diff --git a/.gitignore b/.gitignore index d7bf14e..f89838b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libssh2-1.4.3.tar.gz +SOURCES/libssh2-1.8.0.tar.gz diff --git a/.libssh2.metadata b/.libssh2.metadata index 2c41b87..121a71c 100644 --- a/.libssh2.metadata +++ b/.libssh2.metadata @@ -1 +1 @@ -c27ca83e1ffeeac03be98b6eef54448701e044b0 SOURCES/libssh2-1.4.3.tar.gz +baf2d1fb338eee531ba9b6b121c64235e089e0f5 SOURCES/libssh2-1.8.0.tar.gz diff --git a/SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch b/SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch index ac66df3..746b515 100644 --- a/SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch +++ b/SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch @@ -14,7 +14,7 @@ diff --git a/src/transport.c b/src/transport.c index 8725da0..5349284 100644 --- a/src/transport.c +++ b/src/transport.c -@@ -430,8 +430,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) +@@ -434,8 +434,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) * and we can extract packet and padding length from it */ p->packet_length = _libssh2_ntohu32(block); diff --git a/SOURCES/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch b/SOURCES/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch deleted file mode 100644 index 9acbd6d..0000000 --- a/SOURCES/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 486bb376218a37fe15318d7724d6eada36b81e6c Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Tue, 26 Mar 2013 17:58:04 +0100 -Subject: [PATCH 1/3] sftp: seek: Don't flush buffers on same offset - -Signed-off-by: Richard W.M. Jones ---- - src/sftp.c | 27 +++++++++++++++------------ - 1 file changed, 15 insertions(+), 12 deletions(-) - -diff --git a/src/sftp.c b/src/sftp.c -index d0536dd..3760025 100644 ---- a/src/sftp.c -+++ b/src/sftp.c -@@ -2132,21 +2132,24 @@ libssh2_sftp_fstat_ex(LIBSSH2_SFTP_HANDLE *hnd, - LIBSSH2_API void - libssh2_sftp_seek64(LIBSSH2_SFTP_HANDLE *handle, libssh2_uint64_t offset) - { -- if(handle) { -- handle->u.file.offset = handle->u.file.offset_sent = offset; -- /* discard all pending requests and currently read data */ -- sftp_packetlist_flush(handle); -+ if(!handle) -+ return; -+ if(handle->u.file.offset == offset && handle->u.file.offset_sent == offset) -+ return; - -- /* free the left received buffered data */ -- if (handle->u.file.data_left) { -- LIBSSH2_FREE(handle->sftp->channel->session, handle->u.file.data); -- handle->u.file.data_left = handle->u.file.data_len = 0; -- handle->u.file.data = NULL; -- } -+ handle->u.file.offset = handle->u.file.offset_sent = offset; -+ /* discard all pending requests and currently read data */ -+ sftp_packetlist_flush(handle); - -- /* reset EOF to False */ -- handle->u.file.eof = FALSE; -+ /* free the left received buffered data */ -+ if (handle->u.file.data_left) { -+ LIBSSH2_FREE(handle->sftp->channel->session, handle->u.file.data); -+ handle->u.file.data_left = handle->u.file.data_len = 0; -+ handle->u.file.data = NULL; - } -+ -+ /* reset EOF to False */ -+ handle->u.file.eof = FALSE; - } - - /* libssh2_sftp_seek --- -1.8.1.4 - diff --git a/SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch b/SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch index 076f08b..40c9e9b 100644 --- a/SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch +++ b/SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch @@ -25,7 +25,7 @@ diff --git a/src/userauth.c b/src/userauth.c index cdfa25e..3946cf9 100644 --- a/src/userauth.c +++ b/src/userauth.c -@@ -1498,6 +1498,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, +@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, /* int num-prompts */ session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; diff --git a/SOURCES/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch b/SOURCES/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch deleted file mode 100644 index 83ca15e..0000000 --- a/SOURCES/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch +++ /dev/null @@ -1,26 +0,0 @@ -From a12f3ffab579b514eeb7fdfaca0ade271961cdb4 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Mon, 8 Apr 2013 17:30:10 +0100 -Subject: [PATCH 2/3] sftp: statvfs: Along error path, reset the correct - 'state' variable. - ---- - src/sftp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sftp.c b/src/sftp.c -index 3760025..65fa77a 100644 ---- a/src/sftp.c -+++ b/src/sftp.c -@@ -2752,7 +2752,7 @@ static int sftp_statvfs(LIBSSH2_SFTP *sftp, const char *path, - "Error waiting for FXP EXTENDED REPLY"); - } else if (data_len < 93) { - LIBSSH2_FREE(session, data); -- sftp->fstatvfs_state = libssh2_NB_state_idle; -+ sftp->statvfs_state = libssh2_NB_state_idle; - return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, - "SFTP Protocol Error: short response"); - } --- -1.8.1.4 - diff --git a/SOURCES/0003-libssh2-1.8.0-CVE-2019-3857.patch b/SOURCES/0003-libssh2-1.8.0-CVE-2019-3857.patch index fc14251..ea264d2 100644 --- a/SOURCES/0003-libssh2-1.8.0-CVE-2019-3857.patch +++ b/SOURCES/0003-libssh2-1.8.0-CVE-2019-3857.patch @@ -16,9 +16,9 @@ diff --git a/include/libssh2.h b/include/libssh2.h index 34d2842..e25c380 100644 --- a/include/libssh2.h +++ b/include/libssh2.h -@@ -71,6 +71,18 @@ - */ - #define LIBSSH2_VERSION_NUM 0x010403 +@@ -145,6 +145,18 @@ typedef int libssh2_socket_t; + #define LIBSSH2_INVALID_SOCKET -1 + #endif /* WIN32 */ +#ifndef SIZE_MAX +#if _WIN64 @@ -33,13 +33,13 @@ index 34d2842..e25c380 100644 +#endif + /* - * This is the date and time when the full source package was created. The - * timestamp is not stored in the source code repo, as the timestamp is + * Determine whether there is small or large file support on windows. + */ diff --git a/src/packet.c b/src/packet.c index 5f1feb8..aa10633 100644 --- a/src/packet.c +++ b/src/packet.c -@@ -814,8 +814,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +@@ -815,8 +815,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, /* set signal name (without SIG prefix) */ uint32_t namelen = _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); @@ -77,9 +77,9 @@ diff --git a/include/libssh2.h b/include/libssh2.h index e25c380..34d2842 100644 --- a/include/libssh2.h +++ b/include/libssh2.h -@@ -71,18 +71,6 @@ - */ - #define LIBSSH2_VERSION_NUM 0x010403 +@@ -145,18 +145,6 @@ typedef int libssh2_socket_t; + #define LIBSSH2_INVALID_SOCKET -1 + #endif /* WIN32 */ -#ifndef SIZE_MAX -#if _WIN64 @@ -94,13 +94,13 @@ index e25c380..34d2842 100644 -#endif - /* - * This is the date and time when the full source package was created. The - * timestamp is not stored in the source code repo, as the timestamp is + * Determine whether there is small or large file support on windows. + */ diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h index b4296a2..bb5d1a5 100644 --- a/src/libssh2_priv.h +++ b/src/libssh2_priv.h -@@ -144,6 +144,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs) +@@ -146,6 +146,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs) #endif diff --git a/SOURCES/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch b/SOURCES/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch deleted file mode 100644 index cc1cbb4..0000000 --- a/SOURCES/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch +++ /dev/null @@ -1,223 +0,0 @@ -From 6e0d757f24a45252c4cae9ea09732eda2562c767 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" -Date: Tue, 9 Apr 2013 11:42:09 +0200 -Subject: [PATCH 3/3] sftp: Add support for fsync (OpenSSH extension). - -The new libssh2_sftp_fsync API causes data and metadata in the -currently open file to be committed to disk at the server. - -This is an OpenSSH extension to the SFTP protocol. See: - -https://bugzilla.mindrot.org/show_bug.cgi?id=1798 ---- - docs/Makefile.am | 1 + - docs/libssh2_sftp_fsync.3 | 39 +++++++++++++++++++ - include/libssh2_sftp.h | 1 + - src/sftp.c | 97 +++++++++++++++++++++++++++++++++++++++++++++++ - src/sftp.h | 5 +++ - 5 files changed, 143 insertions(+) - create mode 100644 docs/libssh2_sftp_fsync.3 - -diff --git a/docs/Makefile.am b/docs/Makefile.am -index e4cf487..e6ab394 100644 ---- a/docs/Makefile.am -+++ b/docs/Makefile.am -@@ -120,6 +120,7 @@ dist_man_MANS = \ - libssh2_sftp_fstat.3 \ - libssh2_sftp_fstat_ex.3 \ - libssh2_sftp_fstatvfs.3 \ -+ libssh2_sftp_fsync.3 \ - libssh2_sftp_get_channel.3 \ - libssh2_sftp_init.3 \ - libssh2_sftp_last_error.3 \ -diff --git a/docs/libssh2_sftp_fsync.3 b/docs/libssh2_sftp_fsync.3 -new file mode 100644 -index 0000000..646760a ---- /dev/null -+++ b/docs/libssh2_sftp_fsync.3 -@@ -0,0 +1,39 @@ -+.TH libssh2_sftp_fsync 3 "8 Apr 2013" "libssh2 1.4.4" "libssh2 manual" -+.SH NAME -+libssh2_sftp_fsync - synchronize file to disk -+.SH SYNOPSIS -+.nf -+#include -+#include -+ -+int -+libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *handle) -+.fi -+.SH DESCRIPTION -+This function causes the remote server to synchronize the file -+data and metadata to disk (like fsync(2)). -+ -+For this to work requires fsync@openssh.com support on the server. -+ -+\fIhandle\fP - SFTP File Handle as returned by -+.BR libssh2_sftp_open_ex(3) -+ -+.SH RETURN VALUE -+Returns 0 on success or negative on failure. If used in non-blocking mode, it -+returns LIBSSH2_ERROR_EAGAIN when it would otherwise block. While -+LIBSSH2_ERROR_EAGAIN is a negative number, it isn't really a failure per se. -+.SH ERRORS -+\fILIBSSH2_ERROR_ALLOC\fP - An internal memory allocation call failed. -+ -+\fILIBSSH2_ERROR_SOCKET_SEND\fP - Unable to send data on socket. -+ -+\fILIBSSH2_ERROR_SFTP_PROTOCOL\fP - An invalid SFTP protocol response -+was received on the socket, or an SFTP operation caused an errorcode -+to be returned by the server. In particular, this can be returned if -+the SSH server does not support the fsync operation: the SFTP subcode -+\fILIBSSH2_FX_OP_UNSUPPORTED\fP will be returned in this case. -+ -+.SH AVAILABILITY -+Added in libssh2 1.4.4 and OpenSSH 6.3. -+.SH SEE ALSO -+.BR fsync(2) -diff --git a/include/libssh2_sftp.h b/include/libssh2_sftp.h -index 74884fb..677faf2 100644 ---- a/include/libssh2_sftp.h -+++ b/include/libssh2_sftp.h -@@ -247,6 +247,7 @@ LIBSSH2_API int libssh2_sftp_readdir_ex(LIBSSH2_SFTP_HANDLE *handle, \ - - LIBSSH2_API ssize_t libssh2_sftp_write(LIBSSH2_SFTP_HANDLE *handle, - const char *buffer, size_t count); -+LIBSSH2_API int libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *handle); - - LIBSSH2_API int libssh2_sftp_close_handle(LIBSSH2_SFTP_HANDLE *handle); - #define libssh2_sftp_close(handle) libssh2_sftp_close_handle(handle) -diff --git a/src/sftp.c b/src/sftp.c -index 65fa77a..01017fd 100644 ---- a/src/sftp.c -+++ b/src/sftp.c -@@ -986,6 +986,10 @@ sftp_shutdown(LIBSSH2_SFTP *sftp) - LIBSSH2_FREE(session, sftp->symlink_packet); - sftp->symlink_packet = NULL; - } -+ if (sftp->fsync_packet) { -+ LIBSSH2_FREE(session, sftp->fsync_packet); -+ sftp->fsync_packet = NULL; -+ } - - sftp_packet_flush(sftp); - -@@ -2014,6 +2018,99 @@ libssh2_sftp_write(LIBSSH2_SFTP_HANDLE *hnd, const char *buffer, - - } - -+static int sftp_fsync(LIBSSH2_SFTP_HANDLE *handle) -+{ -+ LIBSSH2_SFTP *sftp = handle->sftp; -+ LIBSSH2_CHANNEL *channel = sftp->channel; -+ LIBSSH2_SESSION *session = channel->session; -+ /* 34 = packet_len(4) + packet_type(1) + request_id(4) + -+ string_len(4) + strlen("fsync@openssh.com")(17) + handle_len(4) */ -+ uint32_t packet_len = handle->handle_len + 34; -+ size_t data_len; -+ unsigned char *packet, *s, *data; -+ ssize_t rc; -+ uint32_t retcode; -+ -+ if (sftp->fsync_state == libssh2_NB_state_idle) { -+ _libssh2_debug(session, LIBSSH2_TRACE_SFTP, -+ "Issuing fsync command"); -+ s = packet = LIBSSH2_ALLOC(session, packet_len); -+ if (!packet) { -+ return _libssh2_error(session, LIBSSH2_ERROR_ALLOC, -+ "Unable to allocate memory for FXP_EXTENDED " -+ "packet"); -+ } -+ -+ _libssh2_store_u32(&s, packet_len - 4); -+ *(s++) = SSH_FXP_EXTENDED; -+ sftp->fsync_request_id = sftp->request_id++; -+ _libssh2_store_u32(&s, sftp->fsync_request_id); -+ _libssh2_store_str(&s, "fsync@openssh.com", 17); -+ _libssh2_store_str(&s, handle->handle, handle->handle_len); -+ -+ sftp->fsync_state = libssh2_NB_state_created; -+ } else { -+ packet = sftp->fsync_packet; -+ } -+ -+ if (sftp->fsync_state == libssh2_NB_state_created) { -+ rc = _libssh2_channel_write(channel, 0, packet, packet_len); -+ if (rc == LIBSSH2_ERROR_EAGAIN || -+ (0 <= rc && rc < (ssize_t)packet_len)) { -+ sftp->fsync_packet = packet; -+ return LIBSSH2_ERROR_EAGAIN; -+ } -+ -+ LIBSSH2_FREE(session, packet); -+ sftp->fsync_packet = NULL; -+ -+ if (rc < 0) { -+ sftp->fsync_state = libssh2_NB_state_idle; -+ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND, -+ "_libssh2_channel_write() failed"); -+ } -+ sftp->fsync_state = libssh2_NB_state_sent; -+ } -+ -+ rc = sftp_packet_require(sftp, SSH_FXP_STATUS, -+ sftp->fsync_request_id, &data, &data_len); -+ if (rc == LIBSSH2_ERROR_EAGAIN) { -+ return rc; -+ } else if (rc) { -+ sftp->fsync_state = libssh2_NB_state_idle; -+ return _libssh2_error(session, rc, -+ "Error waiting for FXP EXTENDED REPLY"); -+ } -+ -+ sftp->fsync_state = libssh2_NB_state_idle; -+ -+ retcode = _libssh2_ntohu32(data + 5); -+ LIBSSH2_FREE(session, data); -+ -+ if (retcode != LIBSSH2_FX_OK) { -+ sftp->last_errno = retcode; -+ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, -+ "fsync failed"); -+ } -+ -+ return 0; -+} -+ -+/* libssh2_sftp_fsync -+ * Commit data on the handle to disk. -+ */ -+LIBSSH2_API int -+libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *hnd) -+{ -+ int rc; -+ if(!hnd) -+ return LIBSSH2_ERROR_BAD_USE; -+ BLOCK_ADJUST(rc, hnd->sftp->channel->session, -+ sftp_fsync(hnd)); -+ return rc; -+} -+ -+ - /* - * sftp_fstat - * -diff --git a/src/sftp.h b/src/sftp.h -index 55bdb46..63e8139 100644 ---- a/src/sftp.h -+++ b/src/sftp.h -@@ -175,6 +175,11 @@ struct _LIBSSH2_SFTP - /* State variable used in sftp_write() */ - libssh2_nonblocking_states write_state; - -+ /* State variables used in sftp_fsync() */ -+ libssh2_nonblocking_states fsync_state; -+ unsigned char *fsync_packet; -+ uint32_t fsync_request_id; -+ - /* State variables used in libssh2_sftp_readdir() */ - libssh2_nonblocking_states readdir_state; - unsigned char *readdir_packet; --- -1.8.1.4 - diff --git a/SOURCES/0004-libssh2-1.8.0-CVE-2019-3858.patch b/SOURCES/0004-libssh2-1.8.0-CVE-2019-3858.patch new file mode 100644 index 0000000..04914c5 --- /dev/null +++ b/SOURCES/0004-libssh2-1.8.0-CVE-2019-3858.patch @@ -0,0 +1,30 @@ +From f06cf3a20dc3f54b7a9fc8127eb7719462caab39 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 19 Mar 2019 13:32:05 +0100 +Subject: [PATCH] Resolves: CVE-2019-3858 - fix zero-byte allocation + +... with a specially crafted SFTP packet leading to an out-of-bounds read + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch +--- + src/sftp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/sftp.c b/src/sftp.c +index 7c44116..65cef85 100644 +--- a/src/sftp.c ++++ b/src/sftp.c +@@ -345,6 +345,10 @@ sftp_packet_read(LIBSSH2_SFTP *sftp) + return _libssh2_error(session, + LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED, + "SFTP packet too large"); ++ if (sftp->partial_len == 0) ++ return _libssh2_error(session, ++ LIBSSH2_ERROR_ALLOC, ++ "Unable to allocate empty SFTP packet"); + + _libssh2_debug(session, LIBSSH2_TRACE_SFTP, + "Data begin - Packet Length: %lu", +-- +2.17.2 + diff --git a/SOURCES/0004-partially-revert-window_size-explicit-adjustments-on.patch b/SOURCES/0004-partially-revert-window_size-explicit-adjustments-on.patch deleted file mode 100644 index fe7751a..0000000 --- a/SOURCES/0004-partially-revert-window_size-explicit-adjustments-on.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 9e56b84c41efcaf3349f82a93c3dc854e172e5c4 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 9 Aug 2013 16:22:08 +0200 -Subject: [PATCH 4/5] partially revert "window_size: explicit adjustments only" - -This partially reverts commit 03ca9020756a4e16f0294e5b35e9826ee6af2364 -in order to fix extreme slowdown when uploading to localhost via SFTP. - -I was able to repeat the issue on RHEL-7 on localhost only. It did not -occur when uploading via network and it did not occur on a RHEL-6 box -with the same version of libssh2. - -The problem was that sftp_read() used a read-ahead logic to figure out -the window_size, but sftp_packet_read() called indirectly from -sftp_write() did not use any read-ahead logic. ---- - src/channel.c | 29 +++++++++++++++++++++++++++++ - 1 files changed, 29 insertions(+), 0 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 4f41e1f..d4ffdce 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1759,6 +1759,15 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - channel->read_state = libssh2_NB_state_created; - } - -+ /* -+ * =============================== NOTE =============================== -+ * I know this is very ugly and not a really good use of "goto", but -+ * this case statement would be even uglier to do it any other way -+ */ -+ if (channel->read_state == libssh2_NB_state_jump1) { -+ goto channel_read_window_adjust; -+ } -+ - rc = 1; /* set to >0 to let the while loop start */ - - /* Process all pending incoming packets in all states in order to "even -@@ -1867,6 +1876,26 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - more off the network again */ - channel->read_state = libssh2_NB_state_created; - -+ if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) { -+ /* the window is getting too narrow, expand it! */ -+ -+ channel_read_window_adjust: -+ channel->read_state = libssh2_NB_state_jump1; -+ /* the actual window adjusting may not finish so we need to deal with -+ this special state here */ -+ rc = _libssh2_channel_receive_window_adjust(channel, -+ (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), 0, NULL); -+ if (rc) -+ return rc; -+ -+ _libssh2_debug(session, LIBSSH2_TRACE_CONN, -+ "channel_read() filled %d adjusted %d", -+ bytes_read, buflen); -+ /* continue in 'created' state to drain the already read packages -+ first before starting to empty the socket further */ -+ channel->read_state = libssh2_NB_state_created; -+ } -+ - return bytes_read; - } - --- -1.7.1 - diff --git a/SOURCES/0005-channel.c-fix-a-use-after-free.patch b/SOURCES/0005-channel.c-fix-a-use-after-free.patch deleted file mode 100644 index 8fa0a05..0000000 --- a/SOURCES/0005-channel.c-fix-a-use-after-free.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 96e1078fced70e39e4163857ad8345ae9d24573f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 14 Aug 2013 17:37:00 +0200 -Subject: [PATCH 5/5] channel.c: fix a use after free - -Bug: https://trac.libssh2.org/ticket/268 ---- - src/channel.c | 2 -- - 1 files changed, 0 insertions(+), 2 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index d4ffdce..9f2c241 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -670,8 +670,6 @@ int _libssh2_channel_forward_cancel(LIBSSH2_LISTENER *listener) - - LIBSSH2_FREE(session, listener); - -- listener->chanFwdCncl_state = libssh2_NB_state_idle; -- - return 0; - } - --- -1.7.1 - diff --git a/SOURCES/0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch b/SOURCES/0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch deleted file mode 100644 index 4389e5e..0000000 --- a/SOURCES/0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch +++ /dev/null @@ -1,45 +0,0 @@ -From d0a263ef805244245afd9b709bdd3dc733113a6c Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sat, 7 Sep 2013 13:41:14 +0200 -Subject: [PATCH 06/11] _libssh2_channel_write: client spins on write when window full - -When there's no window to "write to", there's no point in waiting for -the socket to become writable since it most likely just will continue to -be. - -Patch-by: ncm -Fixes #258 - -[upstream commit e6c46cc249227de7b7cd136d72eded5dcb3f9381] - -Signed-off-by: Kamil Dudka ---- - src/channel.c | 10 +++++++++- - 1 files changed, 9 insertions(+), 1 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 9f2c241..74262d8 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -2039,9 +2039,17 @@ _libssh2_channel_write(LIBSSH2_CHANNEL *channel, int stream_id, - if((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN)) - return rc; - -- if(channel->local.window_size <= 0) -+ if(channel->local.window_size <= 0) { - /* there's no room for data so we stop */ -+ -+ /* Waiting on the socket to be writable would be wrong because we -+ * would be back here immediately, but a readable socket might -+ * herald an incoming window adjustment. -+ */ -+ session->socket_block_directions = LIBSSH2_SESSION_BLOCK_INBOUND; -+ - return (rc==LIBSSH2_ERROR_EAGAIN?rc:0); -+ } - - channel->write_bufwrite = buflen; - --- -1.7.1 - diff --git a/SOURCES/0007-libssh2-1.8.0-CVE-2019-3861.patch b/SOURCES/0007-libssh2-1.8.0-CVE-2019-3861.patch new file mode 100644 index 0000000..d40bb71 --- /dev/null +++ b/SOURCES/0007-libssh2-1.8.0-CVE-2019-3861.patch @@ -0,0 +1,28 @@ +From 77bc71f4ca2949a11110092034dd0705faa6d7b5 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 19 Mar 2019 13:43:34 +0100 +Subject: [PATCH] Resolves: CVE-2019-3861 - fix out-of-bounds reads with + specially crafted SSH packets + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch +--- + src/transport.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/transport.c b/src/transport.c +index 5349284..6224c4f 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -442,6 +442,9 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + } + + p->padding_length = block[4]; ++ if ( p->padding_length > p->packet_length - 1 ) { ++ return LIBSSH2_ERROR_DECRYPT; ++ } + + /* total_num is the number of bytes following the initial + (5 bytes) packet length and padding length fields */ +-- +2.17.2 + diff --git a/SOURCES/0007-window_size-redid-window-handling-for-flow-control-r.patch b/SOURCES/0007-window_size-redid-window-handling-for-flow-control-r.patch deleted file mode 100644 index 64b7607..0000000 --- a/SOURCES/0007-window_size-redid-window-handling-for-flow-control-r.patch +++ /dev/null @@ -1,146 +0,0 @@ -From 8af6637d86b6a85e8889c286f7ff3d841fc5621c Mon Sep 17 00:00:00 2001 -From: Salvador Fandino -Date: Sat, 12 Oct 2013 02:51:46 +0200 -Subject: [PATCH 07/11] window_size: redid window handling for flow control reasons - -Until now, the window size (channel->remote.window_size) was being -updated just after receiving the packet from the transport layer. - -That behaviour is wrong because the channel queue may grow uncontrolled -when data arrives from the network faster that the upper layer consumes -it. - -This patch adds a new counter, read_avail, which keeps a count of the -bytes available from the packet queue for reading. Also, now the window -size is adjusted when the data is actually read by an upper layer. - -That way, if the upper layer stops reading data, the window will -eventually fill and the remote host will stop sending data. When the -upper layers reads enough data, a window adjust packet is delivered and -the transfer resumes. - -The read_avail counter is used to detect the situation when the remote -server tries to send data surpassing the window size. In that case, the -extra data is discarded. - -Signed-off-by: Salvador - -[upstream commit cdeef54967ed5b7d5bd8fa6da5851aa3d173faa0] -Signed-off-by: Kamil Dudka ---- - src/channel.c | 8 +++++++- - src/libssh2_priv.h | 2 ++ - src/packet.c | 35 ++++++++++++++++++++++++++++------- - 3 files changed, 37 insertions(+), 8 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 74262d8..499d815 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1411,6 +1411,9 @@ _libssh2_channel_flush(LIBSSH2_CHANNEL *channel, int streamid) - channel->flush_state = libssh2_NB_state_created; - } - -+ channel->read_avail -= channel->flush_flush_bytes; -+ channel->remote.window_size -= channel->flush_flush_bytes; -+ - if (channel->flush_refund_bytes) { - int rc; - -@@ -1868,11 +1871,14 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - /* if the transport layer said EAGAIN then we say so as well */ - return _libssh2_error(session, rc, "would block"); - } -- else -+ else { -+ channel->read_avail -= bytes_read; -+ channel->remote.window_size -= bytes_read; - /* make sure we remain in the created state to focus on emptying the - data we already have in the packet brigade before we try to read - more off the network again */ - channel->read_state = libssh2_NB_state_created; -+ } - - if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) { - /* the window is getting too narrow, expand it! */ -diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h -index 4ec9f73..fcf4370 100644 ---- a/src/libssh2_priv.h -+++ b/src/libssh2_priv.h -@@ -357,6 +357,8 @@ struct _LIBSSH2_CHANNEL - libssh2_channel_data local, remote; - /* Amount of bytes to be refunded to receive window (but not yet sent) */ - uint32_t adjust_queue; -+ /* Data immediately available for reading */ -+ uint32_t read_avail; - - LIBSSH2_SESSION *session; - -diff --git a/src/packet.c b/src/packet.c -index bfbd56a..d2e758c 100644 ---- a/src/packet.c -+++ b/src/packet.c -@@ -653,6 +653,18 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - _libssh2_debug(session, LIBSSH2_TRACE_CONN, - "Ignoring extended data and refunding %d bytes", - (int) (datalen - 13)); -+ if (channelp->read_avail + datalen - data_head >= -+ channelp->remote.window_size) -+ datalen = channelp->remote.window_size - -+ channelp->read_avail + data_head; -+ -+ channelp->remote.window_size -= datalen - data_head; -+ _libssh2_debug(session, LIBSSH2_TRACE_CONN, -+ "shrinking window size by %lu bytes to %lu, read_avail %lu", -+ datalen - data_head, -+ channelp->remote.window_size, -+ channelp->read_avail); -+ - session->packAdd_channelp = channelp; - - /* Adjust the window based on the block we just freed */ -@@ -684,7 +696,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - " to receive, truncating"); - datalen = channelp->remote.packet_size + data_head; - } -- if (channelp->remote.window_size <= 0) { -+ if (channelp->remote.window_size <= channelp->read_avail) { - /* - * Spec says we MAY ignore bytes sent beyond - * window_size -@@ -700,17 +712,26 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - /* Reset EOF status */ - channelp->remote.eof = 0; - -- if ((datalen - data_head) > channelp->remote.window_size) { -+ if (channelp->read_avail + datalen - data_head > -+ channelp->remote.window_size) { - _libssh2_error(session, - LIBSSH2_ERROR_CHANNEL_WINDOW_EXCEEDED, - "Remote sent more data than current " - "window allows, truncating"); -- datalen = channelp->remote.window_size + data_head; -- channelp->remote.window_size = 0; -+ datalen = channelp->remote.window_size - -+ channelp->read_avail + data_head; - } -- else -- /* Now that we've received it, shrink our window */ -- channelp->remote.window_size -= datalen - data_head; -+ -+ /* Update the read_avail counter. The window size will be -+ * updated once the data is actually read from the queue -+ * from an upper layer */ -+ channelp->read_avail += datalen - data_head; -+ -+ _libssh2_debug(session, LIBSSH2_TRACE_CONN, -+ "increasing read_avail by %lu bytes to %lu/%lu", -+ (long)(datalen - data_head), -+ (long)channelp->read_avail, -+ (long)channelp->remote.window_size); - - break; - --- -1.7.1 - diff --git a/SOURCES/0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch b/SOURCES/0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch deleted file mode 100644 index f06b7ad..0000000 --- a/SOURCES/0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch +++ /dev/null @@ -1,140 +0,0 @@ -From cae2385ba898f71038ed4dd00ddae02f85e588e7 Mon Sep 17 00:00:00 2001 -From: Salvador -Date: Tue, 15 Oct 2013 11:45:10 +0200 -Subject: [PATCH 08/11] _libssh2_channel_read: fix data drop when out of window - -After filling the read buffer with data from the read queue, when the -window size was too small, "libssh2_channel_receive_window_adjust" was -called to increase it. In non-blocking mode that function could return -EAGAIN and, in that case, the EAGAIN was propagated upwards and the data -already read on the buffer lost. - -The function was also moving between the two read states -"libssh2_NB_state_idle" and "libssh2_NB_state_created" both of which -behave in the same way (excepting a debug statment). - -This commit modifies "_libssh2_channel_read" so that the -"libssh2_channel_receive_window_adjust" call is performed first (when -required) and if everything goes well, then it reads the data from the -queued packets into the read buffer. - -It also removes the useless "libssh2_NB_state_created" read state. - -Some rotted comments have also been updated. - -Signed-off-by: Salvador - -[upstream commit 27f9ac2549b7721cf9d857022c0e7a311830b367] -Signed-off-by: Kamil Dudka ---- - src/channel.c | 75 +++++++++++++++++++-------------------------------------- - 1 files changed, 25 insertions(+), 50 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 499d815..82f6980 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1751,31 +1751,33 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - LIBSSH2_PACKET *read_packet; - LIBSSH2_PACKET *read_next; - -- if (channel->read_state == libssh2_NB_state_idle) { -- _libssh2_debug(session, LIBSSH2_TRACE_CONN, -- "channel_read() wants %d bytes from channel %lu/%lu " -- "stream #%d", -- (int) buflen, channel->local.id, channel->remote.id, -- stream_id); -- channel->read_state = libssh2_NB_state_created; -- } -+ _libssh2_debug(session, LIBSSH2_TRACE_CONN, -+ "channel_read() wants %d bytes from channel %lu/%lu " -+ "stream #%d", -+ (int) buflen, channel->local.id, channel->remote.id, -+ stream_id); - -- /* -- * =============================== NOTE =============================== -- * I know this is very ugly and not a really good use of "goto", but -- * this case statement would be even uglier to do it any other way -- */ -- if (channel->read_state == libssh2_NB_state_jump1) { -- goto channel_read_window_adjust; -- } -+ /* expand the receiving window first if it has become too narrow */ -+ if((channel->read_state == libssh2_NB_state_jump1) || -+ (channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30))) { -+ -+ /* the actual window adjusting may not finish so we need to deal with -+ this special state here */ -+ channel->read_state = libssh2_NB_state_jump1; -+ rc = _libssh2_channel_receive_window_adjust(channel, -+ (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), -+ 0, NULL); -+ if (rc) -+ return rc; - -- rc = 1; /* set to >0 to let the while loop start */ -+ channel->read_state = libssh2_NB_state_idle; -+ } - -- /* Process all pending incoming packets in all states in order to "even -- out" the network readings. Tests prove that this way produces faster -- transfers. */ -- while (rc > 0) -+ /* Process all pending incoming packets. Tests prove that this way -+ produces faster transfers. */ -+ do { - rc = _libssh2_transport_read(session); -+ } while (rc > 0); - - if ((rc < 0) && (rc != LIBSSH2_ERROR_EAGAIN)) - return _libssh2_error(session, rc, "transport read"); -@@ -1857,8 +1859,6 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - } - - if (!bytes_read) { -- channel->read_state = libssh2_NB_state_idle; -- - /* If the channel is already at EOF or even closed, we need to signal - that back. We may have gotten that info while draining the incoming - transport layer until EAGAIN so we must not be fooled by that -@@ -1871,34 +1871,9 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - /* if the transport layer said EAGAIN then we say so as well */ - return _libssh2_error(session, rc, "would block"); - } -- else { -- channel->read_avail -= bytes_read; -- channel->remote.window_size -= bytes_read; -- /* make sure we remain in the created state to focus on emptying the -- data we already have in the packet brigade before we try to read -- more off the network again */ -- channel->read_state = libssh2_NB_state_created; -- } -- -- if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) { -- /* the window is getting too narrow, expand it! */ -- -- channel_read_window_adjust: -- channel->read_state = libssh2_NB_state_jump1; -- /* the actual window adjusting may not finish so we need to deal with -- this special state here */ -- rc = _libssh2_channel_receive_window_adjust(channel, -- (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), 0, NULL); -- if (rc) -- return rc; - -- _libssh2_debug(session, LIBSSH2_TRACE_CONN, -- "channel_read() filled %d adjusted %d", -- bytes_read, buflen); -- /* continue in 'created' state to drain the already read packages -- first before starting to empty the socket further */ -- channel->read_state = libssh2_NB_state_created; -- } -+ channel->read_avail -= bytes_read; -+ channel->remote.window_size -= bytes_read; - - return bytes_read; - } --- -1.7.1 - diff --git a/SOURCES/0008-libssh2-1.8.0-CVE-2019-3862.patch b/SOURCES/0008-libssh2-1.8.0-CVE-2019-3862.patch index d25f99b..f1632a5 100644 --- a/SOURCES/0008-libssh2-1.8.0-CVE-2019-3862.patch +++ b/SOURCES/0008-libssh2-1.8.0-CVE-2019-3862.patch @@ -14,7 +14,7 @@ diff --git a/src/packet.c b/src/packet.c index aa10633..c950b5d 100644 --- a/src/packet.c +++ b/src/packet.c -@@ -774,8 +774,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, uint32_t len = _libssh2_ntohu32(data + 5); unsigned char want_reply = 1; @@ -25,7 +25,7 @@ index aa10633..c950b5d 100644 _libssh2_debug(session, LIBSSH2_TRACE_CONN, -@@ -783,6 +783,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, channel, len, data + 9, want_reply); if (len == sizeof("exit-status") - 1 @@ -33,7 +33,7 @@ index aa10633..c950b5d 100644 && !memcmp("exit-status", data + 9, sizeof("exit-status") - 1)) { -@@ -791,7 +792,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, channelp = _libssh2_channel_locate(session, channel); @@ -42,7 +42,7 @@ index aa10633..c950b5d 100644 channelp->exit_status = _libssh2_ntohu32(data + 9 + sizeof("exit-status")); _libssh2_debug(session, LIBSSH2_TRACE_CONN, -@@ -804,13 +805,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +@@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, } else if (len == sizeof("exit-signal") - 1 @@ -58,7 +58,7 @@ index aa10633..c950b5d 100644 /* set signal name (without SIG prefix) */ uint32_t namelen = _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); -@@ -826,9 +828,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, +@@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, if (!channelp->exit_signal) rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, "memory for signal name"); diff --git a/SOURCES/0009-_libssh2_channel_read-Honour-window_size_initial.patch b/SOURCES/0009-_libssh2_channel_read-Honour-window_size_initial.patch deleted file mode 100644 index eea48df..0000000 --- a/SOURCES/0009-_libssh2_channel_read-Honour-window_size_initial.