Rebase to 0.12.0
Resolves: RHEL-70825 Resolves: RHEL-133421 Resolves: RHEL-130042
This commit is contained in:
parent
95ad6e369a
commit
9f672e8c1f
2
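--- a/.gitignore
+++ b/.gitignore
@@ -72,3 +72,5 @@ libssh-0.4.4.tar.gz.asc
 /libssh-0.10.6.tar.xz.asc
 /libssh-0.11.1.tar.xz
 /libssh-0.11.1.tar.xz.asc
+/libssh-0.12.0.tar.xz
+/libssh-0.12.0.tar.xz.asc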
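--- a/libssh-0.11.1-CVE-2025-5318.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b47ccd17559f79bfb2d6b94d2bf84856cf06259e Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 22 Apr 2025 21:18:44 +0200
-Subject: [PATCH] CVE-2025-5318: sftpserver: Fix possible buffer overrun
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
----
-src/sftpserver.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/sftpserver.c b/src/sftpserver.c
-index 1afd8b2f..2aa28baa 100644
---- a/src/sftpserver.c
-+++ b/src/sftpserver.c
-@@ -704,7 +704,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle)
-
-memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
-
-- if (val > SFTP_HANDLES) {
-+ if (val >= SFTP_HANDLES) {
-return NULL;
-}
-
---
-2.50.1
-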
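--- a/libssh-0.11.1-fix-provider-loading.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-diff -up libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp libssh-0.11.1/tests/client/torture_auth_pkcs11.c
---- libssh-0.11.1/tests/client/torture_auth_pkcs11.c.tmp 2024-10-25 11:58:50.341126170 +0200
-+++ libssh-0.11.1/tests/client/torture_auth_pkcs11.c 2024-10-25 12:11:01.766453259 +0200
-@@ -240,6 +240,14 @@ int torture_run_tests(void) {
-session_teardown),
-};
-
-+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+ * It can load a pkcs11 provider too early before we will set up environment
-+ * variables that are needed for the pkcs11 provider to access correct
-+ * tokens, causing unexpected failures.
-+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+ */
-+ setenv("OPENSSL_CONF", "/dev/null", 1);
-+
-ssh_init();
-torture_filter_tests(tests);
-rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
-diff -up libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c
---- libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c.tmp 2024-10-25 11:59:22.964367137 +0200
-+++ libssh-0.11.1/tests/unittests/torture_pki_ecdsa_uri.c 2024-10-25 12:12:51.473625481 +0200
-@@ -563,6 +563,14 @@ int torture_run_tests(void) {
-ssh_session session = ssh_new();
-int verbosity = SSH_LOG_FUNCTIONS;
-
-+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+ * It can load a pkcs11 provider too early before we will set up environment
-+ * variables that are needed for the pkcs11 provider to access correct
-+ * tokens, causing unexpected failures.
-+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+ */
-+ setenv("OPENSSL_CONF", "/dev/null", 1);
-+
-ssh_init();
-ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
-
-diff -up libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c
---- libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c.tmp 2024-10-25 11:59:49.241336178 +0200
-+++ libssh-0.11.1/tests/unittests/torture_pki_rsa_uri.c 2024-10-25 12:12:10.985614709 +0200
-@@ -285,6 +285,14 @@ torture_run_tests(void)
-ssh_session session = ssh_new();
-int verbosity = SSH_LOG_FUNCTIONS;
-
-+ /* Do not use system openssl.cnf for the pkcs11 uri tests.
-+ * It can load a pkcs11 provider too early before we will set up environment
-+ * variables that are needed for the pkcs11 provider to access correct
-+ * tokens, causing unexpected failures.
-+ * Make sure this comes before ssh_init(), which initializes OpenSSL!
-+ */
-+ setenv("OPENSSL_CONF", "/dev/null", 1);
-+
-ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
-ssh_init();
-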
22
libssh.spec
22
libssh.spec
@ -1,21 +1,15 @@
|
||||
Name: libssh
|
||||
Version: 0.11.1
|
||||
Release: 3%{?dist}
|
||||
Version: 0.12.0
|
||||
Release: 1%{?dist}
|
||||
Summary: A library implementing the SSH protocol
|
||||
License: LGPL-2.1-or-later
|
||||
URL: http://www.libssh.org
|
||||
|
||||
Source0: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz
|
||||
Source1: https://www.libssh.org/files/0.11/%{name}-%{version}.tar.xz.asc
|
||||
Source0: https://www.libssh.org/files/0.12/%{name}-%{version}.tar.xz
|
||||
Source1: https://www.libssh.org/files/0.12/%{name}-%{version}.tar.xz.asc
|
||||
Source2: https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_org_gpgkey.asc#/%{name}.keyring
|
||||
Source3: libssh_client.config
|
||||
Source4: libssh_server.config
|
||||
# Don't use global openssl.cnf for PKCS#11 URI Tests
|
||||
# https://gitlab.com/libssh/libssh-mirror/-/commit/46d74176
|
||||
Patch1: libssh-0.11.1-fix-provider-loading.patch
|
||||
# Fix possible buffer overrun in the SFTP server
|
||||
# https://gitlab.com/libssh/libssh-mirror/-/commit/ae8881df
|
||||
Patch2: libssh-0.11.1-CVE-2025-5318.patch
|
||||
|
||||
BuildRequires: cmake
|
||||
BuildRequires: gcc-c++
|
||||
@ -42,6 +36,9 @@ BuildRequires: p11-kit-client
|
||||
BuildRequires: opensc
|
||||
BuildRequires: softhsm
|
||||
BuildRequires: gnutls-utils
|
||||
BuildRequires: libfido2-devel
|
||||
BuildRequires: openssh-sk-dummy
|
||||
BuildRequires: hostname
|
||||
|
||||
Requires: %{name}-config = %{version}-%{release}
|
||||
|
||||
@ -90,6 +87,7 @@ The %{name}-config package provides the default configuration files for %{name}.
|
||||
-DGSSAPI_TESTING=ON \
|
||||
-DWITH_PKCS11_URI=ON \
|
||||
-DWITH_PKCS11_PROVIDER=ON \
|
||||
-DWITH_FIDO2=ON \
|
||||
-DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
|
||||
-DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
|
||||
|
||||
@ -145,6 +143,10 @@ popd
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
|
||||
|
||||
%changelog
|
||||
* Tue Feb 10 2026 Pavol Žáčik <pzacik@redhat.com> - 0.12.0-1
|
||||
- Rebase to 0.12.0
|
||||
Resolves: RHEL-133421, RHEL-70825, RHEL-130042
|
||||
|
||||
* Tue Sep 30 2025 Pavol Žáčik <pzacik@redhat.com> - 0.11.1-3
|
||||
- Fix CVE-2025-5318
|
||||
Resolves: RHEL-111721
|
||||
|
||||
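Review bot: The new 0.12.0-1 %changelog entry (hunk at line 145) records only the rebase and does not say that Patch1 (PKCS#11 provider-loading fix) and Patch2 (CVE-2025-5318) were dropped from the spec, presumably because 0.12.0 already carries them upstream, so anyone auditing CVE coverage of this package has to diff the spec to confirm the fix is still present. A line such as `- Drop patches included upstream (CVE-2025-5318, PKCS#11 provider loading)` under the rebase line would make that explicit. The same entry is silent on the newly enabled `-DWITH_FIDO2=ON` and the added libfido2-devel/openssh-sk-dummy build dependencies, which presumably make libfido2 a runtime dependency of the library and so widen its attack surface; `- Enable FIDO2 security key support` would document that. The %changelog section continues past the end of the hunk.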
4
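--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (libssh-0.11.1.tar.xz) = 284d376ad9ea30b0274b4ac754b27d168286dca862ece43ef15ca6d89e66865ad7a6703cc12dd4a8564a60b8449ae9b36e6496fd51d34cc27ac4030f6cf216d6
-SHA512 (libssh-0.11.1.tar.xz.asc) = 7d1a2f02a9abba5373b1a29a9097fef65e46ff3a22e36bcb3549066d69fbd8e2702ff3b6182bae931282d10256da2ca8a364935b068d6d5bc767d877572ee3e2
+SHA512 (libssh-0.12.0.tar.xz) = dd28483f391e36c9da0f0b8c469bc9e19f75dc1016d04e35930b1a28e0711fa02a1eae9ddeb95b9e48cb1fd3f2bc456789457bc092cf53d00d55b20257f082a2
+SHA512 (libssh-0.12.0.tar.xz.asc) = 2b24cc6d0a8accba4637978b9d9df49eaa432aa6394af7ee192e99df652049ec1a7b4c4e3951f6858ff2aa93a6cd9d48befbe1104724160d686eb2a20b6547ab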