author | Andreas Sturmlechner <asturm@gentoo.org> | 2018-10-31 19:13:40 +0100 |
---|---|---|
committer | Andreas Sturmlechner <asturm@gentoo.org> | 2018-10-31 19:13:40 +0100 |
commit | a06e9e74689c4f3bc82716c870d9502b1349dc71 (patch) | |
tree | 1b9d0ece6cd9d52b5d0ae2dfdc50fed32cb48828 | |
parent | app-emulation/docker-compose: 1.23.0 (diff) | |
net-libs/libssh: Security cleanup
Bug: https://bugs.gentoo.org/668788
Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11
-rw-r--r-- | net-libs/libssh/Manifest | 2 | ||||
-rw-r--r-- | net-libs/libssh/files/libssh-0.5.0-tests.patch | 11 | ||||
-rw-r--r-- | net-libs/libssh/files/libssh-0.7.5-add-macro-for-MAX.patch | 30 | ||||
-rw-r--r-- | net-libs/libssh/files/libssh-0.7.5-fix-config-buffer-underflow.patch | 25 | ||||
-rw-r--r-- | net-libs/libssh/files/libssh-0.7.5-fix-config-parsing.patch | 32 | ||||
-rw-r--r-- | net-libs/libssh/files/libssh-0.7.5-fix-internal-algo-selection.patch | 156 | ||||
-rw-r--r-- | net-libs/libssh/libssh-0.7.4.ebuild | 100 | ||||
-rw-r--r-- | net-libs/libssh/libssh-0.7.5-r2.ebuild | 103 | ||||
-rw-r--r-- | net-libs/libssh/metadata.xml | 1 |
9 files changed, 0 insertions, 460 deletions
diff --git a/net-libs/libssh/Manifest b/net-libs/libssh/Manifest
index c0cd95c47bbd..76c95b0b2c84 100644
--- a/net-libs/libssh/Manifest
+++ b/net-libs/libssh/Manifest
@@ -1,4 +1,2 @@
-DIST libssh-0.7.4.tar.xz 351892 BLAKE2B 5427faa04eac7b57f73909f113d933daf667f8311c30364bbf06d4f01121a58f5b560e0a1d9071655ce9b310fa3f3f801e11e880ca3eacde66efa0f49dc51b2b SHA512 94b8183e5c83e339303c1a160c92ccff6159471ac7d189ab66cf6d606d2e803fd616519f079aef1577c947d3a14e315332b05ea08e44d0ab550edbcb768dbea7
-DIST libssh-0.7.5.tar.xz 351632 BLAKE2B b41cccb6215c5b7e66742171d91e1081d3c1bf44455b65a5992093d31b28db7a6375e815303e115e02b2458c734d9c61e4b1528ba905bf8a421ca2bbb7221ce6 SHA512 6c7f539899caaedf13d66fa2e0fac1a475ecdfe389131abcbdf908bdebc50a0b9e6b0d43e67e52aea85c32f6aa68e46ca2f50695992f82ded83489f445a8e775
 DIST libssh-0.8.4.tar.xz 425848 BLAKE2B 8ca913e4c9e2ffa231bb437ac6a4de695bbdf8720a7619f3fc310a3d724cb7e85bcf81d31761c3fe4e3c29010b67d3fc81cf391d5c2f7e051cb8cc2400763248 SHA512 73d685bab2e88ff6b03c95cc13f1bd341bce4c527353c7e4870865d236cfbe23dfd2d198a1ec1531aed1afd700ce8e5b738ec68ca9152a4b6ae63dd6cbbf0d51
 DIST libssh-0.8.5.tar.xz 427372 BLAKE2B d1cd94a50f09b1562f7267ff435b2d180b84d4132a589e053f43f5de64bb764d9263910837a53be594e64595483ed9516dcbf20abc5071e9a8154b8bb75f6f4c SHA512 f1e90a5046e006d44a48ab36675167761d8e308ada7a1d7a1f7ba2825d222a2fab7e19dbc78b1371fee9ba74d9c55d9856a623f97842c9b9ad4c79215e344124
diff --git a/net-libs/libssh/files/libssh-0.5.0-tests.patch b/net-libs/libssh/files/libssh-0.5.0-tests.patch
deleted file mode 100644
index dde770ce5b2a..000000000000
--- a/net-libs/libssh/files/libssh-0.5.0-tests.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/tests/unittests/torture_misc.c
-+++ b/tests/unittests/torture_misc.c
-@@ -195,7 +195,7 @@
- #ifdef _WIN32
- unit_test(torture_path_expand_tilde_win),
- #else
-- unit_test(torture_path_expand_tilde_unix),
-+ //unit_test(torture_path_expand_tilde_unix),
- #endif
