summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2022-06-26 17:42:09 +0200
committerRemi Collet <remi@php.net>2022-06-26 17:42:09 +0200
commit20e61c0a1471086c99fd346cfd200b865b30bf57 (patch)
tree629172d26f48a80e34e3b06866f7db5c19d2a2d2
parent6c2df6054475dd31fa2ce3f5ebeef77bc4537f4a (diff)
rename to remi-libssh2 for EL-7 and EL-8HEADmaster
update to 1.10.0
-rw-r--r--0001-libssh2-1.8.0-CVE-2019-3855.patch33
-rw-r--r--0002-libssh2-1.8.0-CVE-2019-3856.patch44
-rw-r--r--0003-libssh2-1.8.0-CVE-2019-3857.patch124
-rw-r--r--0004-libssh2-1.8.0-CVE-2019-3858.patch30
-rw-r--r--0007-libssh2-1.8.0-CVE-2019-3861.patch28
-rw-r--r--0008-libssh2-1.8.0-CVE-2019-3862.patch75
-rw-r--r--0009-libssh2-1.8.0-CVE-2019-3863.patch40
-rw-r--r--0010-libssh2-1.8.0-CVE-2019-17498.patch232
-rw-r--r--0014-libssh2-1.4.3-scp-remote-exec.patch48
-rw-r--r--0015-libssh2-1.4.3-debug-msgs.patch70
-rw-r--r--libssh2.spec144
11 files changed, 72 insertions, 796 deletions
diff --git a/0001-libssh2-1.8.0-CVE-2019-3855.patch b/0001-libssh2-1.8.0-CVE-2019-3855.patch
deleted file mode 100644
index 746b515..0000000
--- a/0001-libssh2-1.8.0-CVE-2019-3855.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Tue, 19 Mar 2019 13:16:53 +0100
-Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read
-
-... resulting in out of bounds write
-
-Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
----
- src/transport.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/transport.c b/src/transport.c
-index 8725da0..5349284 100644
---- a/src/transport.c
-+++ b/src/transport.c
-@@ -434,8 +434,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
- * and we can extract packet and padding length from it
- */
- p->packet_length = _libssh2_ntohu32(block);
-- if (p->packet_length < 1)
-+ if(p->packet_length < 1) {
- return LIBSSH2_ERROR_DECRYPT;
-+ }
-+ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
-+ return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
-+ }
-
- p->padding_length = block[4];
-
---
-2.17.2
-
diff --git a/0002-libssh2-1.8.0-CVE-2019-3856.patch b/0002-libssh2-1.8.0-CVE-2019-3856.patch
deleted file mode 100644
index 40c9e9b..0000000
--- a/0002-libssh2-1.8.0-CVE-2019-3856.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Tue, 19 Mar 2019 13:22:24 +0100
-Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard
- interactive handling
-
-... resulting in out of bounds write
-
-Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
-
-I believe that:
-
- `(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)`
-
-... can be simplified as:
-
- `(session->userauth_kybd_num_prompts > 100)`
-
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- src/userauth.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/src/userauth.c b/src/userauth.c
-index cdfa25e..3946cf9 100644
---- a/src/userauth.c
-+++ b/src/userauth.c
-@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
- /* int num-prompts */
- session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);
- s += 4;
-+ if(session->userauth_kybd_num_prompts &&
-+ session->userauth_kybd_num_prompts > 100) {
-+ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
-+ "Too many replies for "
-+ "keyboard-interactive prompts");
-+ goto cleanup;
-+ }
-
- if(session->userauth_kybd_num_prompts) {
- session->userauth_kybd_prompts =
---
-2.17.2
-
diff --git a/0003-libssh2-1.8.0-CVE-2019-3857.patch b/0003-libssh2-1.8.0-CVE-2019-3857.patch
deleted file mode 100644
index ea264d2..0000000
--- a/0003-libssh2-1.8.0-CVE-2019-3857.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Tue, 19 Mar 2019 13:29:35 +0100
-Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH
- packet processing channel
-
-... resulting in out of bounds write
-
-Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
----
- include/libssh2.h | 12 ++++++++++++
- src/packet.c | 11 +++++++++--
- 2 files changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/include/libssh2.h b/include/libssh2.h
-index 34d2842..e25c380 100644
---- a/include/libssh2.h
-+++ b/include/libssh2.h
-@@ -145,6 +145,18 @@ typedef int libssh2_socket_t;
- #define LIBSSH2_INVALID_SOCKET -1
- #endif /* WIN32 */
-
-+#ifndef SIZE_MAX
-+#if _WIN64
-+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
-+#else
-+#define SIZE_MAX 0xFFFFFFFF
-+#endif
-+#endif
-+
-+#ifndef UINT_MAX
-+#define UINT_MAX 0xFFFFFFFF
-+#endif
-+
- /*
- * Determine whether there is small or large file support on windows.
