summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2021-03-02 11:01:02 +0100
committerRemi Collet <remi@remirepo.net>2021-03-02 11:01:02 +0100
commit2c66aa8e4ec5b4bfc80f991bb2b3069b108b6121 (patch)
tree2cc6c3d025aeafca8a378072f4db34ee1e3d7cd8
parentef20bb6b3d0272c8340b5e55347eeffa114c889b (diff)
import from RHEL 7.7
-rw-r--r--.gitignore9
-rw-r--r--0001-libssh2-1.8.0-CVE-2019-3855.patch33
-rw-r--r--0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch54
-rw-r--r--0002-libssh2-1.8.0-CVE-2019-3856.patch44
-rw-r--r--0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch26
-rw-r--r--0003-libssh2-1.8.0-CVE-2019-3857.patch124
-rw-r--r--0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch223
-rw-r--r--0004-libssh2-1.8.0-CVE-2019-3858.patch30
-rw-r--r--0004-partially-revert-window_size-explicit-adjustments-on.patch69
-rw-r--r--0005-channel.c-fix-a-use-after-free.patch26
-rw-r--r--0007-libssh2-1.8.0-CVE-2019-3861.patch28
-rw-r--r--0008-libssh2-1.8.0-CVE-2019-3862.patch75
-rw-r--r--0009-libssh2-1.8.0-CVE-2019-3863.patch40
-rw-r--r--0010-libssh2-1.8.0-CVE-2019-17498.patch232
-rw-r--r--0014-libssh2-1.4.3-scp-remote-exec.patch48
-rw-r--r--0015-libssh2-1.4.3-debug-msgs.patch70
-rw-r--r--Makefile2
-rw-r--r--libssh2-1.4.2-utf8.patch14
-rw-r--r--libssh2.spec331
19 files changed, 985 insertions, 493 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..01f0400
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,9 @@
+clog
+package-*.xml
+*.tgz
+*.tar.bz2
+*.tar.gz
+*.tar.xz
+*.tar.xz.asc
+*.src.rpm
+*/*rpm
diff --git a/0001-libssh2-1.8.0-CVE-2019-3855.patch b/0001-libssh2-1.8.0-CVE-2019-3855.patch
new file mode 100644
index 0000000..746b515
--- /dev/null
+++ b/0001-libssh2-1.8.0-CVE-2019-3855.patch
@@ -0,0 +1,33 @@
+From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:16:53 +0100
+Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read
+
+... resulting in out of bounds write
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
+---
+ src/transport.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/transport.c b/src/transport.c
+index 8725da0..5349284 100644
+--- a/src/transport.c
++++ b/src/transport.c
+@@ -434,8 +434,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
+ * and we can extract packet and padding length from it
+ */
+ p->packet_length = _libssh2_ntohu32(block);
+- if (p->packet_length < 1)
++ if(p->packet_length < 1) {
+ return LIBSSH2_ERROR_DECRYPT;
++ }
++ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
++ return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
++ }
+
+ p->padding_length = block[4];
+
+--
+2.17.2
+
diff --git a/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch b/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch
deleted file mode 100644
index 9acbd6d..0000000
--- a/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 486bb376218a37fe15318d7724d6eada36b81e6c Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Tue, 26 Mar 2013 17:58:04 +0100
-Subject: [PATCH 1/3] sftp: seek: Don't flush buffers on same offset
-
-Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
----
- src/sftp.c | 27 +++++++++++++++------------
- 1 file changed, 15 insertions(+), 12 deletions(-)
-
-diff --git a/src/sftp.c b/src/sftp.c
-index d0536dd..3760025 100644
---- a/src/sftp.c
-+++ b/src/sftp.c
-@@ -2132,21 +2132,24 @@ libssh2_sftp_fstat_ex(LIBSSH2_SFTP_HANDLE *hnd,
- LIBSSH2_API void
- libssh2_sftp_seek64(LIBSSH2_SFTP_HANDLE *handle, libssh2_uint64_t offset)
- {
-- if(handle) {
-- handle->u.file.offset = handle->u.file.offset_sent = offset;
-- /* discard all pending requests and currently read data */
-- sftp_packetlist_flush(handle);
-+ if(!handle)
-+ return;
-+ if(handle->u.file.offset == offset && handle->u.file.offset_sent == offset)
-+ return;
-
-- /* free the left received buffered data */
-- if (handle->u.file.data_left) {
-- LIBSSH2_FREE(handle->sftp->channel->session, handle->u.file.data);
-- handle->u.file.data_left = handle->u.file.data_len = 0;
-- handle->u.file.data = NULL;
-- }
-+ handle->u.file.offset = handle->u.file.offset_sent = offset;
-+ /* discard all pending requests and currently read data */
-+ sftp_packetlist_flush(handle);
-
-- /* reset EOF to False */
-- handle->u.file.eof = FALSE;
-+ /* free the left received buffered data */
-+ if (handle->u.file.data_left) {
-+ LIBSSH2_FREE(handle->sftp->channel->session, handle->u.file.data);
-+ handle->u.file.data_left = handle->u.file.data_len = 0;
-+ handle->u.file.data = NULL;
- }
-+
-+ /* reset EOF to False */
-+ handle->u.file.eof = FALSE;
- }
-
- /* libssh2_sftp_seek
---
-1.8.1.4
-
diff --git a/0002-libssh2-1.8.0-CVE-2019-3856.patch b/0002-libssh2-1.8.0-CVE-2019-3856.patch
new file mode 100644
index 0000000..40c9e9b
--- /dev/null
+++ b/0002-libssh2-1.8.0-CVE-2019-3856.patch
@@ -0,0 +1,44 @@
+From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:22:24 +0100
+Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard
+ interactive handling
+
+... resulting in out of bounds write
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
+
+I believe that:
+
+ `(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)`
+
+... can be simplified as:
+
+ `(session->userauth_kybd_num_prompts > 100)`
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/userauth.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index cdfa25e..3946cf9 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
+ /* int num-prompts */
+ session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);
+ s += 4;
++ if(session->userauth_kybd_num_prompts &&
++ session->userauth_kybd_num_prompts > 100) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Too many replies for "
++ "keyboard-interactive prompts");
++ goto cleanup;
++ }
+
+ if(session->userauth_kybd_num_prompts) {
+ session->userauth_kybd_prompts =
+--
+2.17.2
+
diff --git a/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch b/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch
deleted file mode 100644
index 83ca15e..0000000
--- a/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From a12f3ffab579b514eeb7fdfaca0ade271961cdb4 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Mon, 8 Apr 2013 17:30:10 +0100
-Subject: [PATCH 2/3] sftp: statvfs: Along error path, reset the correct
- 'state' variable.
-
----
- src/sftp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/sftp.c b/src/sftp.c
-index 3760025..65fa77a 100644
---- a/src/sftp.c
-+++ b/src/sftp.c
-@@ -2752,7 +2752,7 @@ static int sftp_statvfs(LIBSSH2_SFTP *sftp, const char *path,
- "Error waiting for FXP EXTENDED REPLY");
- } else if (data_len < 93) {
- LIBSSH2_FREE(session, data);
-- sftp->fstatvfs_state = libssh2_NB_state_idle;
-+ sftp->statvfs_state = libssh2_NB_state_idle;
- return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
- "SFTP Protocol Error: short response");
- }
---
-1.8.1.4
-
diff --git a/0003-libssh2-1.8.0-CVE-2019-3857.patch b/0003-libssh2-1.8.0-CVE-2019-3857.patch
new file mode 100644
index 0000000..ea264d2
--- /dev/null
+++ b/0003-libssh2-1.8.0-CVE-2019-3857.patch
@@ -0,0 +1,124 @@
+From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:29:35 +0100
+Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH
+ packet processing channel
+
+... resulting in out of bounds write
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
+---
+ include/libssh2.h | 12 ++++++++++++
+ src/packet.c | 11 +++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/include/libssh2.h b/include/libssh2.h
+index 34d2842..e25c380 100644
+--- a/include/libssh2.h
++++ b/include/libssh2.h
+@@ -145,6 +145,18 @@ typedef int libssh2_socket_t;
+ #define LIBSSH2_INVALID_SOCKET -1
+ #endif /* WIN32 */
+
++#ifndef SIZE_MAX
++#if _WIN64
++#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
++#else
++#define SIZE_MAX 0xFFFFFFFF
++#endif
++#endif
++
++#ifndef UINT_MAX
++#define UINT_MAX 0xFFFFFFFF
++#endif
++
+ /*
+ * Determine whether there is small or large file support on windows.
+ */
+diff --git a/src/packet.c b/src/packet.c
+index 5f1feb8..aa10633 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -815,8 +815,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ /* set signal name (without SIG prefix) */
+ uint32_t namelen =
+ _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
+- channelp->exit_signal =
+- LIBSSH2_ALLOC(session, namelen + 1);
++
++ if(namelen <= UINT_MAX - 1) {
++ channelp->exit_signal =
++ LIBSSH2_ALLOC(session, namelen + 1);
++ }
++ else {
++ channelp->exit_signal = NULL;
++ }
++
+ if (!channelp->exit_signal)
+ rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+ "memory for signal name");
+--
+2.17.2
+
+
+From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001
+From: Michael Buckley <michael@buckleyisms.com>
+Date: Mon, 18 Mar 2019 15:07:12 -0700
+Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h
+
+Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ include/libssh2.h | 12 ------------
+ src/libssh2_priv.h | 12 ++++++++++++
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/include/libssh2.h b/include/libssh2.h
+index e25c380..34d2842 100644
+--- a/include/libssh2.h
++++ b/include/libssh2.h
+@@ -145,18 +145,6 @@ typedef int libssh2_socket_t;
+ #define LIBSSH2_INVALID_SOCKET -1
+ #endif /* WIN32 */
+
+-#ifndef SIZE_MAX
+-#if _WIN64
+-#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
+-#else
+-#define SIZE_MAX 0xFFFFFFFF
+-#endif
+-#endif
+-
+-#ifndef UINT_MAX
+-#define UINT_MAX 0xFFFFFFFF
+-#endif
+-
+ /*
+ * Determine whether there is small or large file support on windows.
+ */
+diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
+index b4296a2..bb5d1a5 100644
+--- a/src/libssh2_priv.h
++++ b/src/libssh2_priv.h
+@@ -146,6 +146,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs)
+
+ #endif
+
++#ifndef SIZE_MAX
++#if _WIN64
++#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
++#else
++#define SIZE_MAX 0xFFFFFFFF
++#endif
++#endif
++
++#ifndef UINT_MAX
++#define UINT_MAX 0xFFFFFFFF
++#endif
++
+ /* RFC4253 section 6.1 Maximum Packet Length says:
+ *
+ * "All implementations MUST be able to process packets with
+--
+2.17.2
+
diff --git a/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch b/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch
deleted file mode 100644
index cc1cbb4..0000000
--- a/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch
+++ /dev/null
@@ -1,223 +0,0 @@
-From 6e0d757f24a45252c4cae9ea09732eda2562c767 Mon Sep 17 00:00:00 2001
-From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Tue, 9 Apr 2013 11:42:09 +0200
-Subject: [PATCH 3/3] sftp: Add support for fsync (OpenSSH extension).
-
-The new libssh2_sftp_fsync API causes data and metadata in the
-currently open file to be committed to disk at the server.
-
-This is an OpenSSH extension to the SFTP protocol. See:
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=1798
----
- docs/Makefile.am | 1 +
- docs/libssh2_sftp_fsync.3 | 39 +++++++++++++++++++
- include/libssh2_sftp.h | 1 +
- src/sftp.c | 97 +++++++++++++++++++++++++++++++++++++++++++++++
- src/sftp.h | 5 +++
- 5 files changed, 143 insertions(+)
- create mode 100644 docs/libssh2_sftp_fsync.3
-
-diff --git a/docs/Makefile.am b/docs/Makefile.am
-index e4cf487..e6ab394 100644
---- a/docs/Makefile.am
-+++ b/docs/Makefile.am
-@@ -120,6 +120,7 @@ dist_man_MANS = \
- libssh2_sftp_fstat.3 \
- libssh2_sftp_fstat_ex.3 \
- libssh2_sftp_fstatvfs.3 \
-+ libssh2_sftp_fsync.3 \
- libssh2_sftp_get_channel.3 \
- libssh2_sftp_init.3 \
- libssh2_sftp_last_error.3 \
-diff --git a/docs/libssh2_sftp_fsync.3 b/docs/libssh2_sftp_fsync.3
-new file mode 100644
-index 0000000..646760a
---- /dev/null
-+++ b/docs/libssh2_sftp_fsync.3
-@@ -0,0 +1,39 @@
-+.TH libssh2_sftp_fsync 3 "8 Apr 2013" "libssh2 1.4.4" "libssh2 manual"
-+.SH NAME
-+libssh2_sftp_fsync - synchronize file to disk
-+.SH SYNOPSIS
-+.nf
-+#include <libssh2.h>
-+#include <libssh2_sftp.h>
-+
-+int
-+libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *handle)
-+.fi
-+.SH DESCRIPTION
-+This function causes the remote server to synchronize the file
-+data and metadata to disk (like fsync(2)).
-+
-+For this to work requires fsync@openssh.com support on the server.
-+
-+\fIhandle\fP - SFTP File Handle as returned by
-+.BR libssh2_sftp_open_ex(3)
-+
-+.SH RETURN VALUE
-+Returns 0 on success or negative on failure. If used in non-blocking mode, it
-+returns LIBSSH2_ERROR_EAGAIN when it would otherwise block. While
-+LIBSSH2_ERROR_EAGAIN is a negative number, it isn't really a failure per se.
-+.SH ERRORS
-+\fILIBSSH2_ERROR_ALLOC\fP - An internal memory allocation call failed.
-+
-+\fILIBSSH2_ERROR_SOCKET_SEND\fP - Unable to send data on socket.
-+
-+\fILIBSSH2_ERROR_SFTP_PROTOCOL\fP - An invalid SFTP protocol response
-+was received on the socket, or an SFTP operation caused an errorcode
-+to be returned by the server. In particular, this can be returned if
-+the SSH server does not support the fsync operation: the SFTP subcode
-+\fILIBSSH2_FX_OP_UNSUPPORTED\fP will be returned in this case.
-+
-+.SH AVAILABILITY
-+Added in libssh2 1.4.4 and OpenSSH 6.3.