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 5c14f0e6ecfe73da86d3ad20edd60c4756037935 Mon Sep 17 00:00:00 2001 -From: Salvador -Date: Wed, 16 Oct 2013 13:31:31 +0200 -Subject: [PATCH 09/11] _libssh2_channel_read: Honour window_size_initial - -_libssh2_channel_read was using an arbitrary hard-coded limit to trigger -the window adjusting code. The adjustment used was also hard-coded and -arbitrary, 15MB actually, which would limit the usability of libssh2 on -systems with little RAM. - -This patch, uses the window_size parameter passed to -libssh2_channel_open_ex (stored as remote.window_size_initial) plus the -buflen as the base for the trigger and the adjustment calculation. - -The memory usage when using the default window size is reduced from 22MB -to 256KB per channel (actually, if compression is used, these numbers -should be incremented by ~50% to account for the errors between the -decompressed packet sizes and the predicted sizes). - -My tests indicate that this change does not impact the performance of -transfers across localhost or a LAN, being it on par with that of -OpenSSH. On the other hand, it will probably slow down transfers on -networks with high bandwidth*delay when the default window size -(LIBSSH2_CHANNEL_WINDOW_DEFAULT=256KB) is used. - -Signed-off-by: Salvador Fandino - -[upstream commit 1b3307dda0c58d9023a657747592ac86703b1ff4] -Signed-off-by: Kamil Dudka ---- - src/channel.c | 11 +++++++---- - 1 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 82f6980..36c75d2 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1758,14 +1758,17 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - stream_id); - - /* expand the receiving window first if it has become too narrow */ -- if((channel->read_state == libssh2_NB_state_jump1) || -- (channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30))) { -+ if( (channel->read_state == libssh2_NB_state_jump1) || -+ (channel->remote.window_size < channel->remote.window_size_initial / 4 * 3 + buflen) ) { -+ -+ uint32_t adjustment = channel->remote.window_size_initial + buflen - channel->remote.window_size; -+ if (adjustment < LIBSSH2_CHANNEL_MINADJUST) -+ adjustment = LIBSSH2_CHANNEL_MINADJUST; - - /* the actual window adjusting may not finish so we need to deal with - this special state here */ - channel->read_state = libssh2_NB_state_jump1; -- rc = _libssh2_channel_receive_window_adjust(channel, -- (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), -+ rc = _libssh2_channel_receive_window_adjust(channel, adjustment, - 0, NULL); - if (rc) - return rc; --- -1.7.1 - diff --git a/SOURCES/0009-libssh2-1.8.0-CVE-2019-3863.patch b/SOURCES/0009-libssh2-1.8.0-CVE-2019-3863.patch index db3ab3c..77615fd 100644 --- a/SOURCES/0009-libssh2-1.8.0-CVE-2019-3863.patch +++ b/SOURCES/0009-libssh2-1.8.0-CVE-2019-3863.patch @@ -15,9 +15,9 @@ diff --git a/src/userauth.c b/src/userauth.c index 3946cf9..ee924c5 100644 --- a/src/userauth.c +++ b/src/userauth.c -@@ -1578,8 +1578,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, +@@ -1808,8 +1808,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, - for(i = 0; i != session->userauth_kybd_num_prompts; ++i) { + for(i = 0; i < session->userauth_kybd_num_prompts; i++) { /* string response[1] (ISO-10646 UTF-8) */ - session->userauth_kybd_packet_len += - 4 + session->userauth_kybd_responses[i].length; diff --git a/SOURCES/0010-Set-default-window-size-to-2MB.patch b/SOURCES/0010-Set-default-window-size-to-2MB.patch deleted file mode 100644 index 0b8f693..0000000 --- a/SOURCES/0010-Set-default-window-size-to-2MB.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 0a758095c40ae1b32dc5052a706a16c2d9ac5742 Mon Sep 17 00:00:00 2001 -From: Salvador Fandino -Date: Mon, 21 Oct 2013 11:58:55 +0200 -Subject: [PATCH 10/11] Set default window size to 2MB - -The default channel window size used until now was 256KB. This value is -too small and results on a bottleneck on real-life networks where -round-trip delays can easily reach 300ms. - -The issue was not visible because the configured channel window size -was being ignored and a hard-coded value of ~22MB being used instead, -but that was fixed on a previous commit. - -This patch just changes the default window size -(LIBSSH2_CHANNEL_WINDOW_DEFAULT) to 2MB. It is the same value used by -OpenSSH and in our opinion represents a good compromise between memory -used and transfer speed. - -Performance tests were run to determine the optimum value. The details -and related discussion are available from the following thread on the -libssh2 mailing-list: - -http://www.libssh2.org/mail/libssh2-devel-archive-2013-10/0018.shtml -http://article.gmane.org/gmane.network.ssh.libssh2.devel/6543 - -An excerpt follows: - -"I have been running some transfer test and measuring their speed. - -My setup was composed of a quad-core Linux machine running Ubuntu 13.10 -x86_64 with a LXC container inside. The data transfers were performed -from the container to the host (never crossing through a physical -network device). - -Network delays were simulated using the tc tool. And ping was used to -verify that they worked as intended during the tests. - -The operation performed was the equivalent to the following ssh command: - - $ ssh container "dd bs=16K count=8K if=/dev/zero" >/dev/null - -Though, establishment and closing of the SSH connection was excluded -from the timings. - -I run the tests several times transferring files of sizes up to 128MB -and the results were consistent between runs. - -The results corresponding to the 128MB transfer are available here: - -https://docs.google.com/spreadsheet/ccc?key=0Ao1yRmX6PQQzdG5wSFlrZl9HRWNET3ZyN0hnaGo5ZFE&usp=sharing - -It clearly shows that 256KB is too small as the default window size. -Moving to a 512MB generates a great improvement and after the 1MB mark -the returns rapidly diminish. Other factors (TCP window size, probably) -become more limiting than the channel window size - -For comparison I also performed the same transfers using OpenSSH. Its -speed is usually on par with that of libssh2 using a window size of 1MB -(even if it uses a 2MB window, maybe it is less aggressive sending the -window adjust msgs)." - -Signed-off-by: Salvador Fandino - -[upstream commit 85a827d1bceb9abd4442f225dd7c65ef5cefdc32] -Signed-off-by: Kamil Dudka ---- - include/libssh2.h | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/include/libssh2.h b/include/libssh2.h -index 9b1a6e1..df873fc 100644 ---- a/include/libssh2.h -+++ b/include/libssh2.h -@@ -587,7 +587,7 @@ LIBSSH2_API int libssh2_poll(LIBSSH2_POLLFD *fds, unsigned int nfds, - long timeout); - - /* Channel API */ --#define LIBSSH2_CHANNEL_WINDOW_DEFAULT (256*1024) -+#define LIBSSH2_CHANNEL_WINDOW_DEFAULT (2*1024*1024) - #define LIBSSH2_CHANNEL_PACKET_DEFAULT 32768 - #define LIBSSH2_CHANNEL_MINADJUST 1024 - --- -1.7.1 - diff --git a/SOURCES/0011-channel_receive_window_adjust-store-windows-size-alw.patch b/SOURCES/0011-channel_receive_window_adjust-store-windows-size-alw.patch deleted file mode 100644 index b14f844..0000000 --- a/SOURCES/0011-channel_receive_window_adjust-store-windows-size-alw.patch +++ /dev/null @@ -1,66 +0,0 @@ -From baadc811a703b9a6dec655c7afb3218d8cff51fa Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sun, 16 Mar 2014 20:02:37 +0100 -Subject: [PATCH 11/11] channel_receive_window_adjust: store windows size always - -Avoid it sometimes returning without storing it, leaving calling -functions with unknown content! - -Detected by clang-analyzer - -[upstream commit fcb601da7b37c6e9bbcd264199597e2ddb7bc347] - -Signed-off-by: Kamil Dudka ---- - src/channel.c | 11 ++++------- - 1 files changed, 4 insertions(+), 7 