Hello community,

here is the log from the commit of package libssh2_org.3615 for 
openSUSE:13.1:Update checked in at 2015-03-19 07:56:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/libssh2_org.3615 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.libssh2_org.3615.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libssh2_org.3615"

Changes:
--------
New Changes file:

--- /dev/null   2015-03-12 01:14:30.992027505 +0100
+++ /work/SRC/openSUSE:13.1:Update/.libssh2_org.3615.new/libssh2_org.changes    
2015-03-19 07:56:06.000000000 +0100
@@ -0,0 +1,327 @@
+-------------------------------------------------------------------
+Wed Mar 11 14:00:34 UTC 2015 - vci...@suse.com
+
+- update to 1.5.0
+  * fixes CVE-2015-1782 (bnc#921070)
+Changes in 1.5.0:
+  Added Windows Cryptography API: Next Generation based backend
+Bug fixes:
+  Security Advisory: Using `SSH_MSG_KEXINIT` data unbounded, CVE-2015-1782
+  missing _libssh2_error in _libssh2_channel_write
+  knownhost: Fix DSS keys being detected as unknown.
+  knownhost: Restore behaviour of `libssh2_knownhost_writeline` with short 
buffer.
+  libssh2.h: on Windows, a socket is of type SOCKET, not int
+  libssh2_priv.h: a 1 bit bit-field should be unsigned
+  windows build: do not export externals from static library
+  Fixed two potential use-after-frees of the payload buffer
+  Fixed a few memory leaks in error paths
+  userauth: Fixed an attempt to free from stack on error
+  agent_list_identities: Fixed memory leak on OOM
+  knownhosts: Abort if the hosts buffer is too small
+  sftp_close_handle: ensure the handle is always closed
+  channel_close: Close the channel even in the case of errors
+  docs: added missing libssh2_session_handshake.3 file
+  docs: fixed a bunch of typos
+  userauth_password: pass on the underlying error code
+  _libssh2_channel_forward_cancel: accessed struct after free
+  _libssh2_packet_add: avoid using uninitialized memory
+  _libssh2_channel_forward_cancel: avoid memory leaks on error
+  _libssh2_channel_write: client spins on write when window full
+  windows build: fix build errors
+  publickey_packet_receive: avoid junk in returned pointers
+  channel_receive_window_adjust: store windows size always
+  userauth_hostbased_fromfile: zero assign to avoid uninitialized use
+  configure: change LIBS not LDFLAGS when checking for libs
+  agent_connect_unix: make sure there's a trailing zero
+  MinGW build: Fixed redefine warnings.
+  sftpdir.c: added authentication method detection.
+  Watcom build: added support for WinCNG build.
+  configure.ac: replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS
+  sftp_statvfs: fix for servers not supporting statfvs extension
+  knownhost.c: use LIBSSH2_FREE macro instead of free
+  Fixed compilation using mingw-w64
+  knownhost.c: fixed that 'key_type_len' may be used uninitialized
+  configure: Display individual crypto backends on separate lines
+  examples on Windows: check for WSAStartup return code
+  examples on Windows: check for socket return code
+  agent.c: check return code of MapViewOfFile
+  kex.c: fix possible NULL pointer de-reference with session->kex
+  packet.c: fix possible NULL pointer de-reference within listen_state
+  tests on Windows: check for WSAStartup return code
+  userauth.c: improve readability and clarity of for-loops
+  examples on Windows: use native SOCKET-type instead of int
+  packet.c: i < 256 was always true and i would overflow to 0
+  kex.c: make sure mlist is not set to NULL
+  session.c: check return value of session_nonblock in debug mode
+  session.c: check return value of session_nonblock during startup
+  userauth.c: make sure that sp_len is positive and avoid overflows
+  knownhost.c: fix use of uninitialized argument variable wrote
+  openssl: initialise the digest context before calling EVP_DigestInit()
+  libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET
+  configure.ac: Add zlib to Requires.private in libssh2.pc if using zlib
+  configure.ac: Rework crypto library detection
+  configure.ac: Reorder --with-* options in --help output
+  configure.ac: Call zlib zlib and not libz in text but keep option names
+  Fix non-autotools builds: Always define the LIBSSH2_OPENSSL CPP macro
+  sftp: seek: Don't flush buffers on same offset
+  sftp: statvfs: Along error path, reset the correct 'state' variable.
+  sftp: Add support for fsync (OpenSSH extension).
+  _libssh2_channel_read: fix data drop when out of window
+  comp_method_zlib_decomp: Improve buffer growing algorithm
+  _libssh2_channel_read: Honour window_size_initial
+  window_size: redid window handling for flow control reasons
+  knownhosts: handle unknown key types
+
+-------------------------------------------------------------------
+Mon Jun 24 12:58:02 UTC 2013 - mvysko...@suse.com
+
+- ignore groff-full to remove factory build cycle
+- add groff to build requires to make tests passing
+
+-------------------------------------------------------------------
+Wed Apr 24 07:54:17 UTC 2013 - bo...@steki.net
+
+- fix building on older kernels and older OS / SLE 
+
+-------------------------------------------------------------------
+Thu Feb 28 21:13:29 UTC 2013 - crrodrig...@opensuse.org
+
+- Use AC_CONFIG_HEADERS instead of AM_CONFIG_HEADER, fixes 
+  build with new automake
+
+-------------------------------------------------------------------
+Tue Jan  8 15:24:25 UTC 2013 - vci...@suse.com
+
+- update to 1.4.3
+    compression: add support for z...@openssh.com
+    Bug fixes:
+    sftp_read: return error if a too large package arrives
+    libssh2_hostkey_hash.3: update the description of return value
+    examples: use stderr for messages, stdout for data
+    openssl: do not leak memory when handling errors
+    improved handling of disabled MD5 algorithm in OpenSSL
+    known_hosts: Fail when parsing unknown keys in known_hosts file
+    configure: gcrypt doesn't come with pkg-config support
+    session_free: wrong variable used for keeping state
+    libssh2_userauth_publickey_fromfile_ex.3: mention publickey == NULL
+    comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating
+    Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner
+    userauth.c: fread() from public key file to correctly detect any errors
+    configure.ac: Add option to disable build of the example applications
+    Added 'Requires.private:' line to libssh2.pc
+    SFTP: filter off incoming "zombie" responses
+    gettimeofday: no need for a replacement under cygwin
+    SSH_MSG_CHANNEL_REQUEST: default to want_reply
+    win32/libssh2_config.h: Remove hardcoded #define LIBSSH2_HAVE_ZLIB
+    build error with gcrypt backend
+    always do "forced" window updates to avoid corner case stalls
+    aes: the init function fails when OpenSSL has AES support
+    transport_send: Finish in-progress key exchange before sending data
+    channel_write: acknowledge transport errors
+    examples/x11.c: Make sure sizeof passed to read operation is correct
+    examples/x11.c:,Fix suspicious sizeof usage
+    sftp_packet_add: verify the packet before accepting it
+    SFTP: preserve the original error code more
+    sftp_packet_read: adjust window size as necessary
+    Use safer snprintf rather then sprintf in several places
+    Define and use LIBSSH2_INVALID_SOCKET instead of INVALID_SOCKET
+    sftp_write: cannot return acked data *and* EAGAIN
+    sftp_read: avoid data *and* EAGAIN
+    libssh2.h: Add missing prototype for libssh2_session_banner_set()
+- dropped patches (already in the upstream)
+  0004-libssh2.h-Add-missing-prototype-for-libssh2_session_.patch
+  0005-Add-symbol-versioning.patch
+  0006-missing-libssh2_session_banner_set.patch
+
+-------------------------------------------------------------------
+Thu Feb  2 13:36:17 UTC 2012 - crrodrig...@opensuse.org
+
+- fix license 
+
+-------------------------------------------------------------------
+Thu Feb  2 04:27:50 UTC 2012 - crrodrig...@opensuse.org
+
+- Update to version 1.4.0 plus git bugfixes 
+
+-------------------------------------------------------------------
+Tue Dec 27 03:41:32 UTC 2011 - crrodrig...@opensuse.org
+
+- Refresh patches. 
+
+-------------------------------------------------------------------
+Thu Dec  1 03:41:02 UTC 2011 - jeng...@medozas.de
+
+- Remove redundant/unwanted tags/section (cf. specfile guidelines)
+
+-------------------------------------------------------------------
+Thu Dec  1 02:43:46 UTC 2011 - crrodrig...@opensuse.org
+
+- open library file descriptors with O_CLOEXEC 
+
+-------------------------------------------------------------------
+Fri Oct 21 18:15:49 UTC 2011 - crrodrig...@opensuse.org
+
+- Update to version 1.3.0
+* sftp_read: advance offset correctly for buffered copies
+* libssh2_sftp_seek64: flush packetlist and buffered data
+* _libssh2_packet_add: adjust window size when truncating
+* sftp_read: a short read is not end of file
+
+
+-------------------------------------------------------------------
+Sat Oct  1 14:19:34 CEST 2011 - dmuel...@suse.de
+
+- document the reason for the testsuite failure
+
+-------------------------------------------------------------------
+Fri Sep 30 17:36:36 UTC 2011 - crrodrig...@opensuse.org
+
+- Workaround qemu-arm problems. 
+
+-------------------------------------------------------------------
+Tue Sep  6 04:42:00 UTC 2011 - crrodrig...@opensuse.org
+
+- respect user's openssl.cnf engine configuration, might 
+ want to do crypto with aes-ni, intel-accell or use rdrand
+
+-------------------------------------------------------------------
+Wed Aug 17 21:08:57 UTC 2011 - crrodrig...@opensuse.org
+
+- Update to version 1.2.9
+* Added libssh2_session_set_timeout() and 
+  libssh2_session_get_timeout() to make blocking calls get a timeout
+* userauth_keyboard_interactive: fix buffer overflow 
+
+
+-------------------------------------------------------------------
+Fri Oct 29 17:09:09 UTC 2010 - cristian.rodrig...@opensuse.org
++++ 130 more lines (skipped)
++++ between /dev/null
++++ and 
/work/SRC/openSUSE:13.1:Update/.libssh2_org.3615.new/libssh2_org.changes

New:
----
  baselibs.conf
  libssh2-1.4.3.tar.gz
  libssh2-1.5.0.tar.gz
  libssh2-ocloexec.patch
  libssh2_org.changes
  libssh2_org.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libssh2_org.spec ++++++
#
# spec file for package libssh2_org
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Summary:        A library implementing the SSH2 protocol
License:        BSD-3-Clause
Group:          Development/Libraries/C and C++

Name:           libssh2_org
Version:        1.5.0
Release:        0
Url:            http://www.libssh2.org/
%define pkg_name libssh2
Source0:        http://www.libssh2.org/download/%{pkg_name}-%{version}.tar.gz
Source2:        baselibs.conf
BuildRequires:  openssl-devel
BuildRequires:  pkgconfig
BuildRequires:  zlib-devel
#for the test suite
BuildRequires:  groff
BuildRequires:  libtool
BuildRequires:  man
BuildRequires:  openssh
# drops build cycle in Factory
#!BuildIgnore:  groff-full
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Patch0:         libssh2-ocloexec.patch

%description
libssh2 is a library implementing the SSH2 protocol as defined by
Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION,
SECSH-ARCH, SECSH-FILEXFER, SECSH-DHGEX, SECSH-NUMBERS, and
SECSH-PUBLICKEY.

%package -n libssh2-1
Summary:        A library implementing the SSH2 protocol
Group:          Development/Libraries/C and C++

%description -n libssh2-1
libssh2 is a library implementing the SSH2 protocol as defined by
Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION,
SECSH-ARCH, SECSH-FILEXFER, SECSH-DHGEX, SECSH-NUMBERS, and
SECSH-PUBLICKEY.

%package -n libssh2-devel
Summary:        A library implementing the SSH2 protocol
Group:          Development/Libraries/C and C++
Requires:       glibc-devel
Requires:       libssh2-1 = %{version}

%description -n libssh2-devel
libssh2 is a library implementing the SSH2 protocol as defined by
Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION,
SECSH-ARCH, SECSH-FILEXFER, SECSH-DHGEX, SECSH-NUMBERS, and
SECSH-PUBLICKEY.

%prep
%setup -q -n %{pkg_name}-%{version}
# problem with sle 11 sp1 target as it has older kernel and as such fail this
%if 0%{?suse_version} > 1110
%patch0 -p1
%endif

%build
sed -i -e 's@AM_CONFIG_HEADER@AC_CONFIG_HEADERS@g' configure.ac
cp src/libssh2_config.h.in example/libssh2_config.h
# remove m4 macro files for libtool as they should be picked up by 
# autoreconf
rm -v m4/libtool.m4 m4/lt*
autoreconf -fiv
export CFLAGS="%optflags -DOPENSSL_LOAD_CONF"
%configure      \
                        --disable-static --with-pic \
                        --disable-rpath --with-libz=%{_prefix} \
                        --with-openssl=%{_prefix}
make %{?_smp_mflags}

%if !0%{?sles_version}
 %if 0%{?suse_version} >= 1230

%check
make check

 %endif
%endif

%install
make install DESTDIR=%{buildroot}
rm -f  %{buildroot}%{_libdir}/*.la %{buildroot}%{_libdir}/*.a

%post -n libssh2-1 -p /sbin/ldconfig

%postun -n libssh2-1 -p /sbin/ldconfig

%files -n libssh2-1
%defattr(-,root,root)
%{_libdir}/libssh2.so.1*

%files -n libssh2-devel
%defattr(-,root,root)
%doc NEWS
%{_libdir}/libssh2.so
%{_includedir}/*.h
%{_mandir}/man3/*
%{_libdir}/pkgconfig/libssh2.pc

%changelog
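Review bot: `Source0` points at an `http://` URL and the spec lists no detached signature or keyring beside it, so nothing in this file ties libssh2-1.5.0.tar.gz to the upstream release, which matters for an update whose purpose is a CVE fix. If upstream publishes a signature, adding it as e.g. `Source1: http://www.libssh2.org/download/%{pkg_name}-%{version}.tar.gz.asc` plus a keyring source would let the tarball be verified at build time. Separately, `%check` is skipped when `sles_version` is set or `suse_version` is below 1230, so `make check` never runs on those targets; a comment giving the reason would help. The "New:" file list earlier in this mail also still shows libssh2-1.4.3.tar.gz next to the 1.5.0 tarball, which looks like a leftover of the superseded release.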
++++++ baselibs.conf ++++++
libssh2-1
  obsoletes "libssh2-<targettype> <= <version>"
  provides "libssh2-<targettype> = <version>"

++++++ libssh2-ocloexec.patch ++++++
>From 33a59a1905feb5d786e9d457f287dd9e81a9f747 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <crrodrig...@opensuse.org>
Date: Tue, 27 Dec 2011 00:33:28 -0300
Subject: [PATCH] Use O_CLOEXEC where needed

---
 src/agent.c     |    2 +-
 src/knownhost.c |    4 ++--
 src/userauth.c  |    2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

Index: libssh2-1.4.3/src/agent.c
===================================================================
--- libssh2-1.4.3.orig/src/agent.c      2012-03-05 20:04:56.000000000 +0100
+++ libssh2-1.4.3/src/agent.c   2013-01-08 16:24:07.572195659 +0100
@@ -152,7 +152,7 @@ agent_connect_unix(LIBSSH2_AGENT *agent)
         return _libssh2_error(agent->session, LIBSSH2_ERROR_BAD_USE,
                               "no auth sock variable");
 
-    agent->fd = socket(PF_UNIX, SOCK_STREAM, 0);
+    agent->fd = socket(PF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
     if (agent->fd < 0)
         return _libssh2_error(agent->session, LIBSSH2_ERROR_BAD_SOCKET,
                               "failed creating socket");
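Review bot: `SOCK_CLOEXEC` is passed to socket() unconditionally in agent_connect_unix, so the build breaks where the flag is undefined and the call returns an error where the running kernel rejects it. The spec's `%if 0%{?suse_version} > 1110` guard around `%patch0` suggests this already bites older targets, which then get none of the close-on-exec changes in this patch. Falling back to a plain socket() followed by `fcntl(fd, F_SETFD, FD_CLOEXEC)` would keep the agent socket from being inherited across exec there too, at the cost of a short window between the two calls. The sketch needs `<errno.h>` and `<fcntl.h>` if src/agent.c does not already include them; the function starts and ends outside the hunk.

```c
#ifdef SOCK_CLOEXEC
    agent->fd = socket(PF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (agent->fd < 0 && errno == EINVAL)
#endif
    {
        /* flag unknown at build time or rejected by the running kernel */
        agent->fd = socket(PF_UNIX, SOCK_STREAM, 0);
        if (agent->fd >= 0)
            (void)fcntl(agent->fd, F_SETFD, FD_CLOEXEC);
    }
    /* … unchanged: agent->fd < 0 error return … */
```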
Index: libssh2-1.4.3/src/knownhost.c
===================================================================
--- libssh2-1.4.3.orig/src/knownhost.c  2012-08-21 20:27:22.000000000 +0200
+++ libssh2-1.4.3/src/knownhost.c       2013-01-08 16:24:07.573195691 +0100
@@ -907,7 +907,7 @@ libssh2_knownhost_readfile(LIBSSH2_KNOWN
                               "Unsupported type of known-host information "
                               "store");
 
-    file = fopen(filename, "r");
+    file = fopen(filename, "re");
     if(file) {
         while(fgets(buf, sizeof(buf), file)) {
             if(libssh2_knownhost_readline(hosts, buf, strlen(buf), type)) {
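Review bot: The `"e"` mode character in `fopen(filename, "re")` is a libc extension rather than ISO C, and a libc that does not know it may ignore it silently, leaving the descriptor inheritable by child processes with no error to notice. The same applies to `fopen(filename, "we")` in libssh2_knownhost_writefile and to `fopen(pubkeyfile, "re")` in file_read_publickey in src/userauth.c. I would add a comment at each call, e.g. `/* "e": open with O_CLOEXEC (libc extension; ignored or rejected where unsupported) */`, so the dependency is visible to whoever ports or refreshes this patch. libssh2_knownhost_readfile continues outside the hunk.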
@@ -1082,7 +1082,7 @@ libssh2_knownhost_writefile(LIBSSH2_KNOW
                               "Unsupported type of known-host information "
                               "store");
 
-    file = fopen(filename, "w");
+    file = fopen(filename, "we");
     if(!file)
         return _libssh2_error(hosts->session, LIBSSH2_ERROR_FILE,
                               "Failed to open file");
Index: libssh2-1.4.3/src/userauth.c
===================================================================
--- libssh2-1.4.3.orig/src/userauth.c   2012-04-18 22:24:04.000000000 +0200
+++ libssh2-1.4.3/src/userauth.c        2013-01-08 16:24:07.573195691 +0100
@@ -467,7 +467,7 @@ file_read_publickey(LIBSSH2_SESSION * se
     _libssh2_debug(session, LIBSSH2_TRACE_AUTH, "Loading public key file: %s",
                    pubkeyfile);
     /* Read Public Key */
-    fd = fopen(pubkeyfile, "r");
+    fd = fopen(pubkeyfile, "re");
     if (!fd) {
         return _libssh2_error(session, LIBSSH2_ERROR_FILE,
                               "Unable to open public key file");
-- 