-+.SH SEE ALSO
-+.BR fsync(2)
-diff --git a/include/libssh2_sftp.h b/include/libssh2_sftp.h
-index 74884fb..677faf2 100644
---- a/include/libssh2_sftp.h
-+++ b/include/libssh2_sftp.h
-@@ -247,6 +247,7 @@ LIBSSH2_API int libssh2_sftp_readdir_ex(LIBSSH2_SFTP_HANDLE *handle, \
-
- LIBSSH2_API ssize_t libssh2_sftp_write(LIBSSH2_SFTP_HANDLE *handle,
- const char *buffer, size_t count);
-+LIBSSH2_API int libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *handle);
-
- LIBSSH2_API int libssh2_sftp_close_handle(LIBSSH2_SFTP_HANDLE *handle);
- #define libssh2_sftp_close(handle) libssh2_sftp_close_handle(handle)
-diff --git a/src/sftp.c b/src/sftp.c
-index 65fa77a..01017fd 100644
---- a/src/sftp.c
-+++ b/src/sftp.c
-@@ -986,6 +986,10 @@ sftp_shutdown(LIBSSH2_SFTP *sftp)
- LIBSSH2_FREE(session, sftp->symlink_packet);
- sftp->symlink_packet = NULL;
- }
-+ if (sftp->fsync_packet) {
-+ LIBSSH2_FREE(session, sftp->fsync_packet);
-+ sftp->fsync_packet = NULL;
-+ }
-
- sftp_packet_flush(sftp);
-
-@@ -2014,6 +2018,99 @@ libssh2_sftp_write(LIBSSH2_SFTP_HANDLE *hnd, const char *buffer,
-
- }
-
-+static int sftp_fsync(LIBSSH2_SFTP_HANDLE *handle)
-+{
-+ LIBSSH2_SFTP *sftp = handle->sftp;
-+ LIBSSH2_CHANNEL *channel = sftp->channel;
-+ LIBSSH2_SESSION *session = channel->session;
-+ /* 34 = packet_len(4) + packet_type(1) + request_id(4) +
-+ string_len(4) + strlen("fsync@openssh.com")(17) + handle_len(4) */
-+ uint32_t packet_len = handle->handle_len + 34;
-+ size_t data_len;
-+ unsigned char *packet, *s, *data;
-+ ssize_t rc;
-+ uint32_t retcode;
-+
-+ if (sftp->fsync_state == libssh2_NB_state_idle) {
-+ _libssh2_debug(session, LIBSSH2_TRACE_SFTP,
-+ "Issuing fsync command");
-+ s = packet = LIBSSH2_ALLOC(session, packet_len);
-+ if (!packet) {
-+ return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
-+ "Unable to allocate memory for FXP_EXTENDED "
-+ "packet");
-+ }
-+
-+ _libssh2_store_u32(&s, packet_len - 4);
-+ *(s++) = SSH_FXP_EXTENDED;
-+ sftp->fsync_request_id = sftp->request_id++;
-+ _libssh2_store_u32(&s, sftp->fsync_request_id);
-+ _libssh2_store_str(&s, "fsync@openssh.com", 17);
-+ _libssh2_store_str(&s, handle->handle, handle->handle_len);
-+
-+ sftp->fsync_state = libssh2_NB_state_created;
-+ } else {
-+ packet = sftp->fsync_packet;
-+ }
-+
-+ if (sftp->fsync_state == libssh2_NB_state_created) {
-+ rc = _libssh2_channel_write(channel, 0, packet, packet_len);
-+ if (rc == LIBSSH2_ERROR_EAGAIN ||
-+ (0 <= rc && rc < (ssize_t)packet_len)) {
-+ sftp->fsync_packet = packet;
-+ return LIBSSH2_ERROR_EAGAIN;
-+ }
-+
-+ LIBSSH2_FREE(session, packet);
-+ sftp->fsync_packet = NULL;
-+
-+ if (rc < 0) {
-+ sftp->fsync_state = libssh2_NB_state_idle;
-+ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND,
-+ "_libssh2_channel_write() failed");
-+ }
-+ sftp->fsync_state = libssh2_NB_state_sent;
-+ }
-+
-+ rc = sftp_packet_require(sftp, SSH_FXP_STATUS,
-+ sftp->fsync_request_id, &data, &data_len);
-+ if (rc == LIBSSH2_ERROR_EAGAIN) {
-+ return rc;
-+ } else if (rc) {
-+ sftp->fsync_state = libssh2_NB_state_idle;
-+ return _libssh2_error(session, rc,
-+ "Error waiting for FXP EXTENDED REPLY");
-+ }
-+
-+ sftp->fsync_state = libssh2_NB_state_idle;
-+
-+ retcode = _libssh2_ntohu32(data + 5);
-+ LIBSSH2_FREE(session, data);
-+
-+ if (retcode != LIBSSH2_FX_OK) {
-+ sftp->last_errno = retcode;
-+ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL,
-+ "fsync failed");
-+ }
-+
-+ return 0;
-+}
-+
-+/* libssh2_sftp_fsync
-+ * Commit data on the handle to disk.
-+ */
-+LIBSSH2_API int
-+libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *hnd)
-+{
-+ int rc;
-+ if(!hnd)
-+ return LIBSSH2_ERROR_BAD_USE;
-+ BLOCK_ADJUST(rc, hnd->sftp->channel->session,
-+ sftp_fsync(hnd));
-+ return rc;
-+}
-+
-+
- /*
- * sftp_fstat
- *
-diff --git a/src/sftp.h b/src/sftp.h
-index 55bdb46..63e8139 100644
---- a/src/sftp.h
-+++ b/src/sftp.h
-@@ -175,6 +175,11 @@ struct _LIBSSH2_SFTP
- /* State variable used in sftp_write() */
- libssh2_nonblocking_states write_state;
-
-+ /* State variables used in sftp_fsync() */
-+ libssh2_nonblocking_states fsync_state;
-+ unsigned char *fsync_packet;
-+ uint32_t fsync_request_id;
-+
- /* State variables used in libssh2_sftp_readdir() */
- libssh2_nonblocking_states readdir_state;
- unsigned char *readdir_packet;
---
-1.8.1.4
-
diff --git a/0004-libssh2-1.8.0-CVE-2019-3858.patch b/0004-libssh2-1.8.0-CVE-2019-3858.patch
new file mode 100644
index 0000000..04914c5
--- /dev/null
+++ b/0004-libssh2-1.8.0-CVE-2019-3858.patch
@@ -0,0 +1,30 @@
+From f06cf3a20dc3f54b7a9fc8127eb7719462caab39 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:32:05 +0100
+Subject: [PATCH] Resolves: CVE-2019-3858 - fix zero-byte allocation
+
+... with a specially crafted SFTP packet leading to an out-of-bounds read
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch
+---
+ src/sftp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/sftp.c b/src/sftp.c
+index 7c44116..65cef85 100644
+--- a/src/sftp.c
++++ b/src/sftp.c
+@@ -345,6 +345,10 @@ sftp_packet_read(LIBSSH2_SFTP *sftp)
+ return _libssh2_error(session,
+ LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED,
+ "SFTP packet too large");
++ if (sftp->partial_len == 0)
++ return _libssh2_error(session,
++ LIBSSH2_ERROR_ALLOC,
++ "Unable to allocate empty SFTP packet");
+
+ _libssh2_debug(session, LIBSSH2_TRACE_SFTP,
+ "Data begin - Packet Length: %lu",
+--
+2.17.2
+
diff --git a/0004-partially-revert-window_size-explicit-adjustments-on.patch b/0004-partially-revert-window_size-explicit-adjustments-on.patch
deleted file mode 100644
index fe7751a..0000000
--- a/0004-partially-revert-window_size-explicit-adjustments-on.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 9e56b84c41efcaf3349f82a93c3dc854e172e5c4 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Fri, 9 Aug 2013 16:22:08 +0200
-Subject: [PATCH 4/5] partially revert "window_size: explicit adjustments only"
-
-This partially reverts commit 03ca9020756a4e16f0294e5b35e9826ee6af2364
-in order to fix extreme slowdown when uploading to localhost via SFTP.
