From 1f6f56204191cc4bdda5918068c4b3f5c3ccdf2f Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Tue, 19 Mar 2019 09:48:01 +0100 Subject: [PATCH] libssh2: version bump/CVE fixes - CVE-2019-3855 Possible integer overflow in transport read allows out-of-bounds write - CVE-2019-3856 Possible integer overflow in keyboard interactive handling allows out-of-bounds write - CVE-2019-3857 Possible integer overflow leading to zero-byte allocation and out-of-bounds write - CVE-2019-3858 Possible zero-byte allocation leading to an out-of-bounds read - CVE-2019-3859 Out-of-bounds reads with specially crafted payloads due to unchecked use of `_libssh2_packet_require` and `_libssh2_packet_requirev` - CVE-2019-3860 Out-of-bounds reads with specially crafted SFTP packets - CVE-2019-3861 Out-of-bounds reads with specially crafted SSH packets - CVE-2019-3862 Out-of-bounds memory comparison - CVE-2019-3863 Integer overflow in user authenicate keyboard interactive allows out-of-bounds writes Signed-off-by: Sebastian Kemper --- libs/libssh2/Makefile | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libs/libssh2/Makefile b/libs/libssh2/Makefile index f591953bb..e0911f723 100644 --- a/libs/libssh2/Makefile +++ b/libs/libssh2/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libssh2 -PKG_VERSION:=1.7.0 -PKG_RELEASE:=2 +PKG_VERSION:=1.8.1 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.libssh2.org/download -PKG_MD5SUM:=b01662a210e94cccf2f76094db7dac5c +PKG_HASH:=40b517f35b1bb869d0075b15125c7a015557f53a5a3a6a8bffb89b69fd70f159 PKG_INSTALL:=1 @@ -35,12 +35,11 @@ define Package/libssh2/description libssh2 is a client-side C library implementing the SSH2 protocol. endef -TARGET_CFLAGS += $(FPIC) - CONFIGURE_ARGS += \ --disable-examples-build \ --with-libssl-prefix=$(STAGING_DIR)/usr \ - --with-libz-prefix=$(STAGING_DIR)/usr + --with-libz-prefix=$(STAGING_DIR)/usr \ + --with-openssl define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include