Message ID | 20231220085438.97520-1-vanusuri@mvista.com |
---|---|
State | New |
Series | [meta-oe,kirkstone,v3,1/4] libssh: upgrade 0.8.9 -> 0.10.4 | expand |
Hi Armin, Any update on this ? Thanks & Regards, Vijay On Wed, Dec 20, 2023 at 2:25 PM Vijay Anusuri via lists.openembedded.org <vanusuri=mvista.com@lists.openembedded.org> wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > Changelog: > https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.5 > > * Generate cases list dynamically in run-ptest. > * Install missing file to fix ptest failure. > > Signed-off-by: Yi Zhao <yi.zhao@windriver.com> > > Ref: > https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut&id=b0833f1f3ec78f16a79d9ff66cdd19da93496018 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../recipes-support/libssh/libssh/run-ptest | 42 ++----------------- > .../{libssh_0.10.4.bb => libssh_0.10.5.bb} | 5 ++- > 2 files changed, 7 insertions(+), 40 deletions(-) > rename meta-oe/recipes-support/libssh/{libssh_0.10.4.bb => > libssh_0.10.5.bb} (85%) > > diff --git a/meta-oe/recipes-support/libssh/libssh/run-ptest > b/meta-oe/recipes-support/libssh/libssh/run-ptest > index 159994e9b..6346b72d5 100644 > --- a/meta-oe/recipes-support/libssh/libssh/run-ptest > +++ b/meta-oe/recipes-support/libssh/libssh/run-ptest 
> @@ -1,53 +1,17 @@ > #!/bin/sh > > -# Valid tests to run > -tests="torture_bind_config \ > - torture_buffer \ > - torture_bytearray \ > - torture_callbacks \ > - torture_channel \ > - torture_config \ > - torture_crypto \ > - torture_hashes \ > - torture_init \ > - torture_isipaddr \ > - torture_keyfiles \ > - torture_knownhosts_parsing \ > - torture_list \ > - torture_misc \ > - torture_moduli \ > - torture_options \ > - torture_packet \ > - torture_packet_filter \ > - torture_pki \ > - torture_pki_ecdsa \ > - torture_pki_ed25519 \ > - torture_pki_rsa \ > - torture_push_pop_dir \ > - torture_rand \ > - torture_session_keys \ > - torture_temp_dir \ > - torture_temp_file \ > - torture_threads_buffer \ > - torture_threads_crypto \ > - torture_threads_init \ > - torture_threads_pki_rsa \ > - torture_tokens \ > - " > - > ptestdir=$(dirname "$(readlink -f "$0")") > cd "$ptestdir"/tests || exit > > -# Run specified tests > +tests=$(find * -type f -name 'torture_*') > + > for f in $tests > do > - if test -e ./"$f"; then > + if test -x ./"$f"; then > if ./"$f" > ./"$f".out 2> ./"$f".err; then > echo "PASS: $f" > else > echo "FAIL: $f" > fi > - else > - echo "SKIP: $f" > fi > done > diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.4.bb > b/meta-oe/recipes-support/libssh/libssh_0.10.5.bb > similarity index 85% > rename from meta-oe/recipes-support/libssh/libssh_0.10.4.bb > rename to meta-oe/recipes-support/libssh/libssh_0.10.5.bb > index 4b2ced5e5..f33987acf 100644 > --- a/meta-oe/recipes-support/libssh/libssh_0.10.4.bb > +++ b/meta-oe/recipes-support/libssh/libssh_0.10.5.bb > @@ -11,7 +11,7 @@ SRC_URI = "git:// > git.libssh.org/projects/libssh.git;protocol=https;branch=stable > > file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \ > file://run-ptest \ > " > -SRCREV = "e8322817a9e5aaef0698d779ddd467a209a85d85" > +SRCREV = "479eca13aaaa46b43e68c52186e3783f06ae6f34" > > S = "${WORKDIR}/git" 
> > @@ -34,12 +34,15 @@ EXTRA_OECMAKE = " \ > do_compile:prepend () { > if [ ${PTEST_ENABLED} = "1" ]; then > sed -i -e 's|${B}|${PTEST_PATH}|g' ${B}/config.h > + sed -i -e 's|${S}|${PTEST_PATH}|g' ${B}/config.h > fi > } > > do_install_ptest () { > install -d ${D}${PTEST_PATH}/tests > cp -f ${B}/tests/unittests/torture_* ${D}${PTEST_PATH}/tests/ > + install -d ${D}${PTEST_PATH}/tests/unittests > + cp -f ${S}/tests/unittests/hello*.sh > ${D}${PTEST_PATH}/tests/unittests/ > } > > BBCLASSEXTEND = "native nativesdk" > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#107653): > https://lists.openembedded.org/g/openembedded-devel/message/107653 > Mute This Topic: https://lists.openembedded.org/mt/103278130/7301997 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [ > vanusuri@mvista.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
On Wed, 2023-12-20 at 14:24 +0530, Vijay Anusuri via lists.openembedded.org wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > ChangeLog: > https://git.libssh.org/projects/libssh.git/tree/CHANGELOG?h=libssh-0.10.4 I don't think this is allowed as per stable branch policy unless this is a bug fix only upgrade. Thanks, Anuj > > Drop CVE-2020-16135.patch > > Ref: > https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut&id=4b7e4341327e867208bfc3d8ba1954af66641e60 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../libssh/libssh/CVE-2020-16135.patch | 44 ----------------- > -- > .../{libssh_0.8.9.bb => libssh_0.10.4.bb} | 16 ++----- > 2 files changed, 3 insertions(+), 57 deletions(-) > delete mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2020- > 16135.patch > rename meta-oe/recipes-support/libssh/{libssh_0.8.9.bb => > libssh_0.10.4.bb} (62%) > > diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2020- > 16135.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2020- > 16135.patch > deleted file mode 100644 > index 63b78688d..000000000 > --- a/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch > +++ /dev/null 
> @@ -1,44 +0,0 @@ > -From 0a9268a60f2d3748ca69bde5651f20e72761058c Mon Sep 17 00:00:00 > 2001 > -From: Andreas Schneider <asn@cryptomilk.org> > -Date: Wed, 3 Jun 2020 10:04:09 +0200 > -Subject: CVE-2020-16135: Add missing NULL check for ssh_buffer_new() > - > -Add a missing NULL check for the pointer returned by > ssh_buffer_new() in > -sftpserver.c. > - > -Thanks to Ramin Farajpour Cami for spotting this. > - > -Fixes T232 > - > -Signed-off-by: Andreas Schneider <asn@cryptomilk.org> > -Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> > -Reviewed-by: Jakub Jelen <jjelen@redhat.com> > -(cherry picked from commit 533d881b0f4b24c72b35ecc97fa35d295d063e53) > - > -Upstream-Status: Backport > [https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d374 > 8ca69bde5651f20e72761058c] > -CVE: CVE-2020-16135 > -Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > ---- > - src/sftpserver.c | 6 ++++++ > - 1 file changed, 6 insertions(+) > - > -diff --git a/src/sftpserver.c b/src/sftpserver.c > -index 1717aa417..1af8a0e76 100644 > ---- a/src/sftpserver.c > -+++ b/src/sftpserver.c > -@@ -64,6 +64,12 @@ sftp_client_message > sftp_get_client_message(sftp_session sftp) { > - > - /* take a copy of the whole packet */ > - msg->complete_message = ssh_buffer_new(); > -+ if (msg->complete_message == NULL) { > -+ ssh_set_error_oom(session); > -+ sftp_client_message_free(msg); > -+ return NULL; > -+ } > -+ > - ssh_buffer_add_data(msg->complete_message, > - ssh_buffer_get(payload), > - ssh_buffer_get_len(payload)); > --- > -2.25.1 > - > diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta- > oe/recipes-support/libssh/libssh_0.10.4.bb > similarity index 62% > rename from meta-oe/recipes-support/libssh/libssh_0.8.9.bb > rename to meta-oe/recipes-support/libssh/libssh_0.10.4.bb > index 061f13912..3a57a728a 100644 > --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > +++ b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb 
> @@ -6,10 +6,8 @@ LIC_FILES_CHKSUM = > "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0" > > DEPENDS = "zlib openssl" > > -SRC_URI = > "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stabl > e-0.8 \ > - file://CVE-2020-16135.patch \ > - " > -SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" > +SRC_URI = > "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stabl > e-0.10" > +SRCREV = "e8322817a9e5aaef0698d779ddd467a209a85d85" > > S = "${WORKDIR}/git" > > @@ -25,15 +23,7 @@ EXTRA_OECMAKE = " \ > -DWITH_PCAP=1 \ > -DWITH_SFTP=1 \ > -DWITH_ZLIB=1 \ > - -DLIB_SUFFIX=${@d.getVar('baselib').replace('lib', '')} \ > + -DWITH_EXAMPLES=0 \ > " > > -do_configure:prepend () { > - # Disable building of examples > - sed -i -e '/add_subdirectory(examples)/s/^/#DONOTWANT/' > ${S}/CMakeLists.txt \ > - || bbfatal "Failed to disable examples" > -} > - > -TOOLCHAIN = "gcc" > - > BBCLASSEXTEND = "native nativesdk" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#107650): > https://lists.openembedded.org/g/openembedded-devel/message/107650 > Mute This Topic: https://lists.openembedded.org/mt/103278127/3616702 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: > https://lists.openembedded.org/g/openembedded-devel/unsub [ > anuj.mittal@intel.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Hi Anuj, I thought of updating libssh to 0.10.6 to fix the below security bugs * Fix CVE-2023-6004: Command injection using proxycommand * Fix CVE-2023-48795: Potential downgrade attack using strict kex * Fix CVE-2023-6918: Missing checks for return values of MD functions Ref: https://lists.openembedded.org/g/openembedded-devel/message/107993 (libssh update to 0.10.6 for master branch) Now I have to go with backporting the fixes instead of upgrading? Thanks & Regards, Vijay On Mon, Jan 8, 2024 at 7:44 AM Mittal, Anuj <anuj.mittal@intel.com> wrote: > On Wed, 2023-12-20 at 14:24 +0530, Vijay Anusuri via > lists.openembedded.org wrote: > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > ChangeLog: > > > https://git.libssh.org/projects/libssh.git/tree/CHANGELOG?h=libssh-0.10.4 > > I don't think this is allowed as per stable branch policy unless this > is a bug fix only upgrade. > > Thanks, > > Anuj > > > > > Drop CVE-2020-16135.patch > > > > Ref: > > > https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut&id=4b7e4341327e867208bfc3d8ba1954af66641e60 > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > --- > > .../libssh/libssh/CVE-2020-16135.patch | 44 ----------------- > > -- > > .../{libssh_0.8.9.bb => libssh_0.10.4.bb} | 16 ++----- > > 2 files changed, 3 insertions(+), 57 deletions(-) > > delete mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2020- > > 16135.patch > > rename meta-oe/recipes-support/libssh/{libssh_0.8.9.bb => > > libssh_0.10.4.bb} (62%) > > > > diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2020- > > 16135.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2020- > > 16135.patch > > deleted file mode 100644 > > index 63b78688d..000000000 > > --- a/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch > > +++ /dev/null 
> > @@ -1,44 +0,0 @@ > > -From 0a9268a60f2d3748ca69bde5651f20e72761058c Mon Sep 17 00:00:00 > > 2001 > > -From: Andreas Schneider <asn@cryptomilk.org> > > -Date: Wed, 3 Jun 2020 10:04:09 +0200 > > -Subject: CVE-2020-16135: Add missing NULL check for ssh_buffer_new() > > - > > -Add a missing NULL check for the pointer returned by > > ssh_buffer_new() in > > -sftpserver.c. > > - > > -Thanks to Ramin Farajpour Cami for spotting this. > > - > > -Fixes T232 > > - > > -Signed-off-by: Andreas Schneider <asn@cryptomilk.org> > > -Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> > > -Reviewed-by: Jakub Jelen <jjelen@redhat.com> > > -(cherry picked from commit 533d881b0f4b24c72b35ecc97fa35d295d063e53) > > - > > -Upstream-Status: Backport > > [https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d374 > > 8ca69bde5651f20e72761058c] > > -CVE: CVE-2020-16135 > > -Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > > ---- > > - src/sftpserver.c | 6 ++++++ > > - 1 file changed, 6 insertions(+) > > - > > -diff --git a/src/sftpserver.c b/src/sftpserver.c > > -index 1717aa417..1af8a0e76 100644 > > ---- a/src/sftpserver.c > > -+++ b/src/sftpserver.c > > -@@ -64,6 +64,12 @@ sftp_client_message > > sftp_get_client_message(sftp_session sftp) { > > - > > - /* take a copy of the whole packet */ > > - msg->complete_message = ssh_buffer_new(); > > -+ if (msg->complete_message == NULL) { > > -+ ssh_set_error_oom(session); > > -+ sftp_client_message_free(msg); > > -+ return NULL; > > -+ } > > -+ > > - ssh_buffer_add_data(msg->complete_message, > > - ssh_buffer_get(payload), > > - ssh_buffer_get_len(payload)); > > --- > > -2.25.1 > > - > > diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta- > > oe/recipes-support/libssh/libssh_0.10.4.bb > > similarity index 62% > > rename from meta-oe/recipes-support/libssh/libssh_0.8.9.bb > > rename to meta-oe/recipes-support/libssh/libssh_0.10.4.bb > > index 061f13912..3a57a728a 100644 
> > --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > > +++ b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb > > @@ -6,10 +6,8 @@ LIC_FILES_CHKSUM = > > "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0" > > > > DEPENDS = "zlib openssl" > > > > -SRC_URI = > > "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stabl > > e-0.8 \ > > - file://CVE-2020-16135.patch \ > > - " > > -SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" > > +SRC_URI = > > "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stabl > > e-0.10" > > +SRCREV = "e8322817a9e5aaef0698d779ddd467a209a85d85" > > > > S = "${WORKDIR}/git" > > > > @@ -25,15 +23,7 @@ EXTRA_OECMAKE = " \ > > -DWITH_PCAP=1 \ > > -DWITH_SFTP=1 \ > > -DWITH_ZLIB=1 \ > > - -DLIB_SUFFIX=${@d.getVar('baselib').replace('lib', '')} \ > > + -DWITH_EXAMPLES=0 \ > > " > > > > -do_configure:prepend () { > > - # Disable building of examples > > - sed -i -e '/add_subdirectory(examples)/s/^/#DONOTWANT/' > > ${S}/CMakeLists.txt \ > > - || bbfatal "Failed to disable examples" > > -} > > - > > -TOOLCHAIN = "gcc" > > - > > BBCLASSEXTEND = "native nativesdk" > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#107650): > > https://lists.openembedded.org/g/openembedded-devel/message/107650 > > Mute This Topic: https://lists.openembedded.org/mt/103278127/3616702 > > Group Owner: openembedded-devel+owner@lists.openembedded.org > > Unsubscribe: > > https://lists.openembedded.org/g/openembedded-devel/unsub [ > > anuj.mittal@intel.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > > >
On Mon, 2024-01-08 at 08:10 +0530, Vijay Anusuri via lists.openembedded.org wrote: > Hi Anuj, > > I thought of updating libssh to 0.10.6 to fix the below security bugs > > * Fix CVE-2023-6004: Command injection using proxycommand > * Fix CVE-2023-48795: Potential downgrade attack using strict kex > * Fix CVE-2023-6918: Missing checks for return values of MD functions > > Ref: > https://lists.openembedded.org/g/openembedded-devel/message/107993 > (libssh update to 0.10.6 for master branch) > > Now I have to go with backporting the fixes instead of upgrading? Yes, that is the policy. https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable/LTS_Patch_Acceptance_Policies Thanks, Anuj > > Thanks & Regards, > Vijay > > > > On Mon, Jan 8, 2024 at 7:44 AM Mittal, Anuj <anuj.mittal@intel.com> > wrote: > > On Wed, 2023-12-20 at 14:24 +0530, Vijay Anusuri via > > lists.openembedded.org wrote: > > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > > > ChangeLog: > > > https://git.libssh.org/projects/libssh.git/tree/CHANGELOG?h=libssh-0.10.4 > > > > I don't think this is allowed as per stable branch policy unless > > this > > is a bug fix only upgrade. > > > > Thanks, > > > > Anuj > > > > > > > > Drop CVE-2020-16135.patch > > > > > > Ref: > > > https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut&id=4b7e4341327e867208bfc3d8ba1954af66641e60 > > > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > > --- > > > .../libssh/libssh/CVE-2020-16135.patch | 44 ------------- > > > ---- > > > -- > > > .../{libssh_0.8.9.bb => libssh_0.10.4.bb} | 16 ++----- > > > 2 files changed, 3 insertions(+), 57 deletions(-) > > > delete mode 100644 meta-oe/recipes-support/libssh/libssh/CVE- > > > 2020- > > > 16135.patch > > > rename meta-oe/recipes-support/libssh/{libssh_0.8.9.bb => > > > libssh_0.10.4.bb} (62%) 
> > > > > > diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2020- > > > 16135.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2020- > > > 16135.patch > > > deleted file mode 100644 > > > index 63b78688d..000000000 > > > --- a/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch > > > +++ /dev/null 
> > > @@ -1,44 +0,0 @@ > > > -From 0a9268a60f2d3748ca69bde5651f20e72761058c Mon Sep 17 > > > 00:00:00 > > > 2001 > > > -From: Andreas Schneider <asn@cryptomilk.org> > > > -Date: Wed, 3 Jun 2020 10:04:09 +0200 > > > -Subject: CVE-2020-16135: Add missing NULL check for > > > ssh_buffer_new() > > > - > > > -Add a missing NULL check for the pointer returned by > > > ssh_buffer_new() in > > > -sftpserver.c. > > > - > > > -Thanks to Ramin Farajpour Cami for spotting this. > > > - > > > -Fixes T232 > > > - > > > -Signed-off-by: Andreas Schneider <asn@cryptomilk.org> > > > -Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> > > > -Reviewed-by: Jakub Jelen <jjelen@redhat.com> > > > -(cherry picked from commit > > > 533d881b0f4b24c72b35ecc97fa35d295d063e53) > > > - > > > -Upstream-Status: Backport > > > [ > > > https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d3 > > > 74 > > > 8ca69bde5651f20e72761058c] > > > -CVE: CVE-2020-16135 > > > -Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > > > ---- > > > - src/sftpserver.c | 6 ++++++ > > > - 1 file changed, 6 insertions(+) > > > - > > > -diff --git a/src/sftpserver.c b/src/sftpserver.c > > > -index 1717aa417..1af8a0e76 100644 > > > ---- a/src/sftpserver.c > > > -+++ b/src/sftpserver.c > > > -@@ -64,6 +64,12 @@ sftp_client_message > > > sftp_get_client_message(sftp_session sftp) { > > > - > > > - /* take a copy of the whole packet */ > > > - msg->complete_message = ssh_buffer_new(); > > > -+ if (msg->complete_message == NULL) { > > > -+ ssh_set_error_oom(session); > > > -+ sftp_client_message_free(msg); > > > -+ return NULL; > > > -+ } > > > -+ > > > - ssh_buffer_add_data(msg->complete_message, > > > - ssh_buffer_get(payload), > > > - ssh_buffer_get_len(payload)); > > > --- > > > -2.25.1 > > > - 
> > > diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > > > b/meta- > > > oe/recipes-support/libssh/libssh_0.10.4.bb > > > similarity index 62% > > > rename from meta-oe/recipes-support/libssh/libssh_0.8.9.bb > > > rename to meta-oe/recipes-support/libssh/libssh_0.10.4.bb > > > index 061f13912..3a57a728a 100644 > > > --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > > > +++ b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb > > > @@ -6,10 +6,8 @@ LIC_FILES_CHKSUM = > > > "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0" > > > > > > DEPENDS = "zlib openssl" > > > > > > -SRC_URI = > > > "git://git.libssh.org/projects/libssh.git;protocol=https;branch=s > > > tabl > > > e-0.8 \ > > > - file://CVE-2020-16135.patch \ > > > - " > > > -SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" > > > +SRC_URI = > > > "git://git.libssh.org/projects/libssh.git;protocol=https;branch=s > > > tabl > > > e-0.10" > > > +SRCREV = "e8322817a9e5aaef0698d779ddd467a209a85d85" > > > > > > S = "${WORKDIR}/git" 
> > > > > > @@ -25,15 +23,7 @@ EXTRA_OECMAKE = " \ > > > -DWITH_PCAP=1 \ > > > -DWITH_SFTP=1 \ > > > -DWITH_ZLIB=1 \ > > > - -DLIB_SUFFIX=${@d.getVar('baselib').replace('lib', '')} \ > > > + -DWITH_EXAMPLES=0 \ > > > " > > > > > > -do_configure:prepend () { > > > - # Disable building of examples > > > - sed -i -e '/add_subdirectory(examples)/s/^/#DONOTWANT/' > > > ${S}/CMakeLists.txt \ > > > - || bbfatal "Failed to disable examples" > > > -} > > > - > > > -TOOLCHAIN = "gcc" > > > - > > > BBCLASSEXTEND = "native nativesdk" > > > > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#108083): > https://lists.openembedded.org/g/openembedded-devel/message/108083 > Mute This Topic: https://lists.openembedded.org/mt/103278127/3616702 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: > https://lists.openembedded.org/g/openembedded-devel/unsub [ > anuj.mittal@intel.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Thanks Anuj for the information provided Thanks & Regards, Vijay On Mon, Jan 8, 2024 at 8:36 AM Mittal, Anuj <anuj.mittal@intel.com> wrote: > On Mon, 2024-01-08 at 08:10 +0530, Vijay Anusuri via > lists.openembedded.org wrote: > > Hi Anuj, > > > > I thought of updating libssh to 0.10.6 to fix the below security bugs > > > > * Fix CVE-2023-6004: Command injection using proxycommand > > * Fix CVE-2023-48795: Potential downgrade attack using strict kex > > * Fix CVE-2023-6918: Missing checks for return values of MD functions > > > > Ref: > > https://lists.openembedded.org/g/openembedded-devel/message/107993 > > (libssh update to 0.10.6 for master branch) > > > > Now I have to go with backporting the fixes instead of upgrading? > > Yes, that is the policy. > > > https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS#Stable/LTS_Patch_Acceptance_Policies > > Thanks, > > Anuj > > > > > Thanks & Regards, > > Vijay > > > > > > > > On Mon, Jan 8, 2024 at 7:44 AM Mittal, Anuj <anuj.mittal@intel.com> > > wrote: > > > On Wed, 2023-12-20 at 14:24 +0530, Vijay Anusuri via > > > lists.openembedded.org wrote: > > > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > > > > > ChangeLog: > > > > > https://git.libssh.org/projects/libssh.git/tree/CHANGELOG?h=libssh-0.10.4 > > > > > > I don't think this is allowed as per stable branch policy unless > > > this > > > is a bug fix only upgrade. > > > > > > Thanks, > > > > > > Anuj > > > > > > > > > > > Drop CVE-2020-16135.patch > > > > > > > > Ref: > > > > > https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut&id=4b7e4341327e867208bfc3d8ba1954af66641e60 
> > > > > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > > > --- > > > > .../libssh/libssh/CVE-2020-16135.patch | 44 ------------- > > > > ---- > > > > -- > > > > .../{libssh_0.8.9.bb => libssh_0.10.4.bb} | 16 ++----- > > > > 2 files changed, 3 insertions(+), 57 deletions(-) > > > > delete mode 100644 meta-oe/recipes-support/libssh/libssh/CVE- > > > > 2020- > > > > 16135.patch > > > > rename meta-oe/recipes-support/libssh/{libssh_0.8.9.bb => > > > > libssh_0.10.4.bb} (62%) > > > > > > > > diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2020- > > > > 16135.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2020- > > > > 16135.patch > > > > deleted file mode 100644 > > > > index 63b78688d..000000000 > > > > --- a/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch > > > > +++ /dev/null 
> > > > @@ -1,44 +0,0 @@ > > > > -From 0a9268a60f2d3748ca69bde5651f20e72761058c Mon Sep 17 > > > > 00:00:00 > > > > 2001 > > > > -From: Andreas Schneider <asn@cryptomilk.org> > > > > -Date: Wed, 3 Jun 2020 10:04:09 +0200 > > > > -Subject: CVE-2020-16135: Add missing NULL check for > > > > ssh_buffer_new() > > > > - > > > > -Add a missing NULL check for the pointer returned by > > > > ssh_buffer_new() in > > > > -sftpserver.c. > > > > - > > > > -Thanks to Ramin Farajpour Cami for spotting this. > > > > - > > > > -Fixes T232 > > > > - > > > > -Signed-off-by: Andreas Schneider <asn@cryptomilk.org> > > > > -Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> > > > > -Reviewed-by: Jakub Jelen <jjelen@redhat.com> > > > > -(cherry picked from commit > > > > 533d881b0f4b24c72b35ecc97fa35d295d063e53) > > > > - > > > > -Upstream-Status: Backport > > > > [ > > > > https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d3 > > > > 74 > > > > 8ca69bde5651f20e72761058c] > > > > -CVE: CVE-2020-16135 > > > > -Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> > > > > ---- > > > > - src/sftpserver.c | 6 ++++++ > > > > - 1 file changed, 6 insertions(+) > > > > - > > > > -diff --git a/src/sftpserver.c b/src/sftpserver.c > > > > -index 1717aa417..1af8a0e76 100644 > > > > ---- a/src/sftpserver.c > > > > -+++ b/src/sftpserver.c > > > > -@@ -64,6 +64,12 @@ sftp_client_message > > > > sftp_get_client_message(sftp_session sftp) { > > > > - > > > > - /* take a copy of the whole packet */ > > > > - msg->complete_message = ssh_buffer_new(); > > > > -+ if (msg->complete_message == NULL) { > > > > -+ ssh_set_error_oom(session); > > > > -+ sftp_client_message_free(msg); > > > > -+ return NULL; > > > > -+ } > > > > -+ > > > > - ssh_buffer_add_data(msg->complete_message, > > > > - ssh_buffer_get(payload), > > > > - ssh_buffer_get_len(payload)); > > > > --- > > > > -2.25.1 > > > > - 
> > > > diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > > > > b/meta- > > > > oe/recipes-support/libssh/libssh_0.10.4.bb > > > > similarity index 62% > > > > rename from meta-oe/recipes-support/libssh/libssh_0.8.9.bb > > > > rename to meta-oe/recipes-support/libssh/libssh_0.10.4.bb > > > > index 061f13912..3a57a728a 100644 > > > > --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb > > > > +++ b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb > > > > @@ -6,10 +6,8 @@ LIC_FILES_CHKSUM = > > > > "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0" > > > > > > > > DEPENDS = "zlib openssl" > > > > > > > > -SRC_URI = > > > > "git://git.libssh.org/projects/libssh.git;protocol=https;branch=s > > > > tabl > > > > e-0.8 \ > > > > - file://CVE-2020-16135.patch \ > > > > - " > > > > -SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" > > > > +SRC_URI = > > > > "git://git.libssh.org/projects/libssh.git;protocol=https;branch=s > > > > tabl > > > > e-0.10" > > > > +SRCREV = "e8322817a9e5aaef0698d779ddd467a209a85d85" > > > > > > > > S = "${WORKDIR}/git" 
> > > > > > > > @@ -25,15 +23,7 @@ EXTRA_OECMAKE = " \ > > > > -DWITH_PCAP=1 \ > > > > -DWITH_SFTP=1 \ > > > > -DWITH_ZLIB=1 \ > > > > - -DLIB_SUFFIX=${@d.getVar('baselib').replace('lib', '')} \ > > > > + -DWITH_EXAMPLES=0 \ > > > > " > > > > > > > > -do_configure:prepend () { > > > > - # Disable building of examples > > > > - sed -i -e '/add_subdirectory(examples)/s/^/#DONOTWANT/' > > > > ${S}/CMakeLists.txt \ > > > > - || bbfatal "Failed to disable examples" > > > > -} > > > > - > > > > -TOOLCHAIN = "gcc" > > > > - > > > > BBCLASSEXTEND = "native nativesdk" > > > > > > > > > > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#108083): > > https://lists.openembedded.org/g/openembedded-devel/message/108083 > > Mute This Topic: https://lists.openembedded.org/mt/103278127/3616702 > > Group Owner: openembedded-devel+owner@lists.openembedded.org > > Unsubscribe: > > https://lists.openembedded.org/g/openembedded-devel/unsub [ > > anuj.mittal@intel.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > > >
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch
deleted file mode 100644
index 63b78688d..000000000
--- a/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0a9268a60f2d3748ca69bde5651f20e72761058c Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Wed, 3 Jun 2020 10:04:09 +0200
-Subject: CVE-2020-16135: Add missing NULL check for ssh_buffer_new()
-
-Add a missing NULL check for the pointer returned by ssh_buffer_new() in
-sftpserver.c.
-
-Thanks to Ramin Farajpour Cami for spotting this.
-
-Fixes T232
-
-Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Reviewed-by: Jakub Jelen <jjelen@redhat.com>
-(cherry picked from commit 533d881b0f4b24c72b35ecc97fa35d295d063e53)
-
-Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d3748ca69bde5651f20e72761058c]
-CVE: CVE-2020-16135
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- src/sftpserver.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/sftpserver.c b/src/sftpserver.c
-index 1717aa417..1af8a0e76 100644
---- a/src/sftpserver.c
-+++ b/src/sftpserver.c
-@@ -64,6 +64,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
-
- /* take a copy of the whole packet */
- msg->complete_message = ssh_buffer_new();
-+ if (msg->complete_message == NULL) {
-+ ssh_set_error_oom(session);
-+ sftp_client_message_free(msg);
-+ return NULL;
-+ }
-+
- ssh_buffer_add_data(msg->complete_message,
- ssh_buffer_get(payload),
- ssh_buffer_get_len(payload));
---
-2.25.1
-
diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
similarity index 62%
rename from meta-oe/recipes-support/libssh/libssh_0.8.9.bb
rename to meta-oe/recipes-support/libssh/libssh_0.10.4.bb
index 061f13912..3a57a728a 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
@@ -6,10 +6,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0"
 
 DEPENDS = "zlib openssl"
 
-SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.8 \
- file://CVE-2020-16135.patch \
- "
-SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"
+SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.10"
+SRCREV = "e8322817a9e5aaef0698d779ddd467a209a85d85"
 
 S = "${WORKDIR}/git"
 
@@ -25,15 +23,7 @@ EXTRA_OECMAKE = " \
 -DWITH_PCAP=1 \
 -DWITH_SFTP=1 \
 -DWITH_ZLIB=1 \
- -DLIB_SUFFIX=${@d.getVar('baselib').replace('lib', '')} \
+ -DWITH_EXAMPLES=0 \
 "
 
-do_configure:prepend () {
- # Disable building of examples
- sed -i -e '/add_subdirectory(examples)/s/^/#DONOTWANT/' ${S}/CMakeLists.txt \
- || bbfatal "Failed to disable examples"
-}
-
-TOOLCHAIN = "gcc"
-
 BBCLASSEXTEND = "native nativesdk"
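Review bot: Dropping `file://CVE-2020-16135.patch` from SRC_URI in the first hunk is not justified anywhere in the change; the commit message says only "Drop CVE-2020-16135.patch". The removed backport names the upstream fix as commit 533d881b0f4b24c72b35ecc97fa35d295d063e53, so the message should record that this fix is already contained in the new SRCREV on stable-0.10, for example `Drop CVE-2020-16135.patch, the fix is included in 0.10.4`, after confirming that the upstream commit is an ancestor of `e8322817a9e5aaef0698d779ddd467a209a85d85`. Without that line a later CVE audit of the recipe has no record of why the patch disappeared.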
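Review bot: The second hunk removes `-DLIB_SUFFIX=${@d.getVar('baselib').replace('lib', '')}` and `TOOLCHAIN = "gcc"` with no explanation, since the commit message mentions only the dropped CVE patch. If the 0.10 build no longer reads LIB_SUFFIX, the message should say so, and a multilib build with a non-default baselib should confirm that the library still installs under `${libdir}`. Removing the `TOOLCHAIN = "gcc"` pin presumably lets clang-based configurations build the recipe with clang, which is a behaviour change on a stable branch and deserves its own line in the message.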