-
-I was able to repeat the issue on RHEL-7 on localhost only. It did not
-occur when uploading via network and it did not occur on a RHEL-6 box
-with the same version of libssh2.
-
-The problem was that sftp_read() used a read-ahead logic to figure out
-the window_size, but sftp_packet_read() called indirectly from
-sftp_write() did not use any read-ahead logic.
----
- src/channel.c | 29 +++++++++++++++++++++++++++++
- 1 files changed, 29 insertions(+), 0 deletions(-)
-
-diff --git a/src/channel.c b/src/channel.c
-index 4f41e1f..d4ffdce 100644
---- a/src/channel.c
-+++ b/src/channel.c
-@@ -1759,6 +1759,15 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id,
- channel->read_state = libssh2_NB_state_created;
- }
-
-+ /*
-+ * =============================== NOTE ===============================
-+ * I know this is very ugly and not a really good use of "goto", but
-+ * this case statement would be even uglier to do it any other way
-+ */
-+ if (channel->read_state == libssh2_NB_state_jump1) {
-+ goto channel_read_window_adjust;
-+ }
-+
- rc = 1; /* set to >0 to let the while loop start */
-
- /* Process all pending incoming packets in all states in order to "even
-@@ -1867,6 +1876,26 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id,
- more off the network again */
- channel->read_state = libssh2_NB_state_created;
-
-+ if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) {
-+ /* the window is getting too narrow, expand it! */
-+
-+ channel_read_window_adjust:
-+ channel->read_state = libssh2_NB_state_jump1;
-+ /* the actual window adjusting may not finish so we need to deal with
-+ this special state here */
-+ rc = _libssh2_channel_receive_window_adjust(channel,
-+ (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), 0, NULL);
-+ if (rc)
-+ return rc;
-+
-+ _libssh2_debug(session, LIBSSH2_TRACE_CONN,
-+ "channel_read() filled %d adjusted %d",
-+ bytes_read, buflen);
-+ /* continue in 'created' state to drain the already read packages
-+ first before starting to empty the socket further */
-+ channel->read_state = libssh2_NB_state_created;
-+ }
-+
- return bytes_read;
- }
-
---
-1.7.1
-
diff --git a/0005-channel.c-fix-a-use-after-free.patch b/0005-channel.c-fix-a-use-after-free.patch
deleted file mode 100644
index 8fa0a05..0000000
--- a/0005-channel.c-fix-a-use-after-free.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 96e1078fced70e39e4163857ad8345ae9d24573f Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Wed, 14 Aug 2013 17:37:00 +0200
-Subject: [PATCH 5/5] channel.c: fix a use after free
-
-Bug: https://trac.libssh2.org/ticket/268
----
- src/channel.c | 2 --
- 1 files changed, 0 insertions(+), 2 deletions(-)
-
-diff --git a/src/channel.c b/src/channel.c
-index d4ffdce..9f2c241 100644
---- a/src/channel.c
-+++ b/src/channel.c
-@@ -670,8 +670,6 @@ int _libssh2_channel_forward_cancel(LIBSSH2_LISTENER *listener)
-
- LIBSSH2_FREE(session, listener);
-
-- listener->chanFwdCncl_state = libssh2_NB_state_idle;
--
- return 0;
- }
-
---
-1.7.1
-
diff --git a/0007-libssh2-1.8.0-CVE-2019-3861.patch b/0007-libssh2-1.8.0-CVE-2019-3861.patch
new file mode 100644
index 0000000..d40bb71
--- /dev/null
+++ b/0007-libssh2-1.8.0-CVE-2019-3861.patch
@@ -0,0 +1,28 @@
+From 77bc71f4ca2949a11110092034dd0705faa6d7b5 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:43:34 +0100
+Subject: [PATCH] Resolves: CVE-2019-3861 - fix out-of-bounds reads with
+ specially crafted SSH packets
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch
+---
+ src/transport.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/transport.c b/src/transport.c
+index 5349284..6224c4f 100644
+--- a/src/transport.c
++++ b/src/transport.c
+@@ -442,6 +442,9 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
+ }
+
+ p->padding_length = block[4];
++ if ( p->padding_length > p->packet_length - 1 ) {
++ return LIBSSH2_ERROR_DECRYPT;
++ }
+
+ /* total_num is the number of bytes following the initial
+ (5 bytes) packet length and padding length fields */
+--
+2.17.2
+
diff --git a/0008-libssh2-1.8.0-CVE-2019-3862.patch b/0008-libssh2-1.8.0-CVE-2019-3862.patch
new file mode 100644
index 0000000..f1632a5
--- /dev/null
+++ b/0008-libssh2-1.8.0-CVE-2019-3862.patch
@@ -0,0 +1,75 @@
+From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:45:22 +0100
+Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison
+
+... with specially crafted message channel request
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
+---
+ src/packet.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index aa10633..c950b5d 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len = _libssh2_ntohu32(data + 5);
+ unsigned char want_reply = 1;
+
+- if(len < (datalen - 10))
+- want_reply = data[9 + len];
++ if((len + 9) < datalen)
++ want_reply = data[len + 9];
+
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
+@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ channel, len, data + 9, want_reply);
+
+ if (len == sizeof("exit-status") - 1
++ && (sizeof("exit-status") - 1 + 9) <= datalen
+ && !memcmp("exit-status", data + 9,
+ sizeof("exit-status") - 1)) {
+
+@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ channelp =
+ _libssh2_channel_locate(session, channel);
+
+- if (channelp) {
++ if (channelp && (sizeof("exit-status") + 13) <= datalen) {
+ channelp->exit_status =
+ _libssh2_ntohu32(data + 9 + sizeof("exit-status"));
+ _libssh2_debug(session, LIBSSH2_TRACE_CONN,
+@@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ }
+ else if (len == sizeof("exit-signal") - 1
++ && (sizeof("exit-signal") - 1 + 9) <= datalen
+ && !memcmp("exit-signal", data + 9,
+ sizeof("exit-signal") - 1)) {
+ /* command terminated due to signal */
+ if(datalen >= 20)
+ channelp = _libssh2_channel_locate(session, channel);
+
+- if (channelp) {
++ if (channelp && (sizeof("exit-signal") + 13) <= datalen) {
+ /* set signal name (without SIG prefix) */
+ uint32_t namelen =
+ _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
+@@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ if (!channelp->exit_signal)
+ rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+ "memory for signal name");
+- else {
++ else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) {
+ memcpy(channelp->exit_signal,
+- data + 13 + sizeof("exit_signal"), namelen);
++ data + 13 + sizeof("exit-signal"), namelen);
+ channelp->exit_signal[namelen] = '\0';
+ /* TODO: save error message and language tag */
+ _libssh2_debug(session, LIBSSH2_TRACE_CONN,
+--
+2.17.2
+
diff --git a/0009-libssh2-1.8.0-CVE-2019-3863.patch b/0009-libssh2-1.8.0-CVE-2019-3863.patch
new file mode 100644
index 0000000..77615fd
--- /dev/null
+++ b/0009-libssh2-1.8.0-CVE-2019-3863.patch
@@ -0,0 +1,40 @@
+From 9ed3c716b63c77e9b52f71f2dae5464ade6143df Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:47:41 +0100
+Subject: [PATCH] Resolves: CVE-2019-3863 - fix integer overflow in user
+ authenticate keyboard interactive
+
+... that allows out-of-bounds writes
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
+---
+ src/userauth.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index 3946cf9..ee924c5 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -1808,8 +1808,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
+
+ for(i = 0; i < session->userauth_kybd_num_prompts; i++) {
+ /* string response[1] (ISO-10646 UTF-8) */
+- session->userauth_kybd_packet_len +=