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 36c75d2..1d074df 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1,6 +1,6 @@ - /* Copyright (c) 2004-2007 Sara Golemon - * Copyright (c) 2005 Mikhail Gusarov -- * Copyright (c) 2008-2011 by Daniel Stenberg -+ * Copyright (c) 2008-2014 by Daniel Stenberg - * - * All rights reserved. - * -@@ -1544,6 +1544,9 @@ _libssh2_channel_receive_window_adjust(LIBSSH2_CHANNEL * channel, - { - int rc; - -+ if(store) -+ *store = channel->remote.window_size; -+ - if (channel->adjust_state == libssh2_NB_state_idle) { - if (!force - && (adjustment + channel->adjust_queue < -@@ -1553,14 +1556,10 @@ _libssh2_channel_receive_window_adjust(LIBSSH2_CHANNEL * channel, - "for channel %lu/%lu", - adjustment, channel->local.id, channel->remote.id); - channel->adjust_queue += adjustment; -- if(store) -- *store = channel->remote.window_size; - return 0; - } - - if (!adjustment && !channel->adjust_queue) { -- if(store) -- *store = channel->remote.window_size; - return 0; - } - -@@ -1598,8 +1597,6 @@ _libssh2_channel_receive_window_adjust(LIBSSH2_CHANNEL * channel, - - channel->adjust_state = libssh2_NB_state_idle; - -- if(store) -- *store = channel->remote.window_size; - return 0; - } - --- -1.7.1 - diff --git a/SOURCES/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch b/SOURCES/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch deleted file mode 100644 index 48a62e8..0000000 --- a/SOURCES/0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch +++ /dev/null @@ -1,31 +0,0 @@ -From a958624be229315ab57017040ef15c5ae072d1ac Mon Sep 17 00:00:00 2001 -From: Matthias Kerestesch -Date: Sat, 18 May 2013 23:01:35 +0200 -Subject: [PATCH] libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET - -... previously it was left at 0 which is a valid file descriptor! - -Bug: https://trac.libssh2.org/ticket/265 - -Fixes #265 - -Upstream-commit: 1ad20ac7d3e21d091e7cfec58fda0afdc359360a ---- - src/agent.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/agent.c b/src/agent.c -index 1c65149..a8a5025 100644 ---- a/src/agent.c -+++ b/src/agent.c -@@ -652,6 +652,7 @@ libssh2_agent_init(LIBSSH2_SESSION *session) - return NULL; - } - memset(agent, 0, sizeof *agent); -+ agent->fd = LIBSSH2_INVALID_SOCKET; - agent->session = session; - _libssh2_list_init(&agent->head); - --- -2.1.0 - diff --git a/SOURCES/0013-kex-bail-out-on-rubbish-in-the-incoming-packet.patch b/SOURCES/0013-kex-bail-out-on-rubbish-in-the-incoming-packet.patch deleted file mode 100644 index 6ebca01..0000000 --- a/SOURCES/0013-kex-bail-out-on-rubbish-in-the-incoming-packet.patch +++ /dev/null @@ -1,109 +0,0 @@ -From d62ed72daacc95e75bd0a617af9e4d88829b2e77 Mon Sep 17 00:00:00 2001 -From: Mariusz Ziulek -Date: Sat, 21 Feb 2015 23:31:36 +0100 -Subject: [PATCH] kex: bail out on rubbish in the incoming packet - -CVE-2015-1782 - -Bug: http://www.libssh2.org/adv_20150311.html - -Upstream-commit: 7d94b69b802c03e8d7726f4ae61baba52cb7d871 -Signed-off-by: Kamil Dudka ---- - src/kex.c | 73 +++++++++++++++++++++++++++++++++++---------------------------- - 1 file changed, 41 insertions(+), 32 deletions(-) - -diff --git a/src/kex.c b/src/kex.c -index fa4c4e1..ad7498a 100644 ---- a/src/kex.c -+++ b/src/kex.c -@@ -1549,6 +1549,30 @@ static int kex_agree_comp(LIBSSH2_SESSION *session, - * The Client gets to make the final call on "agreed methods" - */ - -+/* -+ * kex_string_pair() extracts a string from the packet and makes sure it fits -+ * within the given packet. -+ */ -+static int kex_string_pair(unsigned char **sp, /* parsing position */ -+ unsigned char *data, /* start pointer to packet */ -+ size_t data_len, /* size of total packet */ -+ size_t *lenp, /* length of the string */ -+ unsigned char **strp) /* pointer to string start */ -+{ -+ unsigned char *s = *sp; -+ *lenp = _libssh2_ntohu32(s); -+ -+ /* the length of the string must fit within the current pointer and the -+ end of the packet */ -+ if (*lenp > (data_len - (s - data) -4)) -+ return 1; -+ *strp = s + 4; -+ s += 4 + *lenp; -+ -+ *sp = s; -+ return 0; -+} -+ - /* kex_agree_methods - * Decide which specific method to use of the methods offered by each party - */ -@@ -1568,38 +1592,23 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data, - s += 16; - - /* Locate each string */ -- kex_len = _libssh2_ntohu32(s); -- kex = s + 4; -- s += 4 + kex_len; -- hostkey_len = _libssh2_ntohu32(s); -- hostkey = s + 4; -- s += 4 + hostkey_len; -- crypt_cs_len = _libssh2_ntohu32(s); -- crypt_cs = s + 4; -- s += 4 + crypt_cs_len; -- crypt_sc_len = _libssh2_ntohu32(s); -- crypt_sc = s + 4; -- s += 4 + crypt_sc_len; -- mac_cs_len = _libssh2_ntohu32(s); -- mac_cs = s + 4; -- s += 4 + mac_cs_len; -- mac_sc_len = _libssh2_ntohu32(s); -- mac_sc = s + 4; -- s += 4 + mac_sc_len; -- comp_cs_len = _libssh2_ntohu32(s); -- comp_cs = s + 4; -- s += 4 + comp_cs_len; -- comp_sc_len = _libssh2_ntohu32(s); -- comp_sc = s + 4; --#if 0 -- s += 4 + comp_sc_len; -- lang_cs_len = _libssh2_ntohu32(s); -- lang_cs = s + 4; -- s += 4 + lang_cs_len; -- lang_sc_len = _libssh2_ntohu32(s); -- lang_sc = s + 4; -- s += 4 + lang_sc_len; --#endif -+ if(kex_string_pair(&s, data, data_len, &kex_len, &kex)) -+ return -1; -+ if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey)) -+ return -1; -+ if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs)) -+ return -1; -+ if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc)) -+ return -1; -+ if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs)) -+ return -1; -+ if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc)) -+ return -1; -+ if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs)) -+ return -1; -+ if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc)) -+ return -1; -+ - /* If the server sent an optimistic packet, assume that it guessed wrong. - * If the guess is determined to be right (by kex_agree_kex_hostkey) - * This flag will be reset to zero so that it's not ignored */ --- -2.4.2 - diff --git a/SOURCES/0014-libssh2-1.4.3-scp-remote-exec.patch b/SOURCES/0014-libssh2-1.4.3-scp-remote-exec.patch index 96040bc..971a7c9 100644 --- a/SOURCES/0014-libssh2-1.4.3-scp-remote-exec.patch +++ b/SOURCES/0014-libssh2-1.4.3-scp-remote-exec.patch @@ -1,220 +1,7 @@ -From 3893140b1ff88d70407d5ab902022ab36d7305d7 Mon Sep 17 00:00:00 2001 -From: Marc Hoersken -Date: Mon, 23 Mar 2015 22:47:46 +0100 -Subject: [PATCH 1/5] scp.c: fix that scp_send may transmit not initialised - memory - -Fixes ticket 244. Thanks Torsten. - -Upstream-commit: b99204f2896b0cdafa3ecc0736f0252ce44c32c7 -Signed-off-by: Kamil Dudka ---- - src/scp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/scp.c b/src/scp.c -index 63d181e..2f92804 100644 ---- a/src/scp.c -+++ b/src/scp.c -@@ -801,12 +801,18 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode, - - cmd_len = strlen((char *)session->scpSend_command); - -+ memset(&session->scpSend_command[cmd_len], 0, -+ session->scpSend_command_len - cmd_len); -+ - (void)shell_quotearg(path, - &session->scpSend_command[cmd_len], - session->scpSend_command_len - cmd_len); - - session->scpSend_command[session->scpSend_command_len - 1] = '\0'; - -+ session->scpSend_command_len = -+ strlen((char *)session->scpSend_command); -+ - _libssh2_debug(session, LIBSSH2_TRACE_SCP, - "Opening channel for SCP send"); - /* Allocate a channel */ --- -2.13.5 - - -From 2ecb8c5d6e116fcc71a31360115c9c2b4b0ca1d2 Mon Sep 17 00:00:00 2001 -From: Marc Hoersken -Date: Mon, 23 Mar 2015 23:04:24 +0100 -Subject: [PATCH 2/5] scp.c: fix that scp_recv may transmit not initialised - memory - -Upstream-commit: 1e7988cb0d8dae32148b04dd93e919a770599f30 -Signed-off-by: Kamil Dudka ---- - src/scp.