Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libssh for openSUSE:Factory checked
in at 2025-06-27 23:00:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libssh (Old)
and /work/SRC/openSUSE:Factory/.libssh.new.7067 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libssh"
Fri Jun 27 23:00:44 2025 rev:79 rq:1288631 version:0.11.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/libssh/libssh.changes 2025-06-04
20:27:57.147489128 +0200
+++ /work/SRC/openSUSE:Factory/.libssh.new.7067/libssh.changes 2025-06-27
23:01:45.802388595 +0200
@@ -1,0 +2,28 @@
+Tue Jun 24 14:36:44 UTC 2025 - Andreas Schneider <a...@cryptomilk.org>
+
+- Update to version 0.11.2
+ * Security:
+ * CVE-2025-4877 - Write beyond bounds in binary to base64 conversion
(bsc#1245309)
+ * CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file()
(bsc#1245310)
+ * CVE-2025-5318 - Likely read beyond bounds in sftp server handle
management (bsc#1245311)
+ * CVE-2025-5351 - Double free in functions exporting keys (bsc#1245312)
+ * CVE-2025-5372 - ssh_kdf() returns a success code on certain failures
(bsc#1245314)
+ * CVE-2025-5449 - Likely read beyond bounds in sftp server message
decoding (bsc#1245316)
+ * CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL
(bsc#1245317)
+ * Compatibility
+ * Fixed compatibility with CPM.cmake
+ * Compatibility with OpenSSH 10.0
+ * Tests compatibility with new Dropbear releases
+ * Removed p11-kit remoting from the pkcs11 testsuite
+ * Bugfixes
+ * Implement missing packet filter for DH GEX
+ * Properly process the SSH2_MSG_DEBUG message
+ * Allow escaping quotes in quoted arguments to ssh configuration
+ * Do not fail with unknown match keywords in ssh configuration
+ * Process packets before selecting signature algorithm during
authentication
+ * Do not fail hard when the SFTP status message is not sent by noncompliant
+ servers
+- Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
+- Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch
+
+-------------------------------------------------------------------
Old:
----
libssh-0.11.1.tar.xz
libssh-0.11.1.tar.xz.asc
libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
libssh-misc-Fix-OpenSSH-banner-parsing.patch
New:
----
libssh-0.11.2.tar.xz
libssh-0.11.2.tar.xz.asc
----------(Old B)----------
Old: servers
- Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
- Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch
Old:- Removed
libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
- Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch
----------(Old E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libssh.spec ++++++
--- /var/tmp/diff_new_pack.H2oKWz/_old 2025-06-27 23:01:46.554419589 +0200
+++ /var/tmp/diff_new_pack.H2oKWz/_new 2025-06-27 23:01:46.558419754 +0200
@@ -32,7 +32,7 @@
%endif
Name: libssh%{pkg_suffix}
-Version: 0.11.1
+Version: 0.11.2
Release: 0
Summary: The SSH library
License: LGPL-2.1-or-later
@@ -46,12 +46,8 @@
Source99: baselibs.conf
# PATCH-FIX-UPSTREAM: libssh tries to read config from wrong crypto-policies
location (bsc#1222716)
Patch0: libssh-cmake-Add-option-WITH_HERMETIC_USR.patch
-# PATCH-FIX-UPSTREAM: fix build with OpenSSH >= 10.0
-Patch1:
libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
-# PATCH-FIX-UPSTREAM: fix OpenSSH banner parsing
-Patch2: libssh-misc-Fix-OpenSSH-banner-parsing.patch
# PATCH-FIX-SUSE: fix hang in torture_channel tests (bsc#1243799)
-Patch3:
libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch
+Patch1:
libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch
BuildRequires: cmake
BuildRequires: gcc-c++
BuildRequires: krb5-devel
++++++ libssh-0.11.1.tar.xz -> libssh-0.11.2.tar.xz ++++++
++++ 5307 lines of diff (skipped)
++++++ libssh-cmake-Add-option-WITH_HERMETIC_USR.patch ++++++
--- /var/tmp/diff_new_pack.H2oKWz/_old 2025-06-27 23:01:46.854431954 +0200
+++ /var/tmp/diff_new_pack.H2oKWz/_new 2025-06-27 23:01:46.858432119 +0200
@@ -1,24 +1,31 @@
-From ae314e4a23178a355fb3e85e8a501efcbc1b9a74 Mon Sep 17 00:00:00 2001
+From d88dbc1e0fa6dab2de359f211792c0b5c3ec7664 Mon Sep 17 00:00:00 2001
From: Lucas Mulling <lucas.mull...@suse.com>
Date: Mon, 17 Feb 2025 14:13:53 -0300
Subject: [PATCH] cmake: Add option WITH_HERMETIC_USR
+Add a cmake option to enable hermetic-usr, i.e., use of config files in /usr/.
