pkgsrc-Changes archive


CVS commit: pkgsrc/security/libssh2



Module Name:    pkgsrc
Committed By:   wiz
Date:           Mon Mar 25 22:52:16 UTC 2019

Modified Files:
        pkgsrc/security/libssh2: Makefile distinfo

Log Message:
libssh2: update to 1.8.1.

Version 1.8.1 (14 Mar 2019)

Will Cosgrove (14 Mar 2019)
- [Michael Buckley brought this change]

  More 1.8.0 security fixes (#316)

  * Defend against possible integer overflows in comp_method_zlib_decomp.

  * Defend against writing beyond the end of the payload in _libssh2_transport_read().

  * Sanitize padding_length - _libssh2_transport_read(). https://libssh2.org/CVE-2019-3861.html

  This prevents an underflow resulting in a potential out-of-bounds read if a server sends a too-large padding_length, possibly with malicious intent.

  * Prevent zero-byte allocation in sftp_packet_read() which could lead to an out-of-bounds read. https://libssh2.org/CVE-2019-3858.html

  * Check the length of data passed to sftp_packet_add() to prevent out-of-bounds reads.

  * Add a required_size parameter to sftp_packet_require et al. to require callers of these functions to handle packets that are too short. https://libssh2.org/CVE-2019-3860.html

  * Additional length checks to prevent out-of-bounds reads and writes in _libssh2_packet_add(). https://libssh2.org/CVE-2019-3862.html

GitHub (14 Mar 2019)
- [Will Cosgrove brought this change]

  1.8 Security fixes (#314)

  * fixed possible integer overflow in packet_length

  CVE https://www.libssh2.org/CVE-2019-3861.html

  * fixed possible integer overflow with userauth_keyboard_interactive

  CVE https://www.libssh2.org/CVE-2019-3856.html

  * fixed possible out zero byte/incorrect bounds allocation

  CVE https://www.libssh2.org/CVE-2019-3857.html

  * bounds checks for response packets

  * fixed integer overflow in userauth_keyboard_interactive

  CVE https://www.libssh2.org/CVE-2019-3863.html


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 pkgsrc/security/libssh2/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/security/libssh2/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/libssh2/Makefile
diff -u pkgsrc/security/libssh2/Makefile:1.15 pkgsrc/security/libssh2/Makefile:1.16
--- pkgsrc/security/libssh2/Makefile:1.15       Mon Oct 31 16:18:02 2016
+++ pkgsrc/security/libssh2/Makefile    Mon Mar 25 22:52:15 2019
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.15 2016/10/31 16:18:02 wiz Exp $
+# $NetBSD: Makefile,v 1.16 2019/03/25 22:52:15 wiz Exp $
 
-DISTNAME=      libssh2-1.8.0
+DISTNAME=      libssh2-1.8.1
 CATEGORIES=    security
 MASTER_SITES=  https://www.libssh2.org/download/
 
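Review bot: The DISTNAME line is the only thing this hunk changes besides the RCS id, and it is the only Makefile hunk in the commit, so any PKGREVISION further down the file (outside the six lines of context shown) would be carried over unchanged onto 1.8.1. Please confirm the Makefile has no PKGREVISION, or drop it as part of this version bump.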

Index: pkgsrc/security/libssh2/distinfo
diff -u pkgsrc/security/libssh2/distinfo:1.9 pkgsrc/security/libssh2/distinfo:1.10
--- pkgsrc/security/libssh2/distinfo:1.9        Mon Oct 31 16:18:02 2016
+++ pkgsrc/security/libssh2/distinfo    Mon Mar 25 22:52:15 2019
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.9 2016/10/31 16:18:02 wiz Exp $
+$NetBSD: distinfo,v 1.10 2019/03/25 22:52:15 wiz Exp $
 
-SHA1 (libssh2-1.8.0.tar.gz) = baf2d1fb338eee531ba9b6b121c64235e089e0f5
-RMD160 (libssh2-1.8.0.tar.gz) = 84c91d81503510673386714b30630fb3cb169725
-SHA512 (libssh2-1.8.0.tar.gz) = 289aa45c4f99653bebf5f99565fe9c519abc204feb2084b47b7cc3badc8bf4ecdedd49ea6acdce8eb902b3c00995d5f92a3ca77b2508b92f04ae0e7de7287558
-Size (libssh2-1.8.0.tar.gz) = 854916 bytes
+SHA1 (libssh2-1.8.1.tar.gz) = a6c8334b1c31eecb335a7f7f43278636e2033e9f
+RMD160 (libssh2-1.8.1.tar.gz) = 312c85af0b98b86abf1750a76c67e921b7d14f95
+SHA512 (libssh2-1.8.1.tar.gz) = f09ad9ed04d25305b966e7f8c210082fe06c2b236dcd5018b009bd0bd6aaff123d16559d280892a5060760ed055ffe295bc02dc6e8dd1e7b8383c6c703f09290
+Size (libssh2-1.8.1.tar.gz) = 858088 bytes
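Review bot: The new checksum lines for libssh2-1.8.1.tar.gz are only as trustworthy as the file they were generated from, and the SHA1 and RMD160 entries add little assurance on their own, so the SHA512 line is the one that matters. Before relying on it, compare it against a copy of the tarball whose upstream release signature has been validated, if upstream publishes one, rather than against the file as fetched. The Size change from 854916 to 858088 bytes is plausible for a patch release.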


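The padding_length item in the log message above (CVE-2019-3861), as an added example that is not libssh2's code and not part of the original commit mail: a minimal parser for the RFC 4253 packet layout, showing how an unchecked padding_length wraps the payload length and which range checks reject it. The function names and sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 4253 section 6 layout (shown unencrypted, without MAC):
 *   uint32 packet_length | byte padding_length | payload | padding
 * payload length = packet_length - padding_length - 1 */

/* The arithmetic without a range check: the unsigned result wraps when
 * padding_length exceeds packet_length - 1. Exposes the wrapped value only. */
static uint32_t payload_len_unchecked(uint32_t packet_length, uint8_t padding_length)
{
    return packet_length - padding_length - 1;
}

/* Hypothetical hardened parser: returns 0 and sets *payload / *payload_len,
 * or -1 if a length field is inconsistent with the bytes actually received. */
static int parse_packet(const uint8_t *buf, size_t buflen,
                        const uint8_t **payload, size_t *payload_len)
{
    if (buflen < 5)
        return -1;                       /* need both length fields */
    uint32_t packet_length = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                             ((uint32_t)buf[2] << 8) | buf[3];
    uint8_t padding_length = buf[4];
    if (packet_length < 1 || packet_length > buflen - 4)
        return -1;                       /* claims more than was received */
    if (padding_length > packet_length - 1)
        return -1;                       /* subtraction would underflow */
    *payload = buf + 5;
    *payload_len = packet_length - padding_length - 1;
    return 0;
}

/* Constructed sample packets (not captured traffic): 7-byte payload, 4 padding bytes. */
static const uint8_t good_pkt[] = { 0,0,0,12, 4,   'h','e','l','l','o','!','!', 0,0,0,0 };
/* Same bytes, but padding_length claims 200 bytes inside a 12-byte packet. */
static const uint8_t bad_pkt[]  = { 0,0,0,12, 200, 'h','e','l','l','o','!','!', 0,0,0,0 };

int main(void)
{
    const uint8_t *p; size_t n;
    printf("unchecked, padding=200: %u\n", (unsigned)payload_len_unchecked(12, 200));
    printf("good packet: %d\n", parse_packet(good_pkt, sizeof good_pkt, &p, &n));
    printf("oversized padding: %d\n", parse_packet(bad_pkt, sizeof bad_pkt, &p, &n));
    return 0;
}
```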
