>> The 1.8.x branch fixes only resolve the issues brought up by the
>> Canonical review while master contains a more exhaustive review and is
>> highly recommended to use.
>
> Stable distros won't use git master. You can say it is a "downstream
> problem", but it won't change the end result: either upstream provides
> backport(ed|able) security fixes for a few previous branches, or most
> end users will use vulnerable code for years.
>
> And fixes in libssh2 git master are not backportable, 1.8.x branch is.
Yup, I agree. The plain fact of the matter is there isn't enough manpower/interest to provide back-ported fixes for all the issues addressed on master. The plan is to release 1.9.0 on the 11th. I know that doesn't help prior releases, but it does get the ball moving in the right direction.

>> I will submit a patch on Monday for the check length function, thanks
>> for bringing that to our attention.
>
> Not sure if it is still possible to practically exploit it (as of
> c07bc647f), but those (int) casts are wrong (and unneeded).
>
> Anyway, /proper/ check is:
>
> - if(len > buf->len)
> - return 0;
> -
> - return ((int)(buf->dataptr - buf->data) <= (int)(buf->len - len)) ? 1 :
> 0;
> + return len <= (size_t)((buf->data + buf->len) - buf->dataptr);

This is a better fix, thanks.

Regards,
Will

_______________________________________________
libssh2-devel
https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
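Review bot: the replacement line `return len <= (size_t)((buf->data + buf->len) - buf->dataptr);` is only correct while `buf->dataptr` stays within `[buf->data, buf->data + buf->len]`; if the read position is ever advanced past the end, the pointer difference is negative and the `(size_t)` cast turns it into a very large remaining count, so every `len` passes. Document that invariant at the check (or assert it in a debug build), since the dropped `if(len > buf->len)` guard is otherwise subsumed by the new remaining-bytes comparison.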
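To show why the `(int)` casts in the removed check are wrong and how the remaining-bytes form behaves, here is an added example (not libssh2's code). It models the buffer with offsets instead of pointers, so `buf->dataptr - buf->data` becomes `used` and `(buf->data + buf->len) - buf->dataptr` becomes `len - used`; the struct `buf_model` and the functions `check_length_old`, `check_length_new` and `fits` are hypothetical names chosen for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the libssh2 buffer fields named in the thread.
 * Offsets replace the pointers so both checks can be run on sizes above
 * INT_MAX without allocating multi-gigabyte buffers (pointer arithmetic
 * past a real object would be undefined behaviour). */
typedef struct {
    size_t len;   /* total bytes in the buffer (buf->len) */
    size_t used;  /* bytes already consumed (buf->dataptr - buf->data) */
} buf_model;

/* Check as in the removed hunk lines: pre-check, then compare through
 * (int) casts. Converting a size_t above INT_MAX to int is
 * implementation-defined; on the usual two's-complement ABIs the value
 * wraps negative, which is what makes the comparison lie. */
static int check_length_old(const buf_model *b, size_t want)
{
    if (want > b->len)
        return 0;
    return ((int)b->used <= (int)(b->len - want)) ? 1 : 0;
}

/* Check as in the added hunk line: compare against the bytes remaining.
 * Relies on used <= len, i.e. dataptr never past the end of the buffer. */
static int check_length_new(const buf_model *b, size_t want)
{
    return want <= (size_t)(b->len - b->used);
}

/* Independent reference: does the request actually fit? */
static int fits(const buf_model *b, size_t want)
{
    return b->used <= b->len && want <= b->len - b->used;
}

int main(void)
{
    /* Constructed case: buffer above 2 GiB, 2 GiB already consumed,
     * 512 MiB requested while only 256 MiB remain. The old check says
     * yes because (int)0x80000000 is negative; the new check says no. */
    buf_model b = { .len = 0x90000000u, .used = 0x80000000u };
    size_t want = 0x20000000u;
    printf("fits=%d old=%d new=%d\n", fits(&b, want),
           check_length_old(&b, want), check_length_new(&b, want));
    return 0;
}
```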