path: root/libssh2.spec
author Remi Collet <remi@remirepo.net> 2021-03-02 11:01:02 +0100
committer Remi Collet <remi@remirepo.net> 2021-03-02 11:01:02 +0100
commit 2c66aa8e4ec5b4bfc80f991bb2b3069b108b6121 (patch)
tree 2cc6c3d025aeafca8a378072f4db34ee1e3d7cd8 /libssh2.spec
parent ef20bb6b3d0272c8340b5e55347eeffa114c889b (diff)
import from RHEL 7.7
Diffstat (limited to 'libssh2.spec')
-rw-r--r-- libssh2.spec 331
1 files changed, 251 insertions, 80 deletions
diff --git a/libssh2.spec b/libssh2.spec
index d9f88a4..f704268 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,42 +1,57 @@
-# Fedora 10 onwards support noarch subpackages; by using one, we can
-# put the arch-independent docs in a common subpackage and save lots
-# of space on the mirrors
-%if 0%{?fedora} > 9 || 0%{?rhel} > 5
-%global noarch_docs_package 1
-%else
-%global noarch_docs_package 0
-%endif
+Name: libssh2
+Version: 1.8.0
+Release: 4%{?dist}
+Summary: A library implementing the SSH2 protocol
+Group: System Environment/Libraries
+License: BSD
+URL: http://www.libssh2.org/
+Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz
+
+# fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855)
+Patch1: 0001-libssh2-1.8.0-CVE-2019-3855.patch
+
+# fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856)
+Patch2: 0002-libssh2-1.8.0-CVE-2019-3856.patch
+
+# fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857)
+Patch3: 0003-libssh2-1.8.0-CVE-2019-3857.patch
+
+# fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858)
+Patch4: 0004-libssh2-1.8.0-CVE-2019-3858.patch
+
+# fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
+Patch7: 0007-libssh2-1.8.0-CVE-2019-3861.patch
+
+# fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862)
+Patch8: 0008-libssh2-1.8.0-CVE-2019-3862.patch
-# Define %%{__isa_bits} for old releases
-%{!?__isa_bits: %global __isa_bits %((echo '#include <bits/wordsize.h>'; echo __WORDSIZE) | cpp - | grep -Ex '32|64')}
-
-Name: libssh2
-Version: 1.4.3
-Release: 8%{?dist}.1
-Summary: A library implementing the SSH2 protocol
-Group: System Environment/Libraries
-License: BSD
-URL: http://www.libssh2.org/
-Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz
-Patch0: libssh2-1.4.2-utf8.patch
-Patch1: 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch
-Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch
-Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch
-Patch4: 0004-partially-revert-window_size-explicit-adjustments-on.patch
-Patch5: 0005-channel.c-fix-a-use-after-free.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
-BuildRequires: openssl-devel
-BuildRequires: zlib-devel
-BuildRequires: /usr/bin/man
+# fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863)
+Patch9: 0009-libssh2-1.8.0-CVE-2019-3863.patch
+
+# fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
+Patch10: 0010-libssh2-1.8.0-CVE-2019-17498.patch
+
+Patch14: 0014-libssh2-1.4.3-scp-remote-exec.patch
+Patch15: 0015-libssh2-1.4.3-debug-msgs.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
+
+BuildRequires: coreutils
+BuildRequires: findutils
+BuildRequires: gcc
+BuildRequires: make
+BuildRequires: openssl-devel
+BuildRequires: sed
+BuildRequires: zlib-devel
+BuildRequires: /usr/bin/man
# Test suite requirements - we run the OpenSSH server and try to connect to it
-BuildRequires: openssh-server
+BuildRequires: openssh-server
# We use matchpathcon to get the correct SELinux context for the ssh server
# initialization script so that it can transition correctly in an SELinux
-# environment; matchpathcon is only available from FC-4 and moved from the
-# libselinux to libselinux-utils package in F-10
-%if (0%{?fedora} >= 4 || 0%{?rhel} >= 5) && !(0%{?fedora} >=17 || 0%{?rhel} >=7)
-BuildRequires: /usr/sbin/matchpathcon selinux-policy-targeted
+# environment
+%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7)
+BuildRequires: libselinux-utils
+BuildRequires: selinux-policy-targeted
%endif
%description
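Review bot: The new Patch list in the preamble skips Patch5, Patch6 and Patch11 through Patch13 without a comment, and Patch14 and Patch15 are the only entries with no describing comment here (their file names still say 1.4.3 although Version is now 1.8.0). Someone auditing which CVE fixes this build carries cannot tell whether the gaps are deliberate, so add a one-line comment saying the missing numbers are intentionally unused, and move the "#1489733" and "#1503294" descriptions from %prep up beside Patch14 and Patch15. Separately, URL and Source0 remain plain http:// and nothing visible in the spec verifies the tarball; switching both to https:// and checking an upstream signature or recorded checksum before %setup would close that gap.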
@@ -45,49 +60,46 @@ Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25),
SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*,
SECSH-DHGEX(04), and SECSH-NUMBERS(10).
-%package devel
-Summary: Development files for libssh2
-Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
-Requires: openssl-devel
-Requires: pkgconfig
+%package devel
+Summary: Development files for libssh2
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: pkgconfig
-%description devel
+%description devel
The libssh2-devel package contains libraries and header files for
developing applications that use libssh2.
-%package docs
-Summary: Documentation for libssh2
-Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
-%if %{noarch_docs_package}
-BuildArch: noarch
-%endif
+%package docs
+Summary: Documentation for libssh2
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}
+BuildArch: noarch
-%description docs
+%description docs
The libssh2-docs package contains man pages and examples for
developing applications that use libssh2.
%prep
%setup -q
-
-# Replace hard wired port number in the test suite to avoid collisions
-# between 32-bit and 64-bit builds running on a single build-host
-sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh}
-
-# Make sure things are UTF-8...
-%patch0 -p1
-
-# Three upstream patches required for qemu ssh block driver.
%patch1 -p1
%patch2 -p1
%patch3 -p1
-
-# http://thread.gmane.org/gmane.network.ssh.libssh2.devel/6428
%patch4 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+
+# Replace hard wired port number in the test suite to avoid collisions
+# between 32-bit and 64-bit builds running on a single build-host
+sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh}
+
+# scp: send valid commands for remote execution (#1489733)
+%patch14 -p1
-# https://trac.libssh2.org/ticket/268
-%patch5 -p1
+# session: avoid printing misleading debug messages (#1503294)
+%patch15 -p1
# Make sshd transition appropriately if building in an SELinux environment
%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7)
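Review bot: The sed line in %prep now uses %{__isa_bits} unconditionally, while the first hunk removes the fallback "%{!?__isa_bits: %global __isa_bits ...}" definition. The spec still keeps branches for releases older than Fedora 17 and RHEL 7, and on any rpm that does not define the macro the literal text "47%{__isa_bits}" would be written into tests/ssh2.{c,sh} as the port number. Either keep the fallback definition or drop the legacy branches so the supported targets are unambiguous. Also in this hunk, the devel subpackage loses "Requires: openssl-devel", which the removed 1.4.3-8.1 changelog entry had added on purpose; confirm that pkg-config consumers of libssh2.pc (which gained a Requires.private line per the 1.4.2-1 entry) still resolve without it.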
@@ -97,7 +109,7 @@ chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} |
%endif
%build
-%configure --disable-static --enable-shared
+%configure --disable-silent-rules --disable-static --enable-shared
make %{?_smp_mflags}
# Avoid polluting libssh2.pc with linker options (#947813)
@@ -106,17 +118,18 @@ sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc
%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot} INSTALL="install -p"
-find %{buildroot} -name '*.la' -exec rm -f {} \;
+find %{buildroot} -name '*.la' -delete
# clean things up a bit for packaging
make -C example clean
rm -rf example/.deps
-find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} \;
+find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -delete
# avoid multilib conflict on libssh2-devel
mv -v example example.%{_arch}
%check
+echo "Running tests for %{_arch}"
# The SSH test will fail if we don't have /dev/tty, as is the case in some
# versions of mock (#672713)
if [ ! -c /dev/tty ]; then
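Review bot: Replacing "-exec rm -v {} \;" with "-delete" in the example/ cleanup of %install drops the verbose listing, so the build log no longer records which *.am and *.in files were removed from the shipped examples. If that record is wanted for comparing builds, put "-print" before "-delete" on that line; the '*.la' removal never logged, so it is unaffected.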
@@ -128,6 +141,11 @@ fi
echo Skipping SSH test on sparc/arm
echo "exit 0" > tests/ssh2.sh
%endif
+# mansyntax check fails on PPC* and aarch64 with some strange locale error
+%ifarch ppc %{power64} aarch64
+echo "Skipping mansyntax test on PPC* and aarch64"
+echo "exit 0" > tests/mansyntax.sh
+%endif
make -C tests check
%clean
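Review bot: The new %ifarch block in %check disables the mansyntax test on ppc, %{power64} and aarch64 by overwriting tests/mansyntax.sh with "exit 0", and the only justification is "some strange locale error" with no bug reference. A test silenced this way tends to stay silenced after the underlying cause is gone, so cite a tracker ID in the comment, and consider first trying an explicit locale for that test on the affected architectures rather than replacing the script.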
@@ -138,18 +156,15 @@ rm -rf %{buildroot}
%postun -p /sbin/ldconfig
%files
-%defattr(-,root,root,-)
-%doc AUTHORS ChangeLog COPYING README NEWS
+%doc COPYING docs/AUTHORS README RELEASE-NOTES
%{_libdir}/libssh2.so.1
%{_libdir}/libssh2.so.1.*
%files docs
-%defattr(-,root,root,-)
-%doc HACKING
+%doc docs/BINDINGS docs/HACKING docs/TODO NEWS
%{_mandir}/man3/libssh2_*.3*
%files devel
-%defattr(-,root,root,-)
%doc example.%{_arch}/
%{_includedir}/libssh2.h
%{_includedir}/libssh2_publickey.h
@@ -158,16 +173,172 @@ rm -rf %{buildroot}
%{_libdir}/pkgconfig/libssh2.pc
%changelog
-* Sat Dec 20 2014 Remi Collet <RPMS@FamilleCollet.com> 1.4.3-8.1
-- libssh2-devel requires openssl-devel
-
-* Sat Dec 20 2014 Remi Collet <RPMS@FamilleCollet.com> 1.4.3-8
-- sync with 1.4.3-8 from RHEL-7
-- ABI is compatible according to ABI compliance checker
- http://upstream.rosalinux.ru/versions/libssh2.html
-
-* Sun Jul 24 2011 Remi Collet <RPMS@FamilleCollet.com> 1.2.7-1
-- rebuild for remi repo (EL-5)
+* Wed Oct 30 2019 Kamil Dudka <kdudka@redhat.com> - 1.8.0-4
+- fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
+
+* Wed Mar 20 2019 Kamil Dudka <kdudka@redhat.com> 1.8.0-3
+- sanitize public header file (detected by rpmdiff)
+
+* Tue Mar 19 2019 Kamil Dudka <kdudka@redhat.com> 1.8.0-2
+- fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863)
+- fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862)
+- fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
+- fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858)
+- fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857)
+- fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856)
+- fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855)
+
+* Wed Nov 21 2018 Kamil Dudka <kdudka@redhat.com> 1.8.0-1
+- rebase to 1.8.0 (#1592784)
+
+* Tue Sep 26 2017 Kamil Dudka <kdudka@redhat.com> 1.4.3-12
+- session: avoid printing misleading debug messages (#1503294)
+- scp: send valid commands for remote execution (#1489733)
+
+* Fri Feb 19 2016 Kamil Dudka <kdudka@redhat.com> 1.4.3-11
+- use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787)
+
+* Mon Jun 01 2015 Kamil Dudka <kdudka@redhat.com> 1.4.3-10
+- check length of data extracted from the SSH_MSG_KEXINIT packet (CVE-2015-1782)
+
+* Tue May 05 2015 Kamil Dudka <kdudka@redhat.com> 1.4.3-9
+- curl consumes too much memory during scp download (#1080459)
+- prevent a not-connected agent from closing STDIN (#1147717)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.4.3-8
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.4.3-7
+- Mass rebuild 2013-12-27
+
+* Wed Aug 14 2013 Kamil Dudka <kdudka@redhat.com> 1.4.3-6
+- fix very slow sftp upload to localhost
+- fix a use after free in channel.c
+
+* Tue Apr 9 2013 Richard W.M. Jones <rjones@redhat.com> 1.4.3-5
+- Add three patches from upstream git required for qemu ssh block driver.
+
+* Wed Apr 3 2013 Paul Howarth <paul@city-fan.org> 1.4.3-4
+- Avoid polluting libssh2.pc with linker options (#947813)
+
+* Tue Mar 26 2013 Kamil Dudka <kdudka@redhat.com> 1.4.3-3
+- Avoid collisions between 32-bit and 64-bit builds running on a single build
+ host
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Nov 28 2012 Paul Howarth <paul@city-fan.org> 1.4.3-1
+- Update to 1.4.3
+ - compression: add support for zlib@openssh.com
+ - sftp_read: return error if a too large package arrives
+ - libssh2_hostkey_hash.3: update the description of return value
+ - Fixed MSVC NMakefile
+ - examples: use stderr for messages, stdout for data
+ - openssl: do not leak memory when handling errors
+ - improved handling of disabled MD5 algorithm in OpenSSL
+ - known_hosts: Fail when parsing unknown keys in known_hosts file
+ - configure: gcrypt doesn't come with pkg-config support
+ - session_free: wrong variable used for keeping state
+ - libssh2_userauth_publickey_fromfile_ex.3: mention publickey == NULL
+ - comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating
+- Drop upstreamed patches
+
+* Wed Nov 07 2012 Kamil Dudka <kdudka@redhat.com> 1.4.2-4
+- examples: use stderr for messages, stdout for data (upstream commit b31e35ab)
+- Update libssh2_hostkey_hash(3) man page (upstream commit fe8f3deb)
+
+* Wed Sep 26 2012 Kamil Dudka <kdudka@redhat.com> 1.4.2-3
+- Fix basic functionality of libssh2 in FIPS mode
+- Skip SELinux-related quirks on recent distros to prevent a test-suite failure
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun May 20 2012 Paul Howarth <paul@city-fan.org> 1.4.2-1
+- Update to 1.4.2
+ - Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner
+ - userauth.c: fread() from public key file to correctly detect any errors
+ - configure.ac: add option to disable build of the example applications
+ - added 'Requires.private:' line to libssh2.pc
+ - SFTP: filter off incoming "zombie" responses
+ - gettimeofday: no need for a replacement under cygwin
+ - SSH_MSG_CHANNEL_REQUEST: default to want_reply
+ - win32/libssh2_config.h: remove hardcoded #define LIBSSH2_HAVE_ZLIB
+
+* Fri Apr 27 2012 Paul Howarth <paul@city-fan.org> 1.4.1-2
+- Fix multi-arch conflict again (#816969)
+
+* Thu Apr 5 2012 Paul Howarth <paul@city-fan.org> 1.4.1-1
+- Update to 1.4.1
+ - Build error with gcrypt backend
+ - Always do "forced" window updates to avoid corner case stalls
+ - aes: the init function fails when OpenSSL has AES support
+ - transport_send: finish in-progress key exchange before sending data
+ - channel_write: acknowledge transport errors
+ - examples/x11.c: make sure sizeof passed to read operation is correct
+ - examples/x11.c: fix suspicious sizeof usage
+ - sftp_packet_add: verify the packet before accepting it
+ - SFTP: preserve the original error code more
+ - sftp_packet_read: adjust window size as necessary
+ - Use safer snprintf rather then sprintf in several places
+ - Define and use LIBSSH2_INVALID_SOCKET instead of INVALID_SOCKET
+ - sftp_write: cannot return acked data *and* EAGAIN
+ - sftp_read: avoid data *and* EAGAIN
+ - libssh2.h: add missing prototype for libssh2_session_banner_set()
+- Drop upstream patches now included in release tarball
+
+* Mon Mar 19 2012 Kamil Dudka <kdudka@redhat.com> 1.4.0-4
+- Don't ignore transport errors when writing to channel (#804150)
+
+* Sun Mar 18 2012 Paul Howarth <paul@city-fan.org> 1.4.0-3
+- Don't try to use openssl's AES-CTR functions
+ (http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0111.shtml)
+
+* Fri Mar 16 2012 Paul Howarth <paul@city-fan.org> 1.4.0-2
+- fix libssh2 failing key re-exchange when write channel is saturated (#804156)
+- drop %%defattr, redundant since rpm 4.4
+
+* Wed Feb 1 2012 Paul Howarth <paul@city-fan.org> 1.4.0-1
+- update to 1.4.0
+ - added libssh2_session_supported_algs()
+ - added libssh2_session_banner_get()
+ - added libssh2_sftp_get_channel()
+ - libssh2.h: bump the default window size to 256K
+ - sftp-seek: clear EOF flag
+ - userauth: provide more informations if ssh pub key extraction fails
+ - ssh2_exec: skip error outputs for EAGAIN
+ - LIBSSH2_SFTP_PACKET_MAXLEN: increase to 80000
+ - knownhost_check(): don't dereference ext if NULL is passed
+ - knownhost_add: avoid dereferencing uninitialized memory on error path
+ - OpenSSL EVP: fix threaded use of structs
+ - _libssh2_channel_read: react on errors from receive_window_adjust
+ - sftp_read: cap the read ahead maximum amount
+ - _libssh2_channel_read: fix non-blocking window adjusting
+- add upstream patch fixing undefined function reference in libgcrypt backend
+- BR: /usr/bin/man for test suite
+
+* Sun Jan 15 2012 Peter Robinson <pbrobinson@fedoraproject.org> 1.3.0-4
+- skip the ssh test on ARM too
+
+* Fri Jan 13 2012 Paul Howarth <paul@city-fan.org> 1.3.0-3
+- make docs package noarch where possible
+- example includes arch-specific bits, so move to devel package
+- use patch rather than scripted iconv to fix character encoding
+- don't make assumptions about SELinux context types used for the ssh server
+ in the test suite
+- skip the ssh test if /dev/tty isn't present, as in some versions of mock
+- make the %%files list more explicit
+- use tabs for indentation
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 1.3.0-2
+- rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Sep 08 2011 Kamil Dudka <kdudka@redhat.com> 1.3.0-1
+- update to 1.3.0
+
+* Sat Jun 25 2011 Dennis Gilmore <dennis@ausil.us> 1.2.7-2
+- sshd/loopback test fails in the sparc buildsystem
* Tue Oct 12 2010 Kamil Dudka <kdudka@redhat.com> 1.2.7-1
- update to 1.2.7 (#632916)
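Review bot: The imported changelog records fixes for CVE-2016-0787 (1.4.3-11) and CVE-2015-1782 (1.4.3-10), but the spec carries no patches for them and the 1.8.0-1 entry says only "rebase to 1.8.0 (#1592784)". Unlike the 1.4.3-1 and 1.4.1-1 entries, which state that upstreamed patches were dropped, the rebase entry gives no way to confirm these fixes are contained in the 1.8.0 tarball; add a "drop upstreamed patches" line there naming them. The 1.8.0-3 entry "sanitize public header file (detected by rpmdiff)" likewise has no separate Patch line in the preamble, so note which patch contains it. Minor: "secrects" in the 1.4.3-11 entry is a typo, and the 1.8.0-4 header uses " - 1.8.0-4" where the neighbouring entries omit the dash.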