- */
-diff --git a/src/packet.c b/src/packet.c
-index 5f1feb8..aa10633 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -815,8 +815,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- /* set signal name (without SIG prefix) */
- uint32_t namelen =
- _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
-- channelp->exit_signal =
-- LIBSSH2_ALLOC(session, namelen + 1);
-+
-+ if(namelen <= UINT_MAX - 1) {
-+ channelp->exit_signal =
-+ LIBSSH2_ALLOC(session, namelen + 1);
-+ }
-+ else {
-+ channelp->exit_signal = NULL;
-+ }
-+
- if (!channelp->exit_signal)
- rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
- "memory for signal name");
---
-2.17.2
-
-
-From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001
-From: Michael Buckley <michael@buckleyisms.com>
-Date: Mon, 18 Mar 2019 15:07:12 -0700
-Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h
-
-Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- include/libssh2.h | 12 ------------
- src/libssh2_priv.h | 12 ++++++++++++
- 2 files changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/include/libssh2.h b/include/libssh2.h
-index e25c380..34d2842 100644
---- a/include/libssh2.h
-+++ b/include/libssh2.h
-@@ -145,18 +145,6 @@ typedef int libssh2_socket_t;
- #define LIBSSH2_INVALID_SOCKET -1
- #endif /* WIN32 */
-
--#ifndef SIZE_MAX
--#if _WIN64
--#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
--#else
--#define SIZE_MAX 0xFFFFFFFF
--#endif
--#endif
--
--#ifndef UINT_MAX
--#define UINT_MAX 0xFFFFFFFF
--#endif
--
- /*
- * Determine whether there is small or large file support on windows.
- */
-diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
-index b4296a2..bb5d1a5 100644
---- a/src/libssh2_priv.h
-+++ b/src/libssh2_priv.h
-@@ -146,6 +146,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs)
-
- #endif
-
-+#ifndef SIZE_MAX
-+#if _WIN64
-+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
-+#else
-+#define SIZE_MAX 0xFFFFFFFF
-+#endif
-+#endif
-+
-+#ifndef UINT_MAX
-+#define UINT_MAX 0xFFFFFFFF
-+#endif
-+
- /* RFC4253 section 6.1 Maximum Packet Length says:
- *
- * "All implementations MUST be able to process packets with
---
-2.17.2
-
diff --git a/0004-libssh2-1.8.0-CVE-2019-3858.patch b/0004-libssh2-1.8.0-CVE-2019-3858.patch
deleted file mode 100644
index 04914c5..0000000
--- a/0004-libssh2-1.8.0-CVE-2019-3858.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From f06cf3a20dc3f54b7a9fc8127eb7719462caab39 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Tue, 19 Mar 2019 13:32:05 +0100
-Subject: [PATCH] Resolves: CVE-2019-3858 - fix zero-byte allocation
-
-... with a specially crafted SFTP packet leading to an out-of-bounds read
-
-Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch
----
- src/sftp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/sftp.c b/src/sftp.c
-index 7c44116..65cef85 100644
---- a/src/sftp.c
-+++ b/src/sftp.c
-@@ -345,6 +345,10 @@ sftp_packet_read(LIBSSH2_SFTP *sftp)
- return _libssh2_error(session,
- LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED,
- "SFTP packet too large");
-+ if (sftp->partial_len == 0)
-+ return _libssh2_error(session,
-+ LIBSSH2_ERROR_ALLOC,
-+ "Unable to allocate empty SFTP packet");
-
- _libssh2_debug(session, LIBSSH2_TRACE_SFTP,
- "Data begin - Packet Length: %lu",
---
-2.17.2
-
diff --git a/0007-libssh2-1.8.0-CVE-2019-3861.patch b/0007-libssh2-1.8.0-CVE-2019-3861.patch
deleted file mode 100644
index d40bb71..0000000
--- a/0007-libssh2-1.8.0-CVE-2019-3861.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 77bc71f4ca2949a11110092034dd0705faa6d7b5 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Tue, 19 Mar 2019 13:43:34 +0100
-Subject: [PATCH] Resolves: CVE-2019-3861 - fix out-of-bounds reads with
- specially crafted SSH packets
-
-Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch
----
- src/transport.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/transport.c b/src/transport.c
-index 5349284..6224c4f 100644
---- a/src/transport.c
-+++ b/src/transport.c
-@@ -442,6 +442,9 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
- }
-
- p->padding_length = block[4];
-+ if ( p->padding_length > p->packet_length - 1 ) {
-+ return LIBSSH2_ERROR_DECRYPT;
-+ }
-
- /* total_num is the number of bytes following the initial
- (5 bytes) packet length and padding length fields */
---
-2.17.2
-
diff --git a/0008-libssh2-1.8.0-CVE-2019-3862.patch b/0008-libssh2-1.8.0-CVE-2019-3862.patch
deleted file mode 100644
index f1632a5..0000000
--- a/0008-libssh2-1.8.0-CVE-2019-3862.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Tue, 19 Mar 2019 13:45:22 +0100
-Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison
-
-... with specially crafted message channel request
-
-Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
----
- src/packet.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/packet.c b/src/packet.c
-index aa10633..c950b5d 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- uint32_t len = _libssh2_ntohu32(data + 5);
- unsigned char want_reply = 1;
-
-- if(len < (datalen - 10))
-- want_reply = data[9 + len];
-+ if((len + 9) < datalen)
-+ want_reply = data[len + 9];
-
- _libssh2_debug(session,
- LIBSSH2_TRACE_CONN,
-@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- channel, len, data + 9, want_reply);
-
- if (len == sizeof("exit-status") - 1
-+ && (sizeof("exit-status") - 1 + 9) <= datalen
- && !memcmp("exit-status", data + 9,
- sizeof("exit-status") - 1)) {
-
-@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- channelp =
- _libssh2_channel_locate(session, channel);
-
-- if (channelp) {
-+ if (channelp && (sizeof("exit-status") + 13) <= datalen) {
- channelp->exit_status =
- _libssh2_ntohu32(data + 9 + sizeof("exit-status"));
- _libssh2_debug(session, LIBSSH2_TRACE_CONN,
-@@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-
- }
- else if (len == sizeof("exit-signal") - 1
-+ && (sizeof("exit-signal") - 1 + 9) <= datalen
- && !memcmp("exit-signal", data + 9,
- sizeof("exit-signal") - 1)) {
- /* command terminated due to signal */
- if(datalen >= 20)
- channelp = _libssh2_channel_locate(session, channel);
-
-- if (channelp) {
-+ if (channelp && (sizeof("exit-signal") + 13) <= datalen) {
- /* set signal name (without SIG prefix) */
- uint32_t namelen =
- _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
-@@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- if (!channelp->exit_signal)
- rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
- "memory for signal name");
-- else {
-+ else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) {
- memcpy(channelp->exit_signal,
-- data + 13 + sizeof("exit_signal"), namelen);
-+ data + 13 + sizeof("exit-signal"), namelen);
- channelp->exit_signal[namelen] = '\0';
- /* TODO: save error message and language tag */
- _libssh2_debug(session, LIBSSH2_TRACE_CONN,
---
-2.17.2
-
diff --git a/0009-libssh2-1.8.0-CVE-2019-3863.patch b/0009-libssh2-1.8.0-CVE-2019-3863.patch
deleted file mode 100644
index 77615fd..0000000
--- a/0009-libssh2-1.8.0-CVE-2019-3863.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9ed3c716b63c77e9b52f71f2dae5464ade6143df Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Tue, 19 Mar 2019 13:47:41 +0100
