NetBSD Problem Report #47518

From www@NetBSD.org  Thu Jan 31 15:16:38 2013
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id E3C1363C07C
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 31 Jan 2013 15:16:37 +0000 (UTC)
Message-Id: <20130131151637.3F98C63C07C@www.NetBSD.org>
Date: Thu, 31 Jan 2013 15:16:37 +0000 (UTC)
From: noud4@home.nl
Reply-To: noud4@home.nl
To: gnats-bugs@NetBSD.org
Subject: security/libssh MUST be replaced by the real wip/libssh
X-Send-Pr-Version: www-1.0

>Number:         47518
>Category:       pkg
>Synopsis:       security/libssh MUST be replaced by the real wip/libssh
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          closed
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 31 15:20:00 +0000 2013
>Closed-Date:    Fri Feb 01 14:19:42 +0000 2013
>Last-Modified:  Fri Feb 01 18:40:03 +0000 2013
>Originator:     Noud de Brouwer
>Release:        does imply all releases that can build security/libssh
>Organization:
-none-
>Environment:
NetBSD 10.0.2.17 6.99.16 NetBSD 6.99.16 (MONOLITHIC.UGEN) #7: Wed Jan 16 02:06:10 UTC 2013  mickey55@10.0.2.17:/obj-src/sys/arch/i386/compile/MONOLITHIC.UGEN i386
>Description:
security/libssh is an imposter and wip/libssh is the real thing.

security/libssh/Makefile:
DISTNAME=       libssh-0.11
PKGREVISION=    3
CATEGORIES=     security
MASTER_SITES=   http://www.0xbadc0de.be/libssh/

wip/libssh/Makefile:
DISTNAME=               libssh-0.5.3
CATEGORIES=             security
MASTER_SITES=           http://www.libssh.org/files/0.5/

now what are the implications!!, we do _not_ know in the current situation if we are exploitable through:
CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562.

furthermore: this _total_ unknown security/libssh is used in
wip/gtk-grdc that can be removed given we now have net/remmina.

furthermore: we now have security/hydra,
if we want to keep this it should be in malware/hydra.

i high advise to retrieve ASau his account, even want his
sponsor to be monitored now (given i do not constant want to
check for booby-traps, backdoors and the like given time.)
>How-To-Repeat:
yeah (use your eyes and knowledge).
>Fix:
remove existing security/libssh and pull-up wip/libssh,
preferably immediate.

>Release-Note:

>Audit-Trail:
From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc: 
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Thu, 31 Jan 2013 16:29:52 +0100

 On Thu, Jan 31, 2013 at 03:20:01PM +0000, noud4@home.nl wrote:
 > security/libssh is an imposter and wip/libssh is the real thing.

 I think it's just a really old version.
 http://www.0xbadc0de.be/libssh/
 has a file listing that says:
 [ ] libssh-0.11.tgz	09-Jan-2008 19:50	297K
 [ ] libssh_now_at_www.libssh.org    26-Apr-2010 23:33	0

 > furthermore: we now have security/hydra,
 > if we want to keep this it should be in malware/hydra.

 Why?

 Btw, there's a newer version of hydra out.
 http://freeworld.thc.org/thc-hydra/

 > i high advise to retrieve ASau his account, even want his
 > sponsor to be monitored now

 What does he have to do with anything? Just because he was the last to
 commit to hydra (destdir related)?

 This mail is much too blatant for my taste.
  Thomas

From: Noud de Brouwer <noud4@home.nl>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Thu, 31 Jan 2013 15:42:44 +0000

 On Thu, 2013-01-31 at 15:30 +0000, Thomas Klausner wrote:
 >  This mail is much too blatant for my taste.

 err, no Thomas, you are in full mistake on this one,
 security/libssh is total blatant, not my PR and successive e-mails.
 >   Thomas
 -- noud

From: Noud de Brouwer <noud4@home.nl>
To: gnats-bugs@NetBSD.org, security-announce@NetBSD.org, 
 pkgsrc-users@NetBSD.org, netbsd-announce@netbsd.org, tech-pkg@netbsd.org
Cc: root@netbsd.org
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Thu, 31 Jan 2013 16:16:36 +0000

 (top post)

 vulnerabilities in NetBSD are no longer taken serious.

 example, take:
 CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562
 we can not say _anything_ if we have this vulnerability,
 given we have an impostor libssh and not _the_real_thing_
 that we do distribute to you all.

 i am total ashame our platform.

 On Thu, 2013-01-31 at 15:20 +0000, gnats-admin@netbsd.org wrote:
 > Thank you very much for your problem report.
 > It has the internal identification `pkg/47518'.
 > The individual assigned to look at your
 > report is: pkg-manager. 
 > 
 > >Category:       pkg
 > >Responsible:    pkg-manager
 > >Synopsis:       security/libssh MUST be replaced by the real wip/libssh
 > >Arrival-Date:   Thu Jan 31 15:20:00 +0000 2013

 http://mail-index.netbsd.org/pkgsrc-wip-cvs/2013/01/31/msg030641.html

 http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=47518


From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc: 
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Thu, 31 Jan 2013 17:59:39 +0100

 On Thu, Jan 31, 2013 at 04:15:03PM +0000, Noud de Brouwer wrote:
 >  furthermore: this _total_ unknown security/libssh

 The pkgsrc version is not a "total unknown" libssh. It is just a very
 old version of the one that is now on libssh.org.

 If you don't believe me, check it out yourself:
 # git clone git://git.libssh.org/projects/libssh.git libssh
 # cd libssh
 # git log -v | tail -7
 commit c65f56aefa50a2e2a78a0e45564526ecc921d74f
 Author: Aris Adamantiadis <aris@0xbadc0de.be>
 Date:   Tue Jul 5 01:21:44 2005 +0000

     first import

     git-svn-id: svn+ssh://svn.berlios.de/svnroot/repos/libssh/trunk@1 7dcaeef0-15fb-0310-b436-a5af3365683c
 # cd ..
 # tar xzf .../libssh-0.11.tgz
 # diff -r libssh-0.11 libssh | less
 Only in libssh: .git
 Only in libssh: Doxyfile
 diff -r libssh-0.11/Makefile.in libssh/Makefile.in
 22c22
 < VERSION=0.11
 ---
 > VERSION=0.12-dev
 63a64,65
 >       $(INSTALL) include/libssh/ssh2.h $(incldir)/libssh/
 >       $(INSTALL) include/libssh/ssh1.h $(incldir)/libssh/
 diff -r libssh-0.11/configure.in libssh/configure.in
 5c5
 < AC_INIT(libssh, 0.11 , aris@0xbadc0de.be)
 ---
 > AC_INIT(libssh, 0.2-dev , aris@0xbadc0de.be)
 (here follow about 2000 lines of changes since 0.11 and 0.12-dev)

 Also compare the email with the HOMEPAGE of the libssh package:
 HOMEPAGE=       http://0xbadc0de.be/

 So you can argue that we should have updated the package a long time
 ago, but that's true of quite a number of packages.
  Thomas

From: Noud de Brouwer <noud4@home.nl>
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Thu, 31 Jan 2013 17:17:07 +0000

 okay, no need to double-check you, so pull-up can be done innt.
 -- noud
 On Thu, 2013-01-31 at 17:00 +0000, Thomas Klausner wrote:
 > The following reply was made to PR pkg/47518; it has been noted by GNATS.
 > 
 > From: Thomas Klausner <wiz@NetBSD.org>
 > To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
 > Cc: 
 > Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 >  wip/libssh
 > Date: Thu, 31 Jan 2013 17:59:39 +0100
 > 
 >  On Thu, Jan 31, 2013 at 04:15:03PM +0000, Noud de Brouwer wrote:
 >  >  furthermore: this _total_ unknown security/libssh
 >  
 >  The pkgsrc version is not a "total unknown" libssh. It is just a very
 >  old version of the one that is now on libssh.org.
 >  
 >  If you don't believe me, check it out yourself:
 >  # git clone git://git.libssh.org/projects/libssh.git libssh
 >  # cd libssh
 >  # git log -v | tail -7
 >  commit c65f56aefa50a2e2a78a0e45564526ecc921d74f
 >  Author: Aris Adamantiadis <aris@0xbadc0de.be>
 >  Date:   Tue Jul 5 01:21:44 2005 +0000
 >  
 >      first import
 >      
 >      git-svn-id: svn+ssh://svn.berlios.de/svnroot/repos/libssh/trunk@1 7dcaeef0-15fb-0310-b436-a5af3365683c
 >  # cd ..
 >  # tar xzf .../libssh-0.11.tgz
 >  # diff -r libssh-0.11 libssh | less
 >  Only in libssh: .git
 >  Only in libssh: Doxyfile
 >  diff -r libssh-0.11/Makefile.in libssh/Makefile.in
 >  22c22
 >  < VERSION=0.11
 >  ---
 >  > VERSION=0.12-dev
 >  63a64,65
 >  >       $(INSTALL) include/libssh/ssh2.h $(incldir)/libssh/
 >  >       $(INSTALL) include/libssh/ssh1.h $(incldir)/libssh/
 >  diff -r libssh-0.11/configure.in libssh/configure.in
 >  5c5
 >  < AC_INIT(libssh, 0.11 , aris@0xbadc0de.be)
 >  ---
 >  > AC_INIT(libssh, 0.2-dev , aris@0xbadc0de.be)
 >  (here follow about 2000 lines of changes since 0.11 and 0.12-dev)
 >  
 >  Also compare the email with the HOMEPAGE of the libssh package:
 >  HOMEPAGE=       http://0xbadc0de.be/
 >  
 >  So you can argue that we should have updated the package a long time
 >  ago, but that's true of quite a number of packages.
 >   Thomas
 >  


State-Changed-From-To: open->closed
State-Changed-By: mbalmer@NetBSD.org
State-Changed-When: Thu, 31 Jan 2013 21:09:15 +0000
State-Changed-Why:
We do not want PRs that insult or attack people.


From: Noud de Brouwer <noud4@home.nl>
To: gnats-bugs@NetBSD.org
Cc: tech-pkg@netbsd.org
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Thu, 31 Jan 2013 22:32:58 +0000

 there's an update

 http://mail-index.netbsd.org/pkgsrc-wip-cvs/2013/01/31/msg030643.html

 Log Message:
 libssh 0.5.4 (SECURITY RELEASE)
 CVE-2013-0176 - NULL dereference leads to denial of service.
 -- noud

State-Changed-From-To: closed->analyzed
State-Changed-By: is@NetBSD.org
State-Changed-When: Fri, 01 Feb 2013 14:19:03 +0000
State-Changed-Why:
It turns out the major consumer, remmina/remmina-plugins, needs libssh>0.4
anyway - else ssh functionality is ignored.
It further turns out that Hydra claims to work with 0.4.x nowadays.

The wip package can't be directly used because we need to keep ordering
between the old and the new versions - 0.11 should have been named 0.1.1
more than 5 years ago by upstream.

Also, PLIST needs fixing, and maintainer needs to be set to a working
address.


State-Changed-From-To: analyzed->closed
State-Changed-By: is@NetBSD.org
State-Changed-When: Fri, 01 Feb 2013 14:19:42 +0000
State-Changed-Why:
committed with fixes.


From: Noud de Brouwer <noud4@home.nl>
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, pkgsrc-bugs@netbsd.org, gnats-admin@netbsd.org,
  is@NetBSD.org, tech-pkg@netbsd.org
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Fri, 01 Feb 2013 16:39:26 +0000

 On Fri, 2013-02-01 at 14:19 +0000, is@NetBSD.org wrote:
 > Synopsis: security/libssh MUST be replaced by the real wip/libssh
 > 
 > State-Changed-From-To: analyzed->closed
 > State-Changed-By: is@NetBSD.org
 > State-Changed-When: Fri, 01 Feb 2013 14:19:42 +0000
 > State-Changed-Why:
 > committed with fixed.

 the package now does not build.

 you a) forgot to pull-up wip/libssh/options.mk
 b) forgot to adopt buildlink3.mk the version.

 further, i advise to take the version as is,
 and not construct some that is not immediate
 recognisable(sp) for an outsider.

 pls address a) and b). thanks,
 -- noud

From: is@netbsd.org
To: 
Cc: gnats-bugs@NetBSD.org, pkg-manager@netbsd.org, pkgsrc-bugs@netbsd.org,
	gnats-admin@netbsd.org, is@NetBSD.org, tech-pkg@netbsd.org
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Fri, 1 Feb 2013 17:47:57 +0100

 Hi,

 On Fri, Feb 01, 2013 at 04:39:26PM +0000, Noud de Brouwer wrote:
 > On Fri, 2013-02-01 at 14:19 +0000, is@NetBSD.org wrote:
 > > Synopsis: security/libssh MUST be replaced by the real wip/libssh
 > > 
 > > State-Changed-From-To: analyzed->closed
 > > State-Changed-By: is@NetBSD.org
 > > State-Changed-When: Fri, 01 Feb 2013 14:19:42 +0000
 > > State-Changed-Why:
 > > committed with fixed.
 > 
 > the package now does not build.
 > 
 > you a) forgot to pull-up wip/libssh/options.mk

 oh right. Thanks for beta-testing.

 > b) forgot to adopt buildlink3.mk the version.

 Hm, yes, right.

 > further, i advise to take the version as is,
 > and not construct some that is not immediate
 > recognisable(sp) for an outsider.

 sorry, this would break pkg_admin audit - which is used to warn
 users against known security problems - as well as updating the
 package from pkgsrc.

 We can switch to the new upstream version numbers when they reach "1.0".

 	-is
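
The version-ordering problem raised in the analysis note and in the reply above (0.11 sorts above 0.5.x, which affects both the audit check and updates), as an added example that is not pkgsrc's or pkg_install's own code. It uses a simplified dotted-integer comparison with an optional nbN revision suffix; the advisory entry is constructed from the 0.5.4 / CVE-2013-0176 log message quoted earlier in this PR, and the example shows only what the range check reports, not whether 0.11 contains the bug.

```python
import re

def parse_version(v):
    """Split 'X.Y.Z[nbN]' into ([X, Y, Z], N); N is the pkgsrc PKGREVISION."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:nb(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return [int(p) for p in m.group(1).split(".")], int(m.group(2) or 0)

def compare(a, b):
    """Return -1, 0 or 1. Components compare as integers, so 11 > 5."""
    (pa, ra), (pb, rb) = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    ka = (pa + [0] * (width - len(pa)), ra)
    kb = (pb + [0] * (width - len(pb)), rb)
    return (ka > kb) - (ka < kb)

OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0}

def matches(pattern, name, version):
    """Evaluate a 'name<version' style range pattern against one package."""
    m = re.fullmatch(r"(.+?)(<=|>=|<|>)(.+)", pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern!r}")
    pat_name, op, bound = m.groups()
    return pat_name == name and OPS[op](compare(version, bound))

# Constructed advisory entry, written against upstream's numbering; the page
# names 0.5.4 as the release fixing CVE-2013-0176.
ADVISORIES = [("libssh<0.5.4", "CVE-2013-0176")]

def audit(name, version):
    """Return the advisory ids whose pattern matches the installed package."""
    return [ident for pattern, ident in ADVISORIES
            if matches(pattern, name, version)]

if __name__ == "__main__":
    # 0.11nb3 is the old package (DISTNAME libssh-0.11, PKGREVISION 3);
    # 0.1.1 is the name the analysis note says 0.11 should have had.
    for installed in ("0.11nb3", "0.1.1", "0.5.3", "0.5.4"):
        print(f"libssh-{installed:8} flagged: {audit('libssh', installed)}")
    # -1 means the fixed release would look like a downgrade from 0.11nb3.
    print("0.5.4 vs 0.11nb3:", compare("0.5.4", "0.11nb3"))
```

A range pattern with an upper bound in upstream's 0.5.x numbering never matches an installed 0.11, and an update from 0.11 to 0.5.4 compares as a downgrade, which is why the committed package needed a version that still sorts above 0.11.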

From: Noud de Brouwer <noud4@home.nl>
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,
  tech-pkg@netbsd.org
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real
 wip/libssh
Date: Fri, 01 Feb 2013 18:41:40 +0000

 On Fri, 2013-02-01 at 16:50 +0000, is@netbsd.org wrote:
 > oh right. Thanks for beta-testing.

 Welcome. no thanks needed and pity them did not handle this correct
 in the first place.

 >  sorry, this would break pkg_admin audit - which is used to warn
 >  users against known security problems - as well as updating the
 >  package from pkgsrc.

 not real but yes i see where things can botch in an automated deploy.
 plus, is now pkg_admin audit still wrong in this whole?

 >  We can switch to the new upstream version numbers when they reach "1.0".

 maybe notify upstream about our somewhat strange versions behavior.
 maybe a small note viewable for our pkg users?
 so them know what they drive, like pkgsrc users can see.
 maybe notify upstream we did now final bump our pkg version theres.

 -- noud

>Unformatted:
