Commit Graph

21 Commits

Author SHA1 Message Date
Peter Korsgaard
f4f7dd9557 package/libssh2: security bump to latest git
Bump the version to latest git to fix the following security issues:

CVE-2019-3855
 Possible integer overflow in transport read allows out-of-bounds write
 URL: https://www.libssh2.org/CVE-2019-3855.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch

CVE-2019-3856
 Possible integer overflow in keyboard interactive handling allows
 out-of-bounds write
 URL: https://www.libssh2.org/CVE-2019-3856.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch

CVE-2019-3857
 Possible integer overflow leading to zero-byte allocation and out-of-bounds
 write
 URL: https://www.libssh2.org/CVE-2019-3857.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch

CVE-2019-3858
 Possible zero-byte allocation leading to an out-of-bounds read
 URL: https://www.libssh2.org/CVE-2019-3858.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch

CVE-2019-3859
 Out-of-bounds reads with specially crafted payloads due to unchecked use of
 `_libssh2_packet_require` and `_libssh2_packet_requirev`
 URL: https://www.libssh2.org/CVE-2019-3859.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

CVE-2019-3860
 Out-of-bounds reads with specially crafted SFTP packets
 URL: https://www.libssh2.org/CVE-2019-3860.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch

CVE-2019-3861
 Out-of-bounds reads with specially crafted SSH packets
 URL: https://www.libssh2.org/CVE-2019-3861.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch

CVE-2019-3862
 Out-of-bounds memory comparison
 URL: https://www.libssh2.org/CVE-2019-3862.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch

CVE-2019-3863
 Integer overflow in user authenticate keyboard interactive allows
 out-of-bounds writes
 URL: https://www.libssh2.org/CVE-2019-3863.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.txt

Drop 0003-openssl-fix-dereferencing-ambiguity-potentially-caus.patch as that
is now upstream.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-03-21 00:00:54 +01:00
Ferdinand van Aartsen
af0cd44a15 package: clean up remaining references to $(HOST_DIR)/usr
Signed-off-by: Ferdinand van Aartsen <ferdinand@ombud.nl>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-09-25 22:22:24 +02:00
Bernd Kuhls
9c31063b0f package/libssh2: bump version
Added license hash.

This bump includes "ECDSA key types are now explicit"
62b825c8af

which is needed by vlc since
http://git.videolan.org/?p=vlc.git;a=commitdiff;h=afee1e72a8e08866bbe35d1a57e859cac81052b4

Fixes
http://autobuild.buildroot.net/results/579/579e2418e59680ad4bf3dc85f2918457b6221bfa/
http://autobuild.buildroot.net/results/c73/c7348c442d3f585ace0bc62860f802dc08150776/
http://autobuild.buildroot.net/results/731/73187b883d7fe14b08a4903b326706c9d1f8b519/
http://autobuild.buildroot.net/results/f6d/f6d4fca6063c81a8e240fed4db89269e455f057e/
http://autobuild.buildroot.net/results/371/371f4f017f4a5af0ac6d6a8b1b8276858ad47f75/
http://autobuild.buildroot.net/results/d6a/d6a3b43211eb740bdebbb339668b854d26e878b7/
http://autobuild.buildroot.net/results/a05/a0576aeeb57a49958e5229d9ec08f2bd792d48b6/
http://autobuild.buildroot.net/results/57a/57a9ae2f157183a86fbf1b2cc5cbb38e948690ce/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-09-12 10:30:18 +02:00
Eric Le Bihan
93a911fd5b libssh2: add host variant
Allow build of host variant of libssh2, which depends on host-openssl.

Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-02-05 14:57:47 +01:00
Sam Voss
04a1031d34 package/libssh2: Add selectable crypto libraries
Currently, the selection of the backend is based on a priority order,
which is not always desirable: not all features are available for all
backends, as reported upstream:
    https://github.com/libssh2/libssh2/issues/213
In that particular case, the problem is that libgcrypt is unable to
read encrypted certificates created with openssl, but it is likely
that other incompatibilities exist as well.

