Hello community,

here is the log from the commit of package libssh2_org.3615 for openSUSE:13.1:Update checked in at 2015-03-19 07:56:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/libssh2_org.3615 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.libssh2_org.3615.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libssh2_org.3615" Changes: -------- New Changes file: --- /dev/null 2015-03-12 01:14:30.992027505 +0100 +++ /work/SRC/openSUSE:13.1:Update/.libssh2_org.3615.new/libssh2_org.changes 2015-03-19 07:56:06.000000000 +0100 
@@ -0,0 +1,327 @@ +------------------------------------------------------------------- +Wed Mar 11 14:00:34 UTC 2015 - vci...@suse.com + +- update to 1.5.0 + * fixes CVE-2015-1782 (bnc#921070) +Changes in 1.5.0: + Added Windows Cryptography API: Next Generation based backend +Bug fixes: + Security Advisory: Using `SSH_MSG_KEXINIT` data unbounded, CVE-2015-1782 + missing _libssh2_error in _libssh2_channel_write + knownhost: Fix DSS keys being detected as unknown. + knownhost: Restore behaviour of `libssh2_knownhost_writeline` with short buffer. + libssh2.h: on Windows, a socket is of type SOCKET, not int + libssh2_priv.h: a 1 bit bit-field should be unsigned + windows build: do not export externals from static library + Fixed two potential use-after-frees of the payload buffer + Fixed a few memory leaks in error paths + userauth: Fixed an attempt to free from stack on error + agent_list_identities: Fixed memory leak on OOM + knownhosts: Abort if the hosts buffer is too small + sftp_close_handle: ensure the handle is always closed + channel_close: Close the channel even in the case of errors + docs: added missing libssh2_session_handshake.3 file + docs: fixed a bunch of typos + userauth_password: pass on the underlying error code + _libssh2_channel_forward_cancel: accessed struct after free + _libssh2_packet_add: avoid using uninitialized memory + _libssh2_channel_forward_cancel: avoid memory leaks on error + _libssh2_channel_write: client spins on write when window full + windows build: fix build errors + publickey_packet_receive: avoid junk in returned pointers + channel_receive_window_adjust: store windows size always + userauth_hostbased_fromfile: zero assign to avoid uninitialized use + configure: change LIBS not LDFLAGS when checking for libs + agent_connect_unix: make sure there's a trailing zero + MinGW build: Fixed redefine warnings. + sftpdir.c: added authentication method detection. + Watcom build: added support for WinCNG build. 
+ configure.ac: replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS + sftp_statvfs: fix for servers not supporting statfvs extension + knownhost.c: use LIBSSH2_FREE macro instead of free + Fixed compilation using mingw-w64 + knownhost.c: fixed that 'key_type_len' may be used uninitialized + configure: Display individual crypto backends on separate lines + examples on Windows: check for WSAStartup return code + examples on Windows: check for socket return code + agent.c: check return code of MapViewOfFile + kex.c: fix possible NULL pointer de-reference with session->kex + packet.c: fix possible NULL pointer de-reference within listen_state + tests on Windows: check for WSAStartup return code + userauth.c: improve readability and clarity of for-loops + examples on Windows: use native SOCKET-type instead of int + packet.c: i < 256 was always true and i would overflow to 0 + kex.c: make sure mlist is not set to NULL + session.c: check return value of session_nonblock in debug mode + session.c: check return value of session_nonblock during startup + userauth.c: make sure that sp_len is positive and avoid overflows + knownhost.c: fix use of uninitialized argument variable wrote + openssl: initialise the digest context before calling EVP_DigestInit() + libssh2_agent_init: init ->fd to LIBSSH2_INVALID_SOCKET + configure.ac: Add zlib to Requires.private in libssh2.pc if using zlib + configure.ac: Rework crypto library detection + configure.ac: Reorder --with-* options in --help output + configure.ac: Call zlib zlib and not libz in text but keep option names + Fix non-autotools builds: Always define the LIBSSH2_OPENSSL CPP macro + sftp: seek: Don't flush buffers on same offset + sftp: statvfs: Along error path, reset the correct 'state' variable. + sftp: Add support for fsync (OpenSSH extension). 
+ _libssh2_channel_read: fix data drop when out of window + comp_method_zlib_decomp: Improve buffer growing algorithm + _libssh2_channel_read: Honour window_size_initial + window_size: redid window handling for flow control reasons + knownhosts: handle unknown key types + +------------------------------------------------------------------- +Mon Jun 24 12:58:02 UTC 2013 - mvysko...@suse.com + +- ignore groff-full to remove factory build cycle +- add groff to build requires to make tests passing + +------------------------------------------------------------------- +Wed Apr 24 07:54:17 UTC 2013 - bo...@steki.net + +- fix building on older kernels and older OS / SLE + +------------------------------------------------------------------- +Thu Feb 28 21:13:29 UTC 2013 - crrodrig...@opensuse.org + +- Use AC_CONFIG_HEADERS instead of AM_CONFIG_HEADER, fixes + build with new automake + +------------------------------------------------------------------- +Tue Jan 8 15:24:25 UTC 2013 - vci...@suse.com + +- update to 1.4.3 + compression: add support for z...@openssh.com + Bug fixes: + sftp_read: return error if a too large package arrives + libssh2_hostkey_hash.3: update the description of return value + examples: use stderr for messages, stdout for data + openssl: do not leak memory when handling errors + improved handling of disabled MD5 algorithm in OpenSSL + known_hosts: Fail when parsing unknown keys in known_hosts file + configure: gcrypt doesn't come with pkg-config support + session_free: wrong variable used for keeping state + libssh2_userauth_publickey_fromfile_ex.3: mention publickey == NULL + comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating + Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner + userauth.c: fread() from public key file to correctly detect any errors + configure.ac: Add option to disable build of the example applications + Added 'Requires.private:' line to libssh2.pc + SFTP: filter off incoming "zombie" responses + 
gettimeofday: no need for a replacement under cygwin + SSH_MSG_CHANNEL_REQUEST: default to want_reply + win32/libssh2_config.h: Remove hardcoded #define LIBSSH2_HAVE_ZLIB + build error with gcrypt backend + always do "forced" window updates to avoid corner case stalls + aes: the init function fails when OpenSSL has AES support + transport_send: Finish in-progress key exchange before sending data + channel_write: acknowledge transport errors + examples/x11.c: Make sure sizeof passed to read operation is correct + examples/x11.c:,Fix suspicious sizeof usage + sftp_packet_add: verify the packet before accepting it + SFTP: preserve the original error code more + sftp_packet_read: adjust window size as necessary + Use safer snprintf rather then sprintf in several places + Define and use LIBSSH2_INVALID_SOCKET instead of INVALID_SOCKET + sftp_write: cannot return acked data *and* EAGAIN + sftp_read: avoid data *and* EAGAIN + libssh2.h: Add missing prototype for libssh2_session_banner_set() +- dropped patches (already in the upstream) + 0004-libssh2.h-Add-missing-prototype-for-libssh2_session_.patch + 0005-Add-symbol-versioning.patch + 0006-missing-libssh2_session_banner_set.patch + +------------------------------------------------------------------- +Thu Feb 2 13:36:17 UTC 2012 - crrodrig...@opensuse.org + +- fix license + +------------------------------------------------------------------- +Thu Feb 2 04:27:50 UTC 2012 - crrodrig...@opensuse.org + +- Update to version 1.4.0 plus git bugfixes + +------------------------------------------------------------------- +Tue Dec 27 03:41:32 UTC 2011 - crrodrig...@opensuse.org + +- Refresh patches. + +------------------------------------------------------------------- +Thu Dec 1 03:41:02 UTC 2011 - jeng...@medozas.de + +- Remove redundant/unwanted tags/section (cf. 
specfile guidelines) + +------------------------------------------------------------------- +Thu Dec 1 02:43:46 UTC 2011 - crrodrig...@opensuse.org + +- open library file descriptors with O_CLOEXEC + +------------------------------------------------------------------- +Fri Oct 21 18:15:49 UTC 2011 - crrodrig...@opensuse.org + +- Update to version 1.3.0 +* sftp_read: advance offset correctly for buffered copies +* libssh2_sftp_seek64: flush packetlist and buffered data +* _libssh2_packet_add: adjust window size when truncating +* sftp_read: a short read is not end of file + + +------------------------------------------------------------------- +Sat Oct 1 14:19:34 CEST 2011 - dmuel...@suse.de + +- document the reason for the testsuite failure + +------------------------------------------------------------------- +Fri Sep 30 17:36:36 UTC 2011 - crrodrig...@opensuse.org + +- Workaround qemu-arm problems. + +------------------------------------------------------------------- +Tue Sep 6 04:42:00 UTC 2011 - crrodrig...@opensuse.org + +- respect user's openssl.cnf engine configuration, might + want to do crypto with aes-ni, intel-accell or use rdrand + +------------------------------------------------------------------- +Wed Aug 17 21:08:57 UTC 2011 - crrodrig...@opensuse.org + +- Update to version 1.2.9 +* Added libssh2_session_set_timeout() and + libssh2_session_get_timeout() to make blocking calls get a timeout +* userauth_keyboard_interactive: fix buffer overflow + + +------------------------------------------------------------------- +Fri Oct 29 17:09:09 UTC 2010 - cristian.rodrig...@opensuse.org ++++ 130 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.libssh2_org.3615.new/libssh2_org.changes New: ---- baselibs.conf libssh2-1.4.3.tar.gz libssh2-1.5.0.tar.gz libssh2-ocloexec.patch libssh2_org.changes libssh2_org.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ 
libssh2_org.spec ++++++ # # spec file for package libssh2_org # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Summary: A library implementing the SSH2 protocol License: BSD-3-Clause Group: Development/Libraries/C and C++ Name: libssh2_org Version: 1.5.0 Release: 0 Url: http://www.libssh2.org/ %define pkg_name libssh2 Source0: http://www.libssh2.org/download/%{pkg_name}-%{version}.tar.gz Source2: baselibs.conf BuildRequires: openssl-devel BuildRequires: pkgconfig BuildRequires: zlib-devel #for the test suite BuildRequires: groff BuildRequires: libtool BuildRequires: man BuildRequires: openssh # drops build cycle in Factory #!BuildIgnore: groff-full BuildRoot: %{_tmppath}/%{name}-%{version}-build Patch0: libssh2-ocloexec.patch %description libssh2 is a library implementing the SSH2 protocol as defined by Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION, SECSH-ARCH, SECSH-FILEXFER, SECSH-DHGEX, SECSH-NUMBERS, and SECSH-PUBLICKEY. %package -n libssh2-1 Summary: A library implementing the SSH2 protocol Group: Development/Libraries/C and C++ %description -n libssh2-1 libssh2 is a library implementing the SSH2 protocol as defined by Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION, SECSH-ARCH, SECSH-FILEXFER, SECSH-DHGEX, SECSH-NUMBERS, and SECSH-PUBLICKEY. 
%package -n libssh2-devel Summary: A library implementing the SSH2 protocol Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libssh2-1 = %{version} %description -n libssh2-devel libssh2 is a library implementing the SSH2 protocol as defined by Internet Drafts: SECSH-TRANS, SECSH-USERAUTH, SECSH-CONNECTION, SECSH-ARCH, SECSH-FILEXFER, SECSH-DHGEX, SECSH-NUMBERS, and SECSH-PUBLICKEY. %prep %setup -q -n %{pkg_name}-%{version} # problem with sle 11 sp1 target as it has older kernel and as such fail this %if 0%{?suse_version} > 1110 %patch0 -p1 %endif %build sed -i -e 's@AM_CONFIG_HEADER@AC_CONFIG_HEADERS@g' configure.ac cp src/libssh2_config.h.in example/libssh2_config.h # remove m4 macro files for libtool as they should be picked up by # autoreconf rm -v m4/libtool.m4 m4/lt* autoreconf -fiv export CFLAGS="%optflags -DOPENSSL_LOAD_CONF" %configure \ --disable-static --with-pic \ --disable-rpath --with-libz=%{_prefix} \ --with-openssl=%{_prefix} make %{?_smp_mflags} %if !0%{?sles_version} %if 0%{?suse_version} >= 1230 %check make check %endif %endif %install make install DESTDIR=%{buildroot} rm -f %{buildroot}%{_libdir}/*.la %{buildroot}%{_libdir}/*.a %post -n libssh2-1 -p /sbin/ldconfig %postun -n libssh2-1 -p /sbin/ldconfig %files -n libssh2-1 %defattr(-,root,root) %{_libdir}/libssh2.so.1* %files -n libssh2-devel %defattr(-,root,root) %doc NEWS %{_libdir}/libssh2.so %{_includedir}/*.h %{_mandir}/man3/* %{_libdir}/pkgconfig/libssh2.pc %changelog ++++++ baselibs.conf ++++++ libssh2-1 obsoletes "libssh2-<targettype> <= <version>" provides "libssh2-<targettype> = <version>" ++++++ libssh2-ocloexec.patch ++++++ >From 33a59a1905feb5d786e9d457f287dd9e81a9f747 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <crrodrig...@opensuse.org> Date: Tue, 27 Dec 2011 00:33:28 -0300 Subject: [PATCH] Use O_CLOEXEC where needed --- src/agent.c | 2 +- src/knownhost.c | 4 ++-- src/userauth.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) Index: libssh2-1.4.3/src/agent.c =================================================================== --- libssh2-1.4.3.orig/src/agent.c 2012-03-05 20:04:56.000000000 +0100 +++ libssh2-1.4.3/src/agent.c 2013-01-08 16:24:07.572195659 +0100 @@ -152,7 +152,7 @@ agent_connect_unix(LIBSSH2_AGENT *agent) return _libssh2_error(agent->session, LIBSSH2_ERROR_BAD_USE, "no auth sock variable"); - agent->fd = socket(PF_UNIX, SOCK_STREAM, 0); + agent->fd = socket(PF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0); if (agent->fd < 0) return _libssh2_error(agent->session, LIBSSH2_ERROR_BAD_SOCKET, "failed creating socket"); Index: libssh2-1.4.3/src/knownhost.c =================================================================== --- libssh2-1.4.3.orig/src/knownhost.c 2012-08-21 20:27:22.000000000 +0200 +++ libssh2-1.4.3/src/knownhost.c 2013-01-08 16:24:07.573195691 +0100 @@ -907,7 +907,7 @@ libssh2_knownhost_readfile(LIBSSH2_KNOWN "Unsupported type of known-host information " "store"); - file = fopen(filename, "r"); + file = fopen(filename, "re"); if(file) { while(fgets(buf, sizeof(buf), file)) { if(libssh2_knownhost_readline(hosts, buf, strlen(buf), type)) { @@ -1082,7 +1082,7 @@ libssh2_knownhost_writefile(LIBSSH2_KNOW "Unsupported type of known-host information " "store"); - file = fopen(filename, "w"); + file = fopen(filename, "we"); if(!file) return _libssh2_error(hosts->session, LIBSSH2_ERROR_FILE, "Failed to open file"); Index: libssh2-1.4.3/src/userauth.c =================================================================== --- libssh2-1.4.3.orig/src/userauth.c 2012-04-18 22:24:04.000000000 +0200 +++ libssh2-1.4.3/src/userauth.c 2013-01-08 16:24:07.573195691 +0100 
@@ -467,7 +467,7 @@ file_read_publickey(LIBSSH2_SESSION * se _libssh2_debug(session, LIBSSH2_TRACE_AUTH, "Loading public key file: %s", pubkeyfile); /* Read Public Key */ - fd = fopen(pubkeyfile, "r"); + fd = fopen(pubkeyfile, "re"); if (!fd) { return _libssh2_error(session, LIBSSH2_ERROR_FILE, "Unable to open public key file");
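Review bot: in the agent_connect_unix hunk of src/agent.c, SOCK_CLOEXEC is passed to socket() unconditionally, with no fallback for targets where the flag is undefined or rejected by the kernel. The spec already has to skip this patch when suse_version is not above 1110 because of the older kernel, so those builds keep an inheritable agent socket. Guarding the flag with #ifdef SOCK_CLOEXEC and otherwise calling fcntl(agent->fd, F_SETFD, FD_CLOEXEC) after a plain socket() would let the patch apply on every target; the fcntl path leaves a short window in multithreaded programs that fork, which deserves a comment at the call site.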
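Review bot: the three fopen() changes in src/knownhost.c (libssh2_knownhost_readfile, libssh2_knownhost_writefile) and src/userauth.c (file_read_publickey) depend on the "e" mode character, which is a glibc extension; a C library that does not implement it may silently ignore it, leaving the descriptor inheritable across exec with no error to notice. Consider open() with O_CLOEXEC followed by fdopen(), or at least note the glibc dependency next to each call. The subject line says "Use O_CLOEXEC" while the patch only uses SOCK_CLOEXEC and the "e" mode, so the commit message should name what is actually changed.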
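Review bot: the "New:" source list still carries libssh2-1.4.3.tar.gz next to libssh2-1.5.0.tar.gz, while Source0 in the spec expands only to the 1.5.0 tarball, so the old archive looks like a leftover that should be dropped from the package. Two related cleanups in the same submission: the sed in %build that replaces AM_CONFIG_HEADER with AC_CONFIG_HEADERS appears redundant, since the 1.5.0 change list records that configure.ac change upstream, and libssh2-ocloexec.patch is still indexed against libssh2-1.4.3 paths and line numbers, so it should be refreshed against 1.5.0 instead of relying on offsets.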