- unit_test_setup_teardown(torture_path_expand_escape, setup, teardown),
- unit_test_setup_teardown(torture_path_expand_known_hosts, setup, teardown),
diff --git a/net-libs/libssh/files/libssh-0.7.5-add-macro-for-MAX.patch b/net-libs/libssh/files/libssh-0.7.5-add-macro-for-MAX.patch
deleted file mode 100644
index d9226d697000..000000000000
--- a/net-libs/libssh/files/libssh-0.7.5-add-macro-for-MAX.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 310d423d36ae7bb6dac5a2ae2fb7b57bda72dcb5 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Thu, 24 Aug 2017 17:27:08 +0200
-Subject: [PATCH 1/2] priv: Add macro for MAX
-
-Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-(cherry picked from commit de35212789d11086621e176a11399de0d75ab3a6)
-Signed-off-by: Mihai Moldovan <ionic@ionic.de>
----
- include/libssh/priv.h | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/include/libssh/priv.h b/include/libssh/priv.h
-index 5a74915e..c3373c00 100644
---- a/include/libssh/priv.h
-+++ b/include/libssh/priv.h
-@@ -263,6 +263,10 @@ int match_hostname(const char *host, const char *pattern, unsigned int len);
- #define MIN(a,b) ((a) < (b) ? (a) : (b))
- #endif
-
-+#ifndef MAX
-+#define MAX(a,b) ((a) > (b) ? (a) : (b))
-+#endif
-+
- /** Free memory space */
- #define SAFE_FREE(x) do { if ((x) != NULL) {free(x); x=NULL;} } while(0)
-
---
-2.15.1
-
diff --git a/net-libs/libssh/files/libssh-0.7.5-fix-config-buffer-underflow.patch b/net-libs/libssh/files/libssh-0.7.5-fix-config-buffer-underflow.patch
deleted file mode 100644
index 7ff03263d198..000000000000
--- a/net-libs/libssh/files/libssh-0.7.5-fix-config-buffer-underflow.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 0cffb88b80b1e8b7e292646b955e9b9ca02315c4 Mon Sep 17 00:00:00 2001
-From: Aris Adamantiadis <aris@0xbadc0de.be>
-Date: Thu, 8 Jun 2017 00:22:02 +0200
-Subject: config: fix buffer underflow with unrecognized opcodes
-
----
- src/config.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/config.c b/src/config.c
-index 519926e7..6187c90f 100644
---- a/src/config.c
-+++ b/src/config.c
-@@ -218,7 +218,7 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
- }
-
- opcode = ssh_config_get_opcode(keyword);
-- if (*parsing == 1 && opcode != SOC_HOST) {
-+ if (*parsing == 1 && opcode != SOC_HOST && opcode != SOC_UNSUPPORTED) {
- if (seen[opcode] != 0) {
- return 0;
- }
---
-cgit v1.1
-
diff --git a/net-libs/libssh/files/libssh-0.7.5-fix-config-parsing.patch b/net-libs/libssh/files/libssh-0.7.5-fix-config-parsing.patch
deleted file mode 100644
index 3596cf02105d..000000000000
--- a/net-libs/libssh/files/libssh-0.7.5-fix-config-parsing.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 5333be5988c3789e7011598995f4df90d50d84d0 Mon Sep 17 00:00:00 2001
-From: "Artyom V. Poptsov" <poptsov.artyom@gmail.com>
-Date: Sun, 4 Jun 2017 11:54:55 +0300
-Subject: config: Bugfix: Don't skip unseen opcodes
-
-libssh fails to read the configuration from a config file due to a
-wrong check in 'ssh_config_parse_line' procedure in 'config.c'; it's
-effectively skipping every opcode (and therefore every option) from
-the file. The change fixes that behaviour.
-
-Signed-off-by: Artyom V. Poptsov <poptsov.artyom@gmail.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
----
- src/config.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/config.c b/src/config.c
-index 6478fc5f..519926e7 100644
---- a/src/config.c
-+++ b/src/config.c
-@@ -219,7 +219,7 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
-
- opcode = ssh_config_get_opcode(keyword);
- if (*parsing == 1 && opcode != SOC_HOST) {
-- if (seen[opcode] == 0) {
-+ if (seen[opcode] != 0) {
- return 0;
- }
- seen[opcode] = 1;
---
-cgit v1.1
-
diff --git a/net-libs/libssh/files/libssh-0.7.5-fix-internal-algo-selection.patch b/net-libs/libssh/files/libssh-0.7.5-fix-internal-algo-selection.patch
deleted file mode 100644
index 931d63360a12..000000000000
--- a/net-libs/libssh/files/libssh-0.7.5-fix-internal-algo-selection.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 4893f9515da2696490e6bbe9aaf51f2ef9678b0f Mon Sep 17 00:00:00 2001
-From: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Date: Thu, 24 Aug 2017 16:28:39 +0200
-Subject: [PATCH 2/2] ssh_options_set_algo: ensure we only set known algorithms
- internally
-
-That way, we will not fail later on key exchange phase when something
-unknown is negotiated.
-
-Fixes T37
-
-Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 895055ab38e7716390019aae5e11771a88b99d26)
-Signed-off-by: Mihai Moldovan <ionic@ionic.de>
----
- include/libssh/kex.h | 1 +
- src/kex.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- src/options.c | 11 ++++----
- 3 files changed, 81 insertions(+), 6 deletions(-)
-
-diff --git a/include/libssh/kex.h b/include/libssh/kex.h
-index 1a5b6d41..23594985 100644
---- a/include/libssh/kex.h
-+++ b/include/libssh/kex.h
-@@ -41,6 +41,7 @@ void ssh_list_kex(struct ssh_kex_struct *kex);
- int set_client_kex(ssh_session session);
- int ssh_kex_select_methods(ssh_session session);
- int verify_existing_algo(int algo, const char *name);
-+char *keep_known_algos(int algo, const char *list);
- char **space_tokenize(const char *chain);
- int ssh_get_kex1(ssh_session session);
- char *ssh_find_matching(const char *in_d, const char *what_d);
-diff --git a/src/kex.c b/src/kex.c
-index 519d79ce..f0c9d067 100644
---- a/src/kex.c
-+++ b/src/kex.c
-@@ -281,6 +281,71 @@ char *ssh_find_matching(const char *available_d, const char *preferred_d){
- return NULL;
- }
-
-+static char *ssh_find_all_matching(const char *available_d,
-+ const char *preferred_d)
-+{
-+ char **tok_available, **tok_preferred;
-+ int i_avail, i_pref;
-+ char *ret;
-+ unsigned max, len, pos = 0;