+- 4 + session->userauth_kybd_responses[i].length;
++ if(session->userauth_kybd_responses[i].length <=
++ (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) {
++ session->userauth_kybd_packet_len +=
++ 4 + session->userauth_kybd_responses[i].length;
++ }
++ else {
++ _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
++ "Unable to allocate memory for keyboard-"
++ "interactive response packet");
++ goto cleanup;
++ }
+ }
+
+ /* A new userauth_kybd_data area is to be allocated, free the
+--
+2.17.2
+
diff --git a/0010-libssh2-1.8.0-CVE-2019-17498.patch b/0010-libssh2-1.8.0-CVE-2019-17498.patch
new file mode 100644
index 0000000..319e1fd
--- /dev/null
+++ b/0010-libssh2-1.8.0-CVE-2019-17498.patch
@@ -0,0 +1,232 @@
+From 1ea36437bb4b0f3ac42db5222cd7311363fa6ec9 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+
+Upstream-commit: dedcbd106f8e52d5586b0205bc7677e4c9868f9c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/misc.c | 37 +++++++++++++++++++++++
+ src/misc.h | 10 +++++++
+ src/packet.c | 84 ++++++++++++++++++++++++----------------------------
+ 3 files changed, 85 insertions(+), 46 deletions(-)
+
+diff --git a/src/misc.c b/src/misc.c
+index f7faae7..1b2682f 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -643,3 +643,40 @@ void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size)
+ }
+ return p;
+ }
++
++int _libssh2_check_length(struct string_buf *buf, size_t len)
++{
++ unsigned char *endp = &buf->data[buf->len];
++ size_t left = endp - buf->dataptr;
++ return ((len <= left) && (left <= buf->len));
++}
++
++int _libssh2_get_u32(struct string_buf *buf, uint32_t *out)
++{
++ if(!_libssh2_check_length(buf, 4)) {
++ return -1;
++ }
++
++ *out = _libssh2_ntohu32(buf->dataptr);
++ buf->dataptr += 4;
++ return 0;
++}
++
++int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf,
++ size_t *outlen)
++{
++ uint32_t data_len;
++ if(_libssh2_get_u32(buf, &data_len) != 0) {
++ return -1;
++ }
++ if(!_libssh2_check_length(buf, data_len)) {
++ return -1;
++ }
++ *outbuf = buf->dataptr;
++ buf->dataptr += data_len;
++
++ if(outlen)
++ *outlen = (size_t)data_len;
++
++ return 0;
++}
+diff --git a/src/misc.h b/src/misc.h
+index 54ae546..cf5abb5 100644
+--- a/src/misc.h
++++ b/src/misc.h
+@@ -49,6 +49,12 @@ struct list_node {
+ struct list_head *head;
+ };
+
++struct string_buf {
++ unsigned char *data;
++ unsigned char *dataptr;
++ size_t len;
++};
++
+ int _libssh2_error_flags(LIBSSH2_SESSION* session, int errcode, const char* errmsg, int errflags);
+ int _libssh2_error(LIBSSH2_SESSION* session, int errcode, const char* errmsg);
+
+@@ -80,6 +86,10 @@ void _libssh2_store_u32(unsigned char **buf, uint32_t value);
+ void _libssh2_store_str(unsigned char **buf, const char *str, size_t len);
+ void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size);
+
++int _libssh2_get_u32(struct string_buf *buf, uint32_t *out);
++int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf,
++ size_t *outlen);
++
+ #if defined(LIBSSH2_WIN32) && !defined(__MINGW32__) && !defined(__CYGWIN__)
+ /* provide a private one */
+ #undef HAVE_GETTIMEOFDAY
+diff --git a/src/packet.c b/src/packet.c
+index c950b5d..f180b77 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -416,10 +416,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ size_t datalen, int macstate)
+ {
+ int rc = 0;
+- char *message=NULL;
+- char *language=NULL;
+- size_t message_len=0;
+- size_t language_len=0;
++ unsigned char *message = NULL;
++ unsigned char *language = NULL;
++ size_t message_len = 0;
++ size_t language_len = 0;
+ LIBSSH2_CHANNEL *channelp = NULL;
+ size_t data_head = 0;
+ unsigned char msg = data[0];
+@@ -430,7 +430,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ "Packet type %d received, length=%d",
+ (int) msg, (int) datalen);
+
+- if ((macstate == LIBSSH2_MAC_INVALID) &&
++ if((macstate == LIBSSH2_MAC_INVALID) &&
+ (!session->macerror ||
+ LIBSSH2_MACERROR(session, (char *) data, datalen))) {
+ /* Bad MAC input, but no callback set or non-zero return from the
+@@ -456,9 +456,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ break;
+ }
+
+- if (session->packAdd_state == libssh2_NB_state_allocated) {
++ if(session->packAdd_state == libssh2_NB_state_allocated) {
+ /* A couple exceptions to the packet adding rule: */
+- switch (msg) {
++ switch(msg) {
+
+ /*
+ byte SSH_MSG_DISCONNECT
+@@ -469,32 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ case SSH_MSG_DISCONNECT:
+ if(datalen >= 5) {
+- size_t reason = _libssh2_ntohu32(data + 1);
+-
+- if(datalen >= 9) {
+- message_len = _libssh2_ntohu32(data + 5);
+-
+- if(message_len < datalen-13) {
+- /* 9 = packet_type(1) + reason(4) + message_len(4) */
+- message = (char *) data + 9;
+-
+- language_len = _libssh2_ntohu32(data + 9 + message_len);
+- language = (char *) data + 9 + message_len + 4;
+-
+- if(language_len > (datalen-13-message_len)) {
+- /* bad input, clear info */
+- language = message = NULL;
+- language_len = message_len = 0;
+- }
+- }
+- else
+- /* bad size, clear it */
+- message_len=0;
+- }
+- if (session->ssh_msg_disconnect) {
+- LIBSSH2_DISCONNECT(session, reason, message,
+- message_len, language, language_len);
++ uint32_t reason = 0;
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr++; /* advance past type */
++
++ _libssh2_get_u32(&buf, &reason);
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
++
++ if(session->ssh_msg_disconnect) {
++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
++
+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+ "Disconnect(%d): %s(%s)", reason,
+ message, language);
+@@ -534,23 +525,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ int always_display= data[1];
+
+ if(datalen >= 6) {
+- message_len = _libssh2_ntohu32(data + 2);
+-
+- if(message_len <= (datalen - 10)) {
+- /* 6 = packet_type(1) + display(1) + message_len(4) */
+- message = (char *) data + 6;
+- language_len = _libssh2_ntohu32(data + 6 + message_len);
+-
+- if(language_len <= (datalen - 10 - message_len))
+- language = (char *) data + 10 + message_len;
+- }
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 2; /* advance past type & always display */
++
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+ }
+
+- if (session->ssh_msg_debug) {
+- LIBSSH2_DEBUG(session, always_display, message,
+- message_len, language, language_len);
++ if(session->ssh_msg_debug) {
++ LIBSSH2_DEBUG(session, always_display,
++ (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
+ }
++
+ /*
+ * _libssh2_debug will actually truncate this for us so
+ * that it's not an inordinate about of data
+@@ -573,7 +565,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len =0;
+ unsigned char want_reply=0;
+ len = _libssh2_ntohu32(data + 1);
+- if(datalen >= (6 + len)) {
++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+ want_reply = data[5 + len];
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
+--
+2.20.1
+
diff --git a/0014-libssh2-1.4.3-scp-remote-exec.patch b/0014-libssh2-1.4.3-scp-remote-exec.patch
new file mode 100644
index 0000000..971a7c9
--- /dev/null
+++ b/0014-libssh2-1.4.3-scp-remote-exec.patch
@@ -0,0 +1,48 @@
+From 9506e299fa5116aa8c4c626e6de1feaed9ff9ff8 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 11 Sep 2017 21:13:45 +0200
+Subject: [PATCH] scp: do not NUL-terminate the command for remote exec (#208)
+
+It breaks SCP download/upload from/to certain server implementations.