+If turned on, GLOBAL_*_CONFIG is prepended with /usr/ and defined as
+USR_GLOBAL_*_CONFIG. Config lookup follows this path GLOBAL_*_CONFIG ->
+USR_GLOBAL_*_CONFIG.
+
Introduce a ssh_config_parse primitive. This avoids convoluted checks for file
presence (without modifing the behaviour of ssh_config_parse_file) and allows
marking whether the config is global at the call site.
Signed-off-by: Lucas Mulling <lucas.mull...@suse.com>
+Reviewed-by: Jakub Jelen <jje...@redhat.com>
---
- CMakeLists.txt | 8 +++++-
- DefineOptions.cmake | 6 +++++
- config.h.cmake | 2 ++
- include/libssh/options.h | 1 +
- src/config.c | 57 ++++++++++++++++++++++++++++------------
- src/options.c | 28 +++++++++++++++++++-
- 6 files changed, 83 insertions(+), 19 deletions(-)
+ CMakeLists.txt | 8 ++-
+ DefineOptions.cmake | 6 +++
+ config.h.cmake | 2 +
+ include/libssh/libssh.h | 3 +-
+ include/libssh/options.h | 1 +
+ src/config.c | 56 ++++++++++++++-------
+ src/options.c | 106 ++++++++++++++++++++++++---------------
+ 7 files changed, 122 insertions(+), 60 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
-index d484bdfa..fee994cd 100644
+index 9877cd70..9a4ea9e3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -249,9 +249,15 @@ message(STATUS "Benchmarks: ${WITH_BENCHMARKS}")
@@ -78,6 +85,22 @@
#cmakedefine GLOBAL_CLIENT_CONFIG "${GLOBAL_CLIENT_CONFIG}"
/************************** HEADER FILES *************************/
+diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
+index 3bddb019..28fe7396 100644
+--- a/include/libssh/libssh.h
++++ b/include/libssh/libssh.h
+@@ -49,9 +49,10 @@
+ #endif
+ #endif
+
++#include <inttypes.h>
+ #include <stdarg.h>
++#include <stdbool.h>
+ #include <stdint.h>
+-#include <inttypes.h>
+
+ #ifdef _MSC_VER
+ typedef int mode_t;
diff --git a/include/libssh/options.h b/include/libssh/options.h
index d32e1589..63b207fa 100644
--- a/include/libssh/options.h
@@ -91,25 +114,30 @@
int ssh_config_parse_string(ssh_session session, const char *input);
int ssh_options_set_algo(ssh_session session,
diff --git a/src/config.c b/src/config.c
-index 7bb0f50f..7ad3b620 100644
+index b4171efd..611c0349 100644
--- a/src/config.c
+++ b/src/config.c
-@@ -1449,6 +1449,31 @@ ssh_config_parse_line(ssh_session session,
+@@ -1451,45 +1451,67 @@ ssh_config_parse_line(ssh_session session,
return 0;
}
+-/* @brief Parse configuration file and set the options to the given session
+/* @brief Parse configuration from a file pointer
-+ *
-+ * @params[in] session The ssh session
+ *
+ * @params[in] session The ssh session
+- * @params[in] filename The path to the ssh configuration file
+ * @params[in] fp A valid file pointer
+ * @params[in] global Whether the config is global or not
-+ *
-+ * @returns 0 on successful parsing the configuration file, -1 on error
-+ */
-+int ssh_config_parse(ssh_session session, FILE *fp, bool global) {
-+ char line[MAX_LINE_SIZE] = {0};
-+ unsigned int count = 0;
-+ int parsing, rv;
+ *
+ * @returns 0 on successful parsing the configuration file, -1 on error
+ */
+-int ssh_config_parse_file(ssh_session session, const char *filename)
++int ssh_config_parse(ssh_session session, FILE *fp, bool global)
+ {
+ char line[MAX_LINE_SIZE] = {0};
+ unsigned int count = 0;
+- FILE *f = NULL;
+ int parsing, rv;
+
+ parsing = 1;
+ while (fgets(line, sizeof(line), fp)) {
@@ -123,18 +151,16 @@
+ return 0;
+}
+
- /* @brief Parse configuration file and set the options to the given session
- *
- * @params[in] session The ssh session