-+
-+ if ((available_d == NULL) || (preferred_d == NULL)) {
-+ return NULL; /* don't deal with null args */
-+ }
-+
-+ max = MAX(strlen(available_d), strlen(preferred_d));
-+
-+ ret = malloc(max+1);
-+ if (ret == NULL) {
-+ return NULL;
-+ }
-+ ret[0] = 0;
-+
-+ tok_available = tokenize(available_d);
-+ if (tok_available == NULL) {
-+ SAFE_FREE(ret);
-+ return NULL;
-+ }
-+
-+ tok_preferred = tokenize(preferred_d);
-+ if (tok_preferred == NULL) {
-+ SAFE_FREE(ret);
-+ SAFE_FREE(tok_available[0]);
-+ SAFE_FREE(tok_available);
-+ return NULL;
-+ }
-+
-+ for (i_pref = 0; tok_preferred[i_pref] ; ++i_pref) {
-+ for (i_avail = 0; tok_available[i_avail]; ++i_avail) {
-+ int cmp = strcmp(tok_available[i_avail],tok_preferred[i_pref]);
-+ if (cmp == 0) {
-+ /* match */
-+ if (pos != 0) {
-+ ret[pos] = ',';
-+ pos++;
-+ }
-+
-+ len = strlen(tok_available[i_avail]);
-+ memcpy(&ret[pos], tok_available[i_avail], len);
-+ pos += len;
-+ ret[pos] = '\0';
-+ }
-+ }
-+ }
-+
-+ if (ret[0] == '\0') {
-+ SAFE_FREE(ret);
-+ ret = NULL;
-+ }
-+
-+ SAFE_FREE(tok_available[0]);
-+ SAFE_FREE(tok_preferred[0]);
-+ SAFE_FREE(tok_available);
-+ SAFE_FREE(tok_preferred);
-+
-+ return ret;
-+}
-+
- /**
- * @internal
- * @brief returns whether the first client key exchange algorithm or
-@@ -668,4 +733,14 @@ int verify_existing_algo(int algo, const char *name){
- return 0;
- }
-
-+/* returns a copy of the provided list if everything is supported,
-+ * otherwise a new list of the supported algorithms */
-+char *keep_known_algos(int algo, const char *list)
-+{
-+ if ((algo > 9) || (algo < 0)) {
-+ return NULL;
-+ }
-+
-+ return ssh_find_all_matching(supported_methods[algo], list);
-+}
- /* vim: set ts=2 sw=2 et cindent: */
-diff --git a/src/options.c b/src/options.c
-index aed2dda5..34fe9cc7 100644
---- a/src/options.c
-+++ b/src/options.c
-@@ -164,7 +164,10 @@ int ssh_options_copy(ssh_session src, ssh_session *dest) {
-
- int ssh_options_set_algo(ssh_session session, int algo,
- const char *list) {
-- if (!verify_existing_algo(algo, list)) {
-+ char *p = NULL;
-+
-+ p = keep_known_algos(algo, list);
-+ if (p == NULL) {
- ssh_set_error(session, SSH_REQUEST_DENIED,
- "Setting method: no algorithm for method \"%s\" (%s)\n",
- ssh_kex_get_description(algo), list);
-@@ -172,11 +175,7 @@ int ssh_options_set_algo(ssh_session session, int algo,
- }
-
- SAFE_FREE(session->opts.wanted_methods[algo]);
-- session->opts.wanted_methods[algo] = strdup(list);
-- if (session->opts.wanted_methods[algo] == NULL) {
-- ssh_set_error_oom(session);
-- return -1;
-- }
