From: bug#33067 <33067@debbugs.gnu.org>
To: bug#33067 <33067@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Reply-To: bug#33067 <33067@debbugs.gnu.org>
Date: Mon, 18 Aug 2025 18:07:46 +0000

retitle 33067 [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
reassign 33067 guix-patches
submitter 33067 Leo Famulari
severity 33067 normal
tag 33067 patch
thanks

From: Leo Famulari
To: guix-patches@gnu.org
Cc: ludo@gnu.org
Subject: [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Date: Tue, 16 Oct 2018 14:22:09 -0400
Message-Id: <5180914feebeadac877e9f9f540f0a6c5aab3baf.1539713945.git.leo@famulari.name>

This update should be tested with users of guile-ssh.

Also, Ludo, the bug report of the patch removed here is no longer online
(they have a new bug tracker at ). The patch doesn't apply, but since I
can't read the bug report, I don't know if the problem is fixed upstream,
or if we should adapt our patch.

* gnu/packages/ssh.scm (libssh): Update to 0.7.6.
[source]: Remove 'libssh-hostname-parser-bug.patch'.
* gnu/packages/patches/libssh-hostname-parser-bug.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
--- gnu/local.mk | 1 - .../patches/libssh-hostname-parser-bug.patch | 31 --------- gnu/packages/ssh.scm | 63 +++++++++---------- 3 files changed, 29 insertions(+), 66 deletions(-) delete mode 100644 gnu/packages/patches/libssh-hostname-parser-bug.patch diff --git a/gnu/local.mk b/gnu/local.mk index b8248e8da..8171fb2db 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -901,7 +901,6 @@ dist_patch_DATA = \ %D%/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch \ %D%/packages/patches/libsndfile-CVE-2017-8362.patch \ %D%/packages/patches/libsndfile-CVE-2017-12562.patch \ - %D%/packages/patches/libssh-hostname-parser-bug.patch \ %D%/packages/patches/libssh2-fix-build-failure-with-gcrypt.patch \ %D%/packages/patches/libtar-CVE-2013-4420.patch \ %D%/packages/patches/libtheora-config-guess.patch \ diff --git a/gnu/packages/patches/libssh-hostname-parser-bug.patch b/gnu/packages/patches/libssh-hostname-parser-bug.patch deleted file mode 100644 index 69f46cbdd..000000000 --- a/gnu/packages/patches/libssh-hostname-parser-bug.patch +++ /dev/null @@ -1,31 +0,0 @@ -Fix "Hostname" parsing in OpenSSH config files, as reported -at . - -From: Niels Ole Salscheider -Date: Mon, 8 May 2017 17:36:13 +0200 -Subject: [PATCH] Fix reading of the first parameter - -This is a fixup for 7b8b5eb4eac314a3a29be812bef0264c6611f6e7. -Previously, it would return as long as the parameter was _not_ seen -before. It also did not handle the case for the unsupported opcode (-1) -which would cause a segfault when accessing the "seen" array. ---- - src/config.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/config.c b/src/config.c -index 7c03b27..238a655 100644 ---- a/src/config.c -+++ b/src/config.c -@@ -218,8 +218,9 @@ static int ssh_config_parse_line(ssh_session session, const char *line, - } - - opcode = ssh_config_get_opcode(keyword); -- if (*parsing == 1 && opcode != SOC_HOST) { -- if (seen[opcode] == 0) { -+ if (*parsing == 1 && opcode != SOC_HOST && -+ opcode > SOC_UNSUPPORTED && opcode < SOC_END) { -+ if (seen[opcode] == 1) { - return 0; - } - seen[opcode] = 1; diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 362d427a2..6ade3e55b 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm 
@@ -65,40 +65,35 @@ #:use-module (srfi srfi-1)) (define-public libssh - ;; This commit from the 'v0-7' branch contains 7 memory-management-related - ;; bug fixes that we'd rather have. - (let ((commit "239d0f75b5f909174c2ef7fb08d23bcfa6b20ba0") - (revision "0")) - (package - (name "libssh") - (version (git-version "0.7.5" revision commit)) - (source (origin - (method git-fetch) - (uri (git-reference - (url "https://git.libssh.org/projects/libssh.git") - (commit commit))) - (sha256 - (base32 - "01w72w1jsgs9ilj3n1gp6qkmdxr9n74i5h2nipi3x1vzm7bv8na1")) - (patches (search-patches "libssh-hostname-parser-bug.patch")) - (file-name (git-file-name name version)))) - (build-system cmake-build-system) - (outputs '("out" "debug")) - (arguments - '(#:configure-flags '("-DWITH_GCRYPT=ON") - - ;; TODO: Add 'CMockery' and '-DWITH_TESTING=ON' for the test suite. - #:tests? #f)) - (inputs `(("zlib" ,zlib) - ("libgcrypt" ,libgcrypt))) - (synopsis "SSH client library") - (description - "libssh is a C library implementing the SSHv2 and SSHv1 protocol for -client and server implementations. With libssh, you can remotely execute -programs, transfer files, and use a secure and transparent tunnel for your -remote applications.") - (home-page "https://www.libssh.org") - (license license:lgpl2.1+)))) + (package + (name "libssh") + (version "0.7.6") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://git.libssh.org/projects/libssh.git") + (commit (string-append "libssh-" version)))) + (sha256 + (base32 + "0slwqa36mhyb6brdv2jvb9fxp7rvsv3ziv67kaxx615jxn52l5pa")) + (file-name (git-file-name name version)))) + (build-system cmake-build-system) + (outputs '("out" "debug")) + (arguments + '(#:configure-flags '("-DWITH_GCRYPT=ON") + + ;; TODO: Add 'CMockery' and '-DWITH_TESTING=ON' for the test suite. + #:tests? 
#f)) + (inputs `(("zlib" ,zlib) + ("libgcrypt" ,libgcrypt))) + (synopsis "SSH client library") + (description + "libssh is a C library implementing the SSHv2 and SSHv1 protocol for client +and server implementations. With libssh, you can remotely execute programs, +transfer files, and use a secure and transparent tunnel for your remote +applications.") + (home-page "https://www.libssh.org") + (license license:lgpl2.1+))) (define-public libssh2 (package -- 2.19.1
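
Review bot: Deleting gnu/packages/patches/libssh-hostname-parser-bug.patch drops the `opcode > SOC_UNSUPPORTED && opcode < SOC_END` guard in front of `seen[opcode]`, and the commit message only says the patch no longer applies, not that 0.7.6 contains an equivalent. The patch's own description says an unsupported opcode (-1) caused a segfault when accessing the "seen" array, so please compare ssh_config_parse_line in src/config.c at the libssh-0.7.6 tag against both changed lines (the range guard and `seen[opcode] == 1`) before removing the file. If only one of the two is upstream, rebase the patch to carry the remainder instead of deleting it.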
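
Review bot: In the libssh definition in gnu/packages/ssh.scm, the pin on commit 239d0f75b5f909174c2ef7fb08d23bcfa6b20ba0 is removed together with the comment saying it carries 7 memory-management-related bug fixes from the 'v0-7' branch, and nothing states that the `libssh-0.7.6` tag includes them. Please confirm the tag contains that commit and say so in the commit message. `#:tests? #f` is kept, so the build itself exercises none of this; the guile-ssh testing requested in the cover text should be done before this is closed.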

From: Leo Famulari
To: 33067-done@debbugs.gnu.org
Subject: Re: [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Date: Wed, 17 Oct 2018 18:50:30 -0400
Message-ID: <20181017225030.GA30415@jasmine.lan>

Pushed as a42648d858155930c078f7720c42a47765b2d0ee

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: guix-patches@gnu.org
Subject: Re: [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Date: Thu, 18 Oct 2018 01:11:12 +0200
In-Reply-To: <5180914feebeadac877e9f9f540f0a6c5aab3baf.1539713945.git.leo@famulari.name> (Leo Famulari's message of "Tue, 16 Oct 2018 14:22:09 -0400")
Message-ID: <87ftx49njj.fsf@gnu.org>

Hi Leo,

Leo Famulari writes:

> This update should be tested with users of guile-ssh.
>
> Also, Ludo, the bug report of the patch removed here is no longer online
> (they have a new bug tracker at ). The patch
> doesn't apply, but since I can't read the bug report, I don't know if
> the problem is fixed upstream, or if we should adapt our patch.

The patch changes just one ‘if’ condition. Could you check in 0.7.6 if
that condition matches what the patch changed?

I haven’t yet been able to test the change with Guile-SSH and Guix.

Thanks!
Ludo’.

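The ‘if’ condition asked about above is the `seen[opcode]` check changed by the removed patch. The following added example (not code from libssh, Guix or anyone in this thread) models its '-' and '+' versions side by side on a constructed keyword list. Only SOC_HOST, SOC_UNSUPPORTED (-1) and SOC_END are names from the page; the other opcodes, the keyword table and the verdict values are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model. SOC_HOST, SOC_UNSUPPORTED (-1) and SOC_END come from the
 * page; SOC_HOSTNAME, SOC_PORT, the table and the verdicts are hypothetical. */
enum opcode { SOC_UNSUPPORTED = -1, SOC_HOST, SOC_HOSTNAME, SOC_PORT, SOC_END };
enum verdict { APPLY, SKIP };

static enum opcode get_opcode(const char *keyword)
{
    static const struct { const char *name; enum opcode op; } table[] = {
        { "host", SOC_HOST }, { "hostname", SOC_HOSTNAME }, { "port", SOC_PORT },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(keyword, table[i].name) == 0)
            return table[i].op;
    return SOC_UNSUPPORTED;          /* unknown keyword maps to -1 */
}

/* Pre-patch logic ('-' lines): returns while the option is still unseen, so
 * seen[] is never set and every option line is dropped. */
static enum verdict check_old(enum opcode op, int seen[SOC_END])
{
    /* Added for this demo only, so it never indexes seen[-1]; the pre-patch
     * code had no such guard. */
    if (op <= SOC_UNSUPPORTED || op >= SOC_END)
        return SKIP;
    if (op != SOC_HOST) {
        if (seen[op] == 0)
            return SKIP;
        seen[op] = 1;
    }
    return APPLY;
}

/* Patched logic ('+' lines): index seen[] only for opcodes strictly between
 * SOC_UNSUPPORTED and SOC_END, and skip only a repeated option. */
static enum verdict check_new(enum opcode op, int seen[SOC_END])
{
    if (op != SOC_HOST && op > SOC_UNSUPPORTED && op < SOC_END) {
        if (seen[op] == 1)
            return SKIP;
        seen[op] = 1;
    }
    return (op > SOC_UNSUPPORTED && op < SOC_END) ? APPLY : SKIP;
}

/* Returns how many of the n keywords would be applied. */
static int count_applied(const char *const *kw, int n, int use_new)
{
    int seen[SOC_END] = { 0 }, applied = 0;
    for (int i = 0; i < n; i++) {
        enum opcode op = get_opcode(kw[i]);
        applied += (use_new ? check_new(op, seen) : check_old(op, seen)) == APPLY;
    }
    return applied;
}

/* Constructed sample: a repeated Hostname and one unknown keyword. */
static const char *const sample[] = { "hostname", "port", "hostname", "bogus" };

int main(void)
{
    printf("old=%d new=%d\n", count_applied(sample, 4, 0), count_applied(sample, 4, 1));
    return 0;
}
```

With the old check no option line is ever applied; with the patched check the first Hostname and Port are applied, the repeated Hostname is skipped, and the unknown keyword never reaches the array.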

From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 33067@debbugs.gnu.org
Subject: Re: [PATCH] gnu: libssh: Update to 0.7.6 [fixes CVE-2018-10933].
Date: Fri, 19 Oct 2018 10:29:40 +0200
In-Reply-To: <20181019033926.GA14834@jasmine.lan> (Leo Famulari's message of "Thu, 18 Oct 2018 23:39:26 -0400")
Message-ID: <87pnw6ibkb.fsf@gnu.org>

Hello!

Leo Famulari writes:

> Previously I reported the patch pushed and closed the bug. However, the
> push must have failed without me noticing. Now that I saw your message,
> I had more time to look at the patch and update it. Now pushed as
> eed00f93e8999712191e39c59c15e23461520f43
>
> On Thu, Oct 18, 2018 at 01:11:12AM +0200, Ludovic Courtès wrote:
>> The patch changes just one ‘if’ condition. Could you check in 0.7.6 if
>> that condition matches what the patch changed?
>
> The only upstream change was to fix the bug which would make it ignore
> valid configuration data when parsing the config file.
>
> Our patch also tightened the conditional that led to that point, so that
> the previously faulty check would not be passed some "dummy" constants.
>
> Not being able to read the original bug report, I can't tell if these
> extra changes were made in response to a bug that was actually
> experienced, or if we were just being cautious.
>
> Since nothing else changed upstream, it seems like the tightening can't
> hurt, at least the one regarding the SOC_END constant, which I think
> could still be used erroneously. But we should send it upstream.

Sounds good, thanks for checking!

Ludo’.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Fri, 16 Nov 2018 12:24:07 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator