import UBI libssh-0.10.4-13.el9

SOURCES/escape-brackets-in-proxycommand.patch

@@ -0,0 +1,94 @@
+From bccb8513fa4a836aef0519d65eb33bb212606fe1 Mon Sep 17 00:00:00 2001
+From: Thomas Baag <libssh-git@spam.b2ag.de>
+Date: Wed, 21 Sep 2022 20:55:27 +0200
+Subject: [PATCH] config: Escape brackets in ProxyCommand build from ProxyJump
+
+Missing escaping results in syntax errors in Zsh shell because of square
+brackets getting interpreted as being a pattern for globbing.
+
+Signed-off-by: Thomas Baag <libssh-git@spam.b2ag.de>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+---
+ src/config.c                     |  2 +-
+ tests/unittests/torture_config.c | 14 +++++++-------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/config.c b/src/config.c
+index c048418ec..308928429 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -491,7 +491,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
+     if (hostname != NULL && do_parsing) {
+         char com[512] = {0};
+ 
+-        rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W [%%h]:%%p %s",
++        rv = snprintf(com, sizeof(com), "ssh%s%s%s%s%s%s -W '[%%h]:%%p' %s",
+                       username ? " -l " : "",
+                       username ? username : "",
+                       port ? " -p " : "",
+diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
+index 31dadae37..5ff20c99a 100644
+--- a/tests/unittests/torture_config.c
++++ b/tests/unittests/torture_config.c
+@@ -649,7 +649,7 @@ static void torture_config_unknown(void **state,
+     /* test corner cases */
+     _parse_config(session, file, string, SSH_OK);
+     assert_string_equal(session->opts.ProxyCommand,
+-            "ssh -W [%h]:%p many-spaces.com");
++            "ssh -W '[%h]:%p' many-spaces.com");
+     assert_string_equal(session->opts.host, "equal.sign");
+ 
+     ret = ssh_config_parse_file(session, "/etc/ssh/ssh_config");
+@@ -945,28 +945,28 @@ static void torture_config_proxyjump(void **state,
+     torture_reset_config(session);
+     ssh_options_set(session, SSH_OPTIONS_HOST, "simple");
+     _parse_config(session, file, string, SSH_OK);
+-    assert_string_equal(session->opts.ProxyCommand, "ssh -W [%h]:%p jumpbox");
++    assert_string_equal(session->opts.ProxyCommand, "ssh -W '[%h]:%p' jumpbox");
+ 
+     /* With username */
+     torture_reset_config(session);
+     ssh_options_set(session, SSH_OPTIONS_HOST, "user");
+     _parse_config(session, file, string, SSH_OK);
+     assert_string_equal(session->opts.ProxyCommand,
+-                        "ssh -l user -W [%h]:%p jumpbox");
++                        "ssh -l user -W '[%h]:%p' jumpbox");
+ 
+     /* With port */
+     torture_reset_config(session);
+     ssh_options_set(session, SSH_OPTIONS_HOST, "port");
+     _parse_config(session, file, string, SSH_OK);
+     assert_string_equal(session->opts.ProxyCommand,
+-                        "ssh -p 2222 -W [%h]:%p jumpbox");
++                        "ssh -p 2222 -W '[%h]:%p' jumpbox");
+ 
+     /* Two step jump */
+     torture_reset_config(session);
+     ssh_options_set(session, SSH_OPTIONS_HOST, "two-step");
+     _parse_config(session, file, string, SSH_OK);
+     assert_string_equal(session->opts.ProxyCommand,
+-                        "ssh -l u1 -p 222 -J u2@second:33 -W [%h]:%p first");
++                        "ssh -l u1 -p 222 -J u2@second:33 -W '[%h]:%p' first");
+ 
+     /* none */
+     torture_reset_config(session);
+@@ -985,14 +985,14 @@ static void torture_config_proxyjump(void **state,
+     ssh_options_set(session, SSH_OPTIONS_HOST, "only-jump");
+     _parse_config(session, file, string, SSH_OK);
+     assert_string_equal(session->opts.ProxyCommand,
+-                        "ssh -W [%h]:%p jumpbox");
++                        "ssh -W '[%h]:%p' jumpbox");
+ 
+     /* IPv6 address */
+     torture_reset_config(session);
+     ssh_options_set(session, SSH_OPTIONS_HOST, "ipv6");
+     _parse_config(session, file, string, SSH_OK);
+     assert_string_equal(session->opts.ProxyCommand,
+-                        "ssh -W [%h]:%p 2620:52:0::fed");
++                        "ssh -W '[%h]:%p' 2620:52:0::fed");
+ 
+     /* Multiple @ is allowed in second jump */
+     config = "Host allowed-hostname\n"
+-- 
+GitLab
+

SPECS/libssh.spec

@@ -1,6 +1,6 @@
 Name:           libssh
 Version:        0.10.4
-Release:        12%{?dist}
+Release:        13%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
@@ -51,7 +51,10 @@ Patch9: auth_bypass.patch
 Patch10: covscan23.patch
 Patch11: rekey_test_fixup.patch
 Patch12: covscan23_1.patch
-Patch13: CVE-2023-48795.patch
+Patch13: CVE-2023-6004.patch
+Patch14: CVE-2023-48795.patch
+Patch15: CVE-2023-6918.patch
+Patch16: escape-brackets-in-proxycommand.patch
 
 %description
 The ssh library was designed to be used by programmers needing a working SSH
@@ -144,9 +147,16 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
-* Mon Jan 15 2024 Sahana Prasad <sahana@redhat.com> - 0.10.4-12
+* Mon Feb 19 2024 Sahana Prasad <sahana@redhat.com> - 0.10.4-13
+- Bump up the version so that the version in 9.3 is lower.
+- Resolves: RHEL-19310, RHEL-19691, RHEL-17245
+
+* Tue Jan 09 2024 Sahana Prasad <sahana@redhat.com> - 0.10.4-12
 - Fix CVE-2023-48795 Prefix truncation attack on Binary Packet Protocol (BPP)
-- Resolves: RHEL-20939
+- Fix CVE-2023-6918 Missing checks for return values for digests
+- Fix CVE-2023-6004 ProxyCommand/ProxyJump features allow injection
+  of malicious code through hostname
+- Resolves: RHEL-19310, RHEL-19691, RHEL-17245
 
 * Wed Jun 21 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4-11
 - Fix loglevel regression