[PATCH core-updates] gnu: libssh2: Update to 1.10.0.

  • Done
  • quality assurance status badge
Details
3 participants
  • Attila Lendvai
  • Ludovic Courtès
  • Vagrant Cascadian
Owner
unassigned
Submitted by
Attila Lendvai
Severity
normal
A
A
Attila Lendvai wrote on 18 Jan 2022 15:34
(address . guix-patches@gnu.org)(name . Attila Lendvai)(address . attila@lendvai.name)
20220118143447.14183-1-attila@lendvai.name
Also change origin to git-fetch the project's git repository using git tags.
---

note: i have tested this to build cleanly, but nothing beyond that.

gnu/local.mk | 1 -
.../patches/libssh2-CVE-2019-17498.patch | 126 ------------------
gnu/packages/ssh.scm | 16 ++-
3 files changed, 9 insertions(+), 134 deletions(-)
delete mode 100644 gnu/packages/patches/libssh2-CVE-2019-17498.patch

Toggle diff (71 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 0bae6ffa63..cf9a602042 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,7 +1393,6 @@ dist_patch_DATA = \
%D%/packages/patches/libmygpo-qt-missing-qt5-modules.patch \
%D%/packages/patches/libqalculate-3.8.0-libcurl-ssl-fix.patch \
%D%/packages/patches/libquicktime-ffmpeg.patch \
- %D%/packages/patches/libssh2-CVE-2019-17498.patch \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
%D%/packages/patches/libtgvoip-disable-sse2.patch \
%D%/packages/patches/libtgvoip-disable-webrtc.patch \
diff --git a/gnu/packages/patches/libssh2-CVE-2019-17498.patch b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
deleted file mode 100644
index 6f69e562e2..0000000000
--- a/gnu/packages/patches/libssh2-CVE-2019-17498.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c.patch
-
-From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
-From: Will Cosgrove <will@panic.com>
-Date: Fri, 30 Aug 2019 09:57:38 -0700
-Subject: [PATCH] packet.c: improve message parsing (#402)
-
-* packet.c: improve parsing of packets
-
-file: packet.c
-
-notes:
-Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
----
- src/packet.c | 68 ++++++++++++++++++++++------------------------------
- 1 file changed, 29 insertions(+), 39 deletions(-)
-
-diff --git a/src/packet.c b/src/packet.c
-index 38ab62944..2e01bfc5d 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- size_t datalen, int macstate)
- {
- int rc = 0;
-- char *message = NULL;
-- char *language = NULL;
-+ unsigned char *message = NULL;
-+ unsigned char *language = NULL;
- size_t message_len = 0;
- size_t language_len = 0;
- LIBSSH2_CHANNEL *channelp = NULL;
-@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-
- case SSH_MSG_DISCONNECT:
- if(datalen >= 5) {
-- size_t reason = _libssh2_ntohu32(data + 1);
-+ uint32_t reason = 0;
-+ struct string_buf buf;
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr++; /* advance past type */
-
-- if(datalen >= 9) {
-- message_len = _libssh2_ntohu32(data + 5);
-+ _libssh2_get_u32(&buf, &reason);
-+ _libssh2_get_string(&buf, &message, &message_len);
-+ _libssh2_get_string(&buf, &language, &language_len);
-
-- if(message_len < datalen-13) {
-- /* 9 = packet_type(1) + reason(4) + message_len(4) */
-- message = (char *) data + 9;
--
-- language_len =
-- _libssh2_ntohu32(data + 9 + message_len);
-- language = (char *) data + 9 + message_len + 4;
--
-- if(language_len > (datalen-13-message_len)) {
-- /* bad input, clear info */
-- language = message = NULL;
-- language_len = message_len = 0;
-- }
-- }
-- else
-- /* bad size, clear it */
-- message_len = 0;
-- }
- if(session->ssh_msg_disconnect) {
-- LIBSSH2_DISCONNECT(session, reason, message,
-- message_len, language, language_len);
-+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
-+ message_len, (const char *)language,
-+ language_len);
- }
-+
- _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
- "Disconnect(%d): %s(%s)", reason,
- message, language);
-@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- int always_display = data[1];
-
- if(datalen >= 6) {
-- message_len = _libssh2_ntohu32(data + 2);
--
-- if(message_len <= (datalen - 10)) {
-- /* 6 = packet_type(1) + display(1) + message_len(4) */
-- message = (char *) data + 6;
-- language_len = _libssh2_ntohu32(data + 6 +
-- message_len);
--
-- if(language_len <= (datalen - 10 - message_len))
-- language = (char *) data + 10 + message_len;
-- }
-+ struct string_buf buf;
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr += 2; /* advance past type & always display */
-+
-+ _libssh2_get_string(&buf, &message, &message_len);
-+ _libssh2_get_string(&buf, &language, &language_len);
- }
-
- if(session->ssh_msg_debug) {
-- LIBSSH2_DEBUG(session, always_display, message,
-- message_len, language, language_len);
-+ LIBSSH2_DEBUG(session, always_display,
-+ (const char *)message,
-+ message_len, (const char *)language,
-+ language_len);
- }
- }
-+
- /*
- * _libssh2_debug will actually truncate this for us so
- * that it's not an inordinate about of data
-@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- uint32_t len = 0;
- unsigned char want_reply = 0;
- len = _libssh2_ntohu32(data + 1);
-- if(datalen >= (6 + len)) {
-+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
- want_reply = data[5 + len];
- _libssh2_debug(session,
- LIBSSH2_TRACE_CONN,
Toggle diff (33 lines)
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index ae64e99948..a3411c687f 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -157,17 +157,19 @@ (define-public libssh
(define-public libssh2
(package
(name "libssh2")
- (version "1.9.0")
+ (version "1.10.0")
(source (origin
- (method url-fetch)
- (uri (string-append
- "https://www.libssh2.org/download/libssh2-"
- version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/libssh2/libssh2")
+ (commit (string-append "libssh2-" version))))
(sha256
(base32
- "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym"))
- (patches (search-patches "libssh2-CVE-2019-17498.patch"))))
+ "0iiwdnvzq7mw1h1frbsszzhhf259jvjmzbp15mkgdfypnhgh3ri5"))))
(build-system gnu-build-system)
+ (native-inputs (list autoconf
+ automake
+ libtool))
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
(propagated-inputs (list libgcrypt zlib))
--
2.34.0
L
L
Ludovic Courtès wrote on 28 Mar 2022 09:45
(name . Attila Lendvai)(address . attila@lendvai.name)(address . 53345@debbugs.gnu.org)
87zgla4j24.fsf@gnu.org
Hi Attila,

