From da9063bdfbe130f424ba487f167da68e0ce90e7d Mon Sep 17 00:00:00 2001 From: Wang Mingyu Date: Tue, 2 Jan 2024 15:02:33 +0800 Subject: libssh: upgrade 0.10.5 -> 0.10.6 0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch 0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch refreshed for 0.10.6 Changelog: ========== * Fix CVE-2023-6004: Command injection using proxycommand * Fix CVE-2023-48795: Potential downgrade attack using strict kex * Fix CVE-2023-6918: Missing checks for return values of MD functions * Fix ssh_send_issue_banner() for CMD(PowerShell) * Avoid passing other events to callbacks when poll is called recursively (#202) * Allow @ in usernames when parsing from URI composes Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj (cherry picked from commit 1bea2e8c3053e7ecffb04adaaded54555f2afa0b) Signed-off-by: Armin Kuster --- ...-Fix-prototype-of-des3_encrypt-des3_decry.patch | 10 ++--- ...Lists.txt-do-not-search-ssh-sshd-commands.patch | 10 ++--- meta-oe/recipes-support/libssh/libssh_0.10.5.bb | 48 ---------------------- meta-oe/recipes-support/libssh/libssh_0.10.6.bb | 48 ++++++++++++++++++++++ 4 files changed, 56 insertions(+), 60 deletions(-) delete mode 100644 meta-oe/recipes-support/libssh/libssh_0.10.5.bb create mode 100644 meta-oe/recipes-support/libssh/libssh_0.10.6.bb diff --git a/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch b/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch index 19775fa529..d2d1fb5955 100644 --- a/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch +++ b/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch @@ -1,4 +1,4 @@ -From 0cade4573334571055127a2d4fe3641e2397948d Mon Sep 17 00:00:00 2001 +From 49a8ae4d6f77434ed9f7a601b9df488b921e4a22 Mon Sep 17 00:00:00 2001 
From: Khem Raj Date: Mon, 20 Mar 2023 21:59:19 -0700 Subject: [PATCH] libgcrypt.c: Fix prototype of des3_encrypt/des3_decrypt @@ -18,15 +18,16 @@ TOPDIR/build/tmp/work/cortexa15t2hf-neon-yoe-linux-gnueabi/libssh/0.10.4-r0/git/ Upstream-Status: Pending Signed-off-by: Khem Raj + --- src/libgcrypt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libgcrypt.c b/src/libgcrypt.c -index da5588ad..e482b654 100644 +index f410d997..e3f66781 100644 --- a/src/libgcrypt.c +++ b/src/libgcrypt.c -@@ -469,12 +469,12 @@ static int des3_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV) { +@@ -416,12 +416,12 @@ static int des3_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV) { } static void des3_encrypt(struct ssh_cipher_struct *cipher, void *in, @@ -41,6 +42,3 @@ index da5588ad..e482b654 100644 gcry_cipher_decrypt(cipher->key[0], out, len, in, len); } --- -2.40.0 - diff --git a/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch b/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch index 0c7f53029e..d6bc75c3a6 100644 --- a/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch +++ b/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch @@ -1,4 +1,4 @@ -From d2525ba0bc7b11de12c54ea1a3d1eb862537136d Mon Sep 17 00:00:00 2001 +From 69a89e8f015802f61637fed0d3791d20a594f298 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 15 Mar 2023 16:51:58 +0800 Subject: [PATCH] tests/CMakeLists.txt: do not search ssh/sshd commands on host @@ -9,12 +9,13 @@ not required by unittests, we can skip the search. Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Yi Zhao + --- tests/CMakeLists.txt | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt -index 22a36f37..aa32ca2e 100644 +index f5c30061..885c926a 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -86,6 +86,7 @@ set(TEST_TARGET_LIBRARIES @@ -25,7 +26,7 @@ index 22a36f37..aa32ca2e 100644 # OpenSSH Capabilities are required for all unit tests find_program(SSH_EXECUTABLE NAMES ssh) if (SSH_EXECUTABLE) -@@ -293,6 +294,7 @@ if (CLIENT_TESTING OR SERVER_TESTING) +@@ -302,6 +303,7 @@ if (CLIENT_TESTING OR SERVER_TESTING) message(STATUS "TORTURE_ENVIRONMENT=${TORTURE_ENVIRONMENT}") endif () @@ -33,6 +34,3 @@ index 22a36f37..aa32ca2e 100644 configure_file(tests_config.h.cmake ${CMAKE_CURRENT_BINARY_DIR}/tests_config.h) --- -2.25.1 - diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.5.bb b/meta-oe/recipes-support/libssh/libssh_0.10.5.bb deleted file mode 100644 index f33987acf5..0000000000 --- a/meta-oe/recipes-support/libssh/libssh_0.10.5.bb +++ /dev/null 
@@ -1,48 +0,0 @@
-SUMMARY = "Multiplatform C library implementing the SSHv2 and SSHv1 protocol"
-HOMEPAGE = "http://www.libssh.org"
-SECTION = "libs"
-LICENSE = "LGPL-2.1-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0"
-
-DEPENDS = "zlib openssl"
-
-SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.10 \
- file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
- file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
- file://run-ptest \
- "
-SRCREV = "479eca13aaaa46b43e68c52186e3783f06ae6f34"
-
-S = "${WORKDIR}/git"
-
-inherit cmake ptest
-
-PACKAGECONFIG ??= "gcrypt ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
-PACKAGECONFIG[gssapi] = "-DWITH_GSSAPI=1, -DWITH_GSSAPI=0, krb5, "
-PACKAGECONFIG[gcrypt] = "-DWITH_GCRYPT=1, -DWITH_GCRYPT=0, libgcrypt, "
-PACKAGECONFIG[tests] = "-DUNIT_TESTING=1, -DUNIT_TESTING=0, cmocka"
-
-ARM_INSTRUCTION_SET:armv5 = "arm"
-
-EXTRA_OECMAKE = " \
- -DWITH_PCAP=1 \
- -DWITH_SFTP=1 \
- -DWITH_ZLIB=1 \
- -DWITH_EXAMPLES=0 \
- "
-
-do_compile:prepend () {
- if [ ${PTEST_ENABLED} = "1" ]; then
- sed -i -e 's|${B}|${PTEST_PATH}|g' ${B}/config.h
- sed -i -e 's|${S}|${PTEST_PATH}|g' ${B}/config.h
- fi
-}
-
-do_install_ptest () {
- install -d ${D}${PTEST_PATH}/tests
- cp -f ${B}/tests/unittests/torture_* ${D}${PTEST_PATH}/tests/
- install -d ${D}${PTEST_PATH}/tests/unittests
- cp -f ${S}/tests/unittests/hello*.sh ${D}${PTEST_PATH}/tests/unittests/
-}
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
new file mode 100644
index 0000000000..31f29c1b7d
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb
@@ -0,0 +1,48 @@
+SUMMARY = "Multiplatform C library implementing the SSHv2 and SSHv1 protocol"
+HOMEPAGE = "http://www.libssh.org"
+SECTION = "libs"
+LICENSE = "LGPL-2.1-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0"
+
+DEPENDS = "zlib openssl"
+
+SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.10 \
+ file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
+ file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
+ file://run-ptest \
+ "
+SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
+
+S = "${WORKDIR}/git"
+
+inherit cmake ptest
+
+PACKAGECONFIG ??= "gcrypt ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
+PACKAGECONFIG[gssapi] = "-DWITH_GSSAPI=1, -DWITH_GSSAPI=0, krb5, "
+PACKAGECONFIG[gcrypt] = "-DWITH_GCRYPT=1, -DWITH_GCRYPT=0, libgcrypt, "
+PACKAGECONFIG[tests] = "-DUNIT_TESTING=1, -DUNIT_TESTING=0, cmocka"
+
+ARM_INSTRUCTION_SET:armv5 = "arm"
+
+EXTRA_OECMAKE = " \
+ -DWITH_PCAP=1 \
+ -DWITH_SFTP=1 \
+ -DWITH_ZLIB=1 \
+ -DWITH_EXAMPLES=0 \
+ "
+
+do_compile:prepend () {
+ if [ ${PTEST_ENABLED} = "1" ]; then
+ sed -i -e 's|${B}|${PTEST_PATH}|g' ${B}/config.h
+ sed -i -e 's|${S}|${PTEST_PATH}|g' ${B}/config.h
+ fi
+}
+
+do_install_ptest () {
+ install -d ${D}${PTEST_PATH}/tests
+ cp -f ${B}/tests/unittests/torture_* ${D}${PTEST_PATH}/tests/
+ install -d ${D}${PTEST_PATH}/tests/unittests
+ cp -f ${S}/tests/unittests/hello*.sh ${D}${PTEST_PATH}/tests/unittests/
+}
+
+BBCLASSEXTEND = "native nativesdk"
-- cgit 1.2.3-korg
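Review bot: In `do_compile:prepend` of the new recipe the test `[ ${PTEST_ENABLED} = "1" ]` leaves the variable unquoted, so an empty expansion turns it into the malformed `[ = "1" ]` and the shell reports a test error rather than evaluating cleanly to false. That may be reachable for the `native`/`nativesdk` variants enabled by `BBCLASSEXTEND`, though whether the variable is ever empty depends on class settings not visible in this patch. Quoting it as `if [ "${PTEST_ENABLED}" = "1" ]; then` keeps the behaviour for "1" and "0" and removes the error path. The block is carried over unchanged from the removed 0.10.5 recipe, so the point is independent of the SRCREV bump itself.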