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/scp.c b/src/scp.c -index 2f92804..d0c0d26 100644 ---- a/src/scp.c -+++ b/src/scp.c -@@ -299,10 +299,17 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, struct stat * sb) - - cmd_len = strlen((char *)session->scpRecv_command); - -+ memset(&session->scpRecv_command[cmd_len], 0, -+ session->scpRecv_command_len - cmd_len); -+ - (void) shell_quotearg(path, - &session->scpRecv_command[cmd_len], - session->scpRecv_command_len - cmd_len); - -+ session->scpRecv_command[session->scpRecv_command_len - 1] = '\0'; -+ -+ session->scpRecv_command_len = -+ strlen((char *)session->scpRecv_command); - - _libssh2_debug(session, LIBSSH2_TRACE_SCP, - "Opening channel for SCP receive"); --- -2.13.5 - - -From 5b23e9e9875302791f5c190cf0e4f61fd9879ff0 Mon Sep 17 00:00:00 2001 -From: Marc Hoersken -Date: Mon, 23 Mar 2015 23:05:41 +0100 -Subject: [PATCH 3/5] scp.c: improved and streamlined formatting - -Upstream-commit: 2d59b41daa3925645a26e6406fc318e6c2bfaae6 -Signed-off-by: Kamil Dudka ---- - src/scp.c | 16 ++++++++++------ - 1 file changed, 10 insertions(+), 6 deletions(-) - -diff --git a/src/scp.c b/src/scp.c -index d0c0d26..30d46af 100644 ---- a/src/scp.c -+++ b/src/scp.c -@@ -295,16 +295,17 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, struct stat * sb) - } - - snprintf((char *)session->scpRecv_command, -- session->scpRecv_command_len, "scp -%sf ", sb?"p":""); -+ session->scpRecv_command_len, -+ "scp -%sf ", sb?"p":""); - - cmd_len = strlen((char *)session->scpRecv_command); - - memset(&session->scpRecv_command[cmd_len], 0, - session->scpRecv_command_len - cmd_len); - -- (void) shell_quotearg(path, -- &session->scpRecv_command[cmd_len], -- session->scpRecv_command_len - cmd_len); -+ (void)shell_quotearg(path, -+ &session->scpRecv_command[cmd_len], -+ session->scpRecv_command_len - cmd_len); - - session->scpRecv_command[session->scpRecv_command_len - 1] = '\0'; - -@@ -797,13 +798,16 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode, - - session->scpSend_command = - LIBSSH2_ALLOC(session, session->scpSend_command_len); -+ - if (!session->scpSend_command) { - _libssh2_error(session, LIBSSH2_ERROR_ALLOC, -- "Unable to allocate a command buffer for scp session"); -+ "Unable to allocate a command buffer for " -+ "SCP session"); - return NULL; - } - -- snprintf((char *)session->scpSend_command, session->scpSend_command_len, -+ snprintf((char *)session->scpSend_command, -+ session->scpSend_command_len, - "scp -%st ", (mtime || atime)?"p":""); - - cmd_len = strlen((char *)session->scpSend_command); --- -2.13.5 - - -From fc0d9df034e8701cdcf6c24fd40b1dbc8bc3e084 Mon Sep 17 00:00:00 2001 -From: Marc Hoersken -Date: Mon, 23 Mar 2015 23:17:31 +0100 -Subject: [PATCH 4/5] scp.c: improved command length calculation - -Reduced number of calls to strlen, because shell_quotearg already -returns the length of the resulting string (e.q. quoted path) -which we can add to the existing and known cmd_len. -Removed obsolete call to memset again, because we can put a final -NULL-byte at the end of the string using the calculated length. - -Upstream-commit: 3d3347c0625ce29b5581a0aa45e6e3be580769f1 -Signed-off-by: Kamil Dudka ---- - src/scp.c | 32 ++++++++++---------------------- - 1 file changed, 10 insertions(+), 22 deletions(-) - -diff --git a/src/scp.c b/src/scp.c -index 30d46af..f3d4995 100644 ---- a/src/scp.c -+++ b/src/scp.c -@@ -299,18 +299,12 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, struct stat * sb) - "scp -%sf ", sb?"p":""); - - cmd_len = strlen((char *)session->scpRecv_command); -+ cmd_len += shell_quotearg(path, -+ &session->scpRecv_command[cmd_len], -+ session->scpRecv_command_len - cmd_len); - -- memset(&session->scpRecv_command[cmd_len], 0, -- session->scpRecv_command_len - cmd_len); -- -- (void)shell_quotearg(path, -- &session->scpRecv_command[cmd_len], -- session->scpRecv_command_len - cmd_len); -- -- session->scpRecv_command[session->scpRecv_command_len - 1] = '\0'; -- -- session->scpRecv_command_len = -- strlen((char *)session->scpRecv_command); -+ session->scpRecv_command[cmd_len] = '\0'; -+ session->scpRecv_command_len = cmd_len + 1; - - _libssh2_debug(session, LIBSSH2_TRACE_SCP, - "Opening channel for SCP receive"); -@@ -811,18 +805,12 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode, - "scp -%st ", (mtime || atime)?"p":""); - - cmd_len = strlen((char *)session->scpSend_command); -+ cmd_len += shell_quotearg(path, -+ &session->scpSend_command[cmd_len], -+ session->scpSend_command_len - cmd_len); - -- memset(&session->scpSend_command[cmd_len], 0, -- session->scpSend_command_len - cmd_len); -- -- (void)shell_quotearg(path, -- &session->scpSend_command[cmd_len], -- session->scpSend_command_len - cmd_len); -- -- session->scpSend_command[session->scpSend_command_len - 1] = '\0'; -- -- session->scpSend_command_len = -- strlen((char *)session->scpSend_command); -+ session->scpSend_command[cmd_len] = '\0'; -+ session->scpSend_command_len = cmd_len + 1; - - _libssh2_debug(session, LIBSSH2_TRACE_SCP, - "Opening channel for SCP send"); --- -2.13.5 - - From 9506e299fa5116aa8c4c626e6de1feaed9ff9ff8 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 11 Sep 2017 21:13:45 +0200 -Subject: [PATCH 5/5] scp: do not NUL-terminate the command for remote exec - (#208) +Subject: [PATCH] scp: do not NUL-terminate the command for remote exec (#208) It breaks SCP download/upload from/to certain server implementations. @@ -234,7 +21,7 @@ diff --git a/src/scp.c b/src/scp.c index f3d4995..c6451bc 100644 --- a/src/scp.c +++ b/src/scp.c -@@ -303,8 +303,8 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, struct stat * sb) +@@ -303,8 +303,8 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, libssh2_struct_stat * sb) &session->scpRecv_command[cmd_len], session->scpRecv_command_len - cmd_len); @@ -245,7 +32,7 @@ index f3d4995..c6451bc 100644 _libssh2_debug(session, LIBSSH2_TRACE_SCP, "Opening channel for SCP receive"); -@@ -809,8 +809,8 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode, +@@ -845,8 +845,8 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode, &session->scpSend_command[cmd_len], session->scpSend_command_len - cmd_len); diff --git a/SOURCES/0015-libssh2-1.4.3-debug-msgs.patch b/SOURCES/0015-libssh2-1.4.3-debug-msgs.patch index 70f6596..034f337 100644 --- a/SOURCES/0015-libssh2-1.4.3-debug-msgs.patch +++ b/SOURCES/0015-libssh2-1.4.3-debug-msgs.patch @@ -21,7 +21,7 @@ diff --git a/src/session.c b/src/session.c index 9838d2b..62ef70d 100644 --- a/src/session.c +++ b/src/session.c -@@ -695,7 +695,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) +@@ -703,7 +703,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) if (session->startup_state == libssh2_NB_state_created) { rc = banner_send(session); @@ -32,7 +32,7 @@ index 9838d2b..62ef70d 100644 return _libssh2_error(session, rc, "Failed sending banner"); } -@@ -706,7 +708,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) +@@ -714,7 +716,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) if (session->startup_state == libssh2_NB_state_sent) { do { rc = banner_receive(session); @@ -43,7 +43,7 @@ index 9838d2b..62ef70d 100644 return _libssh2_error(session, rc, "Failed getting banner"); } while(strncmp("SSH-", (char *)session->remote.banner, 4)); -@@ -716,7 +720,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) +@@ -724,7 +728,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) if (session->startup_state == libssh2_NB_state_sent1) { rc = _libssh2_kex_exchange(session, 0, &session->startup_key_state); @@ -54,7 +54,7 @@ index 9838d2b..62ef70d 100644 return _libssh2_error(session, rc, "Unable to exchange encryption keys"); -@@ -741,7 +747,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) +@@ -749,7 +755,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) rc = _libssh2_transport_send(session, session->startup_service, sizeof("ssh-userauth") + 5 - 1, NULL, 0); diff --git a/SOURCES/0101-libssh2-1.4.3-CVE-2016-0787.patch b/SOURCES/0101-libssh2-1.4.3-CVE-2016-0787.patch deleted file mode 100644 index ec7b1b6..0000000 --- a/SOURCES/0101-libssh2-1.4.3-CVE-2016-0787.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 7046d670d3803d484b7af490e529dc4619145cc2 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 11 Feb 2016 13:52:20 +0100 -Subject: [PATCH] diffie_hellman_sha256: convert bytes to bits - -As otherwise we get far too small numbers. - -CVE-2016-0787 - -Signed-off-by: Kamil Dudka ---- - src/kex.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/kex.c b/src/kex.c -index 5649248..f12797c 100644 ---- a/src/kex.c -+++ b/src/kex.c -@@ -103,7 +103,7 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session, - memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t)); - - /* Generate x and e */ -- _libssh2_bn_rand(exchange_state->x, group_order, 0, -1); -+ _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1); - _libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p, - exchange_state->ctx); - --- -2.5.0 - diff --git a/SOURCES/libssh2-1.4.2-utf8.patch b/SOURCES/libssh2-1.4.2-utf8.patch deleted file mode 100644 index 9177691..0000000 --- a/SOURCES/libssh2-1.4.2-utf8.patch +++ /dev/null @@ -1,14 +0,0 @@ - NEWS | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - ---- libssh2/NEWS -+++ libssh2/NEWS -@@ -3552,7 +3552,7 @@ Simon Josefsson (16 Nov 2009) - - support arcfour128 cipher per RFC 4345 - - Daniel Stenberg (21 Oct 2009) --- [Cristian Rodríguez brought this change] -+- [Cristian Rodríguez brought this change] - - add support for GCC visibility features - diff --git a/SPECS/libssh2.spec b/SPECS/libssh2.spec index 6873bb3..302f94c 100644 --- a/SPECS/libssh2.spec +++ b/SPECS/libssh2.spec @@ -1,58 +1,43 @@ -# Fedora 10 onwards support noarch subpackages; by using one, we can -# put the arch-independent docs in a common subpackage and save lots -# of space on the mirrors -%if 0%{?fedora} > 9 || 0%{?rhel} > 5 -%global noarch_docs_package 1 -%else -%global noarch_docs_package 0 -%endif - -# Define %%{__isa_bits} for old releases -%{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} - Name: libssh2 -Version: 1.4.3 -Release: 12%{?dist}.3 +Version: 1.8.0 +Release: 3%{?dist} Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD URL: http://www.libssh2.org/ Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz -Patch0: libssh2-1.4.2-utf8.patch -Patch1: 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch -Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch -Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch -Patch4: 0004-partially-revert-window_size-explicit-adjustments-on.patch -Patch5: 0005-channel.c-fix-a-use-after-free.patch -Patch6: 0006-_libssh2_channel_write-client-spins-on-write-when-wi.patch -Patch7: 0007-window_size-redid-window-handling-for-flow-control-r.patch -Patch8: 0008-_libssh2_channel_read-fix-data-drop-when-out-of-wind.patch -Patch9: 0009-_libssh2_channel_read-Honour-window_size_initial.patch -Patch10: 0010-Set-default-window-size-to-2MB.patch -Patch11: 0011-channel_receive_window_adjust-store-windows-size-alw.patch -Patch12: 0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch -Patch13: 0013-kex-bail-out-on-rubbish-in-the-incoming-packet.patch # fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) -Patch201: 0001-libssh2-1.8.0-CVE-2019-3855.patch +Patch1: 0001-libssh2-1.8.0-CVE-2019-3855.patch # fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) -Patch202: 0002-libssh2-1.8.0-CVE-2019-3856.patch +Patch2: 0002-libssh2-1.8.0-CVE-2019-3856.patch # fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) -Patch203: 0003-libssh2-1.8.0-CVE-2019-3857.patch +Patch3: 0003-libssh2-1.8.0-CVE-2019-3857.patch + +# fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858) +Patch4: 0004-libssh2-1.8.0-CVE-2019-3858.patch + +# fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861) +Patch7: 0007-libssh2-1.8.0-CVE-2019-3861.patch # fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862) -Patch208: 0008-libssh2-1.8.0-CVE-2019-3862.patch +Patch8: 0008-libssh2-1.8.0-CVE-2019-3862.patch # fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863) -Patch209: 0009-libssh2-1.8.0-CVE-2019-3863.patch +Patch9: 0009-libssh2-1.8.0-CVE-2019-3863.patch Patch14: 0014-libssh2-1.4.3-scp-remote-exec.patch Patch15: 0015-libssh2-1.4.3-debug-msgs.patch -Patch101: 0101-libssh2-1.4.3-CVE-2016-0787.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) + +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: gcc +BuildRequires: make BuildRequires: openssl-devel +BuildRequires: sed BuildRequires: zlib-devel BuildRequires: /usr/bin/man @@ -60,10 +45,10 @@ BuildRequires: /usr/bin/man BuildRequires: openssh-server # We use matchpathcon to get the correct SELinux context for the ssh server # initialization script so that it can transition correctly in an SELinux -# environment; matchpathcon is only available from FC-4 and moved from the -# libselinux to libselinux-utils package in F-10 -%if (0%{?fedora} >= 4 || 0%{?rhel} >= 5) && !(0%{?fedora} >=17 || 0%{?rhel} >=7) -BuildRequires: /usr/sbin/matchpathcon selinux-policy-targeted +# environment +%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) +BuildRequires: libselinux-utils +BuildRequires: selinux-policy-targeted %endif %description @@ -75,7 +60,7 @@ SECSH-DHGEX(04), and SECSH-NUMBERS(10). %package devel Summary: Development files for libssh2 Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} Requires: pkgconfig %description devel @@ -86,9 +71,7 @@ developing applications that use libssh2. Summary: Documentation for libssh2 Group: Development/Libraries Requires: %{name} = %{version}-%{release} -%if %{noarch_docs_package} BuildArch: noarch -%endif %description docs The libssh2-docs package contains man pages and examples for @@ -96,48 +79,17 @@ developing applications that use libssh2. %prep %setup -q - -# Replace hard wired port number in the test suite to avoid collisions -# between 32-bit and 64-bit builds running on a single build-host -sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} - -# Make sure things are UTF-8... -%patch0 -p1 - -# Three upstream patches required for qemu ssh block driver. %patch1 -p1 %patch2 -p1 %patch3 -p1 - -# http://thread.gmane.org/gmane.network.ssh.libssh2.devel/6428 %patch4 -p1 - -# https://trac.libssh2.org/ticket/268 -%patch5 -p1 - -# Resolves: #1080459 - curl consumes too much memory during scp download -%patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 -%patch10 -p1 -%patch11 -p1 - -# prevent a not-connected agent from closing STDIN (#1147717) -%patch12 -p1 -# check length of data extracted from the SSH_MSG_KEXINIT packet (CVE-2015-1782) -%patch13 -p1 - -# use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787) -%patch101 -p1 - -# rhel-7.6.z patches -%patch201 -p1 -%patch202 -p1 -%patch203 -p1 -%patch208 -p1 -%patch209 -p1 +# Replace hard wired port number in the test suite to avoid collisions +# between 32-bit and 64-bit builds running on a single build-host +sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh} # scp: send valid commands for remote execution (#1489733) %patch14 -p1 @@ -153,7 +105,7 @@ chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} | %endif %build -%configure --disable-static --enable-shared +%configure --disable-silent-rules --disable-static --enable-shared make %{?_smp_mflags} # Avoid polluting libssh2.pc with linker options (#947813) @@ -162,17 +114,18 @@ sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc %install rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" -find %{buildroot} -name '*.la' -exec rm -f {} \; +find %{buildroot} -name '*.la' -delete # clean things up a bit for packaging make -C example clean rm -rf example/.deps -find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} \; +find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -delete # avoid multilib conflict on libssh2-devel mv -v example example.%{_arch} %check +echo "Running tests for %{_arch}" # The SSH test will fail if we don't have /dev/tty, as is the case in some # versions of mock (#672713) if [ ! -c /dev/tty ]; then @@ -184,6 +137,11 @@ fi echo Skipping SSH test on sparc/arm echo "exit 0" > tests/ssh2.sh %endif +# mansyntax check fails on PPC* and aarch64 with some strange locale error +%ifarch ppc %{power64} aarch64 +echo "Skipping mansyntax test on PPC* and aarch64" +echo "exit 0" > tests/mansyntax.sh +%endif make -C tests check %clean @@ -194,12 +152,12 @@ rm -rf %{buildroot} %postun -p /sbin/ldconfig %files -%doc AUTHORS ChangeLog COPYING README NEWS +%doc COPYING docs/AUTHORS README RELEASE-NOTES %{_libdir}/libssh2.so.1 %{_libdir}/libssh2.so.1.* %files docs -%doc HACKING +%doc docs/BINDINGS docs/HACKING docs/TODO NEWS %{_mandir}/man3/libssh2_*.3* %files devel @@ -211,18 +169,21 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog -* Mon May 27 2019 Kamil Dudka 1.4.3-12.el7_6.3 -- fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862) - -* Wed Mar 20 2019 Kamil Dudka 1.4.3-12.el7_6.2 +* Wed Mar 20 2019 Kamil Dudka 1.8.0-3 - sanitize public header file (detected by rpmdiff) -* Tue Mar 19 2019 Kamil Dudka 1.4.3-12.el7_6.1 +* Tue Mar 19 2019 Kamil Dudka 1.8.0-2 - fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863) +- fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862) +- fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861) +- fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858) - fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) - fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) - fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) +* Wed Nov 21 2018 Kamil Dudka 1.8.0-1 +- rebase to 1.8.0 (#1592784) + * Tue Sep 26 2017 Kamil Dudka 1.4.3-12 - session: avoid printing misleading debug messages (#1503294) - scp: send valid commands for remote execution (#1489733)