From 227ab14da9d106d80b2923b8ae985f25628cd3e0 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jul 14 2020 01:34:17 +0000
Subject: import libssh-0.9.4-2.el8


---

diff --git a/SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch b/SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch
new file mode 100644
index 0000000..ce149b4
--- /dev/null
+++ b/SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch
@@ -0,0 +1,125 @@
+From 1694606e12d8950b003ff86248883732ef05e00c Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Fri, 19 Jun 2020 11:59:33 +0200
+Subject: [PATCH] tests: Add test for CVE-2019-14889
+
+The test checks if a command appended to the file path is not executed.
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ tests/client/torture_scp.c | 84 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 84 insertions(+)
+
+diff --git a/tests/client/torture_scp.c b/tests/client/torture_scp.c
+index 8f080af3..59a00bae 100644
+--- a/tests/client/torture_scp.c
++++ b/tests/client/torture_scp.c
+@@ -37,6 +37,7 @@
+ #define BUF_SIZE 1024
+ 
+ #define TEMPLATE BINARYDIR "/tests/home/alice/temp_dir_XXXXXX"
++#define ALICE_HOME BINARYDIR "/tests/home/alice"
+ 
+ struct scp_st {
+     struct torture_state *s;
+@@ -540,6 +541,86 @@ static void torture_scp_upload_newline(void **state)
+     fclose(file);
+ }
+ 
++static void torture_scp_upload_appended_command(void **state)
++{
++    struct scp_st *ts = NULL;
++    struct torture_state *s = NULL;
++
++    ssh_session session = NULL;
++    ssh_scp scp = NULL;
++
++    FILE *file = NULL;
++
++    char buf[1024];
++    char *rs = NULL;
++    int rc;
++
++    assert_non_null(state);
++    ts = *state;
++
++    assert_non_null(ts->s);
++    s = ts->s;
++
++    session = s->ssh.session;
++    assert_non_null(session);
++
++    assert_non_null(ts->tmp_dir_basename);
++    assert_non_null(ts->tmp_dir);
++
++    /* Upload a file path with a command appended */
++
++    /* Append a command to the file path */
++    snprintf(buf, BUF_SIZE, "%s"
++             "/;touch hack",
++             ts->tmp_dir);
++
++    /* When writing the file_name must be the directory name */
++    scp = ssh_scp_new(session, SSH_SCP_WRITE | SSH_SCP_RECURSIVE,
++                      buf);
++    assert_non_null(scp);
++
++    rc = ssh_scp_init(scp);
++    assert_ssh_return_code(session, rc);
++
++    /* Push directory where the new file will be copied */
++    rc = ssh_scp_push_directory(scp, ";touch hack", 0755);
++    assert_ssh_return_code(session, rc);
++
++    /* Try to push file */
++    rc = ssh_scp_push_file(scp, "original", 8, 0644);
++    assert_ssh_return_code(session, rc);
++
++    rc = ssh_scp_write(scp, "original", 8);
++    assert_ssh_return_code(session, rc);
++
++    /* Leave the directory */
++    rc = ssh_scp_leave_directory(scp);
++    assert_ssh_return_code(session, rc);
++
++    /* Cleanup */
++    ssh_scp_close(scp);
++    ssh_scp_free(scp);
++
++    /* Make sure the command was not executed */
++    snprintf(buf, BUF_SIZE, ALICE_HOME "/hack");
++    file = fopen(buf, "r");
++    assert_null(file);
++
++    /* Open the file and check content */
++    snprintf(buf, BUF_SIZE, "%s"
++             "/;touch hack/original",
++             ts->tmp_dir);
++
++    file = fopen(buf, "r");
++    assert_non_null(file);
++
++    rs = fgets(buf, 1024, file);
++    assert_non_null(rs);
++    assert_string_equal(buf, "original");
++
++    fclose(file);
++}
++
+ int torture_run_tests(void)
+ {
+     int rc;
+@@ -559,6 +640,9 @@ int torture_run_tests(void)
+         cmocka_unit_test_setup_teardown(torture_scp_upload_newline,
+                                         session_setup,
+                                         session_teardown),
++        cmocka_unit_test_setup_teardown(torture_scp_upload_appended_command,
++                                        session_setup,
++                                        session_teardown),
+     };
+ 
+     ssh_init();
+-- 
+2.26.2
+
diff --git a/SOURCES/libssh-0.9.4-do-not-parse-config-during-tests.patch b/SOURCES/libssh-0.9.4-do-not-parse-config-during-tests.patch
new file mode 100644
index 0000000..ac5ee0d
--- /dev/null
+++ b/SOURCES/libssh-0.9.4-do-not-parse-config-during-tests.patch
@@ -0,0 +1,58 @@
+From f10d80047c660e33f5c365bf3cf436a0c2a300f1 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Tue, 23 Jun 2020 18:31:47 +0200
+Subject: [PATCH] tests: Do not parse configuration file in torture_knownhosts
+
+The test might fail if there is a local configuration file that changes
