GNU bug report logs - #53345
[PATCH core-updates] gnu: libssh2: Update to 1.10.0.


Package: guix-patches;

Reported by: Attila Lendvai <attila <at> lendvai.name>

Date: Tue, 18 Jan 2022 14:37:02 UTC

Severity: normal

Tags: patch

Done: Vagrant Cascadian <vagrant <at> debian.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#53345; Package guix-patches. (Tue, 18 Jan 2022 14:37:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Attila Lendvai <attila <at> lendvai.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 18 Jan 2022 14:37:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Attila Lendvai <attila <at> lendvai.name>
To: guix-patches <at> gnu.org
Cc: Attila Lendvai <attila <at> lendvai.name>
Subject: [PATCH core-updates] gnu: libssh2: Update to 1.10.0.
Date: Tue, 18 Jan 2022 15:34:48 +0100

Also change origin to git-fetch the project's git repository using git tags.
---

note: i have tested this to build cleanly, but nothing beyond that.

 gnu/local.mk                                  |   1 -
 .../patches/libssh2-CVE-2019-17498.patch      | 126 ------------------
 gnu/packages/ssh.scm                          |  16 ++-
 3 files changed, 9 insertions(+), 134 deletions(-)
 delete mode 100644 gnu/packages/patches/libssh2-CVE-2019-17498.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0bae6ffa63..cf9a602042 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,7 +1393,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/libmygpo-qt-missing-qt5-modules.patch	\
   %D%/packages/patches/libqalculate-3.8.0-libcurl-ssl-fix.patch	\
   %D%/packages/patches/libquicktime-ffmpeg.patch 		\
-  %D%/packages/patches/libssh2-CVE-2019-17498.patch 		\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
   %D%/packages/patches/libtgvoip-disable-sse2.patch 		\
   %D%/packages/patches/libtgvoip-disable-webrtc.patch 		\
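Review bot: The commit log does not record this removal from dist_patch_DATA; its only body line is about the git-fetch change. The entry is correctly dropped in the same patch that deletes the file, so the list and the tree stay consistent, but the log should name each touched file, for example "* gnu/local.mk (dist_patch_DATA): Remove it." next to an entry for the deleted libssh2-CVE-2019-17498.patch.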
diff --git a/gnu/packages/patches/libssh2-CVE-2019-17498.patch b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
deleted file mode 100644
index 6f69e562e2..0000000000
--- a/gnu/packages/patches/libssh2-CVE-2019-17498.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c.patch
-
-From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
-From: Will Cosgrove <will <at> panic.com>
-Date: Fri, 30 Aug 2019 09:57:38 -0700
-Subject: [PATCH] packet.c: improve message parsing (#402)
-
-* packet.c: improve parsing of packets
-
-file: packet.c
-
-notes:
-Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
----
- src/packet.c | 68 ++++++++++++++++++++++------------------------------
- 1 file changed, 29 insertions(+), 39 deletions(-)
-
-diff --git a/src/packet.c b/src/packet.c
-index 38ab62944..2e01bfc5d 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-                     size_t datalen, int macstate)
- {
-     int rc = 0;
--    char *message = NULL;
--    char *language = NULL;
-+    unsigned char *message = NULL;
-+    unsigned char *language = NULL;
-     size_t message_len = 0;
-     size_t language_len = 0;
-     LIBSSH2_CHANNEL *channelp = NULL;
-@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- 
-         case SSH_MSG_DISCONNECT:
-             if(datalen >= 5) {
--                size_t reason = _libssh2_ntohu32(data + 1);
-+                uint32_t reason = 0;
-+                struct string_buf buf;
-+                buf.data = (unsigned char *)data;
-+                buf.dataptr = buf.data;
-+                buf.len = datalen;
-+                buf.dataptr++; /* advance past type */
- 
--                if(datalen >= 9) {
--                    message_len = _libssh2_ntohu32(data + 5);
-+                _libssh2_get_u32(&buf, &reason);
-+                _libssh2_get_string(&buf, &message, &message_len);
-+                _libssh2_get_string(&buf, &language, &language_len);
- 
--                    if(message_len < datalen-13) {
--                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
--                        message = (char *) data + 9;
--
--                        language_len =
--                            _libssh2_ntohu32(data + 9 + message_len);
--                        language = (char *) data + 9 + message_len + 4;
--
--                        if(language_len > (datalen-13-message_len)) {
--                            /* bad input, clear info */
--                            language = message = NULL;
--                            language_len = message_len = 0;
--                        }
--                    }
--                    else
--                        /* bad size, clear it */
--                        message_len = 0;
--                }
-                 if(session->ssh_msg_disconnect) {
--                    LIBSSH2_DISCONNECT(session, reason, message,
--                                       message_len, language, language_len);
-+                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
-+                                       message_len, (const char *)language,
-+                                       language_len);
-                 }
-+
-                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
-                                "Disconnect(%d): %s(%s)", reason,
-                                message, language);
-@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-                 int always_display = data[1];
- 
-                 if(datalen >= 6) {
--                    message_len = _libssh2_ntohu32(data + 2);
--
--                    if(message_len <= (datalen - 10)) {
--                        /* 6 = packet_type(1) + display(1) + message_len(4) */
--                        message = (char *) data + 6;
--                        language_len = _libssh2_ntohu32(data + 6 +
--                                                        message_len);
--
--                        if(language_len <= (datalen - 10 - message_len))
--                            language = (char *) data + 10 + message_len;
--                    }
-+                    struct string_buf buf;
-+                    buf.data = (unsigned char *)data;
-+                    buf.dataptr = buf.data;
-+                    buf.len = datalen;
-+                    buf.dataptr += 2; /* advance past type & always display */
-+
-+                    _libssh2_get_string(&buf, &message, &message_len);
-+                    _libssh2_get_string(&buf, &language, &language_len);
-                 }
- 
-                 if(session->ssh_msg_debug) {
--                    LIBSSH2_DEBUG(session, always_display, message,
--                                  message_len, language, language_len);
-+                    LIBSSH2_DEBUG(session, always_display,
-+                                  (const char *)message,
-+                                  message_len, (const char *)language,
-+                                  language_len);
-                 }
-             }
-+
-             /*
-              * _libssh2_debug will actually truncate this for us so
-              * that it's not an inordinate about of data
-@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-                 uint32_t len = 0;
-                 unsigned char want_reply = 0;
-                 len = _libssh2_ntohu32(data + 1);
--                if(datalen >= (6 + len)) {
-+                if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
-                     want_reply = data[5 + len];
-                     _libssh2_debug(session,
-                                    LIBSSH2_TRACE_CONN,
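Review bot: Deleting this file drops the packaged fix for CVE-2019-17498, and nothing in the submission states that the 1.10.0 source already contains upstream commit dedcbd106f8e52d5586b0205bc7677e4c9868f9c. Please confirm it against the 1.10.0 tree, checking that the SSH_MSG_DISCONNECT and SSH_MSG_DEBUG cases in src/packet.c parse through _libssh2_get_string and that the SSH_MSG_GLOBAL_REQUEST case carries the "len <= (UINT_MAX - 6)" guard, and say so in the commit log so the removal of a security patch can be audited later. The note "tested this to build cleanly, but nothing beyond that" does not cover this, since a build succeeds with or without the bounds checks.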
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index ae64e99948..a3411c687f 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -157,17 +157,19 @@ (define-public libssh
 (define-public libssh2
   (package
    (name "libssh2")
-   (version "1.9.0")
+   (version "1.10.0")
    (source (origin
-            (method url-fetch)
-            (uri (string-append
-                   "https://www.libssh2.org/download/libssh2-"
-                   version ".tar.gz"))
+            (method git-fetch)
+            (uri (git-reference
+                  (url "https://github.com/libssh2/libssh2")
+                  (commit (string-append "libssh2-" version))))
             (sha256
              (base32
-              "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym"))
-            (patches (search-patches "libssh2-CVE-2019-17498.patch"))))
+              "0iiwdnvzq7mw1h1frbsszzhhf259jvjmzbp15mkgdfypnhgh3ri5"))))
    (build-system gnu-build-system)
+   (native-inputs (list autoconf
+                        automake
+                        libtool))
    ;; The installed libssh2.pc file does not include paths to libgcrypt and
    ;; zlib libraries, so we need to propagate the inputs.
    (propagated-inputs (list libgcrypt zlib))
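Review bot: The new git-fetch origin has no file-name field, so the checkout would not carry the package name and version in its store name; add "(file-name (git-file-name name version))" after the uri, as is the convention for git-fetch origins. Separately, building from the tag instead of the release tarball is what forces autoconf, automake and libtool into native-inputs for this package, and the commit log gives no reason for accepting those extra build dependencies. Either justify the switch there, or keep url-fetch and limit the hunk to the version, the sha256 and the removal of the patches field.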
-- 
2.34.0





Information forwarded to guix-patches <at> gnu.org:
bug#53345; Package guix-patches. (Mon, 28 Mar 2022 07:46:02 GMT) Full text and rfc822 format available.

Message #8 received at 53345 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Attila Lendvai <attila <at> lendvai.name>
Cc: 53345 <at> debbugs.gnu.org
Subject: Re: bug#53345: [PATCH core-updates] gnu: libssh2: Update to 1.10.0.
Date: Mon, 28 Mar 2022 09:45:07 +0200

Hi Attila,

Finally getting around to this patch…

Attila Lendvai <attila <at> lendvai.name> skribis:

> Also change origin to git-fetch the project's git repository using git tags.

I think we can stick to tarballs for now, which avoids the extra
autotools dependencies.

Could you send an updated patch?  Bonus points if you can add a commit
log that follows our conventions:

  https://guix.gnu.org/manual/devel/en/html_node/Submitting-Patches.html

> note: i have tested this to build cleanly, but nothing beyond that.

Would be great if you could check some of the “important” direct
dependents as shown by:

  guix graph -t reverse-package -M1 libssh2 | xdot -f fdp -

Thanks!

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#53345; Package guix-patches. (Mon, 04 Apr 2022 07:08:01 GMT) Full text and rfc822 format available.

Message #11 received at 53345 <at> debbugs.gnu.org (full text, mbox):

From: Attila Lendvai <attila <at> lendvai.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 53345 <at> debbugs.gnu.org
Subject: Re: bug#53345: [PATCH core-updates] gnu: libssh2: Update to 1.10.0.
Date: Mon, 04 Apr 2022 07:07:33 +0000

FTR, i'm abandoning this because i have realized that a change like this, and to a package this central, is beyond my current level of understanding of Guix internals and development processes.

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“A man sees in the world what he carries in his heart.”
	— Johann Wolfgang von Goethe (1749–1832), 'Faust'





Reply sent to Vagrant Cascadian <vagrant <at> debian.org>:
You have taken responsibility. (Fri, 01 Sep 2023 22:09:02 GMT) Full text and rfc822 format available.

Notification sent to Attila Lendvai <attila <at> lendvai.name>:
bug acknowledged by developer. (Fri, 01 Sep 2023 22:09:02 GMT) Full text and rfc822 format available.

Message #16 received at 53345-done <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> debian.org>
To: Attila Lendvai <attila <at> lendvai.name>, 53345-done <at> debbugs.gnu.org
Subject: Re: [bug#53345] [PATCH core-updates] gnu: libssh2: Update to 1.10.0.
Date: Fri, 01 Sep 2023 15:07:43 -0700

On 2022-01-18, Attila Lendvai wrote:
>  (define-public libssh2
>    (package
>     (name "libssh2")
> -   (version "1.9.0")
> +   (version "1.10.0")

libssh2 was updated to 1.10.0:

09a3f7c6fcbb5c63ecd402daef7fd9714d3720d3 gnu: libssh2: Update to 1.10.0.

Marking as done.

live well,
  vagrant

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 30 Sep 2023 11:24:17 GMT) Full text and rfc822 format available.
