Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

libssh2: revision bump to fix CVE-2016-0787

Browse source 
- adds patch copied from Debian to address CVE
- fixes zlib detection
- changes http to https links
- updates maintainer's mail address

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit is contained in:
Sebastian Kemper 2018-01-30 15:25:23 +01:00
parent 2b8f946204
commit f84cc525d6
2 changed files with 29 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
libs/libssh2/Makefile
View file

@ -1,5 +1,5 @@
# #
# Copyright (C) 2015 OpenWrt.org # Copyright (C) 2015 - 2018 OpenWrt.org
# #
# This is free software, licensed under the GNU General Public License v2. # This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information. # See /LICENSE for more information.
@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libssh2 PKG_NAME:=libssh2
PKG_VERSION:=1.6.0 PKG_VERSION:=1.6.0
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.libssh2.org/download PKG_SOURCE_URL:=https://www.libssh2.org/download
PKG_MD5SUM:=00aabd6e714a5f42a4fb82ace20db1dd PKG_MD5SUM:=00aabd6e714a5f42a4fb82ace20db1dd
PKG_INSTALL:=1 PKG_INSTALL:=1
@ -26,9 +26,9 @@ define Package/libssh2
SECTION:=libs SECTION:=libs
CATEGORY:=Libraries CATEGORY:=Libraries
TITLE:=SSH2 library TITLE:=SSH2 library
URL:=http://www.libssh2.org/ URL:=https://www.libssh2.org/
DEPENDS:=+libopenssl +zlib DEPENDS:=+libopenssl +zlib
MAINTAINER:=Jiri Slachta <slachta@cesnet.cz> MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
endef endef
define Package/libssh2/description define Package/libssh2/description
@ -39,7 +39,8 @@ TARGET_CFLAGS += $(FPIC)
CONFIGURE_ARGS += \ CONFIGURE_ARGS += \
--disable-examples-build \ --disable-examples-build \
--with-libssl-prefix=$(STAGING_DIR)/usr --with-libssl-prefix=$(STAGING_DIR)/usr \
--with-libz-prefix=$(STAGING_DIR)/usr
define Build/InstallDev define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include $(INSTALL_DIR) $(1)/usr/include

22
libs/libssh2/patches/0004-CVE-2016-0787.patch Normal file
View file

@ -0,0 +1,22 @@
Description: CVE-2016-0787: Truncated Difffie-Hellman secret length
Convert bytes to bits in diffie_hellman_sha1. Otherwise we get far too
small numbers.
Origin: backport, http://www.libssh2.org/CVE-2016-0787.patch
Forwarded: not-needed
Author: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2016-02-18
Applied-Upstream: 1.7.0
---
--- a/src/kex.c
+++ b/src/kex.c
@@ -103,7 +103,7 @@ static int diffie_hellman_sha1(LIBSSH2_S
memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t));
/* Generate x and e */
- _libssh2_bn_rand(exchange_state->x, group_order, 0, -1);
+ _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1);
_libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p,
exchange_state->ctx);