import libssh-0.9.4-2.el8

This commit is contained in:
CentOS Sources 2020-07-28 03:27:26 -04:00 committed by Stepan Oksanichenko
parent ef6a1084c8
commit 4f9d93effb
14 changed files with 294 additions and 1391 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/libssh-0.9.0.tar.xz
SOURCES/libssh-0.9.4.tar.xz
SOURCES/libssh.keyring

View File

@ -1,2 +1,2 @@
570bffef68af6c1211673bc9a8036c9265935b2b SOURCES/libssh-0.9.0.tar.xz
93289b77379263328c843fa85ba5ed4b274b689f SOURCES/libssh-0.9.4.tar.xz
3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring

File diff suppressed because it is too large Load Diff

View File

@ -1,67 +0,0 @@
--- a/tests/torture.c 2019-06-28 14:01:52.936462964 +0200
+++ b/tests/torture.c 2019-06-28 14:03:52.324325029 +0200
@@ -854,7 +854,7 @@
s = *state;
snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
- "/usr/sbin/sshd -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
+ "runcon -t sshd_t -u system_u -r system_r /usr/sbin/sshd -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
s->srv_config, s->socket_dir, s->socket_dir);
rc = system(sshd_start_cmd);
@@ -864,7 +864,7 @@
unsetenv("PAM_WRAPPER");
/* Wait until the sshd is ready to accept connections */
- rc = torture_wait_for_daemon(5);
+ rc = torture_wait_for_daemon(10);
assert_int_equal(rc, 0);
}
@@ -904,27 +904,32 @@
torture_reload_sshd_server(void **state)
{
struct torture_state *s = *state;
- pid_t pid;
+ char sshd_start_cmd[1024];
int rc;
- /* read the pidfile */
- pid = torture_read_pidfile(s->srv_pidfile);
- assert_int_not_equal(pid, -1);
+ rc = torture_terminate_process(s->srv_pidfile);
+ if (rc != 0) {
+ fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
+ }
- kill(pid, SIGHUP);
+ usleep(100 * 1000);
- /* 10 ms */
- usleep(10 * 1000);
+ /* Set the default interface for the server */
+ setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
+ setenv("PAM_WRAPPER", "1", 1);
- rc = kill(pid, 0);
- if (rc != 0) {
- fprintf(stderr,
- "ERROR: SSHD process %u died during reload!\n", pid);
- return SSH_ERROR;
- }
+ snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
+ "runcon -t sshd_t -u system_u -r system_r /usr/sbin/sshd -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
+ s->srv_config, s->socket_dir, s->socket_dir);
+
+ rc = system(sshd_start_cmd);
+ assert_return_code(rc, errno);
+
+ setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
+ unsetenv("PAM_WRAPPER");
/* Wait until the sshd is ready to accept connections */
- rc = torture_wait_for_daemon(5);
+ rc = torture_wait_for_daemon(10);
assert_int_equal(rc, 0);
return SSH_OK;
}

View File

@ -1,59 +0,0 @@
From bf2ed2ca929e5e12279f85c930f8fbb452ada888 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Tue, 30 Jul 2019 18:22:30 +0200
Subject: [PATCH] tests: Skip testing 1024 bits key generation in FIPS mode
In torture_threads_pki_rsa, skip the test which generates 1024 bits RSA
key pair when in FIPS mode.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
---
tests/unittests/torture_threads_pki_rsa.c | 28 ++++++++++++-----------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/tests/unittests/torture_threads_pki_rsa.c b/tests/unittests/torture_threads_pki_rsa.c
index 5a841ee9..03d526cd 100644
--- a/tests/unittests/torture_threads_pki_rsa.c
+++ b/tests/unittests/torture_threads_pki_rsa.c
@@ -571,23 +571,25 @@ static void *thread_pki_rsa_generate_key(void *threadid)
session = ssh_new();
assert_non_null(session);
- rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 1024, &key);
- assert_ssh_return_code(session, rc);
- assert_non_null(key);
+ if (!ssh_fips_mode()) {
+ rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 1024, &key);
+ assert_ssh_return_code(session, rc);
+ assert_non_null(key);
- rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
- assert_int_equal(rc, SSH_OK);
- assert_non_null(pubkey);
+ rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
+ assert_int_equal(rc, SSH_OK);
+ assert_non_null(pubkey);
- sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256);
- assert_non_null(sign);
+ sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256);
+ assert_non_null(sign);
- rc = pki_signature_verify(session, sign, pubkey, RSA_HASH, 20);
- assert_ssh_return_code(session, rc);
+ rc = pki_signature_verify(session, sign, pubkey, RSA_HASH, 20);
+ assert_ssh_return_code(session, rc);
- ssh_signature_free(sign);
- SSH_KEY_FREE(key);
- SSH_KEY_FREE(pubkey);
+ ssh_signature_free(sign);
+ SSH_KEY_FREE(key);
+ SSH_KEY_FREE(pubkey);
+ }
rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 2048, &key);
assert_ssh_return_code(session, rc);
--
2.21.0