-Subject: [PATCH] Resolves: CVE-2019-3863 - fix integer overflow in user
- authenticate keyboard interactive
-
-... that allows out-of-bounds writes
-
-Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
----
- src/userauth.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/src/userauth.c b/src/userauth.c
-index 3946cf9..ee924c5 100644
---- a/src/userauth.c
-+++ b/src/userauth.c
-@@ -1808,8 +1808,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
-
- for(i = 0; i < session->userauth_kybd_num_prompts; i++) {
- /* string response[1] (ISO-10646 UTF-8) */
-- session->userauth_kybd_packet_len +=
-- 4 + session->userauth_kybd_responses[i].length;
-+ if(session->userauth_kybd_responses[i].length <=
-+ (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) {
-+ session->userauth_kybd_packet_len +=
-+ 4 + session->userauth_kybd_responses[i].length;
-+ }
-+ else {
-+ _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
-+ "Unable to allocate memory for keyboard-"
-+ "interactive response packet");
-+ goto cleanup;
-+ }
- }
-
- /* A new userauth_kybd_data area is to be allocated, free the
---
-2.17.2
-
diff --git a/0010-libssh2-1.8.0-CVE-2019-17498.patch b/0010-libssh2-1.8.0-CVE-2019-17498.patch
deleted file mode 100644
index 319e1fd..0000000
--- a/0010-libssh2-1.8.0-CVE-2019-17498.patch
+++ /dev/null
@@ -1,232 +0,0 @@
-From 1ea36437bb4b0f3ac42db5222cd7311363fa6ec9 Mon Sep 17 00:00:00 2001
-From: Will Cosgrove <will@panic.com>
-Date: Fri, 30 Aug 2019 09:57:38 -0700
-Subject: [PATCH] packet.c: improve message parsing (#402)
-
-* packet.c: improve parsing of packets
-
-file: packet.c
-
-notes:
-Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
-
-Upstream-commit: dedcbd106f8e52d5586b0205bc7677e4c9868f9c
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- src/misc.c | 37 +++++++++++++++++++++++
- src/misc.h | 10 +++++++
- src/packet.c | 84 ++++++++++++++++++++++++----------------------------
- 3 files changed, 85 insertions(+), 46 deletions(-)
-
-diff --git a/src/misc.c b/src/misc.c
-index f7faae7..1b2682f 100644
---- a/src/misc.c
-+++ b/src/misc.c
-@@ -643,3 +643,40 @@ void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size)
- }
- return p;
- }
-+
-+int _libssh2_check_length(struct string_buf *buf, size_t len)
-+{
-+ unsigned char *endp = &buf->data[buf->len];
-+ size_t left = endp - buf->dataptr;
-+ return ((len <= left) && (left <= buf->len));
-+}
-+
-+int _libssh2_get_u32(struct string_buf *buf, uint32_t *out)
-+{
-+ if(!_libssh2_check_length(buf, 4)) {
-+ return -1;
-+ }
-+
-+ *out = _libssh2_ntohu32(buf->dataptr);
-+ buf->dataptr += 4;
-+ return 0;
-+}
-+
-+int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf,
-+ size_t *outlen)
-+{
-+ uint32_t data_len;
-+ if(_libssh2_get_u32(buf, &data_len) != 0) {
-+ return -1;
-+ }
-+ if(!_libssh2_check_length(buf, data_len)) {
-+ return -1;
-+ }
-+ *outbuf = buf->dataptr;
-+ buf->dataptr += data_len;
-+
-+ if(outlen)
-+ *outlen = (size_t)data_len;
-+
-+ return 0;
-+}
-diff --git a/src/misc.h b/src/misc.h
-index 54ae546..cf5abb5 100644
---- a/src/misc.h
-+++ b/src/misc.h
-@@ -49,6 +49,12 @@ struct list_node {
- struct list_head *head;
- };
-
-+struct string_buf {
-+ unsigned char *data;
-+ unsigned char *dataptr;
-+ size_t len;
-+};
-+
- int _libssh2_error_flags(LIBSSH2_SESSION* session, int errcode, const char* errmsg, int errflags);
- int _libssh2_error(LIBSSH2_SESSION* session, int errcode, const char* errmsg);
-
-@@ -80,6 +86,10 @@ void _libssh2_store_u32(unsigned char **buf, uint32_t value);
