GNU bug report logs - #53345
[PATCH core-updates] gnu: libssh2: Update to 1.10.0.
Reported by: Attila Lendvai <attila <at> lendvai.name>
Date: Tue, 18 Jan 2022 14:37:02 UTC
Severity: normal
Tags: patch
Done: Vagrant Cascadian <vagrant <at> debian.org>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#53345; Package guix-patches. (Tue, 18 Jan 2022 14:37:02 GMT)
Acknowledgement sent to Attila Lendvai <attila <at> lendvai.name>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 18 Jan 2022 14:37:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Also change origin to git-fetch the project's git repository using git tags.
---
Note: I have tested this to build cleanly, but nothing beyond that.
gnu/local.mk | 1 -
.../patches/libssh2-CVE-2019-17498.patch | 126 ------------------
gnu/packages/ssh.scm | 16 ++-
3 files changed, 9 insertions(+), 134 deletions(-)
delete mode 100644 gnu/packages/patches/libssh2-CVE-2019-17498.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0bae6ffa63..cf9a602042 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1393,7 +1393,6 @@ dist_patch_DATA = \
%D%/packages/patches/libmygpo-qt-missing-qt5-modules.patch \
%D%/packages/patches/libqalculate-3.8.0-libcurl-ssl-fix.patch \
%D%/packages/patches/libquicktime-ffmpeg.patch \
- %D%/packages/patches/libssh2-CVE-2019-17498.patch \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
%D%/packages/patches/libtgvoip-disable-sse2.patch \
%D%/packages/patches/libtgvoip-disable-webrtc.patch \
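Review bot: dropping the entry from dist_patch_DATA is the right companion to the file deletion below, but it should be paired with a check that no other package definition still calls (search-patches "libssh2-CVE-2019-17498.patch"), because a stale reference is only detected when that package's origin is evaluated, not when this file is built. A `git grep libssh2-CVE-2019-17498 gnu/` before committing is enough to confirm that this line and the deleted file were the only two references.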
diff --git a/gnu/packages/patches/libssh2-CVE-2019-17498.patch b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
deleted file mode 100644
index 6f69e562e2..0000000000
--- a/gnu/packages/patches/libssh2-CVE-2019-17498.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c.patch
-
-From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
-From: Will Cosgrove <will <at> panic.com>
-Date: Fri, 30 Aug 2019 09:57:38 -0700
-Subject: [PATCH] packet.c: improve message parsing (#402)
-
-* packet.c: improve parsing of packets
-
-file: packet.c
-
-notes:
-Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
----
- src/packet.c | 68 ++++++++++++++++++++++------------------------------
- 1 file changed, 29 insertions(+), 39 deletions(-)
-
-diff --git a/src/packet.c b/src/packet.c
-index 38ab62944..2e01bfc5d 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- size_t datalen, int macstate)
- {
- int rc = 0;
-- char *message = NULL;
-- char *language = NULL;
-+ unsigned char *message = NULL;
-+ unsigned char *language = NULL;
- size_t message_len = 0;
- size_t language_len = 0;
- LIBSSH2_CHANNEL *channelp = NULL;
-@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-
- case SSH_MSG_DISCONNECT:
- if(datalen >= 5) {
-- size_t reason = _libssh2_ntohu32(data + 1);
-+ uint32_t reason = 0;
-+ struct string_buf buf;
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr++; /* advance past type */
-
-- if(datalen >= 9) {
-- message_len = _libssh2_ntohu32(data + 5);
-+ _libssh2_get_u32(&buf, &reason);
-+ _libssh2_get_string(&buf, &message, &message_len);
-+ _libssh2_get_string(&buf, &language, &language_len);
-
-- if(message_len < datalen-13) {
-- /* 9 = packet_type(1) + reason(4) + message_len(4) */
-- message = (char *) data + 9;
--
-- language_len =
-- _libssh2_ntohu32(data + 9 + message_len);
-- language = (char *) data + 9 + message_len + 4;
--
-- if(language_len > (datalen-13-message_len)) {
-- /* bad input, clear info */
-- language = message = NULL;
-- language_len = message_len = 0;
-- }
-- }
-- else
-- /* bad size, clear it */
-- message_len = 0;
-- }
- if(session->ssh_msg_disconnect) {
-- LIBSSH2_DISCONNECT(session, reason, message,
-- message_len, language, language_len);
-+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
-+ message_len, (const char *)language,
-+ language_len);
- }
-+
- _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
- "Disconnect(%d): %s(%s)", reason,
- message, language);
-@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- int always_display = data[1];
-
- if(datalen >= 6) {
-- message_len = _libssh2_ntohu32(data + 2);
--
-- if(message_len <= (datalen - 10)) {
-- /* 6 = packet_type(1) + display(1) + message_len(4) */
-- message = (char *) data + 6;
-- language_len = _libssh2_ntohu32(data + 6 +
-- message_len);
--
-- if(language_len <= (datalen - 10 - message_len))
-- language = (char *) data + 10 + message_len;
-- }
-+ struct string_buf buf;
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr += 2; /* advance past type & always display */
-+
-+ _libssh2_get_string(&buf, &message, &message_len);
-+ _libssh2_get_string(&buf, &language, &language_len);
- }
-
- if(session->ssh_msg_debug) {
-- LIBSSH2_DEBUG(session, always_display, message,
-- message_len, language, language_len);
-+ LIBSSH2_DEBUG(session, always_display,
-+ (const char *)message,
-+ message_len, (const char *)language,
-+ language_len);
- }
- }
-+
- /*
- * _libssh2_debug will actually truncate this for us so
- * that it's not an inordinate about of data
-@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- uint32_t len = 0;
- unsigned char want_reply = 0;
- len = _libssh2_ntohu32(data + 1);
-- if(datalen >= (6 + len)) {
-+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
- want_reply = data[5 + len];
- _libssh2_debug(session,
- LIBSSH2_TRACE_CONN,
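Review bot: the commit message at the top of this patch says nothing about why this file can be deleted; it should state that upstream commit dedcbd106f8e52d5586b0205bc7677e4c9868f9c (dated 30 Aug 2019 in the header above, the fix for CVE-2019-17498) is contained in the libssh2-1.10.0 tag, so that the bounds-checked _libssh2_get_string parsing of SSH_MSG_DISCONNECT and SSH_MSG_DEBUG and the `len <= (UINT_MAX - 6)` guard in SSH_MSG_GLOBAL_REQUEST remain in the built library. Without that sentence a reader of the log cannot distinguish an intentional removal of a patch that upstream has absorbed from a silent regression to the 1.9.0 parser.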
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index ae64e99948..a3411c687f 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -157,17 +157,19 @@ (define-public libssh
(define-public libssh2
(package
(name "libssh2")
- (version "1.9.0")
+ (version "1.10.0")
(source (origin
- (method url-fetch)
- (uri (string-append
- "https://www.libssh2.org/download/libssh2-"
- version ".tar.gz"))
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/libssh2/libssh2")
+ (commit (string-append "libssh2-" version))))
(sha256
(base32
- "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym"))
- (patches (search-patches "libssh2-CVE-2019-17498.patch"))))
+ "0iiwdnvzq7mw1h1frbsszzhhf259jvjmzbp15mkgdfypnhgh3ri5"))))
(build-system gnu-build-system)
+ (native-inputs (list autoconf
+ automake
+ libtool))
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
(propagated-inputs (list libgcrypt zlib))
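Review bot: `(commit (string-append "libssh2-" version))` pins a tag name rather than a commit hash; the sha256 still fixes what gets built, but a moved or deleted tag makes the origin unfetchable, and the switch also moves the source from the release tarball at https://www.libssh2.org/download/ to a GitHub checkout, which is why autoconf, automake and libtool have to be added as native-inputs of a package that many others depend on. Unless the tarball is unsuitable for a stated reason, keep url-fetch and only bump the version and hash, which also keeps the diff to what the subject line describes.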
--
2.34.0
Information forwarded to guix-patches <at> gnu.org: bug#53345; Package guix-patches. (Mon, 28 Mar 2022 07:46:02 GMT)
Message #8 received at 53345 <at> debbugs.gnu.org:
Hi Attila,
Finally getting around to this patch…
Attila Lendvai <attila <at> lendvai.name> wrote:
> Also change origin to git-fetch the project's git repository using git tags.
I think we can stick to tarballs for now, which avoids the extra
autotools dependencies.
Could you send an updated patch? Bonus points if you can add a commit
log that follows our conventions:
https://guix.gnu.org/manual/devel/en/html_node/Submitting-Patches.html
> Note: I have tested this to build cleanly, but nothing beyond that.
Would be great if you could check some of the “important” direct
dependents as shown by:
guix graph -t reverse-package -M1 libssh2 | xdot -f fdp -
Thanks!
Ludo’.
Information forwarded to guix-patches <at> gnu.org: bug#53345; Package guix-patches. (Mon, 04 Apr 2022 07:08:01 GMT)
Message #11 received at 53345 <at> debbugs.gnu.org:
FTR, I'm abandoning this because I have realized that a change like this, and to a package this central, is beyond my current level of understanding of Guix internals and development processes.
--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“A man sees in the world what he carries in his heart.”
— Johann Wolfgang von Goethe (1749–1832), 'Faust'
Reply sent to Vagrant Cascadian <vagrant <at> debian.org>: You have taken responsibility. (Fri, 01 Sep 2023 22:09:02 GMT)
Notification sent to Attila Lendvai <attila <at> lendvai.name>: bug acknowledged by developer. (Fri, 01 Sep 2023 22:09:02 GMT)
Message #16 received at 53345-done <at> debbugs.gnu.org:
On 2022-01-18, Attila Lendvai wrote:
> (define-public libssh2
> (package
> (name "libssh2")
> - (version "1.9.0")
> + (version "1.10.0")
libssh2 was updated to 1.10.0:
09a3f7c6fcbb5c63ecd402daef7fd9714d3720d3 gnu: libssh2: Update to 1.10.0.
Marking as done.
live well,
vagrant
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 30 Sep 2023 11:24:17 GMT)
This bug report was last modified 1 year and 224 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.