As such, allow a user to select the backend most appropriate to their
use-case.

Note that this changes the defaults: previously, if openssl was already
selected and we additionally select libssh2, openssl would be used as
a backend. Now, mbedtls is the default so if the user doesn't change
it, mbedtls will be used.

Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
[Arnout: remove now-unneeded comment in .mk file]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2017-11-04 22:50:12 +01:00
Sam Voss
a660d1fc74 package/libssh2: update to newest version
Update libssh2 to use the newest version from git. This caused a
transition from released version number to hash as it has not been
version rev'd in over a year (see issue
https://github.com/libssh2/libssh2/issues/220 for bump request).

This brings in changes to the autoconf to correctly pick the crypto
library.

Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-11-01 10:56:14 +01:00
Baruch Siach
908960d98f libssh2: fix build with libgcrypt and mbedtls enabled
The --without-libgcrypt configure parameter is not enough to disable the
libgcrypt back-end. This breaks the build when mbedtls (default backend) is
enabled, and libgcrypt builds before libssh2. Seed ac_cv_libgcrypt to really
disable libgcrypt when it is not the selected crypto back-end.

Fixes:
http://autobuild.buildroot.net/results/b4e/b4e39890e003e9e590a5bf17c9300c653020d88c/
http://autobuild.buildroot.net/results/45a/45a9b3559ceea4e1399794f9612f717f7c57a4a3/
http://autobuild.buildroot.net/results/ae4/ae4afec62ca297df1cd02350601f1d62fc3cd1b7/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-07-29 15:52:19 +02:00
Baruch Siach
714df4cfed libssh2: add mbedtls backend
libssh2 supports mbedtls as crypto back-end library since version 1.8.0.

Default to mbedtls since it's smaller than either libgcrypt or openssl.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-11 21:34:56 +02:00
Baruch Siach
816ba1cee5 libssh2: fix link with libgcrypt
libssh2 uses the implicit 'yes' argument of the --with-libgcrypt parameter as
a library path prefix, which breaks the build. Pass the library path as
--with-libgcrypt argument to fix that. Drop the unneeded
--with-libgcrypt-prefix.

Fixes:
http://autobuild.buildroot.net/results/ac3/ac3a3f5871a6c20f5407a468809682ce491b9cb3/
http://autobuild.buildroot.net/results/ba3/ba31fa11b2ce2875649414dd9093e039dfc129e8/
http://autobuild.buildroot.net/results/b07/b07bbbf7fe164ba6dc435de6d8b41fadff7a3b08/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-09 23:10:22 +02:00
Baruch Siach
0dcf75eb7d libssh2: bump to version 1.8.0
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-09 11:12:22 +02:00
Yann E. MORIN
d8a2955a2b package/libssh2: fix dependency on libgcrypt
Since 2f89476 (package/libgpg-error: bump to version 1.23), libssh2 has
inherited the dependency from libgcrypt (propagated from libgpg-error).

However, since libssh2 can use either openssl or libgcrypt as a backend,
the dependency should be relaxed when openssl is available.

But the test is broken and inverted: it will make libssh unavailable as
soon as openssl is enabled.

Fix this dependency by doing what other similar packages do: select
openssl if the other crypto backend (here libgcrypt) is not enabled.
This also allows us to drop the propagated dependency on the arch
condition.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Cc: Jörg Krause <joerg.krause@embedded.rocks>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Cc: Romain Naour <romain.naour@openwide.fr>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-09-11 22:49:04 +02:00
Gustavo Zacarias
229ea8a18c libssh2: security bump to version 1.7.0
Fixes:
CVE-2016-0787 - diffie_hellman_sha256: convert bytes to bits.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-02-24 17:36:35 +01:00
Gustavo Zacarias
18df1fd088 libssh2: bump to version 1.6.0
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-01-08 18:46:24 +01:00
Arnout Vandecappelle
7d69a79624 packages: use backtick instead of $(shell ...) make function
It is often difficult to know exactly when make will expand the
variable, and usually it can only be expanded after the dependencies
have been built (e.g. pkg-config or the .pc file). Using a backtick
instead makes it very clear that it will be expanded only while
executing the command.

This change is useful for two cases:

1. The per-package staging (and host) directory will be created as part
   of the configure step, so any $(shell ...) variable that is used in
   the configure step will fail because the directory doesn't exist
   yet.

2. 'make printvars' evaluates the variables it prints. It will therefore
   trigger a lot of errors from missing .pc files and others. The
   backticks, on the other hand, are not expanded, so with this change
   the output of 'make printvars' becomes clean again.

This commit contains only the easy changes: replace $(shell ...) with
`...`, and also replace ' with " where needed. Follow-up commits will
tackle the more complicated cases that need additional explanation.

After this change, the following instances of $(shell ...) will remain:

- All assignments that use :=
- All variables that are used in make conditionals (which don't expand
  the backticks).
- All variables that only refer to system executables and make
  variables that don't change.
- The calls to check-host-* in dependencies.mk, because it is eval'ed.

[Original patch by Fabio Porcedda, but extended quite a bit by Arnout.]

Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-07-15 00:42:01 +02:00
Gustavo Zacarias
0df6ad5ddb libssh2: security bump to version 1.5.0
Fixes CVE-2015-1782 - kex: bail out on rubbish in the incoming packet.

Also add hash file.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2015-03-11 17:09:59 +01:00
Romain Naour
3f335ed550 package/libssh2: fix zlib library search path issues
Like for libgcrypt and openssl, help the configure script to find
zlib installed in STAGING_DIR.

Otherwise, it might find the one installed on the host:
checking how to link with libz... /usr/lib/libz.so -Wl,-rpath -Wl,/usr/lib

Fixes:
http://autobuild.buildroot.net/results/93b/93b43e114f21a22f0f8b7d7dd6774c089c426cd1

Signed-off-by: Romain Naour <romain.naour@openwide.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2015-02-14 22:01:49 +01:00
Peter Korsgaard
3b45139297 libssh2: fix static linking issue with libgcrypt
Fixes:
http://autobuild.buildroot.net/results/07e/07e50ba575b305b37e7a94a773c2b2e255393e9f/
http://autobuild.buildroot.net/results/072/07249f0a001a34ae608a8f8646b26a1152219252/
http://autobuild.buildroot.net/results/1c0/1c0447431e4c025732ea2eb8e9788e303f24fd04/
http://autobuild.buildroot.net/results/5e1/5e1f58c086e437b85b0d31310a93a3b2d0d70836/

And many more.

libgcrypt depends on libgpg-error and the configure script forgets to link
against it, breaking static linking. Fix it by using libgcrypt-config
--libs.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2014-11-18 15:31:33 +01:00
Thomas De Schampheleire
aaffd209fa packages: rename FOO_CONF_OPT into FOO_CONF_OPTS
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.

Sed command used:
   find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'

Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-10-04 18:54:16 +02:00
Jerzy Grzegorek
c7f4b96471 package: remove the trailing slash sign from <PKG>_SITE variable
Since the trailing slash is stripped from $($(PKG)_SITE) by pkg-generic.mk:

$(call DOWNLOAD,$($(PKG)_SITE:/=)/$($(PKG)_SOURCE))

so it is redundant.
This patch removes it from $(PKG)_SITE variable for BR consistency.

Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2014-07-31 23:17:46 +02:00
Ryan Barnett
4716290630 libssh2: fix library search path issues
Fix issues with some toolchains not finding libssl or libgcrypt.

Fixes http://autobuild.buildroot.net/results/eeaaf41c0c5f88357af8445750dce776774c2b5d
Fixes http://autobuild.buildroot.net/results/7a2590a7c3a1f52590f3e886b7cf9d04ad966a10

[Peter: indentation fixup]
Signed-off-by: Ryan Barnett <rjbarnet@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-09-26 16:54:52 +02:00
Ryan Barnett
2ee180e3e2 libssh2: add package
[Peter: minor white space tweaks]
Signed-off-by: Ryan Barnett <rjbarnet@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
2013-09-08 21:52:52 +02:00