libssh2: revision bump to fix CVE-2016-0787

- adds patch copied from Debian to address CVE - fixes zlib detection - changes http to https links - updates maintainer's mail address Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
2018-01-30 15:25:23 +01:00 · 2018-01-30 15:25:23 +01:00 · f84cc525d6
parent 2b8f946204
commit f84cc525d6
2 changed files with 29 additions and 6 deletions
--- a/libs/libssh2/Makefile
+++ b/libs/libssh2/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2015 OpenWrt.org
+# Copyright (C) 2015 - 2018 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=libssh2
 PKG_VERSION:=1.6.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.libssh2.org/download
+PKG_SOURCE_URL:=https://www.libssh2.org/download
 PKG_MD5SUM:=00aabd6e714a5f42a4fb82ace20db1dd

 PKG_INSTALL:=1
@ -26,9 +26,9 @@ define Package/libssh2
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=SSH2 library
-  URL:=http://www.libssh2.org/
+  URL:=https://www.libssh2.org/
  DEPENDS:=+libopenssl +zlib
-  MAINTAINER:=Jiri Slachta <slachta@cesnet.cz>
+  MAINTAINER:=Jiri Slachta <jiri@slachta.eu>
 endef

 define Package/libssh2/description
@ -39,7 +39,8 @@ TARGET_CFLAGS += $(FPIC)

 CONFIGURE_ARGS += \
 	--disable-examples-build \
-	--with-libssl-prefix=$(STAGING_DIR)/usr
+	--with-libssl-prefix=$(STAGING_DIR)/usr \
+	--with-libz-prefix=$(STAGING_DIR)/usr

 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include
--- a/libs/libssh2/patches/0004-CVE-2016-0787.patch
+++ b/libs/libssh2/patches/0004-CVE-2016-0787.patch
@ -0,0 +1,22 @@
+Description: CVE-2016-0787: Truncated Difffie-Hellman secret length
+ Convert bytes to bits in diffie_hellman_sha1. Otherwise we get far too
+ small numbers.
+Origin: backport, http://www.libssh2.org/CVE-2016-0787.patch
+Forwarded: not-needed
+Author: Daniel Stenberg <daniel@haxx.se>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-02-18
+Applied-Upstream: 1.7.0
+---
+
+--- a/src/kex.c
+++ b/src/kex.c
+@@ -103,7 +103,7 @@ static int diffie_hellman_sha1(LIBSSH2_S
+         memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t));
+ 
+         /* Generate x and e */
+-        _libssh2_bn_rand(exchange_state->x, group_order, 0, -1);
+        _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1);
+         _libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p,
+                             exchange_state->ctx);
+