From 688a2e4d988804f9f34688392292719f005228b5 Mon Sep 17 00:00:00 2001
From: Leonardo Arena
Date: Thu, 25 Feb 2016 11:09:18 +0000
Subject: main/libssh2: security fix (CVE-2016-0787). Fixes #5182

(cherry picked from commit 3bf1d9071528d84001ffc0f7565000af2c20023b)
---
 main/libssh2/APKBUILD | 13 ++++++++++---
 main/libssh2/CVE-2016-0787.patch | 21 +++++++++++++++++++++
 2 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 main/libssh2/CVE-2016-0787.patch

diff --git a/main/libssh2/APKBUILD b/main/libssh2/APKBUILD
index bbe3d29a78..e01c0de012 100644
--- a/main/libssh2/APKBUILD
+++ b/main/libssh2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa
 pkgname=libssh2
 pkgver=1.4.3
-pkgrel=0
+pkgrel=1
 pkgdesc="library for accessing ssh1/ssh2 protocol servers"
 url="http://libssh2.org/"
 arch="all"
@@ -12,7 +12,9 @@ depends_dev="openssl-dev zlib-dev"
 makedepends="$depends_dev"
 install=""
 subpackages="$pkgname-dev $pkgname-doc"
-source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz"
+source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz
+ CVE-2016-0787.patch
+ "
 _builddir="$srcdir"/libssh2-$pkgver
 prepare() {
@@ -46,4 +48,9 @@ package() {
 rm -f "$pkgdir"/usr/lib/*.la
 }
-md5sums="071004c60c5d6f90354ad1b701013a0b libssh2-1.4.3.tar.gz"
+md5sums="071004c60c5d6f90354ad1b701013a0b libssh2-1.4.3.tar.gz
+6f9fdb632b8946a33a9ab22d3de8afce CVE-2016-0787.patch"
+sha256sums="eac6f85f9df9db2e6386906a6227eb2cd7b3245739561cad7d6dc1d5d021b96d libssh2-1.4.3.tar.gz
+dd8a847a1ecf2df6b968273c97ea96aeb9393c51d9cb7597b04df4b930bf57d5 CVE-2016-0787.patch"
+sha512sums="707e0634b74fcf0f5ae4e46d9807907db7cd09328d553a67c49e9e11d852ae85843a7dcbe3f002e639eb2704e53e865c640c8fe85dcada330d0160708e8b5177 libssh2-1.4.3.tar.gz
+b94362a9cc29e9d74bc1a2dddf12e61346d33868c6e3667647d676772ee29c10404f07310de9c2a072af0258b0428b313a0a9987b823ad1eb0cc1f4bf97102af CVE-2016-0787.patch"
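Review bot: Listing `CVE-2016-0787.patch` in `source` (second APKBUILD hunk) only fetches and checksums the file; nothing visible in this diff applies it, and `prepare()` opens on that hunk's last line with its body outside the diff. If `prepare()` does not already apply every `*.patch` entry from `$source`, the package would build unpatched while the `pkgrel` bump advertises the fix, so confirm that step exists or add one such as `patch -p1 -i "$srcdir"/CVE-2016-0787.patch` after changing into `$_builddir`. The tarball URL on the same line is still plain `http://`, so integrity rests entirely on the checksums added in the last hunk; a comment above `source` such as `# fetched over HTTP; integrity relies on the checksums below` would record that.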
diff --git a/main/libssh2/CVE-2016-0787.patch b/main/libssh2/CVE-2016-0787.patch
new file mode 100644
index 0000000000..883f0c2d08
--- /dev/null
+++ b/main/libssh2/CVE-2016-0787.patch
@@ -0,0 +1,21 @@
+Description: CVE-2016-0787: Truncated Difffie-Hellman secret length
+ Convert bytes to bits in diffie_hellman_sha1. Otherwise we get far too
+ small numbers.
+Origin: backport, http://www.libssh2.org/CVE-2016-0787.patch
+Forwarded: not-needed
+Author: Daniel Stenberg
+Reviewed-by: Salvatore Bonaccorso
+Last-Update: 2016-02-18
+Applied-Upstream: 1.7.0
+---
+
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -103,7 +103,7 @@ static int diffie_hellman_sha1(LIBSSH2_S
+ memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t));
+
+ /* Generate x and e */
+- _libssh2_bn_rand(exchange_state->x, group_order, 0, -1);
++ _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1);
+ _libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p,
+ exchange_state->ctx);
-- cgit v1.2.3
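Review bot: The changed `_libssh2_bn_rand(...)` call still discards its result, so if the backend's random-number call fails, `exchange_state->x` may not hold a fresh private exponent, yet the next line computes `e` from it anyway. Whether the macro yields a status depends on the crypto backend, which is not visible here, and a distribution backport should stay identical to upstream, so this is a follow-up to raise upstream rather than a change to this file. The line would also benefit from a comment recording the unit conversion the description mentions, for example `/* group_order is a byte count; the generator takes a bit length, hence * 8 - 1 */`. The body of `diffie_hellman_sha1` begins and ends outside the hunk, so other uses of `group_order` could not be checked.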