- void _libssh2_store_str(unsigned char **buf, const char *str, size_t len);
- void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size);
-
-+int _libssh2_get_u32(struct string_buf *buf, uint32_t *out);
-+int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf,
-+ size_t *outlen);
-+
- #if defined(LIBSSH2_WIN32) && !defined(__MINGW32__) && !defined(__CYGWIN__)
- /* provide a private one */
- #undef HAVE_GETTIMEOFDAY
-diff --git a/src/packet.c b/src/packet.c
-index c950b5d..f180b77 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -416,10 +416,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- size_t datalen, int macstate)
- {
- int rc = 0;
-- char *message=NULL;
-- char *language=NULL;
-- size_t message_len=0;
-- size_t language_len=0;
-+ unsigned char *message = NULL;
-+ unsigned char *language = NULL;
-+ size_t message_len = 0;
-+ size_t language_len = 0;
- LIBSSH2_CHANNEL *channelp = NULL;
- size_t data_head = 0;
- unsigned char msg = data[0];
-@@ -430,7 +430,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- "Packet type %d received, length=%d",
- (int) msg, (int) datalen);
-
-- if ((macstate == LIBSSH2_MAC_INVALID) &&
-+ if((macstate == LIBSSH2_MAC_INVALID) &&
- (!session->macerror ||
- LIBSSH2_MACERROR(session, (char *) data, datalen))) {
- /* Bad MAC input, but no callback set or non-zero return from the
-@@ -456,9 +456,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- break;
- }
-
-- if (session->packAdd_state == libssh2_NB_state_allocated) {
-+ if(session->packAdd_state == libssh2_NB_state_allocated) {
- /* A couple exceptions to the packet adding rule: */
-- switch (msg) {
-+ switch(msg) {
-
- /*
- byte SSH_MSG_DISCONNECT
-@@ -469,32 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-
- case SSH_MSG_DISCONNECT:
- if(datalen >= 5) {
-- size_t reason = _libssh2_ntohu32(data + 1);
--
-- if(datalen >= 9) {
-- message_len = _libssh2_ntohu32(data + 5);
--
-- if(message_len < datalen-13) {
-- /* 9 = packet_type(1) + reason(4) + message_len(4) */
-- message = (char *) data + 9;
--
-- language_len = _libssh2_ntohu32(data + 9 + message_len);
-- language = (char *) data + 9 + message_len + 4;
--
-- if(language_len > (datalen-13-message_len)) {
-- /* bad input, clear info */
-- language = message = NULL;
-- language_len = message_len = 0;
-- }
-- }
-- else
-- /* bad size, clear it */
-- message_len=0;
-- }
-- if (session->ssh_msg_disconnect) {
-- LIBSSH2_DISCONNECT(session, reason, message,
-- message_len, language, language_len);
-+ uint32_t reason = 0;
-+ struct string_buf buf;
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr++; /* advance past type */
-+
-+ _libssh2_get_u32(&buf, &reason);
-+ _libssh2_get_string(&buf, &message, &message_len);
-+ _libssh2_get_string(&buf, &language, &language_len);
-+
-+ if(session->ssh_msg_disconnect) {
-+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
-+ message_len, (const char *)language,
-+ language_len);
- }
-+
- _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
- "Disconnect(%d): %s(%s)", reason,
- message, language);
-@@ -534,23 +525,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- int always_display= data[1];
-
- if(datalen >= 6) {
-- message_len = _libssh2_ntohu32(data + 2);
--
-- if(message_len <= (datalen - 10)) {
-- /* 6 = packet_type(1) + display(1) + message_len(4) */
-- message = (char *) data + 6;
-- language_len = _libssh2_ntohu32(data + 6 + message_len);
--
-- if(language_len <= (datalen - 10 - message_len))
-- language = (char *) data + 10 + message_len;
-- }
-+ struct string_buf buf;
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr += 2; /* advance past type & always display */
-+
-+ _libssh2_get_string(&buf, &message, &message_len);
-+ _libssh2_get_string(&buf, &language, &language_len);
- }
-
-- if (session->ssh_msg_debug) {
-- LIBSSH2_DEBUG(session, always_display, message,
-- message_len, language, language_len);
-+ if(session->ssh_msg_debug) {
-+ LIBSSH2_DEBUG(session, always_display,
-+ (const char *)message,
-+ message_len, (const char *)language,
-+ language_len);
- }
- }
-+
- /*
- * _libssh2_debug will actually truncate this for us so
- * that it's not an inordinate about of data
-@@ -573,7 +565,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- uint32_t len =0;
- unsigned char want_reply=0;
- len = _libssh2_ntohu32(data + 1);
-- if(datalen >= (6 + len)) {
-+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
- want_reply = data[5 + len];
- _libssh2_debug(session,
- LIBSSH2_TRACE_CONN,
---
-2.20.1
-
diff --git a/0014-libssh2-1.4.3-scp-remote-exec.patch b/0014-libssh2-1.4.3-scp-remote-exec.patch
deleted file mode 100644
index 971a7c9..0000000
--- a/0014-libssh2-1.4.3-scp-remote-exec.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 9506e299fa5116aa8c4c626e6de1feaed9ff9ff8 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Mon, 11 Sep 2017 21:13:45 +0200
-Subject: [PATCH] scp: do not NUL-terminate the command for remote exec (#208)
-
-It breaks SCP download/upload from/to certain server implementations.
-
-The bug does not manifest with OpenSSH, which silently drops the NUL
-byte (eventually with any garbage that follows the NUL byte) before
-executing it.
-
-Bug: https://bugzilla.redhat.com/1489736
-
-Upstream-commit: 819ef4f2037490b6aa2e870aea851b6364184090
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- src/scp.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/scp.c b/src/scp.c
-index f3d4995..c6451bc 100644
---- a/src/scp.c
-+++ b/src/scp.c
-@@ -303,8 +303,8 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, libssh2_struct_stat * sb)
- &session->scpRecv_command[cmd_len],
- session->scpRecv_command_len - cmd_len);
-
-- session->scpRecv_command[cmd_len] = '\0';
-- session->scpRecv_command_len = cmd_len + 1;
-+ /* the command to exec should _not_ be NUL-terminated */
-+ session->scpRecv_command_len = cmd_len;
-
- _libssh2_debug(session, LIBSSH2_TRACE_SCP,
- "Opening channel for SCP receive");
-@@ -845,8 +845,8 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode,
- &session->scpSend_command[cmd_len],
- session->scpSend_command_len - cmd_len);
-
-- session->scpSend_command[cmd_len] = '\0';
-- session->scpSend_command_len = cmd_len + 1;
-+ /* the command to exec should _not_ be NUL-terminated */
-+ session->scpSend_command_len = cmd_len;
-
- _libssh2_debug(session, LIBSSH2_TRACE_SCP,
- "Opening channel for SCP send");
---
-2.13.5
-
diff --git a/0015-libssh2-1.4.3-debug-msgs.patch b/0015-libssh2-1.4.3-debug-msgs.patch
deleted file mode 100644
index 034f337..0000000
--- a/0015-libssh2-1.4.3-debug-msgs.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From c1bbc2d6b0708dcb1fd014554585296b0ba25a43 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Mon, 9 Oct 2017 17:35:51 +0200
-Subject: [PATCH] session: avoid printing misleading debug messages
-
-... while throwing LIBSSH2_ERROR_EAGAIN out of session_startup()
-
-If the session runs in blocking mode, LIBSSH2_ERROR_EAGAIN never reaches
-the libssh2 API boundary and, in non-blocking mode, these messages are
-suppressed by the condition in _libssh2_error_flags() anyway.
-
-Closes #211
-
-Upstream-commit: 712c6cbdd2f1b509f586aea5889a5c1deb7c9bda
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- src/session.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/src/session.c b/src/session.c
-index 9838d2b..62ef70d 100644
---- a/src/session.c
-+++ b/src/session.c
-@@ -703,7 +703,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
-
- if (session->startup_state == libssh2_NB_state_created) {
- rc = banner_send(session);
-- if (rc) {
-+ if (rc == LIBSSH2_ERROR_EAGAIN)
-+ return rc;
-+ else if (rc) {
- return _libssh2_error(session, rc,
- "Failed sending banner");
- }
-@@ -714,7 +716,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
- if (session->startup_state == libssh2_NB_state_sent) {
- do {
- rc = banner_receive(session);
-- if (rc)
-+ if (rc == LIBSSH2_ERROR_EAGAIN)
-+ return rc;
-+ else if (rc)
- return _libssh2_error(session, rc,
- "Failed getting banner");
- } while(strncmp("SSH-", (char *)session->remote.banner, 4));
-@@ -724,7 +728,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
-
- if (session->startup_state == libssh2_NB_state_sent1) {
- rc = _libssh2_kex_exchange(session, 0, &session->startup_key_state);
-- if (rc)
-+ if (rc == LIBSSH2_ERROR_EAGAIN)
-+ return rc;
-+ else if (rc)
- return _libssh2_error(session, rc,
- "Unable to exchange encryption keys");
-
-@@ -749,7 +755,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
- rc = _libssh2_transport_send(session, session->startup_service,
- sizeof("ssh-userauth") + 5 - 1,
- NULL, 0);
-- if (rc) {
-+ if (rc == LIBSSH2_ERROR_EAGAIN)
-+ return rc;
-+ else if (rc) {
- return _libssh2_error(session, rc,
- "Unable to ask for ssh-userauth service");
- }
---
-2.13.6
-
diff --git a/libssh2.spec b/libssh2.spec
index be8598e..e807f62 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,39 +1,32 @@
-Name: libssh2
-Version: 1.8.0
-Release: 0%{?dist}
+# remirepo spec file for remi-libssh2
+# renamed for parallel installation, from:
+#
+# Fedora spec file for libssh2
+#
+# License: MIT
+# http://opensource.org/licenses/MIT
+#
+# Please preserve changelog entries
+#
+
+%global projname libssh2
+
+%if 0%{?vendeur:1} && 0%{?fedora} < 35 && 0%{?rhel} < 9
+%global move_to_opt 1
+%global _prefix /opt/%{vendeur}/%{projname}
+%global __arch_install_post /bin/true
+Name: %{vendeur}-%{projname}
+%else
+%global move_to_opt 0
+Name: %{projname}
+%endif
+
+Version: 1.10.0
+Release: 1%{?dist}
Summary: A library implementing the SSH2 protocol
-Group: System Environment/Libraries
License: BSD
-URL: http://www.libssh2.org/
-Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz
-
-# fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855)
-Patch1: 0001-libssh2-1.8.0-CVE-2019-3855.patch
-
-# fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856)
-Patch2: 0002-libssh2-1.8.0-CVE-2019-3856.patch
-
-# fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857)
-Patch3: 0003-libssh2-1.8.0-CVE-2019-3857.patch
-
-# fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858)
-Patch4: 0004-libssh2-1.8.0-CVE-2019-3858.patch
-
-# fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
-Patch7: 0007-libssh2-1.8.0-CVE-2019-3861.patch
-
-# fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862)
-Patch8: 0008-libssh2-1.8.0-CVE-2019-3862.patch
-
-# fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863)
-Patch9: 0009-libssh2-1.8.0-CVE-2019-3863.patch
-
-# fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
-Patch10: 0010-libssh2-1.8.0-CVE-2019-17498.patch
-
-Patch14: 0014-libssh2-1.4.3-scp-remote-exec.patch
-Patch15: 0015-libssh2-1.4.3-debug-msgs.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
+URL: https://www.libssh2.org/
+Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz
BuildRequires: coreutils
BuildRequires: findutils
@@ -44,14 +37,14 @@ BuildRequires: sed
BuildRequires: zlib-devel
BuildRequires: /usr/bin/man
-# Test suite requirements - we run the OpenSSH server and try to connect to it
+# Test suite requirements
+# Full groff (not just groff-base) needed for the mansyntax check
+BuildRequires: groff
+# We run the OpenSSH server and try to connect to it
BuildRequires: openssh-server
-# We use matchpathcon to get the correct SELinux context for the ssh server
-# initialization script so that it can transition correctly in an SELinux
-# environment
-%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7)
-BuildRequires: libselinux-utils
-BuildRequires: selinux-policy-targeted
+# Need a valid locale to run the mansyntax check
+%if 0%{?fedora} > 23 || 0%{?rhel} > 7
+BuildRequires: glibc-langpack-en
%endif
%description
@@ -62,7 +55,6 @@ SECSH-DHGEX(04), and SECSH-NUMBERS(10).
%package devel
Summary: Development files for libssh2
-Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: pkgconfig
@@ -72,7 +64,6 @@ developing applications that use libssh2.
%package docs
Summary: Documentation for libssh2
-Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
BuildArch: noarch
@@ -80,43 +71,29 @@ BuildArch: noarch
The libssh2-docs package contains man pages and examples for
developing applications that use libssh2.
+
+%if %{move_to_opt}
+# Filter in the /opt installation
+%{?filter_from_provides: %filter_from_provides /libssh2/d}
+%{?filter_from_requires: %filter_from_requires /libssh2/d}
+%{?filter_setup}
+%endif
+
+
%prep
-%setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
+%setup -q -n %{projname}-%{version}
# Replace hard wired port number in the test suite to avoid collisions
# between 32-bit and 64-bit builds running on a single build-host
sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh}
-# scp: send valid commands for remote execution (#1489733)
-%patch14 -p1
-
-# session: avoid printing misleading debug messages (#1503294)
-%patch15 -p1
-
-# Make sshd transition appropriately if building in an SELinux environment
-%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7)
-chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || :
-chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || :
-chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} || :
-%endif
%build
%configure --disable-silent-rules --disable-static --enable-shared
make %{?_smp_mflags}
-# Avoid polluting libssh2.pc with linker options (#947813)
-sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc
%install
-rm -rf %{buildroot}
make install DESTDIR=%{buildroot} INSTALL="install -p"
find %{buildroot} -name '*.la' -delete
@@ -146,26 +123,45 @@ echo "exit 0" > tests/ssh2.sh
echo "Skipping mansyntax test on PPC* and aarch64"
echo "exit 0" > tests/mansyntax.sh
%endif
-make -C tests check
+LC_ALL=en_US.UTF-8 make -C tests check
-%clean
-rm -rf %{buildroot}
+%if 0%{?fedora} < 28 && 0%{?rhel} < 8
%post -p /sbin/ldconfig
-
%postun -p /sbin/ldconfig
+%endif
+
%files
-%doc COPYING docs/AUTHORS README RELEASE-NOTES
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc docs/AUTHORS README RELEASE-NOTES
+%if %{move_to_opt}
+%dir %{_libdir}
+%dir %{_prefix}
+%dir %{_datadir}
+%ghost %{_datadir}/doc
+%ghost %{_docdir}
+%{?_licensedir:%ghost %{_datadir}/licenses}
+%{?_licensedir:%ghost %{_licensedir}}
+%endif
%{_libdir}/libssh2.so.1
%{_libdir}/libssh2.so.1.*
%files docs
%doc docs/BINDINGS docs/HACKING docs/TODO NEWS
+%if %{move_to_opt}
+%dir %{_mandir}
+%dir %{_mandir}/man3
+%endif
%{_mandir}/man3/libssh2_*.3*
%files devel
%doc example.%{_arch}/
+%if %{move_to_opt}
+%dir %{_includedir}
+%dir %{_libdir}/pkgconfig/
+%endif
%{_includedir}/libssh2.h
%{_includedir}/libssh2_publickey.h
%{_includedir}/libssh2_sftp.h
@@ -173,6 +169,10 @@ rm -rf %{buildroot}
%{_libdir}/pkgconfig/libssh2.pc
%changelog
+* Sun Jun 26 2022 Remi Collet <remi@remirepo.net> - 1.10.0-1
+- rename to remi-libssh2 for EL-7 and EL-8
+- update to 1.10.0
+
* Tue Mar 2 2021 Remi Collet <remi@remirepo.net> - 1.8.0-0
- rebuild with lower release for amazon