-@@ -1458,36 +1483,34 @@ ssh_config_parse_line(ssh_session session,
- */
- int ssh_config_parse_file(ssh_session session, const char *filename)
- {
-- char line[MAX_LINE_SIZE] = {0};
-- unsigned int count = 0;
-- FILE *f;
-- int parsing, rv;
-+ FILE *fp;
++/* @brief Parse configuration file and set the options to the given session
++ *
++ * @params[in] session The ssh session
++ * @params[in] filename The path to the ssh configuration file
++ *
++ * @returns 0 on successful parsing the configuration file, -1 on error
++ */
++int ssh_config_parse_file(ssh_session session, const char *filename)
++{
++ FILE *fp = NULL;
+ int rv;
bool global = 0;
@@ -145,13 +171,11 @@
return 0;
}
+ rv = strcmp(filename, GLOBAL_CLIENT_CONFIG);
+#ifdef USR_GLOBAL_CLIENT_CONFIG
-+ rv = strcmp(filename, USR_GLOBAL_CLIENT_CONFIG);
+ if (rv != 0) {
-+ rv = strcmp(filename, GLOBAL_CLIENT_CONFIG);
++ rv = strcmp(filename, USR_GLOBAL_CLIENT_CONFIG);
+ }
-+#else
- rv = strcmp(filename, GLOBAL_CLIENT_CONFIG);
+#endif
+
if (rv == 0) {
@@ -179,7 +203,7 @@
/* @brief Parse configuration string and set the options to the given session
diff --git a/src/options.c b/src/options.c
-index 55c7be39..45346fd1 100644
+index 785296dd..6a72e0e2 100644
--- a/src/options.c
+++ b/src/options.c
@@ -26,6 +26,7 @@
@@ -199,54 +223,126 @@
*
* @return 0 on success, < 0 on error.
*
-@@ -1823,6 +1826,9 @@ int ssh_options_parse_config(ssh_session session, const
char *filename)
+@@ -1821,48 +1824,63 @@ int ssh_options_getopt(ssh_session session, int
*argcptr, char **argv)
+ */
+ int ssh_options_parse_config(ssh_session session, const char *filename)
{
- char *expanded_filename;
- int r;
-+#ifdef USR_GLOBAL_CLIENT_CONFIG
-+ FILE *fp;
-+#endif
-
- if (session == NULL) {
- return -1;
-@@ -1855,7 +1861,19 @@ int ssh_options_parse_config(ssh_session session, const
char *filename)
- goto out;
- }
- if (filename == NULL) {
+- char *expanded_filename = NULL;
+- int r;
++ char *expanded_filename = NULL;
++ int r;
++ FILE *fp = NULL;
+
+- if (session == NULL) {
+- return -1;
+- }
+- if (session->opts.host == NULL) {
+- ssh_set_error_invalid(session);
+- return -1;
+- }
+-
+- if (session->opts.sshdir == NULL) {
+- r = ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL);
+- if (r < 0) {
+- ssh_set_error_oom(session);
+- return -1;
+- }
+- }
+-
+- /* set default filename */
+- if (filename == NULL) {
+- expanded_filename = ssh_path_expand_escape(session, "%d/config");
+- } else {
+- expanded_filename = ssh_path_expand_escape(session, filename);
+- }
+- if (expanded_filename == NULL) {
+- return -1;
+- }
+-
+- r = ssh_config_parse_file(session, expanded_filename);
+- if (r < 0) {
+- goto out;
+- }
+- if (filename == NULL) {
- r = ssh_config_parse_file(session, GLOBAL_CLIENT_CONFIG);
-+#ifdef USR_GLOBAL_CLIENT_CONFIG
-+ if ((fp = fopen(GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
-+ SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s",
GLOBAL_CLIENT_CONFIG);
-+ r = ssh_config_parse(session, fp, true);
-+ fclose(fp);
-+ } else if ((fp = fopen(USR_GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
-+ SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s",
USR_GLOBAL_CLIENT_CONFIG);
-+ r = ssh_config_parse(session, fp, true);
-+ fclose(fp);
+- }
+-
+- /* Do not process the default configuration as part of connection again */
+- session->opts.config_processed = true;
++ if (session == NULL) {
++ return -1;
+ }
-+#else
-+ r = ssh_config_parse_file(session, GLOBAL_CLIENT_CONFIG);
++ if (session->opts.host == NULL) {
++ ssh_set_error_invalid(session);
++ return -1;
++ }
++
++ if (session->opts.sshdir == NULL) {
++ r = ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL);
++ if (r < 0) {
++ ssh_set_error_oom(session);
++ return -1;
++ }
++ }
++
++ /* set default filename */
++ if (filename == NULL) {
++ expanded_filename = ssh_path_expand_escape(session, "%d/config");
++ } else {
++ expanded_filename = ssh_path_expand_escape(session, filename);
++ }
++ if (expanded_filename == NULL) {
++ return -1;
++ }
++
++ r = ssh_config_parse_file(session, expanded_filename);
++ if (r < 0) {
++ goto out;
++ }
++ if (filename == NULL) {
++ if ((fp = fopen(GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
++ filename = GLOBAL_CLIENT_CONFIG;
++#ifdef USR_GLOBAL_CLIENT_CONFIG
++ } else if ((fp = fopen(USR_GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
++ filename = USR_GLOBAL_CLIENT_CONFIG;
+#endif
- }
++ }
++
++ if (fp) {
++ SSH_LOG(SSH_LOG_PACKET,
++ "Reading configuration data from %s",
++ filename);
++ r = ssh_config_parse(session, fp, true);
++ fclose(fp);
++ }
++ }
++
++ /* Do not process the default configuration as part of connection again */
++ session->opts.config_processed = true;
+ out:
+- free(expanded_filename);
+- return r;
++ free(expanded_filename);
++ return r;
+ }
- /* Do not process the default configuration as part of connection again */
-@@ -2706,7 +2724,15 @@ int ssh_bind_options_parse_config(ssh_bind sshbind,
const char *filename)
+ int ssh_options_apply(ssh_session session)
+@@ -2706,7 +2724,13 @@ int ssh_bind_options_parse_config(ssh_bind sshbind,
const char *filename)
/* If the global default configuration hasn't been processed yet, process
it
* before the provided configuration. */
if (!(sshbind->config_processed)) {
-+#ifdef USR_GLOBAL_BIND_CONFIG
+- rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
+ if (access(GLOBAL_BIND_CONFIG, F_OK) == 0) {
+ rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
++#ifdef USR_GLOBAL_BIND_CONFIG
+ } else {
+ rc = ssh_bind_config_parse_file(sshbind, USR_GLOBAL_BIND_CONFIG);
-+ }
-+#else
- rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
+#endif
++ }
if (rc != 0) {
return rc;
}
--
-2.48.1
+2.50.0
++++++
libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch
++++++
--- /var/tmp/diff_new_pack.H2oKWz/_old 2025-06-27 23:01:46.870432613 +0200
+++ /var/tmp/diff_new_pack.H2oKWz/_new 2025-06-27 23:01:46.874432778 +0200
@@ -10,10 +10,10 @@
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/tests/client/torture_session.c b/tests/client/torture_session.c
-index f95002f4..93d86995 100644
+index cc83578f..6c10dee1 100644
--- a/tests/client/torture_session.c
+++ b/tests/client/torture_session.c
-@@ -447,15 +447,25 @@ static void torture_channel_exit_signal(void **state)
+@@ -447,6 +447,16 @@ static void torture_channel_exit_signal(void **state)
/* Make the request, read parts with close */
rc = ssh_channel_request_exec(channel, request);
assert_ssh_return_code(session, rc);
@@ -30,17 +30,6 @@
rc = ssh_channel_request_send_signal(channel, "TERM");
assert_ssh_return_code(session, rc);
-- exit_status = ssh_channel_get_exit_state(channel,
-+ rc = ssh_channel_get_exit_state(channel,
- &exit_status,
- &exit_signal,
- &core_dumped);
- assert_ssh_return_code(session, rc);
-- assert_int_equal(exit_status, 0);
-+ assert_int_equal(exit_status, (uint32_t)-1);
- assert_string_equal(exit_signal, "TERM");
- SAFE_FREE(exit_signal);
- }
--
2.49.0
