From a826d69f74224d23ac5a46a340238b02c9347651 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 06 2015 00:30:06 +0000
Subject: import libssh-0.7.1-1.el7
---
diff --git a/.gitignore b/.gitignore
index 269dac9..f581039 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libssh-0.6.4.tar.gz
+SOURCES/libssh-0.7.1.tar.xz
diff --git a/.libssh.metadata b/.libssh.metadata
index 63f5d23..771c2b3 100644
--- a/.libssh.metadata
+++ b/.libssh.metadata
@@ -1 +1 @@
-605227f39e94c1a186f30d164a64fdced0f22d98 SOURCES/libssh-0.6.4.tar.gz
+112fdd5c10dd508a10e3c494fc79156a5ff24751 SOURCES/libssh-0.7.1.tar.xz
diff --git a/SOURCES/CVE-2015-3145-libssh-0.6.x.patch b/SOURCES/CVE-2015-3145-libssh-0.6.x.patch
deleted file mode 100644
index 66e245d..0000000
--- a/SOURCES/CVE-2015-3145-libssh-0.6.x.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From 94f6955fbaee6fda9385a23e505497efe21f5b4f Mon Sep 17 00:00:00 2001
-From: Aris Adamantiadis
-Date: Wed, 15 Apr 2015 16:08:37 +0200
-Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers
-
-The state validation in the packet handlers for SSH_MSG_NEWKEYS and
-SSH_MSG_KEXDH_REPLY had a bug which did not raise an error.
-
-The issue has been found and reported by Mariusz Ziule.
-
-Signed-off-by: Aris Adamantiadis
-Reviewed-by: Andreas Schneider
-(cherry picked from commit bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe)
----
- src/packet_cb.c | 16 ++++++++++------
- src/server.c | 8 +++++---
- 2 files changed, 15 insertions(+), 9 deletions(-)
-
-diff --git a/src/packet_cb.c b/src/packet_cb.c
-index a10dd1a..e6c613f 100644
---- a/src/packet_cb.c
-+++ b/src/packet_cb.c
-@@ -94,7 +94,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){
- (void)type;
- (void)user;
- SSH_LOG(SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY");
-- if(session->session_state!= SSH_SESSION_STATE_DH &&
-+ if (session->session_state != SSH_SESSION_STATE_DH ||
- session->dh_handshake_state != DH_STATE_INIT_SENT){
- ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d",
- session->session_state,session->dh_handshake_state);
-@@ -135,12 +135,16 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
- (void)user;
- (void)type;
- SSH_LOG(SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS");
-- if(session->session_state!= SSH_SESSION_STATE_DH &&
-- session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){
-- ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d",
-- session->session_state,session->dh_handshake_state);
-- goto error;
-+
-+ if (session->session_state != SSH_SESSION_STATE_DH ||
-+ session->dh_handshake_state != DH_STATE_NEWKEYS_SENT) {
-+ ssh_set_error(session,
-+ SSH_FATAL,
-+ "ssh_packet_newkeys called in wrong state : %d:%d",
-+ session->session_state,session->dh_handshake_state);
-+ goto error;
- }
-+
- if(session->server){
- /* server things are done in server.c */
- session->dh_handshake_state=DH_STATE_FINISHED;
-diff --git a/src/server.c b/src/server.c
-index 35281ca..1637cce 100644
---- a/src/server.c
-+++ b/src/server.c
-@@ -165,7 +165,7 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){
- }
-
- SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
-- int rc;
-+ int rc = SSH_ERROR;
- (void)type;
- (void)user;
-
-@@ -193,9 +193,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
- ssh_set_error(session,SSH_FATAL,"Wrong kex type in ssh_packet_kexdh_init");
- rc = SSH_ERROR;
- }
-- if (rc == SSH_ERROR)
-+
-+error:
-+ if (rc == SSH_ERROR) {
- session->session_state = SSH_SESSION_STATE_ERROR;
-- error:
-+ }
-
- return SSH_PACKET_USED;
- }
---
-2.3.5
-
-
-From e9d16bd3439205ce7e75017405b1ac6ed5ead062 Mon Sep 17 00:00:00 2001
-From: Aris Adamantiadis
-Date: Wed, 15 Apr 2015 16:25:29 +0200
-Subject: [PATCH 2/2] buffers: Fix a possible null pointer dereference
-
-This is an addition to CVE-2015-3146 to fix the null pointer
-dereference. The patch is not required to fix the CVE but prevents
-issues in future.
-
-Signed-off-by: Aris Adamantiadis
-Reviewed-by: Andreas Schneider
-(cherry picked from commit 309102547208281215e6799336b42d355cdd7c5d)
----
- src/buffer.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/buffer.c b/src/buffer.c
-index ca12086..3bb6ec4 100644
---- a/src/buffer.c
-+++ b/src/buffer.c
-@@ -188,6 +188,10 @@ int buffer_reinit(struct ssh_buffer_struct *buffer) {
- int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) {
- buffer_verify(buffer);
-
-+ if (data == NULL) {
-+ return -1;
-+ }
-+
- if (buffer->used + len < len) {
- return -1;
- }
-@@ -221,6 +225,10 @@ int buffer_add_ssh_string(struct ssh_buffer_struct *buffer,
- struct ssh_string_struct *string) {
- uint32_t len = 0;
-
-+ if (string == NULL) {
-+ return -1;
-+ }
-+
- len = ssh_string_len(string);
- if (buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) {
- return -1;
---
-2.3.5
-
-
diff --git a/SPECS/libssh.spec b/SPECS/libssh.spec
index 60d5b96..0c257e7 100644
--- a/SPECS/libssh.spec
+++ b/SPECS/libssh.spec
@@ -1,16 +1,15 @@
 %define _hardened_build 1
 Name: libssh
-Version: 0.6.4
-Release: 4%{?dist}
+Version: 0.7.1
+Release: 1%{?dist}
 Summary: A library implementing the SSH protocol
 License: LGPLv2+
 URL: http://www.libssh.org
 Group: System Environment/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Source0: https://red.libssh.org/attachments/download/107/libssh-0.6.4.tar.gz
-Patch0: CVE-2015-3145-libssh-0.6.x.patch
+Source0: https://red.libssh.org/attachments/download/154/libssh-0.7.1.tar.xz
 BuildRequires: cmake
 BuildRequires: doxygen
@@ -39,7 +38,6 @@ applications that use %{name}.
 %prep
 %setup -q
-%patch0 -p1
 # Remove examples, they are not packaged and do not build on EPEL 5
 sed -i -e 's|add_subdirectory(examples)||g' CMakeLists.txt
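Review bot: The removal of `Patch0: CVE-2015-3145-libssh-0.6.x.patch` and `%patch0 -p1` is not explained anywhere in the spec, so a later reader cannot tell whether the CVE-2015-3146 fix was dropped or superseded. The deleted patch was a backport of upstream commits bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe and 309102547208281215e6799336b42d355cdd7c5d; presumably both are part of the 0.7.1 tarball, which should be confirmed against the upstream tree before the patch goes away. I would record that in the `%changelog` hunk with a second entry line such as `- Drop CVE-2015-3146 patch, fix is included upstream`.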
@@ -81,6 +79,7 @@ rm -rf %{buildroot}
 %{_includedir}/libssh/callbacks.h
 %{_includedir}/libssh/legacy.h
 %{_includedir}/libssh/libssh.h
+%{_includedir}/libssh/libsshpp.hpp
 %{_includedir}/libssh/server.h
 %{_includedir}/libssh/sftp.h
 %{_includedir}/libssh/ssh2.h
@@ -93,6 +92,9 @@ rm -rf %{buildroot}
 %{_libdir}/libssh_threads.so
 %changelog
+* Mon Jul 06 2015 - Stef Walter - 0.7.1-1
+- Updated to 0.7.1 release rhbz#1239085
+
 * Wed Apr 22 2015 - Stef Walter - 0.6.4-4
 - Updated patch for CVE-2015-3146