Finally getting around to this patch…

Attila Lendvai <attila@lendvai.name> skribis:

Toggle quote (2 lines)
> Also change origin to git-fetch the project's git repository using git tags.

I think we can stick to tarballs for now, which avoids the extra
autotools dependencies.

Could you send an updated patch? Bonus points if you can add a commit
log that follows our conventions:


Toggle quote (2 lines)
> note: i have tested this to build cleanly, but nothing beyond that.

Would be great if you could check some of the “important” direct
dependents as shown by:

guix graph -t reverse-package -M1 libssh2 | xdot -f fdp -

Thanks!

Ludo’.
A
A
Attila Lendvai wrote on 4 Apr 2022 09:07
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 53345@debbugs.gnu.org)
w1F7cVyvTU26F2Dwz3wdCWSqp4DgBVWCBDPEX1boHFVPZc2ipHi73m5K6JP7hjopTsLuWRoPSPbYdnzb5L6hPW4nFo_G9kDC6_XRvMpRA-E=@lendvai.name
FTR, i'm abandoning this because i have realized that a change like this, and to a package this central, is beyond my current level of understanding of Guix internals and development processes.

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“A man sees in the world what he carries in his heart.”
— Johann Wolfgang von Goethe (1749–1832), 'Faust'
V
V
Vagrant Cascadian wrote on 2 Sep 2023 00:07
Re: [bug#53345] [PATCH core-updates] gnu: libssh2: Update to 1.10.0.
87bkelsg28.fsf@wireframe
On 2022-01-18, Attila Lendvai wrote:
Toggle quote (6 lines)
> (define-public libssh2
> (package
> (name "libssh2")
> - (version "1.9.0")
> + (version "1.10.0")

libssh2 was updated to 1.10.0:

09a3f7c6fcbb5c63ecd402daef7fd9714d3720d3 gnu: libssh2: Update to 1.10.0.

Marking as done.

live well,
vagrant
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZPJgrwAKCRDcUY/If5cW
qp0zAP4+ASSYaRJlSM9rfMpxwskuIubwQVLx55xzYcYZSfvSbAD/bILm1MO5Xm+D
5zTYzsRqBXNRlTQRVfj5D7DGgW97ngk=
=p3yv
-----END PGP SIGNATURE-----

Closed
?