Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libssh2_org for openSUSE:Factory checked in at 2024-04-03 17:18:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libssh2_org (Old) and /work/SRC/openSUSE:Factory/.libssh2_org.new.1905 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libssh2_org" Wed Apr 3 17:18:24 2024 rev:45 rq:1164239 version:1.11.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libssh2_org/libssh2_org.changes 2023-12-20 21:01:24.036598931 +0100 +++ /work/SRC/openSUSE:Factory/.libssh2_org.new.1905/libssh2_org.changes 2024-04-03 17:18:42.881735109 +0200 @@ -1,0 +2,18 @@ +Tue Apr 2 16:48:26 UTC 2024 - Pedro Monreal <pmonr...@suse.com> + +- Fix an issue with Encrypt-then-MAC family. [bsc#1221622] + * Test the ETM feature in the remote end's configuration when + receiving data. Upstream issue: #1331. + * Add libssh2_org-ETM-remote.patch + +------------------------------------------------------------------- +Fri Feb 9 14:55:47 UTC 2024 - Pedro Monreal <pmonr...@suse.com> + +- Always add the KEX pseudo-methods "ext-info-c" and "kex-strict-c-...@openssh.com" + when configuring custom method list. [bsc#1218971, CVE-2023-48795] + * The strict-kex extension is announced in the list of available + KEX methods. However, when the default KEX method list is modified + or replaced, the extension is not added back automatically. + * Add libssh2_org-CVE-2023-48795-ext.patch + +------------------------------------------------------------------- New: ---- libssh2_org-CVE-2023-48795-ext.patch libssh2_org-ETM-remote.patch BETA DEBUG BEGIN: New: or replaced, the extension is not added back automatically. * Add libssh2_org-CVE-2023-48795-ext.patch New: receiving data. Upstream issue: #1331. * Add libssh2_org-ETM-remote.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libssh2_org.spec ++++++ --- /var/tmp/diff_new_pack.8TDnwx/_old 2024-04-03 17:18:43.449756039 +0200 +++ /var/tmp/diff_new_pack.8TDnwx/_new 2024-04-03 17:18:43.449756039 +0200 
@@ -1,7 +1,7 @@ # # spec file for package libssh2_org # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,6 +31,10 @@ Patch0: libssh2-ocloexec.patch # PATCH-FIX-UPSTREAM bsc#1218127 CVE-2023-48795: Add 'strict KEX' to fix Terrapin Attack Patch1: libssh2_org-CVE-2023-48795.patch +# PATCH-FIX-SUSE bsc#1218971 Always add extension indicators to kex_algorithms +Patch2: libssh2_org-CVE-2023-48795-ext.patch +# PATCH-FIX-UPSTREAM bsc#1221622 Test ETM feature in remote end's config when receiving data +Patch3: libssh2_org-ETM-remote.patch BuildRequires: libtool BuildRequires: openssl-devel BuildRequires: pkgconfig @@ -83,10 +87,10 @@ --with-libssl-prefix=%{_prefix} \ --with-libz=%{_prefix} -make %{?_smp_mflags} +%make_build %check -make %{?_smp_mflags} check +%make_build check %install %make_install @@ -96,11 +100,9 @@ %postun -n libssh2-1 -p /sbin/ldconfig %files -n libssh2-1 -%defattr(-,root,root) %{_libdir}/libssh2.so.1* %files -n libssh2-devel -%defattr(-,root,root) %doc NEWS docs/BINDINGS.md docs/HACKING.md docs/TODO %{_libdir}/libssh2.so %{_includedir}/*.h ++++++ libssh2_org-CVE-2023-48795-ext.patch ++++++ >From 59786b186d4de8fd6cd5aeebedbce2362a849566 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josef=20=C4=8Cejka?= <jce...@suse.cz> Date: Tue, 6 Feb 2024 15:14:29 +0100 Subject: [PATCH] Always add extension indicators to kex_algorithms KEX pseudo-methods "ext-info-c" and "kex-strict-c-...@openssh.com" are in default kex method list but they were lost after configuring custom kex method list in libssh2_session_method_pref(). --- src/kex.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/src/kex.c b/src/kex.c index 8c65a0fe..1d1dadfa 100644 --- a/src/kex.c +++ b/src/kex.c 
@@ -4027,13 +4027,25 @@ libssh2_session_method_pref(LIBSSH2_SESSION * session, int method_type, const char *prefs) { char **prefvar, *s, *newprefs; + char *tmpprefs = NULL; size_t prefs_len = strlen(prefs); const LIBSSH2_COMMON_METHOD **mlist; + const char *kex_extensions = "ext-info-c,kex-strict-c-...@openssh.com,"; + size_t kex_extensions_len = strlen(kex_extensions); switch(method_type) { case LIBSSH2_METHOD_KEX: prefvar = &session->kex_prefs; mlist = (const LIBSSH2_COMMON_METHOD **)libssh2_kex_methods; + tmpprefs = LIBSSH2_ALLOC(session, kex_extensions_len + prefs_len + 1); + if(!tmpprefs) { + return _libssh2_error(session, LIBSSH2_ERROR_ALLOC, + "Error allocated space for kex method preferences"); + } + memcpy(tmpprefs, kex_extensions, kex_extensions_len); + memcpy(tmpprefs + kex_extensions_len, prefs, prefs_len + 1); + prefs = tmpprefs; + prefs_len = strlen(prefs); break; case LIBSSH2_METHOD_HOSTKEY: @@ -4093,6 +4105,9 @@ libssh2_session_method_pref(LIBSSH2_SESSION * session, int method_type, s = newprefs = LIBSSH2_ALLOC(session, prefs_len + 1); if(!newprefs) { + if (tmpprefs) { + LIBSSH2_FREE(session, tmpprefs); + } return _libssh2_error(session, LIBSSH2_ERROR_ALLOC, "Error allocated space for method preferences"); } @@ -4121,6 +4136,10 @@ libssh2_session_method_pref(LIBSSH2_SESSION * session, int method_type, } } + if (tmpprefs) { + LIBSSH2_FREE(session, tmpprefs); + } + if(!*newprefs) { LIBSSH2_FREE(session, newprefs); return _libssh2_error(session, LIBSSH2_ERROR_METHOD_NOT_SUPPORTED, -- 2.26.2 ++++++ libssh2_org-ETM-remote.patch ++++++ >From bde10825f1271769d56a0e99793da61d37abc23c Mon Sep 17 00:00:00 2001 From: Josef Cejka <jce...@suse.com> Date: Thu, 28 Mar 2024 23:38:47 +0100 Subject: [PATCH] transport: check ETM on remote end when receiving (#1332) We should check if encrypt-then-MAC feature is enabled in remote end's configuration. Fixes #1331 --- src/transport.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
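Review bot: The KEX case prepends `ext-info-c` and the strict-kex indicator unconditionally, so a caller whose preference string already names them ends up advertising each pseudo-method twice in KEXINIT; as far as the hunks show, the loop between hunk 1 and hunk 2 only drops unsupported names and does not de-duplicate, so either a `strstr(prefs, ...)` guard before the `memcpy` or a comment stating that duplicates are harmless is warranted. The literal as rendered here reads `kex-strict-c-...@openssh.com`, which looks like list-archive address mangling rather than the patch content — worth confirming against the patch file itself, since a misspelled pseudo-method would silently never be matched and strict KEX would not be negotiated. The three added `if (tmpprefs) {` sites use a space before the parenthesis while the surrounding code is written `if(!newprefs) {`; the file's style wants `if(tmpprefs) {`. A short comment above the `LIBSSH2_ALLOC`, e.g. `/* keep the ext-info and strict-kex indicators (CVE-2023-48795) when the caller replaces the KEX list */`, would document why the list is rewritten, and since `prefs` aliases `tmpprefs` from hunk 1 on it must not be read after the `LIBSSH2_FREE(session, tmpprefs)` in the last hunk. libssh2_session_method_pref continues outside the hunks.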
diff --git a/src/transport.c b/src/transport.c index 531f5aa15a..af175d3fa1 100644 --- a/src/transport.c +++ b/src/transport.c @@ -425,7 +425,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) make the checks below work fine still */ } - etm = encrypted && session->local.mac ? session->local.mac->etm : 0; + etm = encrypted && session->remote.mac ? session->remote.mac->etm : 0; /* read/use a whole big chunk into a temporary area stored in the LIBSSH2_SESSION struct. We will decrypt data from that
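Review bot: The new `etm` line is correct but undocumented, and which end's MAC governs the layout of an inbound packet is exactly the direction subtlety the old `local.mac` read got wrong, so it deserves a comment such as `/* inbound packets carry the MAC the remote end negotiated, so its ETM flag decides how we unpack and verify */`. Because MAC algorithms are negotiated per direction, the old code only misbehaved when the two ends chose differently; a regression test that negotiates an ETM MAC in one direction only would pin the fix, since symmetric configurations cannot distinguish `local.mac` from `remote.mac`. _libssh2_transport_read starts and ends outside the hunk.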