+
+The bug does not manifest with OpenSSH, which silently drops the NUL
+byte (eventually with any garbage that follows the NUL byte) before
+executing it.
+
+Bug: https://bugzilla.redhat.com/1489736
+
+Upstream-commit: 819ef4f2037490b6aa2e870aea851b6364184090
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/scp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/scp.c b/src/scp.c
+index f3d4995..c6451bc 100644
+--- a/src/scp.c
++++ b/src/scp.c
+@@ -303,8 +303,8 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, libssh2_struct_stat * sb)
+ &session->scpRecv_command[cmd_len],
+ session->scpRecv_command_len - cmd_len);
+
+- session->scpRecv_command[cmd_len] = '\0';
+- session->scpRecv_command_len = cmd_len + 1;
++ /* the command to exec should _not_ be NUL-terminated */
++ session->scpRecv_command_len = cmd_len;
+
+ _libssh2_debug(session, LIBSSH2_TRACE_SCP,
+ "Opening channel for SCP receive");
+@@ -845,8 +845,8 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode,
+ &session->scpSend_command[cmd_len],
+ session->scpSend_command_len - cmd_len);
+
+- session->scpSend_command[cmd_len] = '\0';
+- session->scpSend_command_len = cmd_len + 1;
++ /* the command to exec should _not_ be NUL-terminated */
++ session->scpSend_command_len = cmd_len;
+
+ _libssh2_debug(session, LIBSSH2_TRACE_SCP,
+ "Opening channel for SCP send");
+--
+2.13.5
+
diff --git a/0015-libssh2-1.4.3-debug-msgs.patch b/0015-libssh2-1.4.3-debug-msgs.patch
new file mode 100644
index 0000000..034f337
--- /dev/null
+++ b/0015-libssh2-1.4.3-debug-msgs.patch
@@ -0,0 +1,70 @@
+From c1bbc2d6b0708dcb1fd014554585296b0ba25a43 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 9 Oct 2017 17:35:51 +0200
+Subject: [PATCH] session: avoid printing misleading debug messages
+
+... while throwing LIBSSH2_ERROR_EAGAIN out of session_startup()
+
+If the session runs in blocking mode, LIBSSH2_ERROR_EAGAIN never reaches
+the libssh2 API boundary and, in non-blocking mode, these messages are
+suppressed by the condition in _libssh2_error_flags() anyway.
+
+Closes #211
+
+Upstream-commit: 712c6cbdd2f1b509f586aea5889a5c1deb7c9bda
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/session.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/session.c b/src/session.c
+index 9838d2b..62ef70d 100644
+--- a/src/session.c
++++ b/src/session.c
+@@ -703,7 +703,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
+
+ if (session->startup_state == libssh2_NB_state_created) {
+ rc = banner_send(session);
+- if (rc) {
++ if (rc == LIBSSH2_ERROR_EAGAIN)
++ return rc;
++ else if (rc) {
+ return _libssh2_error(session, rc,
+ "Failed sending banner");
+ }
+@@ -714,7 +716,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
+ if (session->startup_state == libssh2_NB_state_sent) {
+ do {
+ rc = banner_receive(session);
+- if (rc)
++ if (rc == LIBSSH2_ERROR_EAGAIN)
++ return rc;
++ else if (rc)
+ return _libssh2_error(session, rc,
+ "Failed getting banner");
+ } while(strncmp("SSH-", (char *)session->remote.banner, 4));
+@@ -724,7 +728,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
+
+ if (session->startup_state == libssh2_NB_state_sent1) {
+ rc = _libssh2_kex_exchange(session, 0, &session->startup_key_state);
+- if (rc)
++ if (rc == LIBSSH2_ERROR_EAGAIN)
++ return rc;
++ else if (rc)
+ return _libssh2_error(session, rc,
+ "Unable to exchange encryption keys");
+
+@@ -749,7 +755,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock)
+ rc = _libssh2_transport_send(session, session->startup_service,
+ sizeof("ssh-userauth") + 5 - 1,
+ NULL, 0);
+- if (rc) {
++ if (rc == LIBSSH2_ERROR_EAGAIN)
++ return rc;
++ else if (rc) {
+ return _libssh2_error(session, rc,
+ "Unable to ask for ssh-userauth service");
+ }
+--
+2.13.6
+
diff --git a/Makefile b/Makefile
index 1e65467..91b0fd5 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
SRCDIR := $(shell pwd)
NAME := $(shell basename $(SRCDIR))
-include ../common/Makefile
+include ../../common/Makefile
diff --git a/libssh2-1.4.2-utf8.patch b/libssh2-1.4.2-utf8.patch
deleted file mode 100644
index 9177691..0000000
--- a/libssh2-1.4.2-utf8.patch
+++ /dev/null
@@ -1,14 +0,0 @@
- NEWS | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
---- libssh2/NEWS
-+++ libssh2/NEWS
-@@ -3552,7 +3552,7 @@ Simon Josefsson (16 Nov 2009)
- - support arcfour128 cipher per RFC 4345
-
- Daniel Stenberg (21 Oct 2009)
--- [Cristian Rodríguez brought this change]
-+- [Cristian Rodríguez brought this change]
-
- add support for GCC visibility features
-
diff --git a/libssh2.spec b/libssh2.spec
index d9f88a4..f704268 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,42 +1,57 @@
-# Fedora 10 onwards support noarch subpackages; by using one, we can
-# put the arch-independent docs in a common subpackage and save lots
-# of space on the mirrors
-%if 0%{?fedora} > 9 || 0%{?rhel} > 5
-%global noarch_docs_package 1
-%else
-%global noarch_docs_package 0
-%endif
+Name: libssh2
+Version: 1.8.0
+Release: 4%{?dist}
+Summary: A library implementing the SSH2 protocol
+Group: System Environment/Libraries
+License: BSD
+URL: http://www.libssh2.org/
+Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz
+
+# fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855)
+Patch1: 0001-libssh2-1.8.0-CVE-2019-3855.patch
+
+# fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856)
+Patch2: 0002-libssh2-1.8.0-CVE-2019-3856.patch
+
+# fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857)
+Patch3: 0003-libssh2-1.8.0-CVE-2019-3857.patch
+
+# fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858)
+Patch4: 0004-libssh2-1.8.0-CVE-2019-3858.patch
+
+# fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
+Patch7: 0007-libssh2-1.8.0-CVE-2019-3861.patch
+
+# fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862)
+Patch8: 0008-libssh2-1.8.0-CVE-2019-3862.patch
-# Define %%{__isa_bits} for old releases
-%{!?__isa_bits: %global __isa_bits %((echo '#include <bits/wordsize.h>'; echo __WORDSIZE) | cpp - | grep -Ex '32|64')}
-
-Name: libssh2
-Version: 1.4.3
-Release: 8%{?dist}.1
-Summary: A library implementing the SSH2 protocol
-Group: System Environment/Libraries
-License: BSD
-URL: http://www.libssh2.org/
-Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz
-Patch0: libssh2-1.4.2-utf8.patch
-Patch1: 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch
-Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch
-Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch
-Patch4: 0004-partially-revert-window_size-explicit-adjustments-on.patch
-Patch5: 0005-channel.c-fix-a-use-after-free.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
-BuildRequires: openssl-devel
-BuildRequires: zlib-devel
-BuildRequires: /usr/bin/man
+# fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863)
+Patch9: 0009-libssh2-1.8.0-CVE-2019-3863.patch
+
+# fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
+Patch10: 0010-libssh2-1.8.0-CVE-2019-17498.patch
+
+Patch14: 0014-libssh2-1.4.3-scp-remote-exec.patch
+Patch15: 0015-libssh2-1.4.3-debug-msgs.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
+
+BuildRequires: coreutils
+BuildRequires: findutils
