From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: [PATCH 2/2] gnu: libssh: Update to 0.7.3. Date: Tue, 23 Feb 2016 18:32:15 -0500 Message-ID: <6d41aa88327a3df921554a53251a0ba385e9530f.1456270087.git.leo@famulari.name> References: Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:56992) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aYMRL-0000dF-Nb for guix-devel@gnu.org; Tue, 23 Feb 2016 18:32:25 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aYMRH-0002Hh-2f for guix-devel@gnu.org; Tue, 23 Feb 2016 18:32:23 -0500 Received: from out5-smtp.messagingengine.com ([66.111.4.29]:49373) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aYMRG-0002Hd-Uz for guix-devel@gnu.org; Tue, 23 Feb 2016 18:32:19 -0500 Received: from jasmine.lan (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id 4320FC00013 for ; Tue, 23 Feb 2016 18:32:18 -0500 (EST) In-Reply-To: In-Reply-To: References: List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org Fixes CVE-2016-0739. * gnu/packages/ssh.scm (libssh): Update to 0.7.3. (libssh-0.5): Update to 0.6.5 and rename to libssh-0.6. (guile-ssh): Specify dependency on libssh-0.6. * gnu/packages/patches/libssh-CVE-2014-0017.patch: Delete file. * gnu-system.am: Remove it. --- gnu-system.am | 1 - gnu/packages/patches/libssh-CVE-2014-0017.patch | 89 ------------------------- gnu/packages/ssh.scm | 20 +++--- 3 files changed, 10 insertions(+), 100 deletions(-) delete mode 100644 gnu/packages/patches/libssh-CVE-2014-0017.patch diff --git a/gnu-system.am b/gnu-system.am index a93b005..d2e90ed 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -571,7 +571,6 @@ dist_patch_DATA = \ gnu/packages/patches/libtiff-oob-accesses-in-decode.patch \ gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch \ gnu/packages/patches/libtool-skip-tests2.patch \ - gnu/packages/patches/libssh-CVE-2014-0017.patch \ gnu/packages/patches/libunwind-CVE-2015-3239.patch \ gnu/packages/patches/libwmf-CAN-2004-0941.patch \ gnu/packages/patches/libwmf-CVE-2006-3376.patch \ diff --git a/gnu/packages/patches/libssh-CVE-2014-0017.patch b/gnu/packages/patches/libssh-CVE-2014-0017.patch deleted file mode 100644 index 94d8cc3..0000000 --- a/gnu/packages/patches/libssh-CVE-2014-0017.patch +++ /dev/null @@ -1,89 +0,0 @@ -Patch from libssh 0.6, with bind.c hunk adjusted for 0.5.5. - -From e99246246b4061f7e71463f8806b9dcad65affa0 Mon Sep 17 00:00:00 2001 -From: Aris Adamantiadis -Date: Wed, 05 Feb 2014 20:24:12 +0000 -Subject: security: fix for vulnerability CVE-2014-0017 - -When accepting a new connection, a forking server based on libssh forks -and the child process handles the request. The RAND_bytes() function of -openssl doesn't reset its state after the fork, but simply adds the -current process id (getpid) to the PRNG state, which is not guaranteed -to be unique. -This can cause several children to end up with same PRNG state which is -a security issue. ---- -diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h -index 7374a88..e8ff32c 100644 ---- a/include/libssh/wrapper.h -+++ b/include/libssh/wrapper.h -@@ -70,5 +70,6 @@ int crypt_set_algorithms_server(ssh_session session); - struct ssh_crypto_struct *crypto_new(void); - void crypto_free(struct ssh_crypto_struct *crypto); - -+void ssh_reseed(void); - - #endif /* WRAPPER_H_ */ -diff --git a/src/bind.c b/src/bind.c -index 8d82d0d..03d3403 100644 ---- a/src/bind.c -+++ b/src/bind.c -@@ -375,6 +375,8 @@ int ssh_bind_accept(ssh_bind sshbind, ss - session->dsa_key = dsa; - session->rsa_key = rsa; - -+ /* force PRNG to change state in case we fork after ssh_bind_accept */ -+ ssh_reseed(); - return SSH_OK; - } - -diff --git a/src/libcrypto.c b/src/libcrypto.c -index bb1d96a..d8cc795 100644 ---- a/src/libcrypto.c -+++ b/src/libcrypto.c -@@ -23,6 +23,7 @@ - #include - #include - #include -+#include - - #include "libssh/priv.h" - #include "libssh/session.h" -@@ -38,6 +39,8 @@ - #include - #include - #include -+#include -+ - #ifdef HAVE_OPENSSL_AES_H - #define HAS_AES - #include -@@ -74,6 +77,12 @@ static int alloc_key(struct ssh_cipher_struct *cipher) { - return 0; - } - -+void ssh_reseed(void){ -+ struct timeval tv; -+ gettimeofday(&tv, NULL); -+ RAND_add(&tv, sizeof(tv), 0.0); -+} -+ - SHACTX sha1_init(void) { - SHACTX c = malloc(sizeof(*c)); - if (c == NULL) { -diff --git a/src/libgcrypt.c b/src/libgcrypt.c -index 899bccd..4617901 100644 ---- a/src/libgcrypt.c -+++ b/src/libgcrypt.c -@@ -45,6 +45,9 @@ static int alloc_key(struct ssh_cipher_struct *cipher) { - return 0; - } - -+void ssh_reseed(void){ -+ } -+ - SHACTX sha1_init(void) { - SHACTX ctx = NULL; - gcry_md_open(&ctx, GCRY_MD_SHA1, 0); --- -cgit v0.9.1 diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 2b0693b..062f7fd 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -45,15 +45,15 @@ (define-public libssh (package (name "libssh") - (version "0.6.5") + (version "0.7.3") (source (origin (method url-fetch) (uri (string-append - "https://red.libssh.org/attachments/download/121/libssh-" + "https://red.libssh.org/attachments/download/195/libssh-" version ".tar.xz")) (sha256 (base32 - "0b6wyx6bwbb8jpn8x4rhlrdiqwqrwrs0mxjmrnqykm9kw1ijgm8g")))) + "165g49i4kmm3bfsjm0n8hm21kadv79g9yjqyq09138jxanz4dvr6")))) (build-system cmake-build-system) (arguments '(#:configure-flags '("-DWITH_GCRYPT=ON") @@ -71,17 +71,17 @@ remote applications.") (home-page "http://www.libssh.org") (license license:lgpl2.1+))) -(define libssh-0.5 ; kept private +(define libssh-0.6 ; kept private for use in guile-ssh (package (inherit libssh) - (version "0.5.5") + (version "0.6.5") (source (origin (method url-fetch) - (uri (string-append "https://red.libssh.org/attachments/download/51/libssh-" - version ".tar.gz")) + (uri (string-append "https://red.libssh.org/attachments/" + "download/121/libssh-" + version ".tar.xz")) (sha256 (base32 - "17cfdff4hc0ijzrr15biq29fiabafz0bw621zlkbwbc1zh2hzpy0")) - (patches (list (search-patch "libssh-CVE-2014-0017.patch"))))))) + "0b6wyx6bwbb8jpn8x4rhlrdiqwqrwrs0mxjmrnqykm9kw1ijgm8g")))))) (define-public libssh2 (package @@ -255,7 +255,7 @@ Additionally, various channel-specific options can be negotiated.") ("pkg-config" ,pkg-config) ("which" ,which))) (inputs `(("guile" ,guile-2.0) - ("libssh" ,libssh) + ("libssh" ,libssh-0.6) ("libgcrypt" ,libgcrypt))) (synopsis "Guile bindings to libssh") (description -- 2.7.1