[pkgsrc/trunk]: pkgsrc/security/libssh2 libssh2: update to 1.8.1.

[wiz <wiz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/bb7fc0fabb07
branches:  trunk
changeset: 331841:bb7fc0fabb07
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Mon Mar 25 22:52:15 2019 +0000

description:
libssh2: update to 1.8.1.

Version 1.8.1 (14 Mar 2019)

Will Cosgrove (14 Mar 2019)
- [Michael Buckley brought this change]

  More 1.8.0 security fixes (#316)

  * Defend against possible integer overflows in comp_method_zlib_decomp.

  * Defend against writing beyond the end of the payload in _libssh2_transport_read().

  * Sanitize padding_length - _libssh2_transport_read(). https://libssh2.org/CVE-2019-3861.html

  This prevents an underflow resulting in a potential out-of-bounds read if a server sends a too-large padding_length, possibly with malicious intent.

  * Prevent zero-byte allocation in sftp_packet_read() which could lead to an out-of-bounds read. https://libssh2.org/CVE-2019-3858.html

  * Check the length of data passed to sftp_packet_add() to prevent out-of-bounds reads.

  * Add a required_size parameter to sftp_packet_require et. al. to require callers of these functions to handle packets that are too short. https://libssh2.org/CVE-2019-3860.html

  * Additional length checks to prevent out-of-bounds reads and writes in _libssh2_packet_add(). https://libssh2.org/CVE-2019-3862.html

GitHub (14 Mar 2019)
- [Will Cosgrove brought this change]

  1.8 Security fixes (#314)

  * fixed possible integer overflow in packet_length

  CVE https://www.libssh2.org/CVE-2019-3861.html

  * fixed possible interger overflow with userauth_keyboard_interactive

  CVE https://www.libssh2.org/CVE-2019-3856.html

  * fixed possible out zero byte/incorrect bounds allocation

  CVE https://www.libssh2.org/CVE-2019-3857.html

  * bounds checks for response packets

  * fixed integer overflow in userauth_keyboard_interactive

  CVE https://www.libssh2.org/CVE-2019-3863.html

diffstat:

 security/libssh2/Makefile |   4 ++--
 security/libssh2/distinfo |  10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (27 lines):

diff -r 5d015f5a0af0 -r bb7fc0fabb07 security/libssh2/Makefile
--- a/security/libssh2/Makefile Mon Mar 25 22:49:16 2019 +0000
+++ b/security/libssh2/Makefile Mon Mar 25 22:52:15 2019 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.15 2016/10/31 16:18:02 wiz Exp $
+# $NetBSD: Makefile,v 1.16 2019/03/25 22:52:15 wiz Exp $
 
-DISTNAME=      libssh2-1.8.0
+DISTNAME=      libssh2-1.8.1
 CATEGORIES=    security
 MASTER_SITES=  https://www.libssh2.org/download/
 
diff -r 5d015f5a0af0 -r bb7fc0fabb07 security/libssh2/distinfo
--- a/security/libssh2/distinfo Mon Mar 25 22:49:16 2019 +0000
+++ b/security/libssh2/distinfo Mon Mar 25 22:52:15 2019 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.9 2016/10/31 16:18:02 wiz Exp $
+$NetBSD: distinfo,v 1.10 2019/03/25 22:52:15 wiz Exp $
 
-SHA1 (libssh2-1.8.0.tar.gz) = baf2d1fb338eee531ba9b6b121c64235e089e0f5
-RMD160 (libssh2-1.8.0.tar.gz) = 84c91d81503510673386714b30630fb3cb169725
-SHA512 (libssh2-1.8.0.tar.gz) = 289aa45c4f99653bebf5f99565fe9c519abc204feb2084b47b7cc3badc8bf4ecdedd49ea6acdce8eb902b3c00995d5f92a3ca77b2508b92f04ae0e7de7287558
-Size (libssh2-1.8.0.tar.gz) = 854916 bytes
+SHA1 (libssh2-1.8.1.tar.gz) = a6c8334b1c31eecb335a7f7f43278636e2033e9f
+RMD160 (libssh2-1.8.1.tar.gz) = 312c85af0b98b86abf1750a76c67e921b7d14f95
+SHA512 (libssh2-1.8.1.tar.gz) = f09ad9ed04d25305b966e7f8c210082fe06c2b236dcd5018b009bd0bd6aaff123d16559d280892a5060760ed055ffe295bc02dc6e8dd1e7b8383c6c703f09290
+Size (libssh2-1.8.1.tar.gz) = 858088 bytes