GNU bug report logs - #33067
[PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Tue, 16 Oct 2018 18:23:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#33067; Package guix-patches. (Tue, 16 Oct 2018 18:23:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 16 Oct 2018 18:23:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Cc: ludo <at> gnu.org
Subject: [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Date: Tue, 16 Oct 2018 14:22:09 -0400

This update should be tested with users of guile-ssh.

Also, Ludo, the bug report of the patch removed here is no longer online
(they have a new bug tracker at <https://bugs.libssh.org/>). The patch
doesn't apply, but since I can't read the bug report, I don't know if
the problem is fixed upstream, or if we should adapt our patch.

* gnu/packages/ssh.scm (libssh): Update to 0.7.6.
[source]: Remove 'libssh-hostname-parser-bug.patch'.
* gnu/packages/patches/libssh-hostname-parser-bug.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk                                  |  1 -
 .../patches/libssh-hostname-parser-bug.patch  | 31 ---------
 gnu/packages/ssh.scm                          | 63 +++++++++----------
 3 files changed, 29 insertions(+), 66 deletions(-)
 delete mode 100644 gnu/packages/patches/libssh-hostname-parser-bug.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b8248e8da..8171fb2db 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -901,7 +901,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch	\
   %D%/packages/patches/libsndfile-CVE-2017-8362.patch		\
   %D%/packages/patches/libsndfile-CVE-2017-12562.patch		\
-  %D%/packages/patches/libssh-hostname-parser-bug.patch		\
   %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch	\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
   %D%/packages/patches/libtheora-config-guess.patch		\
diff --git a/gnu/packages/patches/libssh-hostname-parser-bug.patch b/gnu/packages/patches/libssh-hostname-parser-bug.patch
deleted file mode 100644
index 69f46cbdd..000000000
--- a/gnu/packages/patches/libssh-hostname-parser-bug.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Fix "Hostname" parsing in OpenSSH config files, as reported
-at <https://red.libssh.org/issues/260>.
-
-From: Niels Ole Salscheider <niels_ole <at> salscheider-online.de>
-Date: Mon, 8 May 2017 17:36:13 +0200
-Subject: [PATCH] Fix reading of the first parameter
-
-This is a fixup for 7b8b5eb4eac314a3a29be812bef0264c6611f6e7.
-Previously, it would return as long as the parameter was _not_ seen
-before. It also did not handle the case for the unsupported opcode (-1)
-which would cause a segfault when accessing the "seen" array.
----
- src/config.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/config.c b/src/config.c
-index 7c03b27..238a655 100644
---- a/src/config.c
-+++ b/src/config.c
-@@ -218,8 +218,9 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
-   }
- 
-   opcode = ssh_config_get_opcode(keyword);
--  if (*parsing == 1 && opcode != SOC_HOST) {
--      if (seen[opcode] == 0) {
-+  if (*parsing == 1 && opcode != SOC_HOST &&
-+      opcode > SOC_UNSUPPORTED && opcode < SOC_END) {
-+      if (seen[opcode] == 1) {
-           return 0;
-       }
-       seen[opcode] = 1;
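Review bot: Deleting this patch drops the range guard `opcode > SOC_UNSUPPORTED && opcode < SOC_END` in front of `seen[opcode]`, and the patch's own description says the unsupported opcode (-1) caused a segfault when accessing that array. The cover letter states it is not known whether upstream fixed the problem, so before removing the file please check `ssh_config_parse_line` in src/config.c of 0.7.6 for both the guard and the `seen[opcode] == 1` test; if only the second is there, rebase the patch so the guard is kept rather than dropping it.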
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 362d427a2..6ade3e55b 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -65,40 +65,35 @@
   #:use-module (srfi srfi-1))
 
 (define-public libssh
-  ;; This commit from the 'v0-7' branch contains 7 memory-management-related
-  ;; bug fixes that we'd rather have.
-  (let ((commit "239d0f75b5f909174c2ef7fb08d23bcfa6b20ba0")
-        (revision "0"))
-    (package
-      (name "libssh")
-      (version (git-version "0.7.5" revision commit))
-      (source (origin
-                (method git-fetch)
-                (uri (git-reference
-                      (url "https://git.libssh.org/projects/libssh.git")
-                      (commit commit)))
-                (sha256
-                 (base32
-                  "01w72w1jsgs9ilj3n1gp6qkmdxr9n74i5h2nipi3x1vzm7bv8na1"))
-                (patches (search-patches "libssh-hostname-parser-bug.patch"))
-                (file-name (git-file-name name version))))
-      (build-system cmake-build-system)
-      (outputs '("out" "debug"))
-      (arguments
-       '(#:configure-flags '("-DWITH_GCRYPT=ON")
-
-         ;; TODO: Add 'CMockery' and '-DWITH_TESTING=ON' for the test suite.
-         #:tests? #f))
-      (inputs `(("zlib" ,zlib)
-                ("libgcrypt" ,libgcrypt)))
-      (synopsis "SSH client library")
-      (description
-       "libssh is a C library implementing the SSHv2 and SSHv1 protocol for
-client and server implementations.  With libssh, you can remotely execute
-programs, transfer files, and use a secure and transparent tunnel for your
-remote applications.")
-      (home-page "https://www.libssh.org")
-      (license license:lgpl2.1+))))
+  (package
+    (name "libssh")
+    (version "0.7.6")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://git.libssh.org/projects/libssh.git")
+                    (commit (string-append "libssh-" version))))
+              (sha256
+               (base32
+                "0slwqa36mhyb6brdv2jvb9fxp7rvsv3ziv67kaxx615jxn52l5pa"))
+              (file-name (git-file-name name version))))
+    (build-system cmake-build-system)
+    (outputs '("out" "debug"))
+    (arguments
+     '(#:configure-flags '("-DWITH_GCRYPT=ON")
+
+       ;; TODO: Add 'CMockery' and '-DWITH_TESTING=ON' for the test suite.
+       #:tests? #f))
+    (inputs `(("zlib" ,zlib)
+              ("libgcrypt" ,libgcrypt)))
+    (synopsis "SSH client library")
+    (description
+     "libssh is a C library implementing the SSHv2 and SSHv1 protocol for client
+and server implementations.  With libssh, you can remotely execute programs,
+transfer files, and use a secure and transparent tunnel for your remote
+applications.")
+    (home-page "https://www.libssh.org")
+    (license license:lgpl2.1+)))
 
 (define-public libssh2
   (package
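Review bot: The removed comment at the top of the `libssh` definition says commit 239d0f75b5f909174c2ef7fb08d23bcfa6b20ba0 was pinned for 7 memory-management fixes from the 'v0-7' branch, and nothing in this change states that the `libssh-0.7.6` tag contains them. Please confirm that commit is an ancestor of the tag (for example with `git merge-base --is-ancestor`) and record the result in the commit message. `#:tests? #f` is also left in place, so this security update gets no test-suite coverage and a rebuild of dependents such as guile-ssh is the only check available.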
-- 
2.19.1





Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Wed, 17 Oct 2018 22:51:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Wed, 17 Oct 2018 22:51:02 GMT)

Message #10 received at 33067-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 33067-done <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Date: Wed, 17 Oct 2018 18:50:30 -0400

Pushed as a42648d858155930c078f7720c42a47765b2d0ee

Information forwarded to guix-patches <at> gnu.org:
bug#33067; Package guix-patches. (Wed, 17 Oct 2018 23:12:02 GMT)

Message #13 received at submit <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: guix-patches <at> gnu.org
Subject: Re: [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Date: Thu, 18 Oct 2018 01:11:12 +0200

Hi Leo,

Leo Famulari <leo <at> famulari.name> writes:

> This update should be tested with users of guile-ssh.
>
> Also, Ludo, the bug report of the patch removed here is no longer online
> (they have a new bug tracker at <https://bugs.libssh.org/>). The patch
> doesn't apply, but since I can't read the bug report, I don't know if
> the problem is fixed upstream, or if we should adapt our patch.

The patch changes just one ‘if’ condition.  Could you check in 0.7.6 if
that condition matches what the patch changed?

I haven’t yet been able to test the change with Guile-SSH and Guix.

Thanks!

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#33067; Package guix-patches. (Fri, 19 Oct 2018 08:30:01 GMT)

Message #16 received at 33067 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 33067 <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Date: Fri, 19 Oct 2018 10:29:40 +0200

Hello!

Leo Famulari <leo <at> famulari.name> writes:

> Previously I reported the patch pushed and closed the bug. However, the
> push must have failed without me noticing. Now that I saw your message,
> I had more time to look at the patch and update it. Now pushed as
> eed00f93e8999712191e39c59c15e23461520f43
>
> On Thu, Oct 18, 2018 at 01:11:12AM +0200, Ludovic Courtès wrote:
>> The patch changes just one ‘if’ condition.  Could you check in 0.7.6 if
>> that condition matches what the patch changed?
>
> The only upstream change was to fix the bug which would make it ignore
> valid configuration data when parsing the config file.
>
> Our patch also tightened the conditional that led to that point, so that
> the previously faulty check would not be passed some "dummy" constants.
>
> Not being able to read the original bug report, I can't tell if these
> extra changes were made in response to a bug that was actually
> experienced, or if we were just being cautious.
>
> Since nothing else changed upstream, it seems like the tightening can't
> hurt, at least the one regarding the SOC_END constant, which I think
> could still be used erroneously. But we should send it upstream.

Sounds good, thanks for checking!

Ludo’.
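
The two problems discussed in this thread (the inverted `seen` test, and indexing `seen[]` with an opcode outside its range), shown side by side as an added example that is not part of the thread or of libssh's code. The keyword table, the helper names and the enum members other than SOC_HOST, SOC_UNSUPPORTED and SOC_END are assumptions.

```c
#include <string.h>
#include <strings.h>

/* Hypothetical opcode set: only SOC_UNSUPPORTED (-1), SOC_HOST and SOC_END
 * are named in the thread; the other members are assumed for illustration. */
enum opcode { SOC_UNSUPPORTED = -1, SOC_HOST, SOC_HOSTNAME, SOC_PORT, SOC_END };

static enum opcode get_opcode(const char *keyword)
{
    static const struct { const char *name; enum opcode op; } table[] = {
        { "host", SOC_HOST }, { "hostname", SOC_HOSTNAME }, { "port", SOC_PORT },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcasecmp(keyword, table[i].name) == 0)
            return table[i].op;
    return SOC_UNSUPPORTED;                /* unknown keyword */
}

/* Nonzero only when op is a valid index into seen[SOC_END]. */
static int indexable(enum opcode op)
{
    return op > SOC_UNSUPPORTED && op < SOC_END;
}

/* Inverted test: returns on the FIRST occurrence of a keyword, so a valid
 * setting is never applied. Returns 1 if the value would be applied. */
int apply_inverted(const char *keyword, unsigned char *seen)
{
    enum opcode op = get_opcode(keyword);
    if (op != SOC_HOST && indexable(op)) {
        if (seen[op] == 0)
            return 0;
        seen[op] = 1;
    }
    return indexable(op);
}

/* Corrected test plus range guard: first occurrence is applied, duplicates
 * are skipped, and seen[] is never indexed with -1 or SOC_END. */
int apply_fixed(const char *keyword, unsigned char *seen)
{
    enum opcode op = get_opcode(keyword);
    if (op != SOC_HOST && indexable(op)) {
        if (seen[op] == 1)
            return 0;                      /* duplicate keyword */
        seen[op] = 1;
    }
    return indexable(op);                  /* unknown keywords are ignored */
}
```

Without the `indexable()` guard, an unknown keyword would read `seen[-1]`, which is the segfault the deleted patch's description mentions.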




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 16 Nov 2018 12:24:07 GMT)

This bug report was last modified 5 years and 168 days ago.
