Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libssh for openSUSE:Factory checked 
in at 2025-06-27 23:00:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libssh (Old)
 and      /work/SRC/openSUSE:Factory/.libssh.new.7067 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libssh"

Fri Jun 27 23:00:44 2025 rev:79 rq:1288631 version:0.11.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/libssh/libssh.changes    2025-06-04 
20:27:57.147489128 +0200
+++ /work/SRC/openSUSE:Factory/.libssh.new.7067/libssh.changes  2025-06-27 
23:01:45.802388595 +0200
@@ -1,0 +2,28 @@
+Tue Jun 24 14:36:44 UTC 2025 - Andreas Schneider <a...@cryptomilk.org>
+
+- Update to version 0.11.2
+  * Security:
+    * CVE-2025-4877 - Write beyond bounds in binary to base64 conversion 
(bsc#1245309)
+    * CVE-2025-4878 - Use of uninitialized variable in privatekey_from_file() 
(bsc#1245310)
+    * CVE-2025-5318 - Likely read beyond bounds in sftp server handle 
management (bsc#1245311)
+    * CVE-2025-5351 - Double free in functions exporting keys (bsc#1245312)
+    * CVE-2025-5372 - ssh_kdf() returns a success code on certain failures 
(bsc#1245314)
+    * CVE-2025-5449 - Likely read beyond bounds in sftp server message 
decoding (bsc#1245316)
+    * CVE-2025-5987 - Invalid return code for chacha20 poly1305 with OpenSSL 
(bsc#1245317)
+  * Compatibility
+    * Fixed compatibility with CPM.cmake
+    * Compatibility with OpenSSH 10.0
+    * Tests compatibility with new Dropbear releases
+    * Removed p11-kit remoting from the pkcs11 testsuite
+  * Bugfixes
+    * Implement missing packet filter for DH GEX
+    * Properly process the SSH2_MSG_DEBUG message
+    * Allow escaping quotes in quoted arguments to ssh configuration
+    * Do not fail with unknown match keywords in ssh configuration
+    * Process packets before selecting signature algorithm during 
authentication
+    * Do not fail hard when the SFTP status message is not sent by noncompliant
+      servers
+- Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
+- Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch
+
+-------------------------------------------------------------------

Old:
----
  libssh-0.11.1.tar.xz
  libssh-0.11.1.tar.xz.asc
  libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
  libssh-misc-Fix-OpenSSH-banner-parsing.patch

New:
----
  libssh-0.11.2.tar.xz
  libssh-0.11.2.tar.xz.asc

----------(Old B)----------
  Old:      servers
- Removed libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
- Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch
  Old:- Removed 
libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
- Removed libssh-misc-Fix-OpenSSH-banner-parsing.patch
----------(Old E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libssh.spec ++++++
--- /var/tmp/diff_new_pack.H2oKWz/_old  2025-06-27 23:01:46.554419589 +0200
+++ /var/tmp/diff_new_pack.H2oKWz/_new  2025-06-27 23:01:46.558419754 +0200
@@ -32,7 +32,7 @@
 %endif
 
 Name:           libssh%{pkg_suffix}
-Version:        0.11.1
+Version:        0.11.2
 Release:        0
 Summary:        The SSH library
 License:        LGPL-2.1-or-later
@@ -46,12 +46,8 @@
 Source99:       baselibs.conf
 # PATCH-FIX-UPSTREAM: libssh tries to read config from wrong crypto-policies 
location (bsc#1222716)
 Patch0:         libssh-cmake-Add-option-WITH_HERMETIC_USR.patch
-# PATCH-FIX-UPSTREAM: fix build with OpenSSH >= 10.0
-Patch1:         
libssh-CmakeLists-Fix-multiple-digit-major-version-for-OpenSSH.patch
-# PATCH-FIX-UPSTREAM: fix OpenSSH banner parsing
-Patch2:         libssh-misc-Fix-OpenSSH-banner-parsing.patch
 # PATCH-FIX-SUSE: fix hang in torture_channel tests (bsc#1243799)
-Patch3:         
libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch
+Patch1:         
libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 BuildRequires:  krb5-devel

++++++ libssh-0.11.1.tar.xz -> libssh-0.11.2.tar.xz ++++++
++++ 5307 lines of diff (skipped)

++++++ libssh-cmake-Add-option-WITH_HERMETIC_USR.patch ++++++
--- /var/tmp/diff_new_pack.H2oKWz/_old  2025-06-27 23:01:46.854431954 +0200
+++ /var/tmp/diff_new_pack.H2oKWz/_new  2025-06-27 23:01:46.858432119 +0200
@@ -1,24 +1,31 @@
-From ae314e4a23178a355fb3e85e8a501efcbc1b9a74 Mon Sep 17 00:00:00 2001
+From d88dbc1e0fa6dab2de359f211792c0b5c3ec7664 Mon Sep 17 00:00:00 2001
 From: Lucas Mulling <lucas.mull...@suse.com>
 Date: Mon, 17 Feb 2025 14:13:53 -0300
 Subject: [PATCH] cmake: Add option WITH_HERMETIC_USR
 
+Add a cmake option to enable hermetic-usr, i.e., use of config files in /usr/.
+If turned on, GLOBAL_*_CONFIG is prepended with /usr/ and defined as
+USR_GLOBAL_*_CONFIG. Config lookup follows this path GLOBAL_*_CONFIG ->
+USR_GLOBAL_*_CONFIG.
+
 Introduce a ssh_config_parse primitive. This avoids convoluted checks for file
 presence (without modifing the behaviour of ssh_config_parse_file) and allows
 marking whether the config is global at the call site.
 
 Signed-off-by: Lucas Mulling <lucas.mull...@suse.com>
+Reviewed-by: Jakub Jelen <jje...@redhat.com>
 ---
- CMakeLists.txt           |  8 +++++-
- DefineOptions.cmake      |  6 +++++
- config.h.cmake           |  2 ++
- include/libssh/options.h |  1 +
- src/config.c             | 57 ++++++++++++++++++++++++++++------------
- src/options.c            | 28 +++++++++++++++++++-
- 6 files changed, 83 insertions(+), 19 deletions(-)
+ CMakeLists.txt           |   8 ++-
+ DefineOptions.cmake      |   6 +++
+ config.h.cmake           |   2 +
+ include/libssh/libssh.h  |   3 +-
+ include/libssh/options.h |   1 +
+ src/config.c             |  56 ++++++++++++++-------
+ src/options.c            | 106 ++++++++++++++++++++++++---------------
+ 7 files changed, 122 insertions(+), 60 deletions(-)
 
 diff --git a/CMakeLists.txt b/CMakeLists.txt
-index d484bdfa..fee994cd 100644
+index 9877cd70..9a4ea9e3 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
 @@ -249,9 +249,15 @@ message(STATUS "Benchmarks: ${WITH_BENCHMARKS}")
@@ -78,6 +85,22 @@
  #cmakedefine GLOBAL_CLIENT_CONFIG "${GLOBAL_CLIENT_CONFIG}"
  
  /************************** HEADER FILES *************************/
+diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
+index 3bddb019..28fe7396 100644
+--- a/include/libssh/libssh.h
++++ b/include/libssh/libssh.h
+@@ -49,9 +49,10 @@
+   #endif
+ #endif
+ 
++#include <inttypes.h>
+ #include <stdarg.h>
++#include <stdbool.h>
+ #include <stdint.h>
+-#include <inttypes.h>
+ 
+ #ifdef _MSC_VER
+   typedef int mode_t;
 diff --git a/include/libssh/options.h b/include/libssh/options.h
 index d32e1589..63b207fa 100644
 --- a/include/libssh/options.h
@@ -91,25 +114,30 @@
  int ssh_config_parse_string(ssh_session session, const char *input);
  int ssh_options_set_algo(ssh_session session,
 diff --git a/src/config.c b/src/config.c
-index 7bb0f50f..7ad3b620 100644
+index b4171efd..611c0349 100644
 --- a/src/config.c
 +++ b/src/config.c
-@@ -1449,6 +1449,31 @@ ssh_config_parse_line(ssh_session session,
+@@ -1451,45 +1451,67 @@ ssh_config_parse_line(ssh_session session,
    return 0;
  }
  
+-/* @brief Parse configuration file and set the options to the given session
 +/* @brief Parse configuration from a file pointer
-+ *
-+ * @params[in] session   The ssh session
+  *
+  * @params[in] session   The ssh session
+- * @params[in] filename  The path to the ssh configuration file
 + * @params[in] fp        A valid file pointer
 + * @params[in] global    Whether the config is global or not
-+ *
-+ * @returns    0 on successful parsing the configuration file, -1 on error
-+ */
-+int ssh_config_parse(ssh_session session, FILE *fp, bool global) {
-+    char line[MAX_LINE_SIZE] = {0};
-+    unsigned int count = 0;
-+    int parsing, rv;
+  *
+  * @returns    0 on successful parsing the configuration file, -1 on error
+  */
+-int ssh_config_parse_file(ssh_session session, const char *filename)
++int ssh_config_parse(ssh_session session, FILE *fp, bool global)
+ {
+     char line[MAX_LINE_SIZE] = {0};
+     unsigned int count = 0;
+-    FILE *f = NULL;
+     int parsing, rv;
 +
 +    parsing = 1;
 +    while (fgets(line, sizeof(line), fp)) {
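Review bot: The new doc comment on ssh_config_parse describes fp only as "A valid file pointer" and does not say who closes the stream or that NULL is not accepted, although the function passes fp straight to fgets(). The caller visible later in this patch (ssh_options_parse_config) calls fclose() itself after the call returns, so I would put that contract in the comment, e.g. `@params[in] fp  An open, non-NULL stream; not closed here, the caller must fclose() it`. The comment opens with `/*` and uses `@params`, whereas Doxygen only picks up `/**` and `@param`; this matches the neighbouring ssh_config_parse_file comment, so it may be deliberate. The function body continues outside this hunk.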
@@ -123,18 +151,16 @@
 +    return 0;
 +}
 +
- /* @brief Parse configuration file and set the options to the given session
-  *
-  * @params[in] session   The ssh session
-@@ -1458,36 +1483,34 @@ ssh_config_parse_line(ssh_session session,
-  */
- int ssh_config_parse_file(ssh_session session, const char *filename)
- {
--    char line[MAX_LINE_SIZE] = {0};
--    unsigned int count = 0;
--    FILE *f;
--    int parsing, rv;
-+    FILE *fp;
++/* @brief Parse configuration file and set the options to the given session
++ *
++ * @params[in] session   The ssh session
++ * @params[in] filename  The path to the ssh configuration file
++ *
++ * @returns    0 on successful parsing the configuration file, -1 on error
++ */
++int ssh_config_parse_file(ssh_session session, const char *filename)
++{
++    FILE *fp = NULL;
 +    int rv;
      bool global = 0;
  
@@ -145,13 +171,11 @@
          return 0;
      }
  
+     rv = strcmp(filename, GLOBAL_CLIENT_CONFIG);
 +#ifdef USR_GLOBAL_CLIENT_CONFIG
-+    rv = strcmp(filename, USR_GLOBAL_CLIENT_CONFIG);
 +    if (rv != 0) {
-+        rv = strcmp(filename, GLOBAL_CLIENT_CONFIG);
++        rv = strcmp(filename, USR_GLOBAL_CLIENT_CONFIG);
 +    }
-+#else
-     rv = strcmp(filename, GLOBAL_CLIENT_CONFIG);
 +#endif
 +
      if (rv == 0) {
@@ -179,7 +203,7 @@
  
  /* @brief Parse configuration string and set the options to the given session
 diff --git a/src/options.c b/src/options.c
-index 55c7be39..45346fd1 100644
+index 785296dd..6a72e0e2 100644
 --- a/src/options.c
 +++ b/src/options.c
 @@ -26,6 +26,7 @@
@@ -199,54 +223,126 @@
   *
   * @return 0 on success, < 0 on error.
   *
-@@ -1823,6 +1826,9 @@ int ssh_options_parse_config(ssh_session session, const 
char *filename)
+@@ -1821,48 +1824,63 @@ int ssh_options_getopt(ssh_session session, int 
*argcptr, char **argv)
+  */
+ int ssh_options_parse_config(ssh_session session, const char *filename)
  {
-   char *expanded_filename;
-   int r;
-+#ifdef USR_GLOBAL_CLIENT_CONFIG
-+  FILE *fp;
-+#endif
- 
-   if (session == NULL) {
-     return -1;
-@@ -1855,7 +1861,19 @@ int ssh_options_parse_config(ssh_session session, const 
char *filename)
-       goto out;
-   }
-   if (filename == NULL) {
+-  char *expanded_filename = NULL;
+-  int r;
++    char *expanded_filename = NULL;
++    int r;
++    FILE *fp = NULL;
+ 
+-  if (session == NULL) {
+-    return -1;
+-  }
+-  if (session->opts.host == NULL) {
+-    ssh_set_error_invalid(session);
+-    return -1;
+-  }
+-
+-  if (session->opts.sshdir == NULL) {
+-      r = ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL);
+-      if (r < 0) {
+-          ssh_set_error_oom(session);
+-          return -1;
+-      }
+-  }
+-
+-  /* set default filename */
+-  if (filename == NULL) {
+-    expanded_filename = ssh_path_expand_escape(session, "%d/config");
+-  } else {
+-    expanded_filename = ssh_path_expand_escape(session, filename);
+-  }
+-  if (expanded_filename == NULL) {
+-    return -1;
+-  }
+-
+-  r = ssh_config_parse_file(session, expanded_filename);
+-  if (r < 0) {
+-      goto out;
+-  }
+-  if (filename == NULL) {
 -      r = ssh_config_parse_file(session, GLOBAL_CLIENT_CONFIG);
-+#ifdef USR_GLOBAL_CLIENT_CONFIG
-+    if ((fp = fopen(GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
-+      SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", 
GLOBAL_CLIENT_CONFIG);
-+      r = ssh_config_parse(session, fp, true);
-+      fclose(fp);
-+    } else if ((fp = fopen(USR_GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
-+      SSH_LOG(SSH_LOG_PACKET, "Reading configuration data from %s", 
USR_GLOBAL_CLIENT_CONFIG);
-+      r = ssh_config_parse(session, fp, true);
-+      fclose(fp);
+-  }
+-
+-  /* Do not process the default configuration as part of connection again */
+-  session->opts.config_processed = true;
++    if (session == NULL) {
++        return -1;
 +    }
-+#else
-+    r = ssh_config_parse_file(session, GLOBAL_CLIENT_CONFIG);
++    if (session->opts.host == NULL) {
++        ssh_set_error_invalid(session);
++        return -1;
++    }
++
++    if (session->opts.sshdir == NULL) {
++        r = ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL);
++        if (r < 0) {
++            ssh_set_error_oom(session);
++            return -1;
++        }
++    }
++
++    /* set default filename */
++    if (filename == NULL) {
++        expanded_filename = ssh_path_expand_escape(session, "%d/config");
++    } else {
++        expanded_filename = ssh_path_expand_escape(session, filename);
++    }
++    if (expanded_filename == NULL) {
++        return -1;
++    }
++
++    r = ssh_config_parse_file(session, expanded_filename);
++    if (r < 0) {
++        goto out;
++    }
++    if (filename == NULL) {
++        if ((fp = fopen(GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
++            filename = GLOBAL_CLIENT_CONFIG;
++#ifdef USR_GLOBAL_CLIENT_CONFIG
++        } else if ((fp = fopen(USR_GLOBAL_CLIENT_CONFIG, "r")) != NULL) {
++            filename = USR_GLOBAL_CLIENT_CONFIG;
 +#endif
-   }
++        }
++
++        if (fp) {
++            SSH_LOG(SSH_LOG_PACKET,
++                    "Reading configuration data from %s",
++                    filename);
++            r = ssh_config_parse(session, fp, true);
++            fclose(fp);
++        }
++    }
++
++    /* Do not process the default configuration as part of connection again */
++    session->opts.config_processed = true;
+ out:
+-  free(expanded_filename);
+-  return r;
++    free(expanded_filename);
++    return r;
+ }
  
-   /* Do not process the default configuration as part of connection again */
-@@ -2706,7 +2724,15 @@ int ssh_bind_options_parse_config(ssh_bind sshbind, 
const char *filename)
+ int ssh_options_apply(ssh_session session)
+@@ -2706,7 +2724,13 @@ int ssh_bind_options_parse_config(ssh_bind sshbind, 
const char *filename)
      /* If the global default configuration hasn't been processed yet, process 
it
       * before the provided configuration. */
      if (!(sshbind->config_processed)) {
-+#ifdef USR_GLOBAL_BIND_CONFIG
+-        rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
 +        if (access(GLOBAL_BIND_CONFIG, F_OK) == 0) {
 +            rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
++#ifdef USR_GLOBAL_BIND_CONFIG
 +        } else {
 +            rc = ssh_bind_config_parse_file(sshbind, USR_GLOBAL_BIND_CONFIG);
-+        }
-+#else
-         rc = ssh_bind_config_parse_file(sshbind, GLOBAL_BIND_CONFIG);
 +#endif
++        }
          if (rc != 0) {
              return rc;
          }
 -- 
-2.48.1
+2.50.0
 
 
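Review bot: In ssh_options_parse_config the fallback from GLOBAL_CLIENT_CONFIG to USR_GLOBAL_CLIENT_CONFIG is taken on any fopen() failure, not only when the /etc file is absent. An /etc config that exists but cannot be opened (a permissions error, for instance) is therefore silently replaced by the /usr defaults, and no log line records that administrator settings were skipped. I would restrict the fallback to the missing-file case, `} else if (errno == ENOENT && (fp = fopen(USR_GLOBAL_CLIENT_CONFIG, "r")) != NULL) {`, and log the other errors; this assumes errno is usable in options.c, whose include block is outside the hunk. In ssh_bind_options_parse_config the `access(GLOBAL_BIND_CONFIG, F_OK)` test is a separate check before ssh_bind_config_parse_file opens the file, so the file can change between the two, and it behaves differently from the fopen-based client path. When the file is missing and USR_GLOBAL_BIND_CONFIG is not defined, `rc` is no longer assigned before `if (rc != 0)`; its initialisation is not visible here and should be confirmed.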

++++++ 
libssh-tests-Fix-an-issue-where-torture_session-request-a-SIGTERM-too-early.patch
 ++++++
--- /var/tmp/diff_new_pack.H2oKWz/_old  2025-06-27 23:01:46.870432613 +0200
+++ /var/tmp/diff_new_pack.H2oKWz/_new  2025-06-27 23:01:46.874432778 +0200
@@ -10,10 +10,10 @@
  1 file changed, 12 insertions(+), 2 deletions(-)
 
 diff --git a/tests/client/torture_session.c b/tests/client/torture_session.c
-index f95002f4..93d86995 100644
+index cc83578f..6c10dee1 100644
 --- a/tests/client/torture_session.c
 +++ b/tests/client/torture_session.c
-@@ -447,15 +447,25 @@ static void torture_channel_exit_signal(void **state)
+@@ -447,6 +447,16 @@ static void torture_channel_exit_signal(void **state)
      /* Make the request, read parts with close */
      rc = ssh_channel_request_exec(channel, request);
      assert_ssh_return_code(session, rc);
@@ -30,17 +30,6 @@
      rc = ssh_channel_request_send_signal(channel, "TERM");
      assert_ssh_return_code(session, rc);
  
--    exit_status = ssh_channel_get_exit_state(channel,
-+    rc = ssh_channel_get_exit_state(channel,
-                                              &exit_status,
-                                              &exit_signal,
-                                              &core_dumped);
-     assert_ssh_return_code(session, rc);
--    assert_int_equal(exit_status, 0);
-+    assert_int_equal(exit_status, (uint32_t)-1);
-     assert_string_equal(exit_signal, "TERM");
-     SAFE_FREE(exit_signal);
- }
 -- 
 2.49.0
 
