Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2021 December

 

Work done this month:
  • Worked on libssh2
    • The patch from jessie that solves CVE-2019-17498 applies cleanly, but the result does not build. The reason is that the patch uses functions introduced by other patches in the jessie version.
      • additional-bounds-checks-in-diffie_hellman_sha1.patch introduces libssh2_get_string
      • CVE-2019-3859-3+CVE-2019-13115.patch introduces libssh2_get_u32
    • A problem here is that CVE-2019-3859 was solved in a different way for stretch, but this can probably be solved by extracting those new functions from the patches above and introducing them as a separate fix.
    • Anton took over from here after I reported the status and how far I had analyzed it.