From 7a07465351bb47f54cfca390fbd09a79e6ffeb816c11209923d640b539e765c3 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Thu, 14 Mar 2024 10:42:45 +0000
Subject: [PATCH] Accepting request 1157939 from home:gkenion:branches:Java:packages

bsc#1218198, CVE-2023-48795

OBS-URL: https://build.opensuse.org/request/show/1157939
OBS-URL: https://build.opensuse.org/package/show/Java:packages/trilead-ssh2?expand=0&rev=10
---
 ...Remove-the-dependency-on-google-tink.patch | 161 ++++++++++++++++++
 build-217-jenkins-293.v56de4d4d3515.tar.gz | 3 +
 trilead-ssh2-build.xml | 113 ++++++++++
 trilead-ssh2-build217-jenkins-8.tar.gz | 3 -
 trilead-ssh2.changes | 70 ++++++++
 trilead-ssh2.spec | 36 ++--
 6 files changed, 370 insertions(+), 16 deletions(-)
 create mode 100644 0001-Remove-the-dependency-on-google-tink.patch
 create mode 100644 build-217-jenkins-293.v56de4d4d3515.tar.gz
 create mode 100644 trilead-ssh2-build.xml
 delete mode 100644 trilead-ssh2-build217-jenkins-8.tar.gz

diff --git a/0001-Remove-the-dependency-on-google-tink.patch b/0001-Remove-the-dependency-on-google-tink.patch
new file mode 100644
index 0000000..7175dc8
--- /dev/null
+++ b/0001-Remove-the-dependency-on-google-tink.patch
@@ -0,0 +1,161 @@
+From 933d197b30e797d4b82eeef1953fd82e617f4cf0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fridrich=20=C5=A0trba?=
+Date: Wed, 13 Mar 2024 07:05:36 +0100
+Subject: [PATCH] Remove the dependency on google tink
+
+---
+ .../ssh2/crypto/dh/Curve25519Exchange.java | 85 -------------------
+ .../ssh2/crypto/dh/GenericDhExchange.java | 3 -
+ .../trilead/ssh2/transport/KexManager.java | 9 +-
+ 3 files changed, 1 insertion(+), 96 deletions(-)
+ delete mode 100644 src/com/trilead/ssh2/crypto/dh/Curve25519Exchange.java
+
+diff --git a/src/com/trilead/ssh2/crypto/dh/Curve25519Exchange.java b/src/com/trilead/ssh2/crypto/dh/Curve25519Exchange.java
+deleted file mode 100644
+index 01d4ab4..0000000
+--- a/src/com/trilead/ssh2/crypto/dh/Curve25519Exchange.java
++++ /dev/null
+@@ -1,85 +0,0 @@
+-package com.trilead.ssh2.crypto.dh;
+-
+-import com.google.crypto.tink.subtle.X25519;
+-
+-import java.io.IOException;
+-import java.math.BigInteger;
+-import java.security.InvalidKeyException;
+-
+-/**
+- * Created by Kenny Root on 1/23/16.
+- */
+-public class Curve25519Exchange extends GenericDhExchange {
+- public static final String NAME = "curve25519-sha256";
+- public static final String ALT_NAME = "curve25519-sha256@libssh.org";
+- public static final int KEY_SIZE = 32;
+-
+- private byte[] clientPublic;
+- private byte[] clientPrivate;
+- private byte[] serverPublic;
+-
+- public Curve25519Exchange() {
+- super();
+- }
+-
+- /*
+- * Used to test known vectors. 
+- */
+- public Curve25519Exchange(byte[] secret) throws InvalidKeyException {
+- if (secret.length != KEY_SIZE) {
+- throw new AssertionError("secret must be key size");
+- }
+- clientPrivate = secret.clone();
+- }
+-
+- @Override
+- public void init(String name) throws IOException {
+- if (!NAME.equals(name) && !ALT_NAME.equals(name)) {
+- throw new IOException("Invalid name " + name);
+- }
+-
+- clientPrivate = X25519.generatePrivateKey();
+- try {
+- clientPublic = X25519.publicFromPrivate(clientPrivate);
+- } catch (InvalidKeyException e) {
+- throw new IOException(e);
+- }
+- }
+-
+- @Override
+- public byte[] getE() {
+- return clientPublic.clone();
+- }
+-
+- @Override
+- protected byte[] getServerE() {
+- return serverPublic.clone();
+- }
+-
+- @Override
+- public void setF(byte[] f) throws IOException {
+- if (f.length != KEY_SIZE) {
+- throw new IOException("Server sent invalid key length " + f.length + " (expected " +
+- KEY_SIZE + ")");
+- }
+- serverPublic = f.clone();
+- try {
+- byte[] sharedSecretBytes = X25519.computeSharedSecret(clientPrivate, serverPublic);
+- int allBytes = 0;
+- for (int i = 0; i < sharedSecretBytes.length; i++) {
+- allBytes |= sharedSecretBytes[i];
+- }
+- if (allBytes == 0) {
+- throw new IOException("Invalid key computed; all zeroes");
+- }
+- sharedSecret = new BigInteger(1, sharedSecretBytes);
+- } catch (InvalidKeyException e) {
+- throw new IOException(e);
+- }
+- }
+-
+- @Override
+- public String getHashAlgo() {
+- return "SHA-256";
+- }
+-}
+diff --git a/src/com/trilead/ssh2/crypto/dh/GenericDhExchange.java b/src/com/trilead/ssh2/crypto/dh/GenericDhExchange.java
+index c2436e3..a63b9fd 100644
+--- a/src/com/trilead/ssh2/crypto/dh/GenericDhExchange.java
++++ b/src/com/trilead/ssh2/crypto/dh/GenericDhExchange.java
+@@ -29,9 +29,6 @@ public abstract class GenericDhExchange
+ }
+
+ public static GenericDhExchange getInstance(String algo) {
+- if (Curve25519Exchange.NAME.equals(algo) || 
Curve25519Exchange.ALT_NAME.equals(algo)) {
+- return new Curve25519Exchange();
+- }
+ if (algo.startsWith("ecdh-sha2-")) {
+ return new EcDhExchange();
+ } else {
+diff --git a/src/com/trilead/ssh2/transport/KexManager.java b/src/com/trilead/ssh2/transport/KexManager.java
+index c2ec2b0..2c8056a 100644
+--- a/src/com/trilead/ssh2/transport/KexManager.java
++++ b/src/com/trilead/ssh2/transport/KexManager.java
+@@ -17,7 +17,6 @@ import com.trilead.ssh2.crypto.CryptoWishList;
+ import com.trilead.ssh2.crypto.KeyMaterial;
+ import com.trilead.ssh2.crypto.cipher.BlockCipher;
+ import com.trilead.ssh2.crypto.cipher.BlockCipherFactory;
+-import com.trilead.ssh2.crypto.dh.Curve25519Exchange;
+ import com.trilead.ssh2.crypto.dh.DhGroupExchange;
+ import com.trilead.ssh2.crypto.dh.GenericDhExchange;
+ import com.trilead.ssh2.crypto.digest.MessageMac;
+@@ -397,8 +396,6 @@ public class KexManager implements MessageHandler
+
+ if ("ecdh-sha2-nistp521".equals(algo))
+ continue;
+- if (Curve25519Exchange.NAME.equals(algo)||Curve25519Exchange.ALT_NAME.equals(algo))
+- continue;
+ throw new IllegalArgumentException("Unknown kex algorithm '" + algo + "'");
+ }
+ }
+@@ -489,8 +486,6 @@ public class KexManager implements MessageHandler
+ }
+
+ if (kxs.np.kex_algo.equals("diffie-hellman-group1-sha1")
+- || kxs.np.kex_algo.equals(Curve25519Exchange.NAME)
+- || kxs.np.kex_algo.equals(Curve25519Exchange.ALT_NAME)
+ || kxs.np.kex_algo.equals("diffie-hellman-group14-sha1")
+ || kxs.np.kex_algo.equals("ecdh-sha2-nistp521")
+ || kxs.np.kex_algo.equals("ecdh-sha2-nistp384")
+@@ -630,9 +625,7 @@ public class KexManager implements MessageHandler
+ || kxs.np.kex_algo.equals("diffie-hellman-group14-sha1")
+ || kxs.np.kex_algo.equals("ecdh-sha2-nistp256")
+ || kxs.np.kex_algo.equals("ecdh-sha2-nistp384")
+- || kxs.np.kex_algo.equals("ecdh-sha2-nistp521")
+- || kxs.np.kex_algo.equals(Curve25519Exchange.NAME)
+- || kxs.np.kex_algo.equals(Curve25519Exchange.ALT_NAME))
++ || 
kxs.np.kex_algo.equals("ecdh-sha2-nistp521")) + { + if (kxs.state == 1) + { +-- +2.44.0 + diff --git a/build-217-jenkins-293.v56de4d4d3515.tar.gz b/build-217-jenkins-293.v56de4d4d3515.tar.gz new file mode 100644 index 0000000..abad563 --- /dev/null +++ b/build-217-jenkins-293.v56de4d4d3515.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d60069b24166f8ab767cff1c6e29ab863ea8e58bf75d7c0a91dede6fb4616ebf +size 209493 diff --git a/trilead-ssh2-build.xml b/trilead-ssh2-build.xml new file mode 100644 index 0000000..2898751 --- /dev/null +++ b/trilead-ssh2-build.xml @@ -0,0 +1,113 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/trilead-ssh2-build217-jenkins-8.tar.gz b/trilead-ssh2-build217-jenkins-8.tar.gz deleted file mode 100644 index a01d6e3..0000000 --- a/trilead-ssh2-build217-jenkins-8.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2ad363bbeba25f4e53c2d7a0c3755ba7e531ef074408a61369a01bf2170076bf -size 153463 diff --git a/trilead-ssh2.changes b/trilead-ssh2.changes index 8e4bbec..0f69d77 100644 --- a/trilead-ssh2.changes +++ b/trilead-ssh2.changes 
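Review bot: The new patch removes curve25519-sha256 support outright (the deleted `Curve25519Exchange` plus the three `KexManager` list edits) instead of replacing the tink calls, so the packaged client can no longer negotiate with servers that offer only that kex, while the list still advertises `diffie-hellman-group1-sha1` (context line `+ if (kxs.np.kex_algo.equals("diffie-hellman-group1-sha1")`). The JDK has provided X25519 natively since Java 11 (`KeyPairGenerator`/`KeyFactory`/`KeyAgreement.getInstance("X25519")` with `XECPublicKeySpec` and `NamedParameterSpec.X25519`), so the dependency can be dropped by rewriting `init` and `setF` as below and keeping the class; the all-zero shared-secret check the old code performs at `+- if (allBytes == 0)` should stay, and the known-vector constructor would need `XECPrivateKeySpec` in the same way. That rewrite presumably requires raising the spec's `BuildRequires: java-devel >= 1.8` to 11, which is in a later hunk of this request. The `KexManager` methods touched here begin and end outside the quoted context, so the complete `kex_algo` lists are not visible.
```java
// … unchanged: package, NAME/ALT_NAME/KEY_SIZE, clientPublic/serverPublic fields, getE/getServerE/getHashAlgo …
private KeyPair clientKeyPair;

@Override
public void init(String name) throws IOException {
    if (!NAME.equals(name) && !ALT_NAME.equals(name)) {
        throw new IOException("Invalid name " + name);
    }
    try {
        // X25519 is built into the JDK since 11 (JEP 324); no third-party provider needed
        clientKeyPair = KeyPairGenerator.getInstance("X25519").generateKeyPair();
        clientPublic = uToWire(((XECPublicKey) clientKeyPair.getPublic()).getU());
    } catch (GeneralSecurityException e) {
        throw new IOException(e);
    }
}

@Override
public void setF(byte[] f) throws IOException {
    if (f.length != KEY_SIZE) {
        throw new IOException("Server sent invalid key length " + f.length + " (expected " +
                KEY_SIZE + ")");
    }
    serverPublic = f.clone();
    try {
        // SSH carries the u-coordinate as 32 little-endian bytes; BigInteger expects big-endian
        PublicKey peer = KeyFactory.getInstance("X25519")
                .generatePublic(new XECPublicKeySpec(NamedParameterSpec.X25519,
                        new BigInteger(1, reversed(serverPublic))));
        KeyAgreement ka = KeyAgreement.getInstance("X25519");
        ka.init(clientKeyPair.getPrivate());
        ka.doPhase(peer, true);
        byte[] sharedSecretBytes = ka.generateSecret();
        // … unchanged: all-zero check and sharedSecret = new BigInteger(1, sharedSecretBytes) …
    } catch (GeneralSecurityException e) {
        throw new IOException(e);
    }
}

// Reverses byte order (little-endian wire form <-> big-endian BigInteger form).
private static byte[] reversed(byte[] in) {
    byte[] out = new byte[in.length];
    for (int i = 0; i < in.length; i++) {
        out[i] = in[in.length - 1 - i];
    }
    return out;
}

// Encodes the u-coordinate as exactly KEY_SIZE little-endian bytes, dropping any sign byte.
private static byte[] uToWire(BigInteger u) {
    byte[] be = u.toByteArray(); // big-endian, may carry a leading 0x00 sign byte or be short
    byte[] le = new byte[KEY_SIZE];
    for (int i = 0; i < KEY_SIZE && i < be.length; i++) {
        le[i] = be[be.length - 1 - i];
    }
    return le;
}
```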
@@ -1,3 +1,73 @@ +------------------------------------------------------------------- +Thu Mar 14 09:09:47 UTC 2024 - Gus Kenion + +- bsc#1218198, CVE-2023-48795 +- Upgrade to version build-217-jenkins-293.v56de4d4d3515 + * Trilead ssh2 fix big integer removes leading zero (#178) @mpet + Addresses CVE-2023-48795 + * JENKINS-72466 - : Upgrades jbcrypt dependency (#173) @andham +- Includes changes from previous version updates: + * build-217-jenkins-274.va_969b_d35f933 + + JENKINS-71798 - : TimeoutService threads are left after + closing connection (#155) @mpet + * build-217-jenkins-255.vc65d8d1d158f + + Giving threads names for easier troubleshooting (#135) + @Elisedlund-ericsson + * build-217-jenkins-247.v708a_8b_14f4b_a + + Update parent POM (#123) @basil + * build-217-jenkins-231.vda_87ca_d57ecf + + There is no guarantee that the plugin works with Java 8 + anymore, and it is not tested. If you still run Jenkins + on Java 8 do not update. JENKINS-69229 + + Removal of unnecessary protobuf-java (#104) + @Elisedlund-ericsson + + fix: bump protobuff due to CVE 2021 22569 (#102) + @kuisathaverat + * build-217-jenkins-227.vb_d92894b_3b_65 + + JENKINS-69018 - use constant MAX_PACKET_SIZE (#99) + @kuisathaverat + * build-217-jenkins-223.v546f979619d4 + + add support for hmac-sha2-512-etm@openssh.com + hmac-sha2-256-etm@open… (#93) @mpet + + Create CODEOWNERS (#95) @halkeye + + chore: use jenkins infra maven cd reusable workflow (#92) + @jetersen + * build-217-jenkins-211.vbb42cae44b18 + + feat: enable continuous delivery workflow (#65) + @kuisathaverat + * trilead-ssh2-build-217-jenkins-27 + + additional kex algorithms (#60) @mpet + * trilead-ssh2-build-217-jenkins-26 + + [Revert]JENKINS-62552 - Use standard crypto APIs (#57) + @kuisathaverat + + feat: enable incrementals (#51) @kuisathaverat + + ci: grab correct incremental artifacts (#54) @kuisathaverat + * trilead-ssh2-build-217-jenkins-25 + + Retry userauth when multiple algs (#48) @jvz + + Known Issue: JENKINS-63790 
causes SSH agent connections to + fail in some configurations + + fix: allow to use password encrypted keys (#49) + @kuisathaverat + * trilead-ssh2-build-217-jenkins-23 + + Known Issue: trilead api 1.0.9 fails clone from ssh + repository using 3DES/MD5-encrypted private key JENKINS-63601 + * trilead-ssh2-build-217-jenkins-22 + + JENKINS-62552 - Use standard crypto APIs (#45) @jvz + + Resolve several possible infinite hangings because of wait() + (#44) @Elisedlund-ericsson + * trilead-ssh2-build-217-jenkins-21 + + Revert "JENKINS-62311 - Add support for RFC 8332" (#46) + @kuisathaverat + * trilead-ssh2-build-217-jenkins-20 + + [SECURITY] Use HTTPS to resolve dependencies in Maven Build + (#39) @JLLeitschuh + + JENKINS-62311 - Add support for RFC 8332 (#43) @jvz + * trilead-ssh2-build-217-jenkins-19 + + Support for port=0 which means automatically allocated port. + (#40) @Elisedlund-ericsson + + JENKINS-59857 - Kerberos support updated (#38) + @Emil-Gustafsson + ------------------------------------------------------------------- Fri Mar 18 16:41:59 UTC 2022 - Fridrich Strba diff --git a/trilead-ssh2.spec b/trilead-ssh2.spec index c064a76..f422606 100644 --- a/trilead-ssh2.spec +++ b/trilead-ssh2.spec @@ -1,7 +1,7 @@ # # spec file for package trilead-ssh2 # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,18 +17,25 @@
 %global buildver 217
-%global patchlvl 8
+%global patchlvl 293
+%global githash v56de4d4d3515
+
 Name: trilead-ssh2
-Version: %{buildver}.%{patchlvl}
+Version: %{buildver}.%{patchlvl}.%{githash}
 Release: 0
 Summary: SSH-2 protocol implementation in pure Java
 License: BSD-3-Clause AND MIT
 Group: Development/Libraries/Java
 URL: https://github.com/jenkinsci/trilead-ssh2
-Source0: https://github.com/jenkinsci/%{name}/archive/%{name}-build%{buildver}-jenkins-%{patchlvl}.tar.gz
+Source0: https://github.com/jenkinsci/%{name}/archive/refs/tags/build-%{buildver}-jenkins-%{patchlvl}.%{githash}.tar.gz
+Source1: %{name}-build.xml
+Patch0: 0001-Remove-the-dependency-on-google-tink.patch
+BuildRequires: ant
+BuildRequires: ed25519-java
 BuildRequires: fdupes
 BuildRequires: java-devel >= 1.8
 BuildRequires: javapackages-local
+BuildRequires: jbcrypt
 BuildArch: noarch
 
 %description
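Review bot: `BuildRequires: java-devel >= 1.8` is left unchanged at the end of this hunk although the changelog entry added in the same request states that upstream no longer tests on Java 8 (JENKINS-69229) and the build is now driven by a supplied build.xml that is not visible here; if that build targets a newer release, the floor should say so, e.g. `BuildRequires: java-devel >= 11`, which is also the minimum for replacing the deleted tink-based X25519 code with the JDK's own implementation. The new `Version: %{buildver}.%{patchlvl}.%{githash}` embeds a git hash in the RPM version; rpm compares that segment lexically, so version ordering across future tags rests entirely on `%{patchlvl}` increasing monotonically, and keeping the hash out of `Version` (it is already carried by `Source0`) would remove that dependence.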
@@ -47,28 +54,31 @@ Group: Documentation/HTML
 API documentation for %{name}.
 
 %prep
-%setup -q -n %{name}-%{name}-build%{buildver}-jenkins-%{patchlvl}
+%setup -q -n %{name}-build-%{buildver}-jenkins-%{patchlvl}.%{githash}
+%patch -P 0 -p1
+cp %{SOURCE1} build.xml
+
+%pom_remove_dep :tink
+%pom_xpath_set pom:project/pom:version "build-%{buildver}-jenkins-%{patchlvl}.%{githash}"
 
 %build
-mkdir -p build/classes
-javac -d build/classes -source 8 -target 8 $(find src -name \*.java | xargs)
-(cd build/classes && jar cf ../%{name}-%{version}.jar $(find . -name \*.class))
-mkdir -p build/docs
-javadoc -d build/docs -source 8 $(find src -name \*.java | xargs)
+mkdir -p lib
+build-jar-repository -s lib eddsa jbcrypt
+%{ant} package javadoc
 
 %install
 # jars
 install -d -m 0755 %{buildroot}%{_javadir}
-install -m 644 build/%{name}-%{version}.jar %{buildroot}%{_javadir}/%{name}.jar
+install -m 644 target/%{name}-*.jar %{buildroot}%{_javadir}/%{name}.jar
 
 # pom
 install -d -m 755 %{buildroot}%{_mavenpomdir}
-install -pm 644 pom.xml %{buildroot}%{_mavenpomdir}/%{name}.pom
+%{mvn_install_pom} pom.xml %{buildroot}%{_mavenpomdir}/%{name}.pom
 %add_maven_depmap %{name}.pom %{name}.jar -a "org.tmatesoft.svnkit:trilead-ssh2","com.trilead:trilead-ssh2"
 
 # javadoc
 install -d -m 755 %{buildroot}%{_javadocdir}/%{name}
-cp -aL build/docs/* %{buildroot}%{_javadocdir}/%{name}
+cp -aL target/site/apidocs/* %{buildroot}%{_javadocdir}/%{name}
 %fdupes -s %{buildroot}%{_javadocdir}/%{name}
 
 %files -f .mfiles
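Review bot: `install -m 644 target/%{name}-*.jar %{buildroot}%{_javadir}/%{name}.jar` relies on the glob matching exactly one file; if the ant `package` target also emits a `-sources` or `-javadoc` jar next to the main artifact, `install` receives several sources and a non-directory destination and the build fails, and with any single unexpected match it silently ships the wrong jar. Since the pom version is pinned a few lines earlier by `%pom_xpath_set`, the artifact can be named exactly, e.g. `install -m 644 target/%{name}-build-%{buildver}-jenkins-%{patchlvl}.%{githash}.jar %{buildroot}%{_javadir}/%{name}.jar`, assuming the supplied build.xml (not visible here) names the jar after the pom version. The `%files` list that follows the last context line is outside the hunk.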