-+ session->opts.wanted_methods[algo] = p;
-
- return 0;
- }
---
-2.15.1
-
diff --git a/net-libs/libssh/libssh-0.7.4.ebuild b/net-libs/libssh/libssh-0.7.4.ebuild
deleted file mode 100644
index f33086923326..000000000000
--- a/net-libs/libssh/libssh-0.7.4.ebuild
+++ /dev/null
@@ -1,100 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-MY_P=${PN}-${PV/_rc/rc}
-inherit eutils cmake-multilib multilib
-
-DESCRIPTION="Access a working SSH implementation by means of a library"
-HOMEPAGE="http://www.libssh.org/"
-SRC_URI="https://red.libssh.org/attachments/download/210/${MY_P}.tar.xz -> ${P}.tar.xz"
-
-LICENSE="LGPL-2.1"
-KEYWORDS="alpha amd64 arm ~arm64 ~hppa ia64 ppc ppc64 ~s390 sparc x86 ~amd64-linux ~x86-linux"
-SLOT="0/4" # subslot = soname major version
-IUSE="debug doc examples gcrypt gssapi libressl pcap +sftp ssh1 server static-libs test zlib"
-# Maintainer: check IUSE-defaults at DefineOptions.cmake
-
-RDEPEND="
- zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
- !gcrypt? (
- !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
- libressl? ( dev-libs/libressl:=[${MULTILIB_USEDEP}] )
- )
- gcrypt? ( >=dev-libs/libgcrypt-1.5.3:0[${MULTILIB_USEDEP}] )
- gssapi? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
-"
-DEPEND="
- ${RDEPEND}
- doc? ( app-doc/doxygen )
- test? ( >=dev-util/cmocka-0.3.1[${MULTILIB_USEDEP}] )
-"
-
-DOCS=( AUTHORS README ChangeLog )
-
-S=${WORKDIR}/${MY_P}
-
-PATCHES=(
- "${FILESDIR}"/${PN}-0.5.0-tests.patch
-)
-
-src_prepare() {
- # just install the examples do not compile them
- sed -i \
- -e '/add_subdirectory(examples)/s/^/#DONOTWANT/' \
- CMakeLists.txt || die
-
- # keyfile torture test is currently broken
- sed \
- -e '/torture_keyfiles/d' \
- -i tests/unittests/CMakeLists.txt || die
-
- cmake-utils_src_prepare
-}
-
-multilib_src_configure() {
- local mycmakeargs=(
- -DWITH_DEBUG_CALLTRACE="$(usex debug)"
- -DWITH_DEBUG_CRYPTO="$(usex debug)"
- -DWITH_GCRYPT="$(usex gcrypt)"
- -DWITH_GSSAPI="$(usex gssapi)"
- -DWITH_NACL=no
- -DWITH_PCAP="$(usex pcap)"
- -DWITH_SERVER="$(usex server)"
- -DWITH_SFTP="$(usex sftp)"
- -DWITH_SSH1="$(usex ssh1)"
- -DWITH_STACK_PROTECTOR=OFF
- -DWITH_STATIC_LIB="$(usex static-libs)"
- -DWITH_STATIC_LIB="$(usex test)"
- -DWITH_TESTING="$(usex test)"
- -DWITH_ZLIB="$(usex zlib)"
- )
-
- cmake-utils_src_configure
-}
-
-multilib_src_compile() {
- cmake-utils_src_compile
- multilib_is_native_abi && use doc && cmake-utils_src_compile doc
-}
-
-multilib_src_install() {
- cmake-utils_src_install
-
- if multilib_is_native_abi && use doc ; then
- docinto html
- dodoc -r doc/html/.
