Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libssh@packages.debian.org
Control: affects -1 + src:libssh
Hello,
a few days ago, a new libssh upstream microrelease [1] was published which fixes
two CVEs. I packaged it for unstable four days ago, it built everywhere, and
thus passed the (rather extensive) upstream tests, as well as the autopkgtest
integration tests everywhere [2]. I know one big consumer of libssh well -- cockpit
-- which also has successful tests against 0.10.5.
The packaging git already had a few rather harmless updates from the Debian
janitor [3] which I included into the unstable upload. I attached the debian/*
parts of the debdiff between current testing and unstable. If you want to
inspect the full upstream diff as well, I suggest the upstream git view for
the stable 0.10 branch [4], or the full debdiff view on salsa [5].
Salvatore Bonaccorso from the security team pointed out that libssh won't
auto-migrate any more at this point in time, so I'd like to coordinate these
two CVEs with you for fixing testing. If you consider 0.10.5 too risky at this
point, I can also prepare a backport similar to the update that I prepared for
stable-security, but it's more work, and backporting non-trivial patches is
also not risk-free. This gets coordinated in [6].
Thanks,
Martin
unblock libssh/0.10.5-1
[1] https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/
[2] https://tracker.debian.org/pkg/libssh
[3] https://salsa.debian.org/debian/libssh/-/commit/45b9437b4c4711584dba7debe6600aa2a2d7f6c4
https://salsa.debian.org/debian/libssh/-/commit/5feb4c4e0405e6af69d6d448ab934f7876d2ea90
https://salsa.debian.org/debian/libssh/-/commit/8e55b07477c194630bd60c049ca28c57da2881fd
[4] https://git.libssh.org/projects/libssh.git/log/?h=stable-0.10
[5] https://salsa.debian.org/debian/libssh/-/compare/4066480562aa1d2682bd5c8666631c1acd2a2777...debian?from_project_id=20695&straight=false
[6] https://bugs.debian.org/1035832
--- libssh-0.10.4/debian/changelog 2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/changelog 2023-05-10 06:00:26.000000000 +0000
@@ -1,3 +1,26 @@
+libssh (0.10.5-1) unstable; urgency=high
+
+ [ Martin Pitt ]
+ * New upstream security release (thus high urgency):
+ - Fix authenticated remote DoS through potential NULL dereference during rekeying
+ with algorithm guessing (CVE-2023-1667)
+ https://www.libssh.org/security/advisories/CVE-2023-1667.txt
+ - Client authentication bypass in pki_verify_data_signature() in low-memory
+ conditions with OpenSSL backend; gcrypt backend is not affected
+ https://www.libssh.org/security/advisories/CVE-2023-2283.txt
+ (CVE-2023-2283, Closes: #1035832)
+ * Bump Standards-Version to 4.6.2. No changes necessary.
+ * Drop debian/source/lintian-overrides. It now causes a "mismatched-override"
+ warning, and apparently is not necessary any more.
+ * debian/copyright: Drop files which don't exist any more.
+ Spotted by lintian's "superfluous-file-pattern" warnings.
+
+ [ Debian Janitor ]
+ * Bump debhelper from old 12 to 13.
+ * Avoid explicitly specifying -Wl,--as-needed linker flag.
+
+ -- Martin Pitt <mpitt@debian.org> Wed, 10 May 2023 08:00:26 +0200
+
libssh (0.10.4-2) unstable; urgency=medium
* autopkgtest: Drop valgrind run. This hasn't worked for years on many
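Review bot: the two CVE entries in the new changelog stanza are formatted inconsistently: the CVE-2023-1667 bullet puts the identifier in the description line ahead of the advisory URL, while the CVE-2023-2283 bullet puts it after the URL together with the Closes tag. Since these identifiers are what the security tracker and readers grep for, consider giving both bullets the same shape, e.g. "(CVE-2023-2283, Closes: #1035832)" on the description line followed by the advisory URL.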
diff -Nru libssh-0.10.4/debian/control libssh-0.10.5/debian/control
--- libssh-0.10.4/debian/control 2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/control 2023-05-10 06:00:26.000000000 +0000
@@ -4,7 +4,7 @@
Maintainer: Laurent Bigonville <bigon@debian.org>
Uploaders: Mike Gabriel <sunweaver@debian.org>, Martin Pitt <mpitt@debian.org>
Build-Depends: cmake (>= 2.8.5),
- debhelper-compat (= 12),
+ debhelper-compat (= 13),
libcmocka-dev <!nocheck>,
libgcrypt-dev,
libkrb5-dev | heimdal-dev,
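Review bot: the "+ debhelper-compat (= 13)," bump is a build-behaviour change that is unrelated to the two CVE fixes this unblock is about; compat 13 changes several dh defaults compared to 12. The changelog attributes it to the Debian Janitor, but the unblock request itself only says the package "built everywhere"; for a freeze-time upload it would help to state explicitly that the compat bump introduced no differences in the built binaries (or to defer it to after the release).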
@@ -15,7 +15,7 @@
pkg-config,
python3:any <!nocheck>,
Build-Depends-Indep: doxygen <!nodoc>, graphviz <!nodoc>
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
Rules-Requires-Root: no
Vcs-Git: https://salsa.debian.org/debian/libssh.git
Vcs-Browser: https://salsa.debian.org/debian/libssh
@@ -97,6 +97,7 @@
Suggests: doc-base
Depends: ${misc:Depends}
Build-Profiles: <!nodoc>
+Multi-Arch: foreign
Description: tiny C SSH library - Documentation files
The ssh library was designed to be used by programmers needing a working SSH
implementation by the mean of a library. The complete control of the client
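Review bot: the added "+Multi-Arch: foreign" line on the documentation package is not mentioned anywhere in the new changelog stanza, neither under [ Martin Pitt ] nor under [ Debian Janitor ]. Every change in a freeze-time debdiff should be accounted for in debian/changelog so the release team can see it is intentional; please add a bullet for it.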
diff -Nru libssh-0.10.4/debian/copyright libssh-0.10.5/debian/copyright
--- libssh-0.10.4/debian/copyright 2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/copyright 2023-05-10 06:00:26.000000000 +0000
@@ -23,7 +23,6 @@
tests/client/torture_connect.c
tests/client/torture_knownhosts.c
tests/client/torture_session.c
- tests/test_pcap.c
tests/test_socket.c
Copyright: 2003-2021, Aris Adamantiadis
2008-2018 Andreas Schneider <asn@cryptomilk.org>
@@ -39,7 +38,6 @@
examples/senddata.c
examples/CMakeLists.txt
include/libssh/ssh2.h
- tests/authentication.c
tests/benchmarks/bench1.sh
tests/benchmarks/bench2.sh
tests/chmodtest.c
@@ -47,13 +45,7 @@
tests/client/torture_sftp_dir.c
tests/client/torture_sftp_read.c
tests/cmdline.c
- tests/connection.c
tests/generate.py
- tests/sftp_stress/main.c
- tests/test_exec.c
- tests/test_ssh_bind_accept_fd.c
- tests/test_tunnel.c
- tests/tests.h
tests/unittests/torture_buffer.c
tests/unittests/torture_callbacks.c
tests/unittests/torture_channel.c
diff -Nru libssh-0.10.4/debian/rules libssh-0.10.5/debian/rules
--- libssh-0.10.4/debian/rules 2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/rules 2023-05-10 06:00:26.000000000 +0000
@@ -2,7 +2,7 @@
DEB_CMAKE_EXTRA_FLAGS := -DBUILD_STATIC_LIB=ON -DLIB_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) -DUNIT_TESTING=$(if $(filter nocheck,$(DEB_BUILD_OPTIONS)),OFF,ON) -DWITH_GSSAPI=ON
-export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,-O1 -Wl,--as-needed
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,-O1
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
%:
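Review bot: dropping "-Wl,--as-needed" from DEB_LDFLAGS_MAINT_APPEND while keeping "-Wl,-z,defs -Wl,-O1" is described in the changelog ("Avoid explicitly specifying -Wl,--as-needed linker flag"), but the request does not say whether the toolchain default now supplies the same behaviour. It is worth confirming that the NEEDED set of the resulting shared library is unchanged between 0.10.4-2 and 0.10.5-1, since an unintended extra dependency would show up as a runtime change for every consumer of libssh.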
diff -Nru libssh-0.10.4/debian/source/lintian-overrides libssh-0.10.5/debian/source/lintian-overrides
--- libssh-0.10.4/debian/source/lintian-overrides 2022-09-19 08:41:22.000000000 +0000
+++ libssh-0.10.5/debian/source/lintian-overrides 2023-05-10 06:00:26.000000000 +0000
@@ -1 +0,0 @@
-libssh source: very-long-line-length-in-source-file tests/keys/.*