From 9c1a23d9776cd52d5b23c1bcbff8c6ca90cd3b63 Mon Sep 17 00:00:00 2001
From: Jan Pavlinec
Date: Mon, 12 Aug 2019 14:44:10 +0200
Subject: [PATCH] libssh2: update to version 1.9.0 (security fix)
Changes: Fix CVE-2019-13115 Remove old patches Switch to cmake
Signed-off-by: Jan Pavlinec
---
 libs/libssh2/Makefile | 21 +++---
 .../libssh2/patches/01-fix-acinclude-m4.patch | 28 --------
 .../patches/02-openssl-deprecated.patch | 69 -------------------
 3 files changed, 13 insertions(+), 105 deletions(-)
 delete mode 100644 libs/libssh2/patches/01-fix-acinclude-m4.patch
 delete mode 100644 libs/libssh2/patches/02-openssl-deprecated.patch
diff --git a/libs/libssh2/Makefile b/libs/libssh2/Makefile
index c2d29ae3a3..7d438bbaae 100644
--- a/libs/libssh2/Makefile
+++ b/libs/libssh2/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libssh2
-PKG_VERSION:=1.8.2
+PKG_VERSION:=1.9.0
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.libssh2.org/download
-PKG_HASH:=088307d9f6b6c4b8c13f34602e8ff65d21c2dc4d55284dfe15d502c4ee190d67
+PKG_HASH:=d5fb8bd563305fd1074dda90bd053fb2d29fc4bce048d182f96eaa466dfadafd
 PKG_FIXUP:=autoreconf
@@ -28,6 +28,7 @@ PKG_CONFIG_DEPENDS:= \
 CONFIG_LIBSSH2_OPENSSL
 include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
 define Package/libssh2
 SECTION:=libs
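Review bot: `PKG_FIXUP:=autoreconf`, still present as a context line in the first Makefile hunk, looks left over now that the second hunk adds `include $(INCLUDE_DIR)/cmake.mk` and the package is configured through CMake. If the autoreconf fixup still runs, the build regenerates autotools files that are never used; dropping the `PKG_FIXUP:=autoreconf` line in this commit would keep the recipe consistent with the switch. The rest of the Makefile is outside the hunks, so confirm that nothing else still relies on the configure script.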
@@ -46,12 +47,16 @@ define Package/libssh2/config
 source "$(SOURCE)/Config.in"
 endef
-CONFIGURE_ARGS += \
- --disable-examples-build \
- --disable-silent-rules \
- $(if $(CONFIG_LIBSSH2_MBEDTLS),--with-mbedtls --with-libmbedtls-prefix=$(STAGING_DIR)/usr) \
- $(if $(CONFIG_LIBSSH2_OPENSSL),--with-openssl --with-libssl-prefix=$(STAGING_DIR)/usr) \
- --with-libz-prefix=$(STAGING_DIR)/usr
+CMAKE_OPTIONS += \
+ -DBUILD_SHARED_LIBS=ON \
+ -DENABLE_ZLIB_COMPRESSION=ON \
+ -DCLEAR_MEMORY=ON
+
+ifeq ($(CONFIG_LIBSSH2_OPENSSL),y)
+ CMAKE_OPTIONS += -DCRYPTO_BACKEND=OpenSSL
+else
+ CMAKE_OPTIONS += -DCRYPTO_BACKEND=mbedTLS
+endif
 define Build/InstallDev
 $(INSTALL_DIR) $(1)/usr/include
diff --git a/libs/libssh2/patches/01-fix-acinclude-m4.patch b/libs/libssh2/patches/01-fix-acinclude-m4.patch
deleted file mode 100644
index d4e11827dc..0000000000
--- a/libs/libssh2/patches/01-fix-acinclude-m4.patch
+++ /dev/null
@@ -1,28 +0,0 @@
---- a/acinclude.m4
-+++ b/acinclude.m4
-@@ -386,9 +386,9 @@ AC_DEFUN([LIBSSH2_CHECKFOR_MBEDTLS], [
-
- old_LDFLAGS=$LDFLAGS
- old_CFLAGS=$CFLAGS
-- if test -n "$use_mbedtls" && test "$use_mbedtls" != "no"; then
-- LDFLAGS="$LDFLAGS -L$use_mbedtls/lib"
-- CFLAGS="$CFLAGS -I$use_mbedtls/include"
-+ if test -n "$with_libmbedtls_prefix" && test "$use_mbedtls" != "no"; then
-+ LDFLAGS="$LDFLAGS -L$with_libmbedtls_prefix/lib"
-+ CFLAGS="$CFLAGS -I$with_libmbedtls_prefix/include"
- fi
-
- AC_LIB_HAVE_LINKFLAGS([mbedtls], [], [
-@@ -412,9 +412,9 @@ AC_DEFUN([LIBSSH2_CHECKFOR_GCRYPT], [
-
- old_LDFLAGS=$LDFLAGS
- old_CFLAGS=$CFLAGS
-- if test -n "$use_libgcrypt" && test "$use_libgcrypt" != "no"; then
-- LDFLAGS="$LDFLAGS -L$use_libgcrypt/lib"
-- CFLAGS="$CFLAGS -I$use_libgcrypt/include"
-+ if test -n "$with_libgcrypt_prefix" && test "$use_libgcrypt" != "no"; then
-+ LDFLAGS="$LDFLAGS -L$with_libgcrypt_prefix/lib"
-+ CFLAGS="$CFLAGS -I$with_libgcrypt_prefix/include"
- fi
- AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [
- #include
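Review bot: The `else` branch of the new `ifeq ($(CONFIG_LIBSSH2_OPENSSL),y)` block in the `CMAKE_OPTIONS` hunk of libs/libssh2/Makefile selects `-DCRYPTO_BACKEND=mbedTLS` for every configuration where OpenSSL is not set, whereas the removed `CONFIGURE_ARGS` tested `CONFIG_LIBSSH2_MBEDTLS` and `CONFIG_LIBSSH2_OPENSSL` separately. Config.in is not part of this diff, so it is unclear whether exactly one of the two symbols is always set; testing the symbol explicitly with `else ifeq ($(CONFIG_LIBSSH2_MBEDTLS),y)` would keep the crypto backend a deliberate choice rather than a silent fallback. The removed `--disable-examples-build` also has no counterpart in `CMAKE_OPTIONS`; if libssh2's CMake build enables examples and tests by default, adding `-DBUILD_EXAMPLES=OFF` and `-DBUILD_TESTING=OFF` would keep them out of the package build.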
diff --git a/libs/libssh2/patches/02-openssl-deprecated.patch b/libs/libssh2/patches/02-openssl-deprecated.patch
deleted file mode 100644
index eab0d86eea..0000000000
--- a/libs/libssh2/patches/02-openssl-deprecated.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-diff --git a/src/openssl.c b/src/openssl.c
-index 4f63ef9..411f9f6 100644
---- a/src/openssl.c
-+++ b/src/openssl.c
-@@ -1062,6 +1062,7 @@ _libssh2_pub_priv_keyfile(LIBSSH2_SESSION *session,
- "Unable to extract public key from private key "
- "file: Unable to open private key file");
- }
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (!EVP_get_cipherbyname("des")) {
- /* If this cipher isn't loaded it's a pretty good indication that none
- * are. I have *NO DOUBT* that there's a better way to deal with this
-@@ -1070,6 +1071,7 @@ _libssh2_pub_priv_keyfile(LIBSSH2_SESSION *session,
- */
- OpenSSL_add_all_ciphers();
- }
-+#endif
- BIO_reset(bp);
- pk = PEM_read_bio_PrivateKey(bp, NULL, NULL, (void*)passphrase);
- BIO_free(bp);
-@@ -1138,6 +1140,7 @@ _libssh2_pub_priv_keyfilememory(LIBSSH2_SESSION *session,
- if (!bp) {
- return -1;
- }
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (!EVP_get_cipherbyname("des")) {
- /* If this cipher isn't loaded it's a pretty good indication that none
- * are. I have *NO DOUBT* that there's a better way to deal with this
-@@ -1146,6 +1149,7 @@ _libssh2_pub_priv_keyfilememory(LIBSSH2_SESSION *session,
- */
- OpenSSL_add_all_ciphers();
- }
-+#endif
- BIO_reset(bp);
- pk = PEM_read_bio_PrivateKey(bp, NULL, NULL, (void*)passphrase);
- BIO_free(bp);
-diff --git a/src/openssl.h b/src/openssl.h
-index 3ca71fa..7a89793 100644
---- a/src/openssl.h
-+++ b/src/openssl.h
-@@ -40,7 +40,9 @@
- #include
- #include
- #include
-+#ifndef OPENSSL_NO_ENGINE
- #include
-+#endif
- #ifndef OPENSSL_NO_DSA
- #include
- #endif
-@@ -226,10 +228,18 @@ int _libssh2_md5_init(libssh2_md5_ctx *ctx);
- #define libssh2_hmac_cleanup(ctx) HMAC_cleanup(ctx)
- #endif
-
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#ifndef OPENSSL_NO_ENGINE
- #define libssh2_crypto_init() \
- OpenSSL_add_all_algorithms(); \
- ENGINE_load_builtin_engines(); \
- ENGINE_register_all_complete()
-+#else
-+#define libssh2_crypto_init() OpenSSL_add_all_algorithms()
-+#endif
-+#else
-+#define libssh2_crypto_init()
-+#endif
-
- #define libssh2_crypto_exit()
-