- fi
-
- use static-libs || rm -f "${D}"/usr/$(get_libdir)/libssh{,_threads}.a
-}
-
-multilib_src_install_all() {
- einstalldocs
-
- if use examples; then
- docinto examples
- dodoc examples/*.{c,h,cpp}
- fi
-}
diff --git a/net-libs/libssh/libssh-0.7.5-r2.ebuild b/net-libs/libssh/libssh-0.7.5-r2.ebuild
deleted file mode 100644
index 95aba9f77ea6..000000000000
--- a/net-libs/libssh/libssh-0.7.5-r2.ebuild
+++ /dev/null
@@ -1,103 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-MY_P="${PN}-${PV/_rc/rc}"
-inherit cmake-multilib
-
-DESCRIPTION="Access a working SSH implementation by means of a library"
-HOMEPAGE="https://www.libssh.org/"
-SRC_URI="https://red.libssh.org/attachments/download/218/${MY_P}.tar.xz -> ${P}.tar.xz"
-
-LICENSE="LGPL-2.1"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-fbsd ~amd64-linux ~x86-linux"
-SLOT="0/4" # subslot = soname major version
-IUSE="debug doc examples gcrypt gssapi libressl pcap server +sftp ssh1 static-libs test zlib"
-# Maintainer: check IUSE-defaults at DefineOptions.cmake
-
-RDEPEND="
- !gcrypt? (
- !libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
- libressl? ( dev-libs/libressl:=[${MULTILIB_USEDEP}] )
- )
- gcrypt? ( >=dev-libs/libgcrypt-1.5.3:0[${MULTILIB_USEDEP}] )
- gssapi? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
- zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
-"
-DEPEND="${RDEPEND}
- doc? ( app-doc/doxygen )
- test? ( >=dev-util/cmocka-0.3.1[${MULTILIB_USEDEP}] )
-"
-
-DOCS=( AUTHORS README ChangeLog )
-
-S="${WORKDIR}/${MY_P}"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-0.5.0-tests.patch
- "${FILESDIR}"/${P}-fix-config-parsing.patch
- "${FILESDIR}"/${P}-fix-config-buffer-underflow.patch
- "${FILESDIR}"/${P}-add-macro-for-MAX.patch
- "${FILESDIR}"/${P}-fix-internal-algo-selection.patch
-)
-
-src_prepare() {
- cmake-utils_src_prepare
-
- # just install the examples do not compile them
- sed -i \
- -e '/add_subdirectory(examples)/s/^/#DONOTWANT/' \
- CMakeLists.txt || die
-
- # keyfile torture test is currently broken
- sed -i \
- -e '/torture_keyfiles/d' \
- tests/unittests/CMakeLists.txt || die
-}
-
-multilib_src_configure() {
- local mycmakeargs=(
- -DWITH_DEBUG_CALLTRACE="$(usex debug)"
- -DWITH_DEBUG_CRYPTO="$(usex debug)"
- -DWITH_GCRYPT="$(usex gcrypt)"
- -DWITH_GSSAPI="$(usex gssapi)"
- -DWITH_NACL=no
- -DWITH_PCAP="$(usex pcap)"
- -DWITH_SERVER="$(usex server)"
- -DWITH_SFTP="$(usex sftp)"
- -DWITH_SSH1="$(usex ssh1)"
- -DWITH_STACK_PROTECTOR=OFF
- -DWITH_STATIC_LIB="$(usex static-libs)"
- -DWITH_STATIC_LIB="$(usex test)"
- -DWITH_TESTING="$(usex test)"
- -DWITH_ZLIB="$(usex zlib)"
- )
-
- cmake-utils_src_configure
-}
-
-multilib_src_compile() {
- cmake-utils_src_compile
- multilib_is_native_abi && use doc && cmake-utils_src_compile doc
-}
-
-multilib_src_install() {
- cmake-utils_src_install
-
- if multilib_is_native_abi && use doc ; then
- docinto html
- dodoc -r doc/html/.
- fi
-
- use static-libs || rm -f "${D}"/usr/$(get_libdir)/libssh{,_threads}.a
-}
-
-multilib_src_install_all() {
- einstalldocs
-
- if use examples; then
- docinto examples
- dodoc examples/*.{c,h,cpp}
- fi
-}
diff --git a/net-libs/libssh/metadata.xml b/net-libs/libssh/metadata.xml
index fa9ac337d5e8..6eba5670e2e7 100644
--- a/net-libs/libssh/metadata.xml
+++ b/net-libs/libssh/metadata.xml
@@ -11,7 +11,6 @@
 <flag name="mbedtls">Use <pkg>net-libs/mbedtls</pkg> as TLS provider</flag>
 <flag name="pcap">Build with PCAP output support</flag>
 <flag name="sftp">Build with SFTP support</flag>
- <flag name="ssh1">Build with SSH1 support</flag>
 <flag name="server">Build with SSH server support</flag>
 </use>
 </pkgmetadata> |