From 2c66aa8e4ec5b4bfc80f991bb2b3069b108b6121 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 2 Mar 2021 11:01:02 +0100 Subject: import from RHEL 7.7 --- libssh2.spec | 331 ++++++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 251 insertions(+), 80 deletions(-) (limited to 'libssh2.spec') diff --git a/libssh2.spec b/libssh2.spec index d9f88a4..f704268 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,42 +1,57 @@ -# Fedora 10 onwards support noarch subpackages; by using one, we can -# put the arch-independent docs in a common subpackage and save lots -# of space on the mirrors -%if 0%{?fedora} > 9 || 0%{?rhel} > 5 -%global noarch_docs_package 1 -%else -%global noarch_docs_package 0 -%endif +Name: libssh2 +Version: 1.8.0 +Release: 4%{?dist} +Summary: A library implementing the SSH2 protocol +Group: System Environment/Libraries +License: BSD +URL: http://www.libssh2.org/ +Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz + +# fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) +Patch1: 0001-libssh2-1.8.0-CVE-2019-3855.patch + +# fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) +Patch2: 0002-libssh2-1.8.0-CVE-2019-3856.patch + +# fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) +Patch3: 0003-libssh2-1.8.0-CVE-2019-3857.patch + +# fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858) +Patch4: 0004-libssh2-1.8.0-CVE-2019-3858.patch + +# fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861) +Patch7: 0007-libssh2-1.8.0-CVE-2019-3861.patch + +# fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862) +Patch8: 0008-libssh2-1.8.0-CVE-2019-3862.patch -# Define %%{__isa_bits} for old releases -%{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} - -Name: libssh2 -Version: 1.4.3 -Release: 8%{?dist}.1 -Summary: A library implementing the SSH2 protocol -Group: System Environment/Libraries -License: BSD -URL: http://www.libssh2.org/ -Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz -Patch0: libssh2-1.4.2-utf8.patch -Patch1: 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch -Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch -Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch -Patch4: 0004-partially-revert-window_size-explicit-adjustments-on.patch -Patch5: 0005-channel.c-fix-a-use-after-free.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) -BuildRequires: openssl-devel -BuildRequires: zlib-devel -BuildRequires: /usr/bin/man +# fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863) +Patch9: 0009-libssh2-1.8.0-CVE-2019-3863.patch + +# fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498) +Patch10: 0010-libssh2-1.8.0-CVE-2019-17498.patch + +Patch14: 0014-libssh2-1.4.3-scp-remote-exec.patch +Patch15: 0015-libssh2-1.4.3-debug-msgs.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) + +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: gcc +BuildRequires: make +BuildRequires: openssl-devel +BuildRequires: sed +BuildRequires: zlib-devel +BuildRequires: /usr/bin/man # Test suite requirements - we run the OpenSSH server and try to connect to it -BuildRequires: openssh-server +BuildRequires: openssh-server # We use matchpathcon to get the correct SELinux context for the ssh server # initialization script so that it can transition correctly in an SELinux -# environment; matchpathcon is only available from FC-4 and moved from the -# libselinux to libselinux-utils package in F-10 -%if (0%{?fedora} >= 4 || 0%{?rhel} >= 5) && !(0%{?fedora} >=17 || 0%{?rhel} >=7) -BuildRequires: /usr/sbin/matchpathcon selinux-policy-targeted +# environment +%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) +BuildRequires: libselinux-utils +BuildRequires: selinux-policy-targeted %endif %description @@ -45,49 +60,46 @@ Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25), SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*, SECSH-DHGEX(04), and SECSH-NUMBERS(10). -%package devel -Summary: Development files for libssh2 -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} -Requires: openssl-devel -Requires: pkgconfig +%package devel +Summary: Development files for libssh2 +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig -%description devel +%description devel The libssh2-devel package contains libraries and header files for developing applications that use libssh2. -%package docs -Summary: Documentation for libssh2 -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} -%if %{noarch_docs_package} -BuildArch: noarch -%endif +%package docs +Summary: Documentation for libssh2 +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +BuildArch: noarch -%description docs +%description docs The libssh2-docs package contains man pages and examples for developing applications that use libssh2. %prep %setup -q - -# Replace hard wired port number in the test suite to avoid collisions -# between 32-bit and 64-bit builds running on a single build-host -sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} - -# Make sure things are UTF-8... -%patch0 -p1 - -# Three upstream patches required for qemu ssh block driver. %patch1 -p1 %patch2 -p1 %patch3 -p1 - -# http://thread.gmane.org/gmane.network.ssh.libssh2.devel/6428 %patch4 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 + +# Replace hard wired port number in the test suite to avoid collisions +# between 32-bit and 64-bit builds running on a single build-host +sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh} + +# scp: send valid commands for remote execution (#1489733) +%patch14 -p1 -# https://trac.libssh2.org/ticket/268 -%patch5 -p1 +# session: avoid printing misleading debug messages (#1503294) +%patch15 -p1 # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) @@ -97,7 +109,7 @@ chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} | %endif %build -%configure --disable-static --enable-shared +%configure --disable-silent-rules --disable-static --enable-shared make %{?_smp_mflags} # Avoid polluting libssh2.pc with linker options (#947813) @@ -106,17 +118,18 @@ sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc %install rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" -find %{buildroot} -name '*.la' -exec rm -f {} \; +find %{buildroot} -name '*.la' -delete # clean things up a bit for packaging make -C example clean rm -rf example/.deps -find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} \; +find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -delete # avoid multilib conflict on libssh2-devel mv -v example example.%{_arch} %check +echo "Running tests for %{_arch}" # The SSH test will fail if we don't have /dev/tty, as is the case in some # versions of mock (#672713) if [ ! -c /dev/tty ]; then @@ -128,6 +141,11 @@ fi echo Skipping SSH test on sparc/arm echo "exit 0" > tests/ssh2.sh %endif +# mansyntax check fails on PPC* and aarch64 with some strange locale error +%ifarch ppc %{power64} aarch64 +echo "Skipping mansyntax test on PPC* and aarch64" +echo "exit 0" > tests/mansyntax.sh +%endif make -C tests check %clean @@ -138,18 +156,15 @@ rm -rf %{buildroot} %postun -p /sbin/ldconfig %files -%defattr(-,root,root,-) -%doc AUTHORS ChangeLog COPYING README NEWS +%doc COPYING docs/AUTHORS README RELEASE-NOTES %{_libdir}/libssh2.so.1 %{_libdir}/libssh2.so.1.* %files docs -%defattr(-,root,root,-) -%doc HACKING +%doc docs/BINDINGS docs/HACKING docs/TODO NEWS %{_mandir}/man3/libssh2_*.3* %files devel -%defattr(-,root,root,-) %doc example.%{_arch}/ %{_includedir}/libssh2.h %{_includedir}/libssh2_publickey.h @@ -158,16 +173,172 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog -* Sat Dec 20 2014 Remi Collet 1.4.3-8.1 -- libssh2-devel requires openssl-devel - -* Sat Dec 20 2014 Remi Collet 1.4.3-8 -- sync with 1.4.3-8 from RHEL-7 -- ABI is compatible according to ABI compliance checker - http://upstream.rosalinux.ru/versions/libssh2.html - -* Sun Jul 24 2011 Remi Collet 1.2.7-1 -- rebuild for remi repo (EL-5) +* Wed Oct 30 2019 Kamil Dudka - 1.8.0-4 +- fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498) + +* Wed Mar 20 2019 Kamil Dudka 1.8.0-3 +- sanitize public header file (detected by rpmdiff) + +* Tue Mar 19 2019 Kamil Dudka 1.8.0-2 +- fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863) +- fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862) +- fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861) +- fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858) +- fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) +- fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) +- fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) + +* Wed Nov 21 2018 Kamil Dudka 1.8.0-1 +- rebase to 1.8.0 (#1592784) + +* Tue Sep 26 2017 Kamil Dudka 1.4.3-12 +- session: avoid printing misleading debug messages (#1503294) +- scp: send valid commands for remote execution (#1489733) + +* Fri Feb 19 2016 Kamil Dudka 1.4.3-11 +- use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787) + +* Mon Jun 01 2015 Kamil Dudka 1.4.3-10 +- check length of data extracted from the SSH_MSG_KEXINIT packet (CVE-2015-1782) + +* Tue May 05 2015 Kamil Dudka 1.4.3-9 +- curl consumes too much memory during scp download (#1080459) +- prevent a not-connected agent from closing STDIN (#1147717) + +* Fri Jan 24 2014 Daniel Mach - 1.4.3-8 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 1.4.3-7 +- Mass rebuild 2013-12-27 + +* Wed Aug 14 2013 Kamil Dudka 1.4.3-6 +- fix very slow sftp upload to localhost +- fix a use after free in channel.c + +* Tue Apr 9 2013 Richard W.M. Jones 1.4.3-5 +- Add three patches from upstream git required for qemu ssh block driver. + +* Wed Apr 3 2013 Paul Howarth 1.4.3-4 +- Avoid polluting libssh2.pc with linker options (#947813) + +* Tue Mar 26 2013 Kamil Dudka 1.4.3-3 +- Avoid collisions between 32-bit and 64-bit builds running on a single build + host + +* Thu Feb 14 2013 Fedora Release Engineering - 1.4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Nov 28 2012 Paul Howarth 1.4.3-1 +- Update to 1.4.3 + - compression: add support for zlib@openssh.com + - sftp_read: return error if a too large package arrives + - libssh2_hostkey_hash.3: update the description of return value + - Fixed MSVC NMakefile + - examples: use stderr for messages, stdout for data + - openssl: do not leak memory when handling errors + - improved handling of disabled MD5 algorithm in OpenSSL + - known_hosts: Fail when parsing unknown keys in known_hosts file + - configure: gcrypt doesn't come with pkg-config support + - session_free: wrong variable used for keeping state + - libssh2_userauth_publickey_fromfile_ex.3: mention publickey == NULL + - comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating +- Drop upstreamed patches + +* Wed Nov 07 2012 Kamil Dudka 1.4.2-4 +- examples: use stderr for messages, stdout for data (upstream commit b31e35ab) +- Update libssh2_hostkey_hash(3) man page (upstream commit fe8f3deb) + +* Wed Sep 26 2012 Kamil Dudka 1.4.2-3 +- Fix basic functionality of libssh2 in FIPS mode +- Skip SELinux-related quirks on recent distros to prevent a test-suite failure + +* Thu Jul 19 2012 Fedora Release Engineering - 1.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sun May 20 2012 Paul Howarth 1.4.2-1 +- Update to 1.4.2 + - Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner + - userauth.c: fread() from public key file to correctly detect any errors + - configure.ac: add option to disable build of the example applications + - added 'Requires.private:' line to libssh2.pc + - SFTP: filter off incoming "zombie" responses + - gettimeofday: no need for a replacement under cygwin + - SSH_MSG_CHANNEL_REQUEST: default to want_reply + - win32/libssh2_config.h: remove hardcoded #define LIBSSH2_HAVE_ZLIB + +* Fri Apr 27 2012 Paul Howarth 1.4.1-2 +- Fix multi-arch conflict again (#816969) + +* Thu Apr 5 2012 Paul Howarth 1.4.1-1 +- Update to 1.4.1 + - Build error with gcrypt backend + - Always do "forced" window updates to avoid corner case stalls + - aes: the init function fails when OpenSSL has AES support + - transport_send: finish in-progress key exchange before sending data + - channel_write: acknowledge transport errors + - examples/x11.c: make sure sizeof passed to read operation is correct + - examples/x11.c: fix suspicious sizeof usage + - sftp_packet_add: verify the packet before accepting it + - SFTP: preserve the original error code more + - sftp_packet_read: adjust window size as necessary + - Use safer snprintf rather then sprintf in several places + - Define and use LIBSSH2_INVALID_SOCKET instead of INVALID_SOCKET + - sftp_write: cannot return acked data *and* EAGAIN + - sftp_read: avoid data *and* EAGAIN + - libssh2.h: add missing prototype for libssh2_session_banner_set() +- Drop upstream patches now included in release tarball + +* Mon Mar 19 2012 Kamil Dudka 1.4.0-4 +- Don't ignore transport errors when writing to channel (#804150) + +* Sun Mar 18 2012 Paul Howarth 1.4.0-3 +- Don't try to use openssl's AES-CTR functions + (http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0111.shtml) + +* Fri Mar 16 2012 Paul Howarth 1.4.0-2 +- fix libssh2 failing key re-exchange when write channel is saturated (#804156) +- drop %%defattr, redundant since rpm 4.4 + +* Wed Feb 1 2012 Paul Howarth 1.4.0-1 +- update to 1.4.0 + - added libssh2_session_supported_algs() + - added libssh2_session_banner_get() + - added libssh2_sftp_get_channel() + - libssh2.h: bump the default window size to 256K + - sftp-seek: clear EOF flag + - userauth: provide more informations if ssh pub key extraction fails + - ssh2_exec: skip error outputs for EAGAIN + - LIBSSH2_SFTP_PACKET_MAXLEN: increase to 80000 + - knownhost_check(): don't dereference ext if NULL is passed + - knownhost_add: avoid dereferencing uninitialized memory on error path + - OpenSSL EVP: fix threaded use of structs + - _libssh2_channel_read: react on errors from receive_window_adjust + - sftp_read: cap the read ahead maximum amount + - _libssh2_channel_read: fix non-blocking window adjusting +- add upstream patch fixing undefined function reference in libgcrypt backend +- BR: /usr/bin/man for test suite + +* Sun Jan 15 2012 Peter Robinson 1.3.0-4 +- skip the ssh test on ARM too + +* Fri Jan 13 2012 Paul Howarth 1.3.0-3 +- make docs package noarch where possible +- example includes arch-specific bits, so move to devel package +- use patch rather than scripted iconv to fix character encoding +- don't make assumptions about SELinux context types used for the ssh server + in the test suite +- skip the ssh test if /dev/tty isn't present, as in some versions of mock +- make the %%files list more explicit +- use tabs for indentation + +* Fri Jan 13 2012 Fedora Release Engineering 1.3.0-2 +- rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Sep 08 2011 Kamil Dudka 1.3.0-1 +- update to 1.3.0 + +* Sat Jun 25 2011 Dennis Gilmore 1.2.7-2 +- sshd/loopback test fails in the sparc buildsystem * Tue Oct 12 2010 Kamil Dudka 1.2.7-1 - update to 1.2.7 (#632916) -- cgit