+BuildRequires: gcc
+BuildRequires: make
+BuildRequires: openssl-devel
+BuildRequires: sed
+BuildRequires: zlib-devel
+BuildRequires: /usr/bin/man
# Test suite requirements - we run the OpenSSH server and try to connect to it
-BuildRequires: openssh-server
+BuildRequires: openssh-server
# We use matchpathcon to get the correct SELinux context for the ssh server
# initialization script so that it can transition correctly in an SELinux
-# environment; matchpathcon is only available from FC-4 and moved from the
-# libselinux to libselinux-utils package in F-10
-%if (0%{?fedora} >= 4 || 0%{?rhel} >= 5) && !(0%{?fedora} >=17 || 0%{?rhel} >=7)
-BuildRequires: /usr/sbin/matchpathcon selinux-policy-targeted
+# environment
+%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7)
+BuildRequires: libselinux-utils
+BuildRequires: selinux-policy-targeted
%endif
%description
@@ -45,49 +60,46 @@ Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25),
SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*,
SECSH-DHGEX(04), and SECSH-NUMBERS(10).
-%package devel
-Summary: Development files for libssh2
-Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
-Requires: openssl-devel
-Requires: pkgconfig
+%package devel
+Summary: Development files for libssh2
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: pkgconfig
-%description devel
+%description devel
The libssh2-devel package contains libraries and header files for
developing applications that use libssh2.
-%package docs
-Summary: Documentation for libssh2
-Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
-%if %{noarch_docs_package}
-BuildArch: noarch
-%endif
+%package docs
+Summary: Documentation for libssh2
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}
+BuildArch: noarch
-%description docs
+%description docs
The libssh2-docs package contains man pages and examples for
developing applications that use libssh2.
%prep
%setup -q
-
-# Replace hard wired port number in the test suite to avoid collisions
-# between 32-bit and 64-bit builds running on a single build-host
-sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh}
-
-# Make sure things are UTF-8...
-%patch0 -p1
-
-# Three upstream patches required for qemu ssh block driver.
%patch1 -p1
%patch2 -p1
%patch3 -p1
-
-# http://thread.gmane.org/gmane.network.ssh.libssh2.devel/6428
%patch4 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+
+# Replace hard wired port number in the test suite to avoid collisions
+# between 32-bit and 64-bit builds running on a single build-host
+sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh}
+
+# scp: send valid commands for remote execution (#1489733)
+%patch14 -p1
-# https://trac.libssh2.org/ticket/268
-%patch5 -p1
+# session: avoid printing misleading debug messages (#1503294)
+%patch15 -p1
# Make sshd transition appropriately if building in an SELinux environment
%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7)
@@ -97,7 +109,7 @@ chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} |
%endif
%build
-%configure --disable-static --enable-shared
+%configure --disable-silent-rules --disable-static --enable-shared
make %{?_smp_mflags}
# Avoid polluting libssh2.pc with linker options (#947813)
@@ -106,17 +118,18 @@ sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc
%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot} INSTALL="install -p"
-find %{buildroot} -name '*.la' -exec rm -f {} \;
+find %{buildroot} -name '*.la' -delete
# clean things up a bit for packaging
make -C example clean
rm -rf example/.deps
-find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} \;
+find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -delete
# avoid multilib conflict on libssh2-devel
mv -v example example.%{_arch}
%check
+echo "Running tests for %{_arch}"
# The SSH test will fail if we don't have /dev/tty, as is the case in some
# versions of mock (#672713)
if [ ! -c /dev/tty ]; then
@@ -128,6 +141,11 @@ fi
echo Skipping SSH test on sparc/arm
echo "exit 0" > tests/ssh2.sh
%endif
+# mansyntax check fails on PPC* and aarch64 with some strange locale error
+%ifarch ppc %{power64} aarch64
+echo "Skipping mansyntax test on PPC* and aarch64"
+echo "exit 0" > tests/mansyntax.sh
+%endif
make -C tests check
%clean
@@ -138,18 +156,15 @@ rm -rf %{buildroot}
%postun -p /sbin/ldconfig
%files
-%defattr(-,root,root,-)
-%doc AUTHORS ChangeLog COPYING README NEWS
+%doc COPYING docs/AUTHORS README RELEASE-NOTES
%{_libdir}/libssh2.so.1
%{_libdir}/libssh2.so.1.*
%files docs
-%defattr(-,root,root,-)
-%doc HACKING
+%doc docs/BINDINGS docs/HACKING docs/TODO NEWS
%{_mandir}/man3/libssh2_*.3*
%files devel
-%defattr(-,root,root,-)
%doc example.%{_arch}/
%{_includedir}/libssh2.h
%{_includedir}/libssh2_publickey.h
@@ -158,16 +173,172 @@ rm -rf %{buildroot}
%{_libdir}/pkgconfig/libssh2.pc
%changelog
-* Sat Dec 20 2014 Remi Collet <RPMS@FamilleCollet.com> 1.4.3-8.1
-- libssh2-devel requires openssl-devel
-
-* Sat Dec 20 2014 Remi Collet <RPMS@FamilleCollet.com> 1.4.3-8
-- sync with 1.4.3-8 from RHEL-7
-- ABI is compatible according to ABI compliance checker
- http://upstream.rosalinux.ru/versions/libssh2.html
-
-* Sun Jul 24 2011 Remi Collet <RPMS@FamilleCollet.com> 1.2.7-1
-- rebuild for remi repo (EL-5)
+* Wed Oct 30 2019 Kamil Dudka <kdudka@redhat.com> - 1.8.0-4
+- fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
+
+* Wed Mar 20 2019 Kamil Dudka <kdudka@redhat.com> 1.8.0-3
+- sanitize public header file (detected by rpmdiff)
+
+* Tue Mar 19 2019 Kamil Dudka <kdudka@redhat.com> 1.8.0-2
+- fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863)
+- fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862)
+- fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
+- fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858)
+- fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857)
+- fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856)
+- fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855)
+
+* Wed Nov 21 2018 Kamil Dudka <kdudka@redhat.com> 1.8.0-1
+- rebase to 1.8.0 (#1592784)
+
+* Tue Sep 26 2017 Kamil Dudka <kdudka@redhat.com> 1.4.3-12
+- session: avoid printing misleading debug messages (#1503294)
+- scp: send valid commands for remote execution (#1489733)
+
+* Fri Feb 19 2016 Kamil Dudka <kdudka@redhat.com> 1.4.3-11
+- use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787)
+
+* Mon Jun 01 2015 Kamil Dudka <kdudka@redhat.com> 1.4.3-10
+- check length of data extracted from the SSH_MSG_KEXINIT packet (CVE-2015-1782)
+
+* Tue May 05 2015 Kamil Dudka <kdudka@redhat.com> 1.4.3-9
+- curl consumes too much memory during scp download (#1080459)
+- prevent a not-connected agent from closing STDIN (#1147717)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.4.3-8
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.4.3-7
+- Mass rebuild 2013-12-27
+
+* Wed Aug 14 2013 Kamil Dudka <kdudka@redhat.com> 1.4.3-6
+- fix very slow sftp upload to localhost
+- fix a use after free in channel.c
+
+* Tue Apr 9 2013 Richard W.M. Jones <rjones@redhat.com> 1.4.3-5
+- Add three patches from upstream git required for qemu ssh block driver.
+
+* Wed Apr 3 2013 Paul Howarth <paul@city-fan.org> 1.4.3-4
+- Avoid polluting libssh2.pc with linker options (#947813)
+
+* Tue Mar 26 2013 Kamil Dudka <kdudka@redhat.com> 1.4.3-3
+- Avoid collisions between 32-bit and 64-bit builds running on a single build
+ host
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Nov 28 2012 Paul Howarth <paul@city-fan.org> 1.4.3-1
+- Update to 1.4.3
+ - compression: add support for zlib@openssh.com
+ - sftp_read: return error if a too large package arrives
+ - libssh2_hostkey_hash.3: update the description of return value
+ - Fixed MSVC NMakefile
+ - examples: use stderr for messages, stdout for data
+ - openssl: do not leak memory when handling errors
+ - improved handling of disabled MD5 algorithm in OpenSSL
+ - known_hosts: Fail when parsing unknown keys in known_hosts file
+ - configure: gcrypt doesn't come with pkg-config support
+ - session_free: wrong variable used for keeping state
+ - libssh2_userauth_publickey_fromfile_ex.3: mention publickey == NULL
+ - comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating
+- Drop upstreamed patches
+
+* Wed Nov 07 2012 Kamil Dudka <kdudka@redhat.com> 1.4.2-4
+- examples: use stderr for messages, stdout for data (upstream commit b31e35ab)
+- Update libssh2_hostkey_hash(3) man page (upstream commit fe8f3deb)
+
+* Wed Sep 26 2012 Kamil Dudka <kdudka@redhat.com> 1.4.2-3
+- Fix basic functionality of libssh2 in FIPS mode
+- Skip SELinux-related quirks on recent distros to prevent a test-suite failure
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun May 20 2012 Paul Howarth <paul@city-fan.org> 1.4.2-1
+- Update to 1.4.2
+ - Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner
+ - userauth.c: fread() from public key file to correctly detect any errors
+ - configure.ac: add option to disable build of the example applications
+ - added 'Requires.private:' line to libssh2.pc
+ - SFTP: filter off incoming "zombie" responses
+ - gettimeofday: no need for a replacement under cygwin
+ - SSH_MSG_CHANNEL_REQUEST: default to want_reply
+ - win32/libssh2_config.h: remove hardcoded #define LIBSSH2_HAVE_ZLIB
+
+* Fri Apr 27 2012 Paul Howarth <paul@city-fan.org> 1.4.1-2
+- Fix multi-arch conflict again (#816969)
+
+* Thu Apr 5 2012 Paul Howarth <paul@city-fan.org> 1.4.1-1
+- Update to 1.4.1
+ - Build error with gcrypt backend
+ - Always do "forced" window updates to avoid corner case stalls
+ - aes: the init function fails when OpenSSL has AES support
+ - transport_send: finish in-progress key exchange before sending data
+ - channel_write: acknowledge transport errors
+ - examples/x11.c: make sure sizeof passed to read operation is correct
+ - examples/x11.c: fix suspicious sizeof usage
+ - sftp_packet_add: verify the packet before accepting it
+ - SFTP: preserve the original error code more
+ - sftp_packet_read: adjust window size as necessary
+ - Use safer snprintf rather then sprintf in several places
+ - Define and use LIBSSH2_INVALID_SOCKET instead of INVALID_SOCKET
+ - sftp_write: cannot return acked data *and* EAGAIN
+ - sftp_read: avoid data *and* EAGAIN
+ - libssh2.h: add missing prototype for libssh2_session_banner_set()
+- Drop upstream patches now included in release tarball
+
+* Mon Mar 19 2012 Kamil Dudka <kdudka@redhat.com> 1.4.0-4
+- Don't ignore transport errors when writing to channel (#804150)
+
+* Sun Mar 18 2012 Paul Howarth <paul@city-fan.org> 1.4.0-3
+- Don't try to use openssl's AES-CTR functions
+ (http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0111.shtml)
+
+* Fri Mar 16 2012 Paul Howarth <paul@city-fan.org> 1.4.0-2
+- fix libssh2 failing key re-exchange when write channel is saturated (#804156)
+- drop %%defattr, redundant since rpm 4.4
+
+* Wed Feb 1 2012 Paul Howarth <paul@city-fan.org> 1.4.0-1
+- update to 1.4.0
+ - added libssh2_session_supported_algs()
+ - added libssh2_session_banner_get()
+ - added libssh2_sftp_get_channel()
+ - libssh2.h: bump the default window size to 256K
+ - sftp-seek: clear EOF flag
+ - userauth: provide more informations if ssh pub key extraction fails
+ - ssh2_exec: skip error outputs for EAGAIN
+ - LIBSSH2_SFTP_PACKET_MAXLEN: increase to 80000
+ - knownhost_check(): don't dereference ext if NULL is passed
+ - knownhost_add: avoid dereferencing uninitialized memory on error path
+ - OpenSSL EVP: fix threaded use of structs
+ - _libssh2_channel_read: react on errors from receive_window_adjust
+ - sftp_read: cap the read ahead maximum amount
+ - _libssh2_channel_read: fix non-blocking window adjusting
+- add upstream patch fixing undefined function reference in libgcrypt backend
+- BR: /usr/bin/man for test suite
+
+* Sun Jan 15 2012 Peter Robinson <pbrobinson@fedoraproject.org> 1.3.0-4
+- skip the ssh test on ARM too
+
+* Fri Jan 13 2012 Paul Howarth <paul@city-fan.org> 1.3.0-3
+- make docs package noarch where possible
+- example includes arch-specific bits, so move to devel package
+- use patch rather than scripted iconv to fix character encoding
+- don't make assumptions about SELinux context types used for the ssh server
+ in the test suite
+- skip the ssh test if /dev/tty isn't present, as in some versions of mock
+- make the %%files list more explicit
+- use tabs for indentation
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 1.3.0-2
+- rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Sep 08 2011 Kamil Dudka <kdudka@redhat.com> 1.3.0-1
+- update to 1.3.0
+
+* Sat Jun 25 2011 Dennis Gilmore <dennis@ausil.us> 1.2.7-2
+- sshd/loopback test fails in the sparc buildsystem
* Tue Oct 12 2010 Kamil Dudka <kdudka@redhat.com> 1.2.7-1
- update to 1.2.7 (#632916)