[MIR] libssh2

Bug #681423 reported by Martin Lindhe on 2010-11-25
52
This bug affects 8 people
Affects Status Importance Assigned to Milestone
libssh2 (Ubuntu)
Undecided
Ubuntu Security Team

Bug Description

Rationale:
  * moving this to main would resolve lp bug #311029
  * its a (optional) dependency for curl, already in main
  * it can be made to replace libssh (already in main), have more features and being active developed; see feature comparison: http://www.libssh2.org/libssh2-vs-libssh.html
  * however, libssh-depending apps would need to be updated so in the mean time it would need to duplicate what libssh does
  * all libssh2 build dependencies are already in main
  * i could not find any past security bugs for libssh2

I've checked the MIR requirements as careful as I can. This is my first MIR request so please forgive me if i made a mistake.

description: updated
Jonathan Thomas (echidnaman) wrote :

I believe the comments in the libssh MIR are relevant here: bug 492931

Andreas Schneider (cynapses) wrote :

Hi,

does this mean you want to rewrite kio_sftp and maintain it in future cause you believe the FUD written down at http://www.libssh2.org/libssh2-vs-libssh.html ?

Martin Lindhe (martinlindhe) wrote :

I detect some agressivenes from Andreas Schneider here and also at bug #492931 he claims FUD, but could you please clarify where this FUD is?
Please do so in your blog and not here. This is a bug tracker and no place for personal vendettas.

I do want to understand the situation as to where there is two libs for the same thing, and have thus contacted Daniel from libssh2 / curl for a response. He is currently in Thailand though so will get back from him in a few weeks.

PS. i am not involved in libssh or libssh2... just trying to resolve a user case issue (#311029)

Andreas Schneider (cynapses) wrote :

There are two libraries which implement the SSH protocