[PATCH core-updates] gnu: libssh2: Update to 1.10.0.

  • Done
  • quality assurance status badge
Details
3 participants
  • Attila Lendvai
  • Ludovic Courtès
  • Vagrant Cascadian
Owner
unassigned
Submitted by
Attila Lendvai
Severity
normal
A
A
Attila Lendvai wrote on 18 Jan 2022 15:34
(address . guix-patches@gnu.org)(name . Attila Lendvai)(address . attila@lendvai.name)
20220118143447.14183-1-attila@lendvai.name
Also change origin to git-fetch the project's git repository using git tags.
---

note: i have tested this to build cleanly, but nothing beyond that.

gnu/local.mk | 1 -
.../patches/libssh2-CVE-2019-17498.patch | 126 ------------------
gnu/packages/ssh.scm | 16 ++-
3 files changed, 9 insertions(+), 134 deletions(-)
delete mode 100644 gnu/packages/patches/libssh2-CVE-2019-17498.patch

Toggle diff (71 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 0bae6ffa63..cf9a602042 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,7 +1393,6 @@ dist_patch_DATA = \
%D%/packages/patches/libmygpo-qt-missing-qt5-modules.patch \
%D%/packages/patches/libqalculate-3.8.0-libcurl-ssl-fix.patch \
%D%/packages/patches/libquicktime-ffmpeg.patch \
- %D%/packages/patches/libssh2-CVE-2019-17498.patch \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
%D%/packages/patches/libtgvoip-disable-sse2.patch \
%D%/packages/patches/libtgvoip-disable-webrtc.patch \
diff --git a/gnu/packages/patches/libssh2-CVE-2019-17498.patch b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
deleted file mode 100644
index 6f69e562e2..0000000000
--- a/gnu/packages/patches/libssh2-CVE-2019-17498.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c.patch
-
-From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
-From: Will Cosgrove <will@panic.com>
-Date: Fri, 30 Aug 2019 09:57:38 -0700
-Subject: [PATCH] packet.c: improve message parsing (#402)
-
-* packet.c: improve parsing of packets
-
-file: packet.c
-
-notes:
-Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
----
- src/packet.c | 68 ++++++++++++++++++++++------------------------------
- 1 file changed, 29 insertions(+), 39 deletions(-)
-
-diff --git a/src/packet.c b/src/packet.c
-index 38ab62944..2e01bfc5d 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- size_t datalen, int macstate)
- {
- int rc = 0;
-- char *message = NULL;
-- char *language = NULL;
-+ unsigned char *message = NULL;
-+ unsigned char *language = NULL;
- size_t message_len = 0;
- size_t language_len = 0;
- LIBSSH2_CHANNEL *channelp = NULL;
-@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-
- case SSH_MSG_DISCONNECT:
- if(datalen >= 5) {
-- size_t reason = _libssh2_ntohu32(data + 1);
-+ uint32_t reason = 0;
-+ struct string_buf buf;
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr++; /* advance past type */
-
-- if(datalen >= 9) {
-- message_len = _libssh2_ntohu32(data + 5);
-+ _libssh2_get_u32(&buf, &reason);
-+ _libssh2_get_string(&buf, &message, &message_len);
-+ _libssh2_get_string(&buf, &language, &language_len);
-
-- if(message_len < datalen-13) {
-- /* 9 = packet_type(1) + reason(4) + message_len(4) */
-- message = (char *) data + 9;
--
-- language_len =
-- _libssh2_ntohu32(data + 9 + message_len);
-- language = (char *) data + 9 + message_len + 4;
--
-- if(language_len > (datalen-13-message_len)) {
-- /* bad input, clear info */
-- language = message = NULL;
-- language_len = message_len = 0;
-- }
-- }
-- else
-- /* bad size, clear it */
-- message_len = 0;
-- }
- if(session->ssh_msg_disconnect) {
-- LIBSSH2_DISCONNECT(session, reason, message,
-- message_len, language, language_len);
-+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
-+ message_len, (const char *)language,
-+ language_len);
- }
-+
- _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
- "Disconnect(%d): %s(%s)", reason,
- message, language);
-@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- int always_display = data[1];
-
- if(datalen >= 6) {
-- message_len = _libssh2_ntohu32(data + 2);
--
-- if(message_len <= (datalen - 10)) {
-- /* 6 = packet_type(1) + display(1) + message_len(4) */
-- message = (char *) data + 6;
-- language_len = _libssh2_ntohu32(data + 6 +
-- message_len);
--
-- if(language_len <= (datalen - 10 - message_len))
-- language = (char *) data + 10 + message_len;
-- }
-+ struct string_buf buf;
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr += 2; /* advance past type & always display */
-+
-+ _libssh2_get_string(&buf, &message, &message_len);
-+ _libssh2_get_string(&buf, &language, &language_len);
- }
-
- if(session->ssh_msg_debug) {
-- LIBSSH2_DEBUG(session, always_display, message,
-- message_len, language, language_len);
-+ LIBSSH2_DEBUG(session, always_display,
-+ (const char *)message,
-+ message_len, (const char *)language,
-+ language_len);
- }
- }
-+
- /*
- * _libssh2_debug will actually truncate this for us so
- * that it's not an inordinate about of data
-@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- uint32_t len = 0;
- unsigned char want_reply = 0;
- len = _libssh2_ntohu32(data + 1);
-- if(datalen >= (6 + len)) {
-+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
- want_reply = data[5 + len];
- _libssh2_debug(session,
- LIBSSH2_TRACE_CONN,
Toggle diff (33 lines)
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index ae64e99948..a3411c687f 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -157,17 +157,19 @@ (define-public libssh
(define-public libssh2
(package
(name "libssh2")
- (version "1.9.0")
+ (version "1.10.0")
(source (origin
- (method url-fetch)
- (uri (string-append
- "https://www.libssh2.org/download/libssh2-"
- version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/libssh2/libssh2")
+ (commit (string-append "libssh2-" version))))
(sha256
(base32
- "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym"))
- (patches (search-patches "libssh2-CVE-2019-17498.patch"))))
+ "0iiwdnvzq7mw1h1frbsszzhhf259jvjmzbp15mkgdfypnhgh3ri5"))))
(build-system gnu-build-system)
+ (native-inputs (list autoconf
+ automake
+ libtool))
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
(propagated-inputs (list libgcrypt zlib))
--
2.34.0
L
L
Ludovic Courtès wrote on 28 Mar 2022 09:45
(name . Attila Lendvai)(address . attila@lendvai.name)(address . 53345@debbugs.gnu.org)
87zgla4j24.fsf@gnu.org
Hi Attila,