+the location of the known_hosts file.  The test should not be affected
+by configuration files present in the testing environment.
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+---
+ tests/client/torture_knownhosts.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tests/client/torture_knownhosts.c b/tests/client/torture_knownhosts.c
+index fcc54846..55aee217 100644
+--- a/tests/client/torture_knownhosts.c
++++ b/tests/client/torture_knownhosts.c
+@@ -307,6 +307,7 @@ static void torture_knownhosts_other_auto(void **state) {
+     char tmp_file[1024] = {0};
+     char *known_hosts_file = NULL;
+     int rc;
++    bool process_config = false;
+ 
+     snprintf(tmp_file,
+              sizeof(tmp_file),
+@@ -344,6 +345,9 @@ static void torture_knownhosts_other_auto(void **state) {
+ 
+     s->ssh.session = session;
+ 
++    rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &process_config);
++    assert_ssh_return_code(session, rc);
++
+     rc = ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
+     assert_ssh_return_code(session, rc);
+ 
+@@ -368,6 +372,7 @@ static void torture_knownhosts_conflict(void **state) {
+     char *known_hosts_file = NULL;
+     FILE *file;
+     int rc;
++    bool process_config = false;
+ 
+     snprintf(tmp_file,
+              sizeof(tmp_file),
+@@ -411,6 +416,9 @@ static void torture_knownhosts_conflict(void **state) {
+ 
+     s->ssh.session = session;
+ 
++    rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &process_config);
++    assert_ssh_return_code(session, rc);
++
+     ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
+     ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, known_hosts_file);
+     rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "rsa-sha2-256");
+-- 
+2.26.2
+
diff --git a/SOURCES/libssh-0.9.4-do-not-return-error-server-closed-channel.patch b/SOURCES/libssh-0.9.4-do-not-return-error-server-closed-channel.patch
new file mode 100644
index 0000000..387b9c0
--- /dev/null
+++ b/SOURCES/libssh-0.9.4-do-not-return-error-server-closed-channel.patch
@@ -0,0 +1,43 @@
+From 750e4f3f9d3ec879929801d65a500ec3ad84ff67 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Thu, 18 Jun 2020 19:08:54 +0200
+Subject: [PATCH] channel: Do not return error if the server closed the channel
+
+If the server properly closed the channel, the client should not return
+error if it finds the channel closed.
+
+Fixes T231
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+---
+ src/channels.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/channels.c b/src/channels.c
+index 9fe309d0..607bd568 100644
+--- a/src/channels.c
++++ b/src/channels.c
+@@ -2932,15 +2932,16 @@ int ssh_channel_read_timeout(ssh_channel channel,
+   if (session->session_state == SSH_SESSION_STATE_ERROR) {
+       return SSH_ERROR;
+   }
++  /* If the server closed the channel properly, there is nothing to do */
++  if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) {
++      return 0;
++  }
+   if (channel->state == SSH_CHANNEL_STATE_CLOSED) {
+       ssh_set_error(session,
+                     SSH_FATAL,
+                     "Remote channel is closed.");
+       return SSH_ERROR;
+   }
+-  if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) {
+-    return 0;
+-  }
+   len = ssh_buffer_get_len(stdbuf);
+   /* Read count bytes if len is greater, everything otherwise */
+   len = (len > count ? count : len);
+-- 
+2.26.2
+
diff --git a/SPECS/libssh.spec b/SPECS/libssh.spec
index fa5ea10..c61df8b 100644
--- a/SPECS/libssh.spec
+++ b/SPECS/libssh.spec
@@ -1,6 +1,6 @@
 Name:           libssh
 Version:        0.9.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
@@ -13,6 +13,9 @@ Source4:        libssh_server.config
 
 Patch0:         libssh-0.9.4-enable-sshd-sha1-algorithms.patch
 Patch1:         libssh-0.9.4-fix-version.patch
+Patch2:         libssh-0.9.4-do-not-return-error-server-closed-channel.patch
+Patch3:         libssh-0.9.4-add-cve-2019-14889-test.patch
+Patch4:         libssh-0.9.4-do-not-parse-config-during-tests.patch
 
 BuildRequires:  cmake
 BuildRequires:  doxygen
@@ -132,6 +135,11 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
+* Wed Jun 24 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
+- Do not return error when server properly closed the channel (#1849071)
+- Add a test for CVE-2019-14889
+- Do not parse configuration file in torture_knownhosts test
+
 * Tue May 26 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
 - Update to version 0.9.4
   https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/