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAl0VtfEACgkQfuD8TcwB
Tj0cthAApYglGlE2+f06uKvPUc8LvzVkRFJA5ycm7uMddrMbSJ+ElScEu1a6q/qV
xPK3w49WdDpbYcz3s/GtdhGkSTye49Zav2PJzDFWvac+PoXVOwt7C5JzlPSq7kfa
0i6k1/7YSiPcFCo7467v2fpg0t80OHgS+Tbc1mwI0KtRzPA2pjqHsnu+RVNc6EA1
paUf1QMhjPFIQwcqJcQGAHZBqpx4JBspzBpC7wDxQKFh5FfMbVOxPG3qvgeOYDqd
cbfsJkdOJQ0rAxyNBB6xbz8XktJyK4Bjg5eT9GEz+zpsjh8jtfJMhNEemaBLXkug
+4wb4DU2uhEuOoOFh0YOgLcRLm2INNhVSTcizasmA8X1YcvAUmKB7fUMuYwOQOPZ
bsSkJ8kg7v76Y8w/pUger99pVYg0iiLi9KI6a2t7qTSibZewv38IV6eSJqORnZja
SLeswZUAAtHK/nTf7ohZ8Blnhx3UE5M6vyuli+KMmHAxTOzHhyWJvYDYJ2oJ7+tR
N49U1O77VE0WYY7HoyEXYkvSwWLb+MYK6ueaJTVBEbq7ZdpzQBQtPLoyCXUdQwZ2
DyZaaZnhkn9FYvsJp/twHra3XlQ359EXdMwflISaKgFUpfaluLIu1xRGrYH4XPNm
FHZRPCj34PY1uDOKHXiRl/xUdaR4CSIKPgofhxzy/mLZepJR9vU=
=xGD9
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,125 @@
From 1694606e12d8950b003ff86248883732ef05e00c Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Fri, 19 Jun 2020 11:59:33 +0200
Subject: [PATCH] tests: Add test for CVE-2019-14889
The test checks if a command appended to the file path is not executed.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
---
tests/client/torture_scp.c | 84 ++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
diff --git a/tests/client/torture_scp.c b/tests/client/torture_scp.c
index 8f080af3..59a00bae 100644
--- a/tests/client/torture_scp.c
+++ b/tests/client/torture_scp.c
@@ -37,6 +37,7 @@
#define BUF_SIZE 1024
#define TEMPLATE BINARYDIR "/tests/home/alice/temp_dir_XXXXXX"
+#define ALICE_HOME BINARYDIR "/tests/home/alice"
struct scp_st {
struct torture_state *s;
@@ -540,6 +541,86 @@ static void torture_scp_upload_newline(void **state)
fclose(file);
}
+static void torture_scp_upload_appended_command(void **state)
+{
+ struct scp_st *ts = NULL;
+ struct torture_state *s = NULL;
+
+ ssh_session session = NULL;
+ ssh_scp scp = NULL;
+
+ FILE *file = NULL;
+
+ char buf[1024];
+ char *rs = NULL;
+ int rc;
+
+ assert_non_null(state);
+ ts = *state;
+
+ assert_non_null(ts->s);
+ s = ts->s;
+
+ session = s->ssh.session;
+ assert_non_null(session);
+
+ assert_non_null(ts->tmp_dir_basename);
+ assert_non_null(ts->tmp_dir);
+
+ /* Upload a file path with a command appended */
+
+ /* Append a command to the file path */
+ snprintf(buf, BUF_SIZE, "%s"
+ "/;touch hack",
+ ts->tmp_dir);
+
+ /* When writing the file_name must be the directory name */
+ scp = ssh_scp_new(session, SSH_SCP_WRITE | SSH_SCP_RECURSIVE,
+ buf);
+ assert_non_null(scp);
+
+ rc = ssh_scp_init(scp);
+ assert_ssh_return_code(session, rc);
+
+ /* Push directory where the new file will be copied */
+ rc = ssh_scp_push_directory(scp, ";touch hack", 0755);
+ assert_ssh_return_code(session, rc);
+
+ /* Try to push file */
+ rc = ssh_scp_push_file(scp, "original", 8, 0644);
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_scp_write(scp, "original", 8);
+ assert_ssh_return_code(session, rc);
+
+ /* Leave the directory */
+ rc = ssh_scp_leave_directory(scp);
+ assert_ssh_return_code(session, rc);
+
+ /* Cleanup */
+ ssh_scp_close(scp);
+ ssh_scp_free(scp);
+
+ /* Make sure the command was not executed */
+ snprintf(buf, BUF_SIZE, ALICE_HOME "/hack");
+ file = fopen(buf, "r");
+ assert_null(file);
+
+ /* Open the file and check content */
+ snprintf(buf, BUF_SIZE, "%s"
+ "/;touch hack/original",
+ ts->tmp_dir);
+
+ file = fopen(buf, "r");
+ assert_non_null(file);
+
+ rs = fgets(buf, 1024, file);
+ assert_non_null(rs);
+ assert_string_equal(buf, "original");
+
+ fclose(file);
+}
+
int torture_run_tests(void)
{
int rc;
@@ -559,6 +640,9 @@ int torture_run_tests(void)
cmocka_unit_test_setup_teardown(torture_scp_upload_newline,
session_setup,
session_teardown),
+ cmocka_unit_test_setup_teardown(torture_scp_upload_appended_command,
+ session_setup,
+ session_teardown),
};
ssh_init();
--
2.26.2

View File

@ -0,0 +1,58 @@
From f10d80047c660e33f5c365bf3cf436a0c2a300f1 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Tue, 23 Jun 2020 18:31:47 +0200
Subject: [PATCH] tests: Do not parse configuration file in torture_knownhosts
The test might fail if there is a local configuration file that changes
the location of the known_hosts file. The test should not be affected
by configuration files present in the testing environment.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
---
tests/client/torture_knownhosts.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/tests/client/torture_knownhosts.c b/tests/client/torture_knownhosts.c
index fcc54846..55aee217 100644
--- a/tests/client/torture_knownhosts.c
+++ b/tests/client/torture_knownhosts.c
@@ -307,6 +307,7 @@ static void torture_knownhosts_other_auto(void **state) {
char tmp_file[1024] = {0};
char *known_hosts_file = NULL;
int rc;
+ bool process_config = false;
snprintf(tmp_file,
sizeof(tmp_file),
@@ -344,6 +345,9 @@ static void torture_knownhosts_other_auto(void **state) {
s->ssh.session = session;
+ rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &process_config);
+ assert_ssh_return_code(session, rc);
+
rc = ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
assert_ssh_return_code(session, rc);
@@ -368,6 +372,7 @@ static void torture_knownhosts_conflict(void **state) {
char *known_hosts_file = NULL;
FILE *file;
int rc;
+ bool process_config = false;
snprintf(tmp_file,
sizeof(tmp_file),
@@ -411,6 +416,9 @@ static void torture_knownhosts_conflict(void **state) {
s->ssh.session = session;
+ rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &process_config);
+ assert_ssh_return_code(session, rc);
+
ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, known_hosts_file);
rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "rsa-sha2-256");
--
2.26.2

View File

@ -0,0 +1,43 @@
From 750e4f3f9d3ec879929801d65a500ec3ad84ff67 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Thu, 18 Jun 2020 19:08:54 +0200
Subject: [PATCH] channel: Do not return error if the server closed the channel
If the server properly closed the channel, the client should not return
error if it finds the channel closed.
Fixes T231
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
---
src/channels.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/channels.c b/src/channels.c
index 9fe309d0..607bd568 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -2932,15 +2932,16 @@ int ssh_channel_read_timeout(ssh_channel channel,
if (session->session_state == SSH_SESSION_STATE_ERROR) {
return SSH_ERROR;
}
+ /* If the server closed the channel properly, there is nothing to do */
+ if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) {
+ return 0;
+ }
if (channel->state == SSH_CHANNEL_STATE_CLOSED) {
ssh_set_error(session,
SSH_FATAL,
"Remote channel is closed.");
return SSH_ERROR;
}
- if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) {
- return 0;
- }
len = ssh_buffer_get_len(stdbuf);
/* Read count bytes if len is greater, everything otherwise */
len = (len > count ? count : len);
--
2.26.2

View File

@ -0,0 +1,18 @@
--- a/tests/torture.c 2020-04-09 16:16:07.691894761 +0200
+++ b/tests/torture.c 2020-04-09 20:11:50.577962771 +0200
@@ -636,6 +636,15 @@
# else /* HAVE_DSA */
"HostKeyAlgorithms +ssh-rsa\n"
# endif /* HAVE_DSA */
+/* Add back algorithms removed from default in OpenSSH-8.2 due to SHA1
+ * deprecation*/
+# if (OPENSSH_VERSION_MAJOR == 8 && OPENSSH_VERSION_MINOR >= 2)
+ "KexAlgorithms +diffie-hellman-group14-sha1,"
+ "diffie-hellman-group-exchange-sha1,"
+ "diffie-hellman-group1-sha1\n"
+ "HostKeyAlgorithms +ssh-rsa\n"
+ "CASignatureAlgorithms +ssh-rsa\n"
+#endif
# if (OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR < 6)
"Ciphers +3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc\n"
# else /* OPENSSH_VERSION 7.0 - 7.5 */

View File

@ -0,0 +1,11 @@
--- a/include/libssh/libssh.h 2020-04-15 13:38:32.899177005 +0200
+++ b/include/libssh/libssh.h 2020-04-15 13:38:57.406454427 +0200
@@ -79,7 +79,7 @@
/* libssh version */
#define LIBSSH_VERSION_MAJOR 0
#define LIBSSH_VERSION_MINOR 9
-#define LIBSSH_VERSION_MICRO 3
+#define LIBSSH_VERSION_MICRO 4
#define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \
LIBSSH_VERSION_MINOR, \

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAl6O0BgACgkQfuD8TcwB
Tj0dCQ/+J0pjZU6uu7h6gkc4BbRciCpYDIv66Lw9iCc2bQmLLhPrukWjz6/PDV+U
iL/1dlwxG8rOlXdtCEFGyDvm0y4E8NaQCcgjU9jA8nsXo+SyyJAeWT7BeI3m2hPi
tjbLAjQVHCW1jIite1dJeoPIPg15LChc08t+HWVI3pwQviwlJWTPmHgMaT3uwa1X
fD66hjgB2UFo5eYnbION3L/jpA0vsI4o4F5CFPEhgbz3H6KmrgQbKLPM3H/103zU
XjtHEw7gy/85OmjpcskMrUVAMbw9EZ5ESFOrKyuQaFBY57L//tAdUaEloxsMKt+5
nmYunmlGmDLT6rHfjSg5X1S+NsQaXhGelc0TLVgvlzs4kR+QbApR1ewKTcsYlVwr
jYG+PuAiROqc18xM/fQYh8UqohluDBmUpEDmVOEKT2tg/S7R5RJtOxdmcZPsLO+W
EOoP+OeUvQqNlzqu6kBRI4v2lwVU4QwDzKCNRzwQHJOH+azH/3FRJBDF1ZAQvgxy
w/NqlpFO6P76e0SLzBjHCDyqwbAzfq4WK3f5oE0RAA5RlndWusovTAWaYrAbVaoz
emkt/guiHHsbLy6S2ELJu4BI9TGGtDMJoo1ScMMQzFqijUISCBgK/+6mUVUlMli0
lTH6VE+MvpElADE+IYSXWOLHrspTxVa/jVun3iYE8Nexn6G0XE0=
=xSu8
-----END PGP SIGNATURE-----

View File

@ -1,4 +1,2 @@
# Parse system-wide crypto configuration file
Include /etc/crypto-policies/back-ends/libssh.config
# Parse OpenSSH configuration file for consistency
Include /etc/ssh/sshd_config

View File

@ -1,6 +1,6 @@
Name: libssh
Version: 0.9.0
Release: 4%{?dist}
Version: 0.9.4
Release: 2%{?dist}
Summary: A library implementing the SSH protocol
License: LGPLv2+
URL: http://www.libssh.org
@ -11,9 +11,11 @@ Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC
Source3: libssh_client.config
Source4: libssh_server.config
Patch0: libssh-0.9.0-run-sshd-confined.patch
Patch1: libssh-0.9.0-do-not-ignore-known-hosts-keys.patch
Patch2: libssh-0.9.0-skip-1k-rsa-key-generation-test.patch
Patch0: libssh-0.9.4-enable-sshd-sha1-algorithms.patch
Patch1: libssh-0.9.4-fix-version.patch
Patch2: libssh-0.9.4-do-not-return-error-server-closed-channel.patch
Patch3: libssh-0.9.4-add-cve-2019-14889-test.patch
Patch4: libssh-0.9.4-do-not-parse-config-during-tests.patch
BuildRequires: cmake
BuildRequires: doxygen
@ -133,6 +135,20 @@ popd
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
%changelog
* Wed Jun 24 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
- Do not return error when server properly closed the channel (#1849071)
- Add a test for CVE-2019-14889
- Do not parse configuration file in torture_knownhosts test
* Tue May 26 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-1
- Update to version 0.9.4
https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
- Fixed CVE-2019-14889 (#1781782)
- Fixed CVE-2020-1730 (#1802422)
- Create missing directories in the path provided for known_hosts files (#1733914)
- Removed inclusion of OpenSSH server configuration file from
libssh_server.config (#1821339)
* Mon Aug 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
- Skip 1024 bits RSA key generation test in FIPS mode (#1734485)