Finally getting around to this patch…

Attila Lendvai <attila@lendvai.name> skribis:

Toggle quote (2 lines)
> Also change origin to git-fetch the project's git repository using git tags.

I think we can stick to tarballs for now, which avoids the extra
autotools dependencies.

Could you send an updated patch? Bonus points if you can add a commit
log that follows our conventions:


Toggle quote (2 lines)
> note: i have tested this to build cleanly, but nothing beyond that.

Would be great if you could check some of the “important” direct
dependents as shown by:

guix graph -t reverse-package -M1 libssh2 | xdot -f fdp -

Thanks!

Ludo’.
A
A
Attila Lendvai wrote on 4 Apr 2022 09:07
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 53345@debbugs.gnu.org)
w1F7cVyvTU26F2Dwz3wdCWSqp4DgBVWCBDPEX1boHFVPZc2ipHi73m5K6JP7hjopTsLuWRoPSPbYdnzb5L6hPW4nFo_G9kDC6_XRvMpRA-E=@lendvai.name
FTR, i'm abandoning this because i have realized that a change like this, and to a package this central, is beyond my current level of understanding of Guix internals and development processes.

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“A man sees in the world what he carries in his heart.”
— Johann Wolfgang von Goethe (1749–1832), 'Faust'
V
V
Vagrant Cascadian wrote on 2 Sep 2023 00:07
Re: [bug#53345] [PATCH core-updates] gnu: libssh2: Update to 1.10.0.
87bkelsg28.fsf@wireframe
On 2022-01-18, Attila Lendvai wrote:
Toggle quote (6 lines)
> (define-public libssh2
> (package
> (name "libssh2")
> - (version "1.9.0")
> + (version "1.10.0")

libssh2 was updated to 1.10.0:

09a3f7c6fcbb5c63ecd402daef7fd9714d3720d3 gnu: libssh2: Update to 1.10.0.

Marking as done.

live well,
vagrant
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZPJgrwAKCRDcUY/If5cW
qp0zAP4+ASSYaRJlSM9rfMpxwskuIubwQVLx55xzYcYZSfvSbAD/bILm1MO5Xm+D
5zTYzsRqBXNRlTQRVfj5D7DGgW97ngk=
=p3yv
-----END PGP SIGNATURE-----

Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 53345@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 53345
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch