked to deal with so on failure OR success, it must be freed fine.
+- * The only exception is when the return code is LIBSSH2_ERROR_EAGAIN.
++ * will be freed unless return the code is LIBSSH2_ERROR_EAGAIN.
+ *
+ * This function will always be called with 'datalen' greater than zero.
+ */
+ int
+ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+- size_t datalen, int macstate)
++ size_t datalen, int macstate, uint32_t seq)
+ {
+ int rc = 0;
+ unsigned char *message = NULL;
+@@ -657,6 +656,70 @@ _libssh2_packet_add(LIBSSH2_SESSION * se
+ break;
+ }
+
++ if(session->state & LIBSSH2_STATE_INITIAL_KEX) {
++ if(msg == SSH_MSG_KEXINIT) {
++ if(!session->kex_strict) {
++ if(datalen < 17) {
++ LIBSSH2_FREE(session, data);
++ session->packAdd_state = libssh2_NB_state_idle;
++ return _libssh2_error(session,
++ LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Data too short extracting kex");
++ }
++ else {
++ const unsigned char *strict =
++ (unsigned char *)"kex-strict-s-v00@openssh.com";
++ struct string_buf buf;
++ unsigned char *algs = NULL;
++ size_t algs_len = 0;
++
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 17; /* advance past type and cookie */
++
++ if(_libssh2_get_string(&buf, &algs, &algs_len)) {
++ LIBSSH2_FREE(session, data);
++ session->packAdd_state = libssh2_NB_state_idle;
++ return _libssh2_error(session,
++ LIBSSH2_ERROR_BUFFER_TOO_SMALL,
++ "Algs too short");
++ }
++
++ if(algs_len == 0 ||
++ _libssh2_kex_agree_instr(algs, algs_len, strict, 28)) {
++ session->kex_strict = 1;
++ }
++ }
++ }
++
++ if(session->kex_strict && seq) {
++ LIBSSH2_FREE(session, data);
++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
++ session->packAdd_state = libssh2_NB_state_idle;
++ libssh2_session_disconnect(session, "strict KEX violation: "
++ "KEXINIT was not the first packet");
++
++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
++ "strict KEX violation: "
++ "KEXINIT was not the first packet");
++ }
++ }
++
++ if(session->kex_strict && session->fullpacket_required_type &&
++ session->fullpacket_required_type != msg) {
++ LIBSSH2_FREE(session, data);
++ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
++ session->packAdd_state = libssh2_NB_state_idle;
++ libssh2_session_disconnect(session, "strict KEX violation: "
++ "unexpected packet type");
++
++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
++ "strict KEX violation: "
++ "unexpected packet type");
++ }
++ }
++
+ if(session->packAdd_state == libssh2_NB_state_allocated) {
+ /* A couple exceptions to the packet adding rule: */
+ switch(msg) {
+@@ -1341,6 +1404,15 @@ _libssh2_packet_ask(LIBSSH2_SESSION * se
+
+ return 0;
+ }
++ else if(session->kex_strict &&
++ (session->state & LIBSSH2_STATE_INITIAL_KEX)) {
++ libssh2_session_disconnect(session, "strict KEX violation: "
++ "unexpected packet type");
++
++ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
++ "strict KEX violation: "
++ "unexpected packet type");
++ }
+ packet = _libssh2_list_next(&packet->node);
+ }
+ return -1;
+@@ -1402,7 +1474,10 @@ _libssh2_packet_require(LIBSSH2_SESSION
+ }
+
+ while(session->socket_state == LIBSSH2_SOCKET_CONNECTED) {
+- int ret = _libssh2_transport_read(session);
++ int ret;
++ session->fullpacket_required_type = packet_type;
++ ret = _libssh2_transport_read(session);
++ session->fullpacket_required_type = 0;
+ if(ret == LIBSSH2_ERROR_EAGAIN)
+ return ret;
+ else if(ret < 0) {
+Index: libssh2-1.11.0/src/packet.h
+===================================================================
+--- libssh2-1.11.0.orig/src/packet.h
++++ libssh2-1.11.0/src/packet.h
+@@ -71,6 +71,6 @@ int _libssh2_packet_burn(LIBSSH2_SESSION
+ int _libssh2_packet_write(LIBSSH2_SESSION * session, unsigned char *data,
+ unsigned long data_len);
+ int _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+- size_t datalen, int macstate);
++ size_t datalen, int macstate, uint32_t seq);
+
+ #endif /* __LIBSSH2_PACKET_H */
+Index: libssh2-1.11.0/src/session.c
+===================================================================
+--- libssh2-1.11.0.orig/src/session.c
++++ libssh2-1.11.0/src/session.c
+@@ -464,6 +464,8 @@ libssh2_session_init_ex(LIBSSH2_ALLOC_FU
+ session->abstract = abstract;
+ session->api_timeout = 0; /* timeout-free API by default */
+ session->api_block_mode = 1; /* blocking API by default */
++ session->state = LIBSSH2_STATE_INITIAL_KEX;
++ session->fullpacket_required_type = 0;
+ session->packet_read_timeout = LIBSSH2_DEFAULT_READ_TIMEOUT;
+ session->flag.quote_paths = 1; /* default behavior is to quote paths
+ for the scp subsystem */
+@@ -1186,6 +1188,7 @@ libssh2_session_disconnect_ex(LIBSSH2_SE
+ const char *desc, const char *lang)
+ {
+ int rc;
++ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
+ session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
+ BLOCK_ADJUST(rc, session,
+ session_disconnect(session, reason, desc, lang));
+Index: libssh2-1.11.0/src/transport.c
+===================================================================
+--- libssh2-1.11.0.orig/src/transport.c
++++ libssh2-1.11.0/src/transport.c
+@@ -187,6 +187,7 @@ fullpacket(LIBSSH2_SESSION * session, in
+ struct transportpacket *p = &session->packet;
+ int rc;
+ int compressed;
++ uint32_t seq = session->remote.seqno;
+
+ if(session->fullpacket_state == libssh2_NB_state_idle) {
+ session->fullpacket_macstate = LIBSSH2_MAC_CONFIRMED;
+@@ -318,7 +319,7 @@ fullpacket(LIBSSH2_SESSION * session, in
+ if(session->fullpacket_state == libssh2_NB_state_created) {
+ rc = _libssh2_packet_add(session, p->payload,
+ session->fullpacket_payload_len,
+- session->fullpacket_macstate);
++ session->fullpacket_macstate, seq);
+ if(rc == LIBSSH2_ERROR_EAGAIN)
+ return rc;
+ if(rc) {
+@@ -329,6 +330,11 @@ fullpacket(LIBSSH2_SESSION * session, in
+
+ session->fullpacket_state = libssh2_NB_state_idle;
+
++ if(session->kex_strict &&
++ session->fullpacket_packet_type == SSH_MSG_NEWKEYS) {
++ session->remote.seqno = 0;
++ }
++
+ return session->fullpacket_packet_type;
+ }
+
+@@ -1091,6 +1097,10 @@ int _libssh2_transport_send(LIBSSH2_SESS
+
+ session->local.seqno++;
+
++ if(session->kex_strict && data[0] == SSH_MSG_NEWKEYS) {
++ session->local.seqno = 0;
++ }
++
+ ret = LIBSSH2_SEND(session, p->outbuf, total_length,
+ LIBSSH2_SOCKET_SEND_FLAGS(session));
+ if(ret < 0)
diff --git a/libssh2_org.changes b/libssh2_org.changes
new file mode 100644
index 0000000..032c9bf
--- /dev/null
+++ b/libssh2_org.changes
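Review bot: The strict-KEX branch added to `_libssh2_packet_ask` (inner hunk `@@ -1341,6 +1404,15 @@`, whose function continues outside the hunk) sends the disconnect but, unlike the two new branches in `_libssh2_packet_add`, does not set `session->socket_state = LIBSSH2_SOCKET_DISCONNECTED` first; `_libssh2_packet_require` visibly loops on `socket_state == LIBSSH2_SOCKET_CONNECTED`, so a caller that discards the error return could keep reading from a session the library has already told the peer it is tearing down. Adding `session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;` before the `libssh2_session_disconnect()` call there would make the three violation paths consistent. In `fullpacket()` (transport.c) `seq` is captured at function entry rather than inside the `libssh2_NB_state_idle` branch; if `remote.seqno` is incremented in that branch (outside the hunk), a re-entry after `LIBSSH2_ERROR_EAGAIN` from `_libssh2_packet_add` would pass a value one higher than the packet's real sequence number, so keeping it in a `fullpacket_*` session field next to `fullpacket_payload_len` looks safer. Finally, `algs_len == 0` switching on `kex_strict` in `_libssh2_packet_add` reads as a deliberate fail-closed choice but is unexplained; a comment such as `/* empty kex list: treat as strict so the remaining checks fail closed */` would record the intent.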
@@ -0,0 +1,598 @@ +------------------------------------------------------------------- +Tue Dec 19 11:25:35 UTC 2023 - Otto Hollmann + +- Security fix: [bsc#1218127, CVE-2023-48795] + * Add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack" + * Add libssh2_org-CVE-2023-48795.patch + +------------------------------------------------------------------- +Tue Jun 20 08:17:25 UTC 2023 - Pedro Monreal + +- Update to 1.11.0: + * Enhancements and bugfixes + - Adds support for encrypt-then-mac (ETM) MACs + - Adds support for AES-GCM crypto protocols + - Adds support for sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys + - Adds support for RSA certificate authentication + - Adds FIDO support with *_sk() functions + - Adds RSA-SHA2 key upgrading to OpenSSL, WinCNG, mbedTLS, OS400 backends + - Adds Agent Forwarding and libssh2_agent_sign() + - Adds support for Channel Signal message libssh2_channel_signal_ex() + - Adds support to get the user auth banner message libssh2_userauth_banner() + - Adds LIBSSH2_NO_{MD5, HMAC_RIPEMD, DSA, RSA, RSA_SHA1, ECDSA, ED25519, + AES_CBC, AES_CTR, BLOWFISH, RC4, CAST, 3DES} options + - Adds direct stream UNIX sockets with libssh2_channel_direct_streamlocal_ex() + - Adds wolfSSL support to CMake file + - Adds mbedTLS 3.x support + - Adds LibreSSL 3.5 support + - Adds support for CMake "unity" builds + - Adds CMake support for building shared and static libs in a single pass + - Adds symbol hiding support to CMake + - Adds support for libssh2.rc for all build tools + - Adds .zip, .tar.xz and .tar.bz2 release tarballs + - Enables ed25519 key support for LibreSSL 3.7.0 or higher + - Improves OpenSSL 1.1 and 3 compatibility + - Now requires OpenSSL 1.0.2 or newer + - Now requires CMake 3.1 or newer + - SFTP: Adds libssh2_sftp_open_ex_r() and libssh2_sftp_open_r() extended APIs + - SFTP: No longer has a packet limit when reading a directory + - SFTP: now parses attribute extensions if they exist + - SFTP: no longer will busy loop if SFTP fails to 
initialize + - SFTP: now clear various errors as expected + - SFTP: no longer skips files if the line buffer is too small + - SCP: add option to not quote paths + - SCP: Enables 64-bit offset support unconditionally + - Now skips leading \r and \n characters in banner_receive() + - Enables secure memory zeroing with all build tools on all platforms + - No longer logs SSH_MSG_REQUEST_FAILURE packets from keepalive + - Speed up base64 encoding by 7x + - Assert if there is an attempt to write a value that is too large + - WinCNG: fix memory leak in _libssh2_dh_secret() + - Added protection against possible null pointer dereferences + - Agent now handles overly large comment lengths + - Now ensure KEX replies don't include extra bytes + - Fixed possible buffer overflow when receiving SSH_MSG_USERAUTH_BANNER + - Fixed possible buffer overflow in keyboard interactive code path + - Fixed overlapping memcpy() + - Fixed Windows UWP builds + - Fixed DLL import name + - Renamed local RANDOM_PADDING macro to avoid unexpected define on Windows + - Support for building with gcc versions older than 8 + - Improvements to CMake, Makefile, NMakefile, GNUmakefile, autoreconf files + - Restores ANSI C89 compliance + - Enabled new compiler warnings and fixed/silenced them + - Improved error messages + - Now uses CIFuzz + - Numerous minor code improvements + - Improvements to CI builds + - Improvements to unit tests + - Improvements to doc files + - Improvements to example files + - Removed "old gex" build option + - Removed no-encryption/no-mac builds + - Removed support for NetWare and Watcom wmake build files + * Rebase libssh2-ocloexec.patch + +------------------------------------------------------------------- +Fri Dec 10 14:41:20 UTC 2021 - David Anes + +- Bump to version 1.10.0 + Enhancements and bugfixes: + * support ECDSA certificate authentication + * fix detailed _libssh2_error being overwritten by generic errors + * unified error handling + * fix _libssh2_random() silently 
discarding errors + * don't error if using keys without RSA + * avoid OpenSSL latent error in FIPS mode + * fix EVP_Cipher interface change in openssl 3 + * fix potential overwrite of buffer when reading stdout of command + * use string_buf in ecdh_sha2_nistp() to avoid attempting to parse malformed data + * correct a typo which may lead to stack overflow + * fix random big number generation to match openssl + * added key exchange group16-sha512 and group18-sha512. + * add support for an OSS Fuzzer fuzzing target + * adds support for ECDSA for both key exchange and host key algorithms + * clean up curve25519 code + * update the min, preferred and max DH group values based on RFC 8270. + * changed type of LIBSSH2_FX_* constants to unsigned long + * added diffie-hellman-group14-sha256 kex + * fix for use of uninitialized aes_ctr_cipher.key_len when using HAVE_OPAQUE_STRUCTS, regression + * fixes memory leaks and use after free AES EVP_CIPHER contexts when using OpenSSL 1.0.x. + * fixes crash with delayed compression option using Bitvise server. + * adds support for PKIX key reading + * use new API to parse data in packet_x11_open() for better bounds checking. + * double the static buffer size when reading and writing known hosts + * improved bounds checking in packet_queue_listener + * improve message parsing (CVE-2019-17498) + * improve bounds checking in kex_agree_methods() + * adding SSH agent forwarding. + * fix agent forwarding message, updated example. + * added integration test code and cmake target. Added example to cmake list. + * don't call `libssh2_crypto_exit()` until `_libssh2_initialized` count is down to zero. 
+ * add an EWOULDBLOCK check for better portability + * fix off by one error when loading public keys with no id + * fix use-after-free crash on reinitialization of openssl backend + * preserve error info from agent_list_identities() + * make sure the error code is set in _libssh2_channel_open() + * fixed misspellings + * fix potential typecast error for `_libssh2_ecdsa_key_get_curve_type` + * rename _libssh2_ecdsa_key_get_curve_type to _libssh2_ecdsa_get_curve_type + +- Rebased patch libssh2-ocloexec.path +- Removed patch libssh2_org-CVE-2019-17498.patch: the security fix + is already included in the latest version. + +------------------------------------------------------------------- +Thu Aug 27 12:47:32 UTC 2020 - Dominique Leuenberger + +- Drop man and groff BuildRequires: both are no longer used in + current versions. + +------------------------------------------------------------------- +Wed Oct 23 13:53:38 UTC 2019 - Pedro Monreal Gonzalez + +- Security fix: [bsc#1154862, CVE-2019-17498] + * The SSH_MSG_DISCONNECT:packet.c logic has an integer overflow in + a bounds check that might lead to disclose sensitive information + or cause a denial of service + * Add patch libssh2_org-CVE-2019-17498.patch + +------------------------------------------------------------------- +Thu Jun 20 11:07:36 UTC 2019 - Pedro Monreal Gonzalez + +- Version update to 1.9.0: + Enhancements and bugfixes: + * adds ECDSA keys and host key support when using OpenSSL + * adds ED25519 key and host key support when using OpenSSL 1.1.1 + * adds OpenSSH style key file reading + * adds AES CTR mode support when using WinCNG + * adds PEM passphrase protected file support for Libgcrypt and WinCNG + * adds SHA256 hostkey fingerprint + * adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path() + * adds explicit zeroing of sensitive data in memory + * adds additional bounds checks to network buffer reads + * adds the ability to use the server default permissions when creating 
sftp directories + * adds support for building with OpenSSL no engine flag + * adds support for building with LibreSSL + * increased sftp packet size to 256k + * fixed oversized packet handling in sftp + * fixed building with OpenSSL 1.1 + * fixed a possible crash if sftp stat gets an unexpected response + * fixed incorrect parsing of the KEX preference string value + * fixed conditional RSA and AES-CTR support + * fixed a small memory leak during the key exchange process + * fixed a possible memory leak of the ssh banner string + * fixed various small memory leaks in the backends + * fixed possible out of bounds read when parsing public keys from the server + * fixed possible out of bounds read when parsing invalid PEM files + * no longer null terminates the scp remote exec command + * now handle errors when diffie hellman key pair generation fails + * improved building instructions + * improved unit tests +- Rebased patch libssh2-ocloexec.patch + +------------------------------------------------------------------- +Tue Apr 9 09:10:26 UTC 2019 - Pedro Monreal Gonzalez + +- Version update to 1.8.2: [bsc#1130103] + Bug fixes: + * Fixed the misapplied userauth patch that broke 1.8.1 + * moved the MAX size declarations from the public header + +------------------------------------------------------------------- +Tue Mar 19 09:30:12 UTC 2019 - Pedro Monreal Gonzalez + +- Version update to 1.8.1: + Bug Fixes: + * [bsc#1128471, CVE-2019-3855] Integer overflow when reading a specially + crafted packet + * [bsc#1128493, CVE-2019-3863] Integer overflow in userauth_keyboard_interactive + with a number of extremely long prompt strings + * [bsc#1128472, CVE-2019-3856] Integer overflow if the server sent an extremely + large number of keyboard prompts + * [bsc#1128490, CVE-2019-3861] Out of bounds read when processing a specially + crafted packet + * [bsc#1128474, CVE-2019-3857] Integer overflow when receiving a specially + crafted exit signal message channel packet + * 
[bsc#1128492, CVE-2019-3862] Out of bounds read when receiving a specially + crafted exit status message channel packet + * [bsc#1128476, CVE-2019-3858] Zero byte allocation when reading a specially + crafted SFTP packet + * [bsc#1128481, CVE-2019-3860] Out of bounds reads when processing specially + crafted SFTP packets + * [bsc#1128480, CVE-2019-3859] Out of bounds reads in _libssh2_packet_require(v) + +------------------------------------------------------------------- +Tue Jan 16 18:51:36 UTC 2018 - dimstar@opensuse.org + +- Drop openssh BuildRequires: this is only used for one of the + minor self-tests. + +------------------------------------------------------------------- +Thu Jun 29 18:59:13 UTC 2017 - jengelh@inai.de + +- Remove --with-pic which is only for static libs + +------------------------------------------------------------------- +Wed Jun 14 10:05:48 UTC 2017 - tchvatal@suse.com + +- Version update to 1.8.0: + * support openssl-1.1 + * many bugfixes +- Fixes bsc#1042660 +- Remove obsolete conditionals that are no longer needed + +------------------------------------------------------------------- +Tue Feb 23 13:37:02 UTC 2016 - vcizek@suse.com + +- update to 1.7.0 + * Fixes CVE-2016-0787 (boo#967026) + * Changes: + libssh2_session_set_last_error: Add function + mac: Add support for HMAC-SHA-256 and HMAC-SHA-512 + WinCNG: support for SHA256/512 HMAC + kex: Added diffie-hellman-group-exchange-sha256 support + OS/400 crypto library QC3 support + * and many bugfixes + +------------------------------------------------------------------- +Fri Jun 12 18:53:42 UTC 2015 - vcizek@suse.com + +- update to 1.6.0 + Changes: + Added CMake build system + Added libssh2_userauth_publickey_frommemory() + Bug fixes: + wait_socket: wrong use of difftime() + userauth: Fixed prompt text no longer being copied to the prompts struct + mingw build: allow to pass custom CFLAGS + Let mansyntax.sh work regardless of where it is called from + Init HMAC_CTX before using it + 
direct_tcpip: Fixed channel write + WinCNG: fixed backend breakage + OpenSSL: caused by introducing libssh2_hmac_ctx_init + userauth.c: fix possible dereferences of a null pointer + wincng: Added explicit clear memory feature to WinCNG backend + openssl.c: fix possible segfault in case EVP_DigestInit fails + wincng: fix return code of libssh2_md5_init() + kex: do not ignore failure of libssh2_sha1_init() + scp: fix that scp_send may transmit not initialised memory + scp.c: improved command length calculation + nonblocking examples: fix warning about unused tvdiff on Mac OS X + configure: make clear-memory default but WARN if backend unsupported + OpenSSL: Enable use of OpenSSL that doesn't have DSA + OpenSSL: Use correct no-blowfish #define + kex: fix libgcrypt memory leaks of bignum + libssh2_channel_open: more detailed error message + wincng: fixed memleak in (block) cipher destructor + +------------------------------------------------------------------- +Wed Mar 11 14:00:34 UTC 2015 - vcizek@suse.com + +- update to 1.5.0 + * fixes CVE-2015-1782 (bnc#921070) +- tarball verification + * added libssh2_org.keyring + * added libssh2-1.5.0.tar.gz.asc +Changes in 1.5.0: + Added Windows Cryptography API: Next Generation based backend +Bug fixes: + Security Advisory: Using `SSH_MSG_KEXINIT` data unbounded, CVE-2015-1782 + missing _libssh2_error in _libssh2_channel_write + knownhost: Fix DSS keys being detected as unknown. + knownhost: Restore behaviour of `libssh2_knownhost_writeline` with short buffer. 
+ libssh2.h: on Windows, a socket is of type SOCKET, not int + libssh2_priv.h: a 1 bit bit-field should be unsigned + windows build: do not export externals from static library + Fixed two potential use-after-frees of the payload buffer + Fixed a few memory leaks in error paths + userauth: Fixed an attempt to free from stack on error + agent_list_identities: Fixed memory leak on OOM + knownhosts: Abort if the hosts buffer is too small + sftp_close_handle: ensure the handle is always closed + channel_close: Close the channel even in the case of errors + docs: added missing libssh2_session_handshake.3 file + docs: fixed a bunch of typos + userauth_password: pass on the underlying error code + _libssh2_channel_forward_cancel: accessed struct after free + _libssh2_packet_add: avoid using uninitialized memory + _libssh2_channel_forward_cancel: avoid memory leaks on error + _libssh2_channel_write: client spins on write when window full + windows build: fix build errors + publickey_packet_receive: avoid junk in returned pointers + channel_receive_window_adjust: store windows size always + userauth_hostbased_fromfile: zero assign to avoid uninitialized use + configure: change LIBS not LDFLAGS when checking for libs + agent_connect_unix: make sure there's a trailing zero + MinGW build: Fixed redefine warnings. + sftpdir.c: added authentication method detection. + Watcom build: added support for WinCNG build. 
+ configure.ac: replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS + sftp_statvfs: fix for servers not supporting statfvs extension + knownhost.c: use LIBSSH2_FREE macro instead of free + Fixed compilation using mingw-w64 + knownhost.c: fixed that 'key_type_len' may be used uninitialized + configure: Display individual crypto backends on separate lines + examples on Windows: check for WSAStartup return code + examples on Windows: check for socket return code + agent.c: check return code of MapViewOfFile + kex.c: fix possible NULL pointer de-reference with session->kex + packet.c: fix possible NULL pointer de-reference within listen_state + tests on Windows: check for WSAStartup return code + userauth.c: improve readability and clarity of for-loops + examples on Windows: use native SOCKET-type instead of int + packet.c: i < 256 was always true and i would overflow to 0 + kex.c: make sure mlist is not set to NULL + session.c: check return value of session_nonblock in debug mode + session.c: check return value of session_nonblock during startup + userauth.c: make sure that sp_len is positive and avoid overflows + knownhost.c: fix use of uninitialized argument variable wrote + openssl: initialise the digest context before calling EVP_DigestInit() + libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET + configure.ac: Add zlib to Requires.private in libssh2.pc if using zlib + configure.ac: Rework crypto library detection + configure.ac: Reorder --with-* options in --help output + configure.ac: Call zlib zlib and not libz in text but keep option names + Fix non-autotools builds: Always define the LIBSSH2_OPENSSL CPP macro + sftp: seek: Don't flush buffers on same offset + sftp: statvfs: Along error path, reset the correct 'state' variable. + sftp: Add support for fsync (OpenSSH extension). 
+ _libssh2_channel_read: fix data drop when out of window + comp_method_zlib_decomp: Improve buffer growing algorithm + _libssh2_channel_read: Honour window_size_initial + window_size: redid window handling for flow control reasons + knownhosts: handle unknown key types + +------------------------------------------------------------------- +Mon Jun 24 12:58:02 UTC 2013 - mvyskocil@suse.com + +- ignore groff-full to remove factory build cycle +- add groff to build requires to make tests passing + +------------------------------------------------------------------- +Wed Apr 24 07:54:17 UTC 2013 - boris@steki.net + +- fix building on older kernels and older OS / SLE + +------------------------------------------------------------------- +Thu Feb 28 21:13:29 UTC 2013 - crrodriguez@opensuse.org + +- Use AC_CONFIG_HEADERS instead of AM_CONFIG_HEADER, fixes + build with new automake + +------------------------------------------------------------------- +Tue Jan 8 15:24:25 UTC 2013 - vcizek@suse.com + +- update to 1.4.3 + compression: add support for zlib@openssh.com + Bug fixes: + sftp_read: return error if a too large package arrives + libssh2_hostkey_hash.3: update the description of return value + examples: use stderr for messages, stdout for data + openssl: do not leak memory when handling errors + improved handling of disabled MD5 algorithm in OpenSSL + known_hosts: Fail when parsing unknown keys in known_hosts file + configure: gcrypt doesn't come with pkg-config support + session_free: wrong variable used for keeping state + libssh2_userauth_publickey_fromfile_ex.3: mention publickey == NULL + comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating + Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner + userauth.c: fread() from public key file to correctly detect any errors + configure.ac: Add option to disable build of the example applications + Added 'Requires.private:' line to libssh2.pc + SFTP: filter off incoming "zombie" responses + 
gettimeofday: no need for a replacement under cygwin + SSH_MSG_CHANNEL_REQUEST: default to want_reply + win32/libssh2_config.h: Remove hardcoded #define LIBSSH2_HAVE_ZLIB + build error with gcrypt backend + always do "forced" window updates to avoid corner case stalls + aes: the init function fails when OpenSSL has AES support + transport_send: Finish in-progress key exchange before sending data + channel_write: acknowledge transport errors + examples/x11.c: Make sure sizeof passed to read operation is correct + examples/x11.c:,Fix suspicious sizeof usage + sftp_packet_add: verify the packet before accepting it + SFTP: preserve the original error code more + sftp_packet_read: adjust window size as necessary + Use safer snprintf rather then sprintf in several places + Define and use LIBSSH2_INVALID_SOCKET instead of INVALID_SOCKET + sftp_write: cannot return acked data *and* EAGAIN + sftp_read: avoid data *and* EAGAIN + libssh2.h: Add missing prototype for libssh2_session_banner_set() +- dropped patches (already in the upstream) + 0004-libssh2.h-Add-missing-prototype-for-libssh2_session_.patch + 0005-Add-symbol-versioning.patch + 0006-missing-libssh2_session_banner_set.patch + +------------------------------------------------------------------- +Thu Feb 2 13:36:17 UTC 2012 - crrodriguez@opensuse.org + +- fix license + +------------------------------------------------------------------- +Thu Feb 2 04:27:50 UTC 2012 - crrodriguez@opensuse.org + +- Update to version 1.4.0 plus git bugfixes + +------------------------------------------------------------------- +Tue Dec 27 03:41:32 UTC 2011 - crrodriguez@opensuse.org + +- Refresh patches. + +------------------------------------------------------------------- +Thu Dec 1 03:41:02 UTC 2011 - jengelh@medozas.de + +- Remove redundant/unwanted tags/section (cf. 
specfile guidelines) + +------------------------------------------------------------------- +Thu Dec 1 02:43:46 UTC 2011 - crrodriguez@opensuse.org + +- open library file descriptors with O_CLOEXEC + +------------------------------------------------------------------- +Fri Oct 21 18:15:49 UTC 2011 - crrodriguez@opensuse.org + +- Update to version 1.3.0 +* sftp_read: advance offset correctly for buffered copies +* libssh2_sftp_seek64: flush packetlist and buffered data +* _libssh2_packet_add: adjust window size when truncating +* sftp_read: a short read is not end of file + + +------------------------------------------------------------------- +Sat Oct 1 14:19:34 CEST 2011 - dmueller@suse.de + +- document the reason for the testsuite failure + +------------------------------------------------------------------- +Fri Sep 30 17:36:36 UTC 2011 - crrodriguez@opensuse.org + +- Workaround qemu-arm problems. + +------------------------------------------------------------------- +Tue Sep 6 04:42:00 UTC 2011 - crrodriguez@opensuse.org + +- respect user's openssl.cnf engine configuration, might + want to do crypto with aes-ni, intel-accell or use rdrand + +------------------------------------------------------------------- +Wed Aug 17 21:08:57 UTC 2011 - crrodriguez@opensuse.org + +- Update to version 1.2.9 +* Added libssh2_session_set_timeout() and + libssh2_session_get_timeout() to make blocking calls get a timeout +* userauth_keyboard_interactive: fix buffer overflow + + +------------------------------------------------------------------- +Fri Oct 29 17:09:09 UTC 2010 - cristian.rodriguez@opensuse.org + +- Update 1.2.7 +- Better handling of invalid key files +- inputchecks: make lots of API functions check for NULL pointers +- libssh2_session_callback_set: extended the man page +- SFTP: limit write() to not produce overly large packets +- agent: make libssh2_agent_userauth() work blocking properly +- _libssh2_userauth_publickey: reject method names longer than the data +- 
channel_free: ignore problems with channel_close() +- typedef: make ssize_t get typedef without LIBSSH2_WIN32 +- _libssh2_wait_socket: poll needs milliseconds +- libssh2_wait_socket: reset error code to "leak" EAGAIN less +- Added include for sys/select.h to get fd.set on some platforms +- session_free: free more data to avoid memory leaks +- openssl: make use of the EVP interface +- Fix underscore typo for 64-bit printf format specifiers on Windows +- Make libssh2_debug() create a correctly terminated string +- userauth_hostbased_fromfile: packet length too short +- handshake: Compression enabled at the wrong time +- Don't overflow MD5 server hostkey- + +------------------------------------------------------------------- +Sun Aug 8 14:28:00 UTC 2010 - cristian.rodriguez@opensuse.org + +- restore %build section, accidentally removed + +------------------------------------------------------------------- +Mon Aug 2 15:57:25 UTC 2010 - cristian.rodriguez@opensuse.org + +- update to libssh2 1.2.6 + * Added libssh2_sftp_statvfs() and libssh2_sftp_fstatvfs() + * Added libssh2_knownhost_checkp() + * Added libssh2_scp_send64() + * fail to init SFTP if session isn't already authenticated + * sftp_close_handle: add precaution to not access NULL pointer + * channel_write: if data has been sent, don't return EAGAIN + +------------------------------------------------------------------- +Tue Apr 6 21:51:55 UTC 2010 - crrodriguez@opensuse.org + +- fix build in older products + +------------------------------------------------------------------- +Mon Feb 22 22:00:37 UTC 2010 - crrodriguez@opensuse.org + +- update to version 1.2.4 + +------------------------------------------------------------------- +Mon Feb 1 11:55:42 UTC 2010 - jengelh@medozas.de + +- package baselibs.conf + +------------------------------------------------------------------- +Sat Nov 28 17:08:10 UTC 2009 - crrodriguez@opensuse.org + +- Update snapshot + 
+------------------------------------------------------------------- +Wed Sep 30 18:35:43 UTC 2009 - crrodriguez@opensuse.org + +- add visbility support + +------------------------------------------------------------------- +Wed Sep 30 12:45:41 UTC 2009 - crrodriguez@opensuse.org + +- update to version 1.2.1 see NEWS for details + +------------------------------------------------------------------- +Tue Aug 11 00:00:43 CEST 2009 - crrodriguez@suse.de + +- update to version 1.2 see NEWS for details + +------------------------------------------------------------------- +Wed May 27 15:13:42 CEST 2009 - crrodriguez@suse.de + +- do not provide or obsolete libssh2 [bnc#507444] + +------------------------------------------------------------------- +Sun May 10 00:20:54 CEST 2009 - crrodriguez@suse.de + +- update to version 1.1, see NEWS for details + +------------------------------------------------------------------- +Mon Jan 5 21:19:43 CET 2009 - crrodriguez@suse.de + +- update to version 1.0, see large list of changes in the NEWS file + +------------------------------------------------------------------- +Tue Oct 14 21:35:02 CEST 2008 - crrodriguez@suse.de + +- rename package to avoid all sorts of conflicts with the other + "libssh" package + +------------------------------------------------------------------- +Thu Aug 14 06:20:14 CEST 2008 - crrodriguez@suse.de + +- update current snap , version 20080814 + * Sean Peterson fixed a key re-exchange bug: + http://daniel.haxx.se/projects/libssh2/mail/libssh2-devel-archive-2008-06/0002.shtml + +------------------------------------------------------------------- +Thu Jun 26 04:53:36 CEST 2008 - crrodriguez@suse.de + +- update to version 0.19.0-20080626, two bugfixes + +------------------------------------------------------------------- +Mon Jun 23 20:47:59 CEST 2008 - crrodriguez@suse.de + +- no longer needs fno-strict-aliasing + +------------------------------------------------------------------- +Mon Jun 23 02:11:56 CEST 
2008 - crrodriguez@suse.de + +- update to libssh2-0.19.0-20080622 + +------------------------------------------------------------------- +Sun Dec 23 07:22:12 CET 2007 - crrodriguez@suse.de + +- update to 0.18 final + +------------------------------------------------------------------- +Fri Aug 31 23:12:41 CEST 2007 - crrodriguez@suse.de + +- update snap + +------------------------------------------------------------------- +Sat Apr 14 03:41:03 UTC 2007 - judas_iscariote@shorewall.net + +- update snapshot. + diff --git a/libssh2_org.keyring b/libssh2_org.keyring new file mode 100644 index 0000000..7a83ce7 --- /dev/null +++ b/libssh2_org.keyring 
@@ -0,0 +1,58 @@ +pub dsa1024 2003-04-28 [SCA] + 914C533DF9B2ADA2204F586D78E11C6B279D5C91 +uid [ unknown] Daniel Stenberg (Haxx) +sub elg1024 2003-04-28 [E] + +pub rsa2048 2016-04-07 [SC] + 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 +uid [ unknown] Daniel Stenberg +sub rsa2048 2016-04-07 [E] + +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ +QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV +0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1 +EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch +soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje +f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL +gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo +SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2 +m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0 +ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU +ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w +i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANuQENBD6tnn0QBACZiwDyA+Mn +vmA4g9tc2D1nfVDMjPrmpL1d02wU0B0rGdjhvvaeFzShpL3/sNx1/ZD7WYNranvY +NaT72LPuSeYEv75ywE/bP14x7mHyhXnemuo04cMfIvdYs5rbmBr3fzWBmfNahAwT +viJIEEzAPDy9ssSAhnfglpDs57703f7qfwADBwP8C/4yz7eAJzmkunifHfqqqLfp ++h1ob353Ahwxuv1uK8S2OYMd64+wPpfUn35j+KRQEgOkw+/feUnEui5s62kuES43 +Zc3+iNOu55U8MoDV/4bJ8efJ+l//vwiBfWEZWq7/dEFYo+lcXBJkDiry8VH4Vo8L +lZtTry0Usmli4L1k78uIRgQYEQIABgUCPq2efQAKCRB44RxrJ51cka09AKDGtt3n +1p96Zn04hp1kPyRQYLb11QCgn3hoZSRYLCgSI/IRlEZe/1dGV/GZAQ0EVwaI8QEI +ALuwKdpmpbF9c2AELs/bwFINSz3DjL88QWw6/1umBuBlqBfUWeEbR5XvWebSny/1 +PwF+3V5doF33vsOr2mCTmoo7TFmjx8LymsWoHl1vt8xS89kK4lNNvqUYzPg519Pp +oepS8n4sUXWYqfwSq3VDiyccZIvU8jf/7jfmoNFCxTXkZ1iuPXBo0kqTv1p6z2iC +5ojb85NCrMhw4Urm0mOVI4PWvI4gfV7y8P7kwyka+xHG/exAd5NmR9luTNIsWD8s +qmiJCTKqXX4Es2EFiryhoT+OW9CtMSRsDIqkxJx3IfCaRZYqPJm1dOsC2UKiaeSL +jILaUBX0xcg0ce80kFwhe9UAEQEAAbQgRGFuaWVsIFN0ZW5iZXJnIDxkYW5pZWxA 
+aGF4eC5zZT6JATcEEwEKACEFAlcGiPECGwMFCwkIBwMFFQoJCAsFFgIDAQACHgEC +F4AACgkQXMkI/bceEsI4qQf/ULKgqI3Y8KBOVahhCym/8ACayP5wXBmhsjXrsqjA +D6jfPFCrGDQxXd2zwb6KKD04i5i6uVAvkmvcJsOW1qJd1a1W15GH9UqnrUTDJerv +u+MlvHzWG865pdZYtKVTQoHfDsePpoP+a3XoOk5xj0DD3SYrK9p9FOowXtNxPsnk +d4afY0vjl0+QCGIwMSASfD3IFPEr/HpShAY+CI5bFJI3sWiPeaFQ5+WnxbSueQts +niJynKbpa4spEwoB58O+TwZWUBa5cBv2CWgvU/q7e40eWWr8g4NHZtlQEjRA0qG+ +3SJKPtYqxz+RqqxyX4AT2N3/qRd3q+FM0VZ3N5yj/aYaVrkBDQRXBojxAQgA7FAA +S8XeJ3FyfzS1tSEmDUn3x8BLsfHdaGUUbvi4CKRlCXUpmumsG7vRFZNvs2bW29l5 +dbrkiVjuSTjZuF9gOzUmsg9Y5Yq9XApYPGgRtiBb/K/LVM65cfbvrNvEuXk4QTyx +C459dmwVJfYg8X2GyA0Zo3Oivwp7tjkG4JAtwZlZbl0sVtspEqNcbwJpaawlWghz +afJcICyzar2gInXdf/nP4SLf3avCLV3c3EBiRKINBqf5+RaQK9kf50eYWNDUA0Mq +J6XFxbVV+KUrWG73OIEEN/xMIS53+rTCggAfuu8h+3iLcKqPKaicHITj86N8fyPg +S15DyqiScwKOPA1WqQARAQABiQEfBBgBCgAJBQJXBojxAhsMAAoJEFzJCP23HhLC +6mMH/1NXhqdtkrnxs3tAnmoadTcY2OW9YVlczDW7XFVztpsMnKqYV4lwniotSS8E +DQ6y+VWcxaZ4KbOxeGVBUzgG/ohbKvskFaCQrmrYJZUHn1Xu/vOd/mRacwYWEMU+ +UuwZvENYsyhkYf4jLzjCEwkWB96vAInLV00P9sdc/O1+G8VeLw02UlQUlrxe2a6C +bvwL6fA0dwWlULvQc+vehrxTU4Ncynsvxb90vd4theZEI13S6seBivMO3pX/N/nK +a8+TnDgcGhyfahEImP8VcqEUBSm2alMTeDXK9hQua4Vw0YCc8ATGYCZ3o2qwKZuP ++rHjK2O3m7G3ombohdX1yvLyLrE= +=sewG +-----END PGP PUBLIC KEY BLOCK----- diff --git a/libssh2_org.spec b/libssh2_org.spec new file mode 100644 index 0000000..94549b7 --- /dev/null +++ b/libssh2_org.spec 
@@ -0,0 +1,110 @@
+#
+# spec file for package libssh2_org
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define pkg_name libssh2
+Name: libssh2_org
+Version: 1.11.0
+Release: 0
+Summary: A library implementing the SSH2 protocol
+License: BSD-3-Clause
+Group: Development/Libraries/C and C++
+URL: https://www.libssh2.org/
+Source0: https://www.libssh2.org/download/%{pkg_name}-%{version}.tar.xz
+Source1: https://www.libssh2.org/download/%{pkg_name}-%{version}.tar.xz.asc
+Source2: baselibs.conf
+Source3: libssh2_org.keyring
+Patch0: libssh2-ocloexec.patch
+# PATCH-FIX-UPSTREAM bsc#1218127 CVE-2023-48795: Add 'strict KEX' to fix Terrapin Attack
+Patch1: libssh2_org-CVE-2023-48795.patch
+BuildRequires: libtool
+BuildRequires: openssl-devel
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(zlib)
+# drops build cycle in Factory
+#!BuildIgnore: groff-full
+
+%description
+libssh2 is a library implementing the SSH2 protocol as defined by
+Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION,
+SECSH-ARCH, SECSH-FILEXFER, SECSH-DHGEX, SECSH-NUMBERS, and
+SECSH-PUBLICKEY.
+
+%package -n libssh2-1
+Summary: A library implementing the SSH2 protocol
+Group: Development/Libraries/C and C++
+
+%description -n libssh2-1
+libssh2 is a library implementing the SSH2 protocol as defined by
+Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION,
+SECSH-ARCH, SECSH-FILEXFER, SECSH-DHGEX, SECSH-NUMBERS, and
+SECSH-PUBLICKEY.
+
+%package -n libssh2-devel
+Summary: A library implementing the SSH2 protocol
+Group: Development/Libraries/C and C++
+Requires: glibc-devel
+Requires: libssh2-1 = %{version}
+
+%description -n libssh2-devel
+libssh2 is a library implementing the SSH2 protocol as defined by
+Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION,
+SECSH-ARCH, SECSH-FILEXFER, SECSH-DHGEX, SECSH-NUMBERS, and
+SECSH-PUBLICKEY.
+
+%prep
+%autosetup -p1 -n %{pkg_name}-%{version}
+
+%build
+sed -i -e 's@AM_CONFIG_HEADER@AC_CONFIG_HEADERS@g' configure.ac
+# remove m4 macro files for libtool as they should be picked up by
+rm -v m4/libtool.m4 m4/lt*
+autoreconf -fiv
+export CFLAGS="%{optflags} -DOPENSSL_LOAD_CONF"
+%configure \
+ --disable-silent_rules \
+ --enable-shared \
+ --disable-rpath \
+ --disable-docker-tests \
+ --with-libssl-prefix=%{_prefix} \
+ --with-libz=%{_prefix}
+
+make %{?_smp_mflags}
+
+%check
+make %{?_smp_mflags} check
+
+%install
+%make_install
+rm -f %{buildroot}%{_libdir}/*.la %{buildroot}%{_libdir}/*.a
+
+%post -n libssh2-1 -p /sbin/ldconfig
+%postun -n libssh2-1 -p /sbin/ldconfig
+
+%files -n libssh2-1
+%defattr(-,root,root)
+%{_libdir}/libssh2.so.1*
+
+%files -n libssh2-devel
+%defattr(-,root,root)
+%doc NEWS docs/BINDINGS.md docs/HACKING.md docs/TODO
+%{_libdir}/libssh2.so
+%{_includedir}/*.h
+%{_mandir}/man3/*
+%{_libdir}/pkgconfig/libssh2.pc
+
+%changelog
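Review bot: `export CFLAGS="%{optflags} -DOPENSSL_LOAD_CONF"` in %build is a security-relevant runtime choice with no comment in the spec: defining OPENSSL_LOAD_CONF makes OpenSSL's `OpenSSL_add_all_algorithms`-style init also load the OpenSSL configuration file (engine/provider sections, which can pull dynamic modules) into every process that links libssh2, and the only rationale lives in a 2011 entry of the .changes file. Please document it in place, e.g. `# OPENSSL_LOAD_CONF: let OpenSSL read openssl.cnf (engine/provider config) at crypto init; see .changes 2011-09-06 — re-verify it is still effective with this backend`, because as far as I recall the OpenSSL >= 1.1 init path in recent libssh2 no longer goes through the macro family this define affects, so the flag may be a silent no-op and its intent lost either way. Separately, the package ships `%doc NEWS ...` but no `%license` entry although the License tag claims BSD-3-Clause; if the tarball carries the license text as COPYING, add `%license COPYING` to the libssh2-1 %files list so the shared-library subpackage installs it.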