Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libssh for openSUSE:Factory checked in at 2025-06-27 23:00:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libssh (Old) and /work/SRC/openSUSE:Factory/.libssh.new.7067 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libssh" Fri Jun 27 23:00:44 2025 rev:79 rq:1288631 version:0.11.2 Changes: --------
--- /work/SRC/openSUSE:Factory/libssh/libssh.changes 2025-06-04 20:27:57.147489128 +0200
+++ /work/SRC/openSUSE:Factory/.libssh.new.7067/libssh.changes 2025-06-27 23:01:45.802388595 +0200
@@ -1,0 +2,28 @@
+Tue Jun 24 14:36:44 UTC 2025 - Andreas Schneider <a...@cryptomilk.org>
+
+- Update to version 0.11.2
+ * Security:
+ * CVE-2025-4877 - Write beyond bounds in binary to base64 conversion (bsc#1245309)
+ * CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file() (bsc#1245310)
+ * CVE-2025-5318 - Likely read beyond bounds in sftp server handle management (bsc#1245311)
+ * CVE-2025-5351 - Double free in functions exporting keys (bsc#1245312)
+ * CVE-2025-5372 - ssh_kdf() returns a success code on certain failures (bsc#1245314)
+ * CVE-2025-5449 - Likely read beyond bounds in sftp server message decoding (bsc#1245316)
+ * CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL (bsc#1245317)
+ * Compatibility
+ * Fixed compatibility with CPM.cmake
+ * Compatibility with OpenSSH 10.0
+ * Tests compatibility with new Dropbear releases
+ * Removed p11-kit remoting from the pkcs11 testsuite
+ * Bugfixes
+ * Implement missing packet filter for DH GEX
+ * Properly process the SSH2_MSG_DEBUG message
+ * Allow escaping quotes in quoted arguments to ssh configuration
+ * Do not fail with unknown match keywords in ssh configuration
+ * Process packets before selecting signature algorithm during authentication
+ * Do not fail hard when the SFTP status message is not sent by noncompliant
+ servers
+- Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
+- Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch
+
+-------------------------------------------------------------------
Old: ---- libssh-0.11.1.tar.xz libssh-0.11.1.tar.xz.asc libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch libssh-misc-Fix-OpenSSH-banner-parsing.patch New: ---- libssh-0.11.2.tar.xz libssh-0.11.2.tar.xz.asc ----------(Old B)---------- Old: servers - Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch - Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch Old:- Removed 
libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch - Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libssh.spec ++++++ --- /var/tmp/diff_new_pack.H2oKWz/_old 2025-06-27 23:01:46.554419589 +0200 +++ /var/tmp/diff_new_pack.H2oKWz/_new 2025-06-27 23:01:46.558419754 +0200 @@ -32,7 +32,7 @@ %endif Name: libssh%{pkg_suffix} -Version: 0.11.1 +Version: 0.11.2 Release: 0 Summary: The SSH library License: LGPL-2.1-or-later @@ -46,12 +46,8 @@ Source99: baselibs.conf # PATCH-FIX-UPSTREAM: libssh tries to read config from wrong crypto-policies location (bsc#1222716) Patch0: libssh-cmake-Add-option-WITH_HERMETIC_USR.patch -# PATCH-FIX-UPSTREAM: fix build with OpenSSH >= 10.0 -Patch1: libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch -# PATCH-FIX-UPSTREAM: fix OpenSSH banner parsing -Patch2: libssh-misc-Fix-OpenSSH-banner-parsing.patch # PATCH-FIX-SUSE: fix hang in torture_channel tests (bsc#1243799) -Patch3: libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch +Patch1: libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: krb5-devel ++++++ libssh-0.11.1.tar.xz -> libssh-0.11.2.tar.xz ++++++ ++++ 5307 lines of diff (skipped) ++++++ libssh-cmake-Add-option-WITH_HERMETIC_USR.patch ++++++ --- /var/tmp/diff_new_pack.H2oKWz/_old 2025-06-27 23:01:46.854431954 +0200 +++ /var/tmp/diff_new_pack.H2oKWz/_new 2025-06-27 23:01:46.858432119 +0200 @@ -1,24 +1,31 @@ -From ae314e4a23178a355fb3e85e8a501efcbc1b9a74 Mon Sep 17 00:00:00 2001 +From d88dbc1e0fa6dab2de359f211792c0b5c3ec7664 Mon Sep 17 00:00:00 2001 
From: Lucas Mulling <lucas.mull...@suse.com> Date: Mon, 17 Feb 2025 14:13:53 -0300 Subject: [PATCH] cmake: Add option WITH_HERMETIC_USR +Add a cmake option to enable hermetic-usr, i.e., use of config files in /usr/. +If turned on, GLOBAL_*_CONFIG is prepended with /usr/ and defined as +USR_GLOBAL_*_CONFIG. Config lookup follows this path GLOBAL_*_CONFIG -> +USR_GLOBAL_*_CONFIG. + Introduce a ssh_config_parse primitive. This avoids convoluted checks for file presence (without modifing the behaviour of ssh_config_parse_file) and allows marking whether the config is global at the call site. Signed-off-by: Lucas Mulling <lucas.mull...@suse.com> +Reviewed-by: Jakub Jelen <jje...@redhat.com> --- - CMakeLists.txt | 8 +++++- - DefineOptions.cmake | 6 +++++ - config.h.cmake | 2 ++ - include/libssh/options.h | 1 + - src/config.c | 57 ++++++++++++++++++++++++++++------------ - src/options.c | 28 +++++++++++++++++++- - 6 files changed, 83 insertions(+), 19 deletions(-) + CMakeLists.txt | 8 ++- + DefineOptions.cmake | 6 +++ + config.h.cmake | 2 + + include/libssh/libssh.h | 3 +- + include/libssh/options.h | 1 + + src/config.c | 56 ++++++++++++++------- + src/options.c | 106 ++++++++++++++++++++++++--------------- + 7 files changed, 122 insertions(+), 60 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt -index d484bdfa..fee994cd 100644 +index 9877cd70..9a4ea9e3 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -249,9 +249,15 @@ message(STATUS "Benchmarks: ${WITH_BENCHMARKS}") @@ -78,6 +85,22 @@ #cmakedefine GLOBAL_CLIENT_CONFIG "${GLOBAL_CLIENT_CONFIG}" /************************** HEADER FILES *************************/ +diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h +index 3bddb019..28fe7396 100644 +--- a/include/libssh/libssh.h ++++ b/include/libssh/libssh.h +@@ -49,9 +49,10 @@ + #endif + #endif + ++#include <inttypes.h> + #include <stdarg.h> ++#include <stdbool.h> + #include <stdint.h> +-#include <inttypes.h> + + #ifdef _MSC_VER + typedef int mode_t; 
diff --git a/include/libssh/options.h b/include/libssh/options.h index d32e1589..63b207fa 100644 --- a/include/libssh/options.h @@ -91,25 +114,30 @@ int ssh_config_parse_string(ssh_session session, const char *input); int ssh_options_set_algo(ssh_session session, diff --git a/src/config.c b/src/config.c -index 7bb0f50f..7ad3b620 100644 +index b4171efd..611c0349 100644 --- a/src/config.c +++ b/src/config.c -@@ -1449,6 +1449,31 @@ ssh_config_parse_line(ssh_session session, +@@ -1451,45 +1451,67 @@ ssh_config_parse_line(ssh_session session, return 0; } +-/* @brief Parse configuration file and set the options to the given session +/* @brief Parse configuration from a file pointer -+ * -+ * @params[in] session The ssh session + * + * @params[in] session The ssh session +- * @params[in] filename The path to the ssh configuration file + * @params[in] fp A valid file pointer + * @params[in] global Whether the config is global or not -+ * -+ * @returns 0 on successful parsing the configuration file, -1 on error -+ */ -+int ssh_config_parse(ssh_session session, FILE *fp, bool global) { -+ char line[MAX_LINE_SIZE] = {0}; -+ unsigned int count = 0; -+ int parsing, rv; + * + * @returns 0 on successful parsing the configuration file, -1 on error + */ +-int ssh_config_parse_file(ssh_session session, const char *filename) ++int ssh_config_parse(ssh_session session, FILE *fp, bool global) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f = NULL; + int parsing, rv; + + parsing = 1; + while (fgets(line, sizeof(line), fp)) { 
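Review bot: The new doc comment for `ssh_config_parse` in src/config.c describes `fp` only as "A valid file pointer" and does not say who closes the stream or that NULL is not accepted, while the visible body hands `fp` straight to `fgets()`. The caller shown in src/options.c closes the stream itself after the call, so I would add `@note The caller keeps ownership of fp and must close it; fp must not be NULL.` to the comment. The comment also keeps the `@params[in]` spelling of the block it replaces, where the Doxygen command is `@param[in]`. The function body continues past this hunk, so whether it closes `fp` on an error path cannot be confirmed from here.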
@@ -123,18 +151,16 @@ + return 0; +} + - /* @brief Parse configuration file and set the options to the given session - * - * @params[in] session The ssh session -@@ -1458,36 +1483,34 @@ ssh_config_parse_line(ssh_session session, - */ - int ssh_config_parse_file(ssh_session session, const char *filename) - { -- char line[MAX_LINE_SIZE] = {0}; -- unsigned int count = 0; -- FILE *f; -- int parsing, rv; -+ FILE *fp; ++/* @brief Parse configuration file and set the options to the given session ++ * ++ * @params[in] session The ssh session ++ * @params[in] filename The path to the ssh configuration file ++ * ++ * @returns 0 on successful parsing the configuration file, -1 on error ++ */ ++int ssh_config_parse_file(ssh_session session, const char *filename) ++{ ++ FILE *fp = NULL; + int rv; bool global = 0; @@ -145,13 +171,11 @@ return 0; } + rv = strcmp(filename, GLOBAL_CLIENT_CONFIG); +#ifdef USR_GLOBAL_CLIENT_CONFIG -+ rv = strcmp(filename, USR_GLOBAL_CLIENT_CONFIG); + if (rv != 0) { -+ rv = strcmp(filename, GLOBAL_CLIENT_CONFIG); ++ rv = strcmp(filename, USR_GLOBAL_CLIENT_CONFIG); + } -+#else - rv = strcmp(filename, GLOBAL_CLIENT_CONFIG); +#endif + if (rv == 0) { @@ -179,7 +203,7 @@ /* @brief Parse configuration string and set the options to the given session diff --git a/src/options.c b/src/options.c -index 55c7be39..45346fd1 100644 +index 785296dd..6a72e0e2 100644 --- a/src/options.c +++ b/src/options.c @@ -26,6 +26,7 @@ 
@@ -199,54 +223,126 @@ * * @return 0 on success, < 0 on error. * -@@ -1823,6 +1826,9 @@ int ssh_options_parse_config(ssh_session session, const char *filename) +@@ -1821,48 +1824,63 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv) + */ + int ssh_options_parse_config(ssh_session session, const char *filename) { - char *expanded_filename; - int r; -+#ifdef USR_GLOBAL_CLIENT_CONFIG -+ FILE *fp; -+#endif - - if (session == NULL) { - return -1; -@@ -1855,7 +1861,19 @@ int ssh_options_parse_config(ssh_session session, const char *filename) - goto out; - } - if (filename == NULL) { +- char *expanded_filename = NULL; +- int r; ++ char *expanded_filename = NULL; ++ int r; ++ FILE *fp = NULL; + +- if (session == NULL) { +- return -1; +- } +- if (session->opts.host == NULL) { +- ssh_set_error_invalid(session); +- return -1; +- } +- +- if (session->opts.sshdir == NULL) { +- r = ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL); +- if (r < 0) { +- ssh_set_error_oom(session); +- return -1; +- } +- } +- +- /* set default filename */ +- if (filename == NULL) { +- expanded_filename = ssh_path_expand_escape(session, "%d/config"); +- } else { +- expanded_filename = ssh_path_expand_escape(session, filename); +- } +- if (expanded_filename == NULL) { +- return -1; +- } +- +- r = ssh_config_parse_file(session, expanded_filename); +- if (r < 0) { +- goto out; +- } +- if (filename == NULL) { - r = ssh_config_parse_file(session, GLOBAL_CLIENT_CONFIG); -+#ifdef USR_GLOBAL_CLIENT_CONFIG -+ if ((fp = fopen(GLOBAL_CLIENT_CONFIG, "r")) != NULL) { -+ SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", GLOBAL_CLIENT_CONFIG); -+ r = ssh_config_parse(session, fp, true); -+ fclose(fp); -+ } else if ((fp = fopen(USR_GLOBAL_CLIENT_CONFIG, "r")) != NULL) { -+ SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", USR_GLOBAL_CLIENT_CONFIG); -+ r = ssh_config_parse(session, fp, true); -+ fclose(fp); +- } +- +- /* Do not process the default configuration as part 
of connection again */ +- session->opts.config_processed = true; ++ if (session == NULL) { ++ return -1; + } -+#else -+ r = ssh_config_parse_file(session, GLOBAL_CLIENT_CONFIG); ++ if (session->opts.host == NULL) { ++ ssh_set_error_invalid(session); ++ return -1; ++ } ++ ++ if (session->opts.sshdir == NULL) { ++ r = ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL); ++ if (r < 0) { ++ ssh_set_error_oom(session); ++ return -1; ++ } ++ } ++ ++ /* set default filename */ ++ if (filename == NULL) { ++ expanded_filename = ssh_path_expand_escape(session, "%d/config"); ++ } else { ++ expanded_filename = ssh_path_expand_escape(session, filename); ++ } ++ if (expanded_filename == NULL) { ++ return -1; ++ } ++ ++ r = ssh_config_parse_file(session, expanded_filename); ++ if (r < 0) { ++ goto out; ++ } ++ if (filename == NULL) { ++ if ((fp = fopen(GLOBAL_CLIENT_CONFIG, "r")) != NULL) { ++ filename = GLOBAL_CLIENT_CONFIG; ++#ifdef USR_GLOBAL_CLIENT_CONFIG ++ } else if ((fp = fopen(USR_GLOBAL_CLIENT_CONFIG, "r")) != NULL) { ++ filename = USR_GLOBAL_CLIENT_CONFIG; +#endif - } ++ } ++ ++ if (fp) { ++ SSH_LOG(SSH_LOG_PACKET, ++ "Reading configuration data from %s", ++ filename); ++ r = ssh_config_parse(session, fp, true); ++ fclose(fp); ++ } ++ } ++ ++ /* Do not process the default configuration as part of connection again */ ++ session->opts.config_processed = true; + out: +- free(expanded_filename); +- return r; ++ free(expanded_filename); ++ return r; + } - /* Do not process the default configuration as part of connection again */ -@@ -2706,7 +2724,15 @@ int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename) + int ssh_options_apply(ssh_session session) +@@ -2706,7 +2724,13 @@ int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename) /* If the global default configuration hasn't been processed yet, process it * before the provided configuration. 
*/ if (!(sshbind->config_processed)) { -+#ifdef USR_GLOBAL_BIND_CONFIG +- rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG); + if (access(GLOBAL_BIND_CONFIG, F_OK) == 0) { + rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG); ++#ifdef USR_GLOBAL_BIND_CONFIG + } else { + rc = ssh_bind_config_parse_file(sshbind, USR_GLOBAL_BIND_CONFIG); -+ } -+#else - rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG); +#endif ++ } if (rc != 0) { return rc; } -- -2.48.1 +2.50.0 ++++++ libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch ++++++ --- /var/tmp/diff_new_pack.H2oKWz/_old 2025-06-27 23:01:46.870432613 +0200 +++ /var/tmp/diff_new_pack.H2oKWz/_new 2025-06-27 23:01:46.874432778 +0200 @@ -10,10 +10,10 @@ 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/tests/client/torture_session.c b/tests/client/torture_session.c -index f95002f4..93d86995 100644 +index cc83578f..6c10dee1 100644 --- a/tests/client/torture_session.c +++ b/tests/client/torture_session.c -@@ -447,15 +447,25 @@ static void torture_channel_exit_signal(void **state) +@@ -447,6 +447,16 @@ static void torture_channel_exit_signal(void **state) /* Make the request, read parts with close */ rc = ssh_channel_request_exec(channel, request); assert_ssh_return_code(session, rc); @@ -30,17 +30,6 @@ rc = ssh_channel_request_send_signal(channel, "TERM"); assert_ssh_return_code(session, rc); -- exit_status = ssh_channel_get_exit_state(channel, -+ rc = ssh_channel_get_exit_state(channel, - &exit_status, - &exit_signal, - &core_dumped); - assert_ssh_return_code(session, rc); -- assert_int_equal(exit_status, 0); -+ assert_int_equal(exit_status, (uint32_t)-1); - assert_string_equal(exit_signal, "TERM"); - SAFE_FREE(exit_signal); - } -- 2.49.0
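Review bot: In the `ssh_bind_options_parse_config` part of the src/options.c change, `rc` is now assigned only inside `if (access(GLOBAL_BIND_CONFIG, F_OK) == 0)`, so when `USR_GLOBAL_BIND_CONFIG` is not defined and the file is absent the following `if (rc != 0)` tests whatever `rc` held before, which is not visible in the hunk. The replaced line assigned `rc` unconditionally; putting `rc = 0;` just before the `access()` call would make the no-config case explicit. The `access()` probe followed by a by-name open inside `ssh_bind_config_parse_file` is also a check-then-use sequence, and `F_OK` treats an existing but unreadable file differently from the `fopen()` fall-through that the same patch uses for the client configuration. Opening once and deciding on that result, as `ssh_options_parse_config` does, would keep the two lookups consistent. The function starts and ends outside the hunk.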