Hello community, here is the log from the commit of package libssh2_org for openSUSE:Factory checked in at 2019-04-12 09:13:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libssh2_org (Old) and /work/SRC/openSUSE:Factory/.libssh2_org.new.27019 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libssh2_org" Fri Apr 12 09:13:02 2019 rev:38 rq:692646 version:1.8.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libssh2_org/libssh2_org.changes 2019-03-24 14:55:56.903208736 +0100 +++ /work/SRC/openSUSE:Factory/.libssh2_org.new.27019/libssh2_org.changes 2019-04-12 09:13:06.385631691 +0200 @@ -1,0 +2,8 @@ +Tue Apr 9 09:10:26 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com> + +- Version update to 1.8.2: [bsc#1130103] + Bug fixes: + * Fixed the misapplied userauth patch that broke 1.8.1 + * moved the MAX size declarations from the public header + +------------------------------------------------------------------- Old: ---- libssh2-1.8.1.tar.gz libssh2-1.8.1.tar.gz.asc New: ---- libssh2-1.8.2.tar.gz libssh2-1.8.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libssh2_org.spec ++++++ --- /var/tmp/diff_new_pack.Zml8hk/_old 2019-04-12 09:13:07.145632018 +0200 +++ /var/tmp/diff_new_pack.Zml8hk/_new 2019-04-12 09:13:07.145632018 +0200 @@ -18,7 +18,7 @@ %define pkg_name libssh2 Name: libssh2_org -Version: 1.8.1 +Version: 1.8.2 Release: 0 Summary: A library implementing the SSH2 protocol License: BSD-3-Clause ++++++ libssh2-1.8.1.tar.gz -> libssh2-1.8.2.tar.gz ++++++ ++++ 3684 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.1/NEWS new/libssh2-1.8.2/NEWS --- old/libssh2-1.8.1/NEWS 2019-03-18 22:30:26.000000000 +0100 +++ new/libssh2-1.8.2/NEWS 2019-03-25 20:29:58.000000000 +0100 
@@ -1,5 +1,20 @@ Changelog for the libssh2 project. Generated with git2news.pl +Version 1.8.2 (25 Mar 2019) + +Daniel Stenberg (25 Mar 2019) +- RELEASE-NOTES: version 1.8.2 + +- [Will Cosgrove brought this change] + + moved MAX size declarations #330 + +- [Will Cosgrove brought this change] + + Fixed misapplied patch (#327) + + Fixes for user auth + Version 1.8.1 (14 Mar 2019) Will Cosgrove (14 Mar 2019) @@ -5521,12 +5536,3 @@ Reported by Steven Van Ingelgem <ste...@vaningelgem.be> in <http://thread.gmane.org/gmane.network.ssh.libssh2.devel/2566>. - -- Mention libssh2-style.el. - -- Use memmove instead of memcpy on overlapping memory areas. - - Reported by Bob Alexander <balexan...@expressor-software.com> in - <http://thread.gmane.org/gmane.network.ssh.libssh2.devel/2530>. - -- Add. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.1/RELEASE-NOTES new/libssh2-1.8.2/RELEASE-NOTES --- old/libssh2-1.8.1/RELEASE-NOTES 2019-03-18 22:03:35.000000000 +0100 +++ new/libssh2-1.8.2/RELEASE-NOTES 2019-03-25 20:28:55.000000000 +0100 
@@ -1,29 +1,12 @@ -libssh2 1.8.1 +libssh2 1.8.2 This release includes the following bugfixes: - - o fixed possible integer overflow when reading a specially crafted packet - (https://www.libssh2.org/CVE-2019-3855.html) - o fixed possible integer overflow in userauth_keyboard_interactive with a - number of extremely long prompt strings - (https://www.libssh2.org/CVE-2019-3863.html) - o fixed possible integer overflow if the server sent an extremely large number - of keyboard prompts (https://www.libssh2.org/CVE-2019-3856.html) - o fixed possible out of bounds read when processing a specially crafted packet - (https://www.libssh2.org/CVE-2019-3861.html) - o fixed possible integer overflow when receiving a specially crafted exit - signal message channel packet (https://www.libssh2.org/CVE-2019-3857.html) - o fixed possible out of bounds read when receiving a specially crafted exit - status message channel packet (https://www.libssh2.org/CVE-2019-3862.html) - o fixed possible zero byte allocation when reading a specially crafted SFTP - packet (https://www.libssh2.org/CVE-2019-3858.html) - o fixed possible out of bounds reads when processing specially crafted SFTP - packets (https://www.libssh2.org/CVE-2019-3860.html) - o fixed possible out of bounds reads in _libssh2_packet_require(v) - (https://www.libssh2.org/CVE-2019-3859.html) + + o Fixed the misapplied userauth patch that broke 1.8.1 + o moved the MAX size declarations from the public header This release would not have looked like this without help, code, reports and advice from friends like these: - Chris Coulson, Michael Buckley, Will Cosgrove, Daniel Stenberg - (4 contributors) + Will Cosgrove + (1 contributors) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/libssh2-1.8.1/include/libssh2.h new/libssh2-1.8.2/include/libssh2.h --- old/libssh2-1.8.1/include/libssh2.h 2019-03-18 22:30:26.000000000 +0100 +++ new/libssh2-1.8.2/include/libssh2.h 2019-03-25 20:29:58.000000000 +0100 @@ -46,13 +46,13 @@ to make the BANNER define (used by src/session.c) be a valid SSH banner. Release versions have no appended strings and may of course not have dashes either. */ -#define LIBSSH2_VERSION "1.8.1" +#define LIBSSH2_VERSION "1.8.2" /* The numeric version number is also available "in parts" by using these defines: */ #define LIBSSH2_VERSION_MAJOR 1 #define LIBSSH2_VERSION_MINOR 8 -#define LIBSSH2_VERSION_PATCH 1 +#define LIBSSH2_VERSION_PATCH 2 /* This is the numeric version of the libssh2 version number, meant for easier parsing and comparions by programs. The LIBSSH2_VERSION_NUM define will @@ -69,7 +69,7 @@ and it is always a greater number in a more recent release. It makes comparisons with greater than and less than work. */ -#define LIBSSH2_VERSION_NUM 0x010801 +#define LIBSSH2_VERSION_NUM 0x010802 /* * This is the date and time when the full source package was created. The @@ -80,7 +80,7 @@ * * "Mon Feb 12 11:35:33 UTC 2007" */ -#define LIBSSH2_TIMESTAMP "Mon Mar 18 21:30:25 UTC 2019" +#define LIBSSH2_TIMESTAMP "Mon Mar 25 19:29:57 UTC 2019" #ifndef RC_INVOKED 
@@ -145,18 +145,6 @@ #define LIBSSH2_INVALID_SOCKET -1 #endif /* WIN32 */ -#ifndef SIZE_MAX -#if _WIN64 -#define SIZE_MAX 0xFFFFFFFFFFFFFFFF -#else -#define SIZE_MAX 0xFFFFFFFF -#endif -#endif - -#ifndef UINT_MAX -#define UINT_MAX 0xFFFFFFFF -#endif - /* * Determine whether there is small or large file support on windows. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.1/src/libssh2_priv.h new/libssh2-1.8.2/src/libssh2_priv.h --- old/libssh2-1.8.1/src/libssh2_priv.h 2019-03-18 22:30:01.000000000 +0100 +++ new/libssh2-1.8.2/src/libssh2_priv.h 2019-03-25 20:26:48.000000000 +0100 @@ -146,6 +146,18 @@ #endif +#ifndef SIZE_MAX +#if _WIN64 +#define SIZE_MAX 0xFFFFFFFFFFFFFFFF +#else +#define SIZE_MAX 0xFFFFFFFF +#endif +#endif + +#ifndef UINT_MAX +#define UINT_MAX 0xFFFFFFFF +#endif + /* RFC4253 section 6.1 Maximum Packet Length says: * * "All implementations MUST be able to process packets with diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.1/src/userauth.c new/libssh2-1.8.2/src/userauth.c --- old/libssh2-1.8.1/src/userauth.c 2019-03-18 22:30:01.000000000 +0100 +++ new/libssh2-1.8.2/src/userauth.c 2019-03-25 20:26:48.000000000 +0100 @@ -107,7 +107,7 @@ LIBSSH2_FREE(session, session->userauth_list_data); session->userauth_list_data = NULL; - if (rc || (session->userauth_list_data_len < 1)) { + if (rc) { _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND, "Unable to send userauth-none request"); session->userauth_list_state = libssh2_NB_state_idle; 
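Review bot: In src/libssh2_priv.h (hunk at 146) the relocated fallback `#define SIZE_MAX 0xFFFFFFFF` is chosen on every non-Win64 target where SIZE_MAX is not already defined, including 64-bit ones, so it can understate the real limit of size_t. The hunk does not show whether `<stdint.h>` and `<limits.h>` are included above this point; including them before the `#ifndef` blocks would make the fallbacks a last resort and avoid a redefinition if a system header is pulled in later. `#ifdef _WIN64` would also be cleaner than `#if _WIN64`, which evaluates an undefined macro on other platforms. A short comment such as `/* fallbacks for toolchains lacking <stdint.h>/<limits.h> */` would record why the block exists, assuming that is its purpose.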
@@ -127,7 +127,7 @@ _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block requesting userauth list"); return NULL; - } else if (rc) { + } else if (rc || (session->userauth_list_data_len < 1)) { _libssh2_error(session, rc, "Failed getting response"); session->userauth_list_state = libssh2_NB_state_idle; return NULL; @@ -1172,7 +1172,7 @@ NULL, 0); if (rc == LIBSSH2_ERROR_EAGAIN) return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); - else if (rc || (session->userauth_pblc_data_len < 1)) { + else if (rc) { LIBSSH2_FREE(session, session->userauth_pblc_packet); session->userauth_pblc_packet = NULL; LIBSSH2_FREE(session, session->userauth_pblc_method); @@ -1195,7 +1195,7 @@ if (rc == LIBSSH2_ERROR_EAGAIN) { return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); } - else if (rc) { + else if (rc || (session->userauth_pblc_data_len < 1)) { LIBSSH2_FREE(session, session->userauth_pblc_packet); session->userauth_pblc_packet = NULL; LIBSSH2_FREE(session, session->userauth_pblc_method); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.1/test-driver new/libssh2-1.8.2/test-driver --- old/libssh2-1.8.1/test-driver 2013-09-17 23:36:24.000000000 +0200 +++ new/libssh2-1.8.2/test-driver 2019-03-21 10:27:09.000000000 +0100 @@ -1,9 +1,9 @@ #! /bin/sh # test-driver - basic testsuite driver script. -scriptversion=2012-06-27.10; # UTC +scriptversion=2018-03-07.03; # UTC -# Copyright (C) 2011-2013 Free Software Foundation, Inc. +# Copyright (C) 2011-2018 Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
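Review bot: In src/userauth.c at line 127, when the reply arrives with `rc == 0` but `session->userauth_list_data_len < 1`, the branch still calls `_libssh2_error(session, rc, "Failed getting response")`, so the error is recorded with code 0. A caller that inspects the session's last error after the NULL return would then presumably see no failure. Give the short-reply case a real code, for example `_libssh2_error(session, rc ? rc : LIBSSH2_ERROR_PROTO, "Failed getting response");`. The hunk at 1195 adds the same length test to its `else if (rc || ...)` branch, and its error return lies outside the hunk, so it is worth confirming there that the reported code does not depend on `rc`. Both enclosing functions start and end outside the hunks shown.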
@@ -16,7 +16,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -44,13 +44,12 @@ Usage: test-driver --test-name=NAME --log-file=PATH --trs-file=PATH [--expect-failure={yes|no}] [--color-tests={yes|no}] - [--enable-hard-errors={yes|no}] [--] TEST-SCRIPT + [--enable-hard-errors={yes|no}] [--] + TEST-SCRIPT [TEST-SCRIPT-ARGUMENTS] The '--test-name', '--log-file' and '--trs-file' options are mandatory. END } -# TODO: better error handling in option parsing (in particular, ensure -# TODO: $log_file, $trs_file and $test_name are defined). test_name= # Used for reporting. log_file= # Where to save the output of the test script. trs_file= # Where to save the metadata of the test run. @@ -69,10 +68,23 @@ --enable-hard-errors) enable_hard_errors=$2; shift;; --) shift; break;; -*) usage_error "invalid option: '$1'";; + *) break;; esac shift done +missing_opts= +test x"$test_name" = x && missing_opts="$missing_opts --test-name" +test x"$log_file" = x && missing_opts="$missing_opts --log-file" +test x"$trs_file" = x && missing_opts="$missing_opts --trs-file" +if test x"$missing_opts" != x; then + usage_error "the following mandatory options are missing:$missing_opts" +fi + +if test $# -eq 0; then + usage_error "missing argument" +fi + if test $color_tests = yes; then # Keep this in sync with 'lib/am/check.am:$(am__tty_colors)'. red='[0;31m' # Red. 
@@ -94,11 +106,14 @@ # Test script is run here. "$@" >$log_file 2>&1 estatus=$? + if test $enable_hard_errors = no && test $estatus -eq 99; then - estatus=1 + tweaked_estatus=1 +else + tweaked_estatus=$estatus fi -case $estatus:$expect_failure in +case $tweaked_estatus:$expect_failure in 0:yes) col=$red res=XPASS recheck=yes gcopy=yes;; 0:*) col=$grn res=PASS recheck=no gcopy=no;; 77:*) col=$blu res=SKIP recheck=no gcopy=yes;; @@ -107,6 +122,12 @@ *:*) col=$red res=FAIL recheck=yes gcopy=yes;; esac +# Report the test outcome and exit status in the logs, so that one can +# know whether the test passed or failed simply by looking at the '.log' +# file, without the need of also peaking into the corresponding '.trs' +# file (automake bug#11814). +echo "$res $test_name (exit status: $estatus)" >>$log_file + # Report outcome to console. echo "${col}${res}${std}: $test_name" @@ -119,9 +140,9 @@ # Local Variables: # mode: shell-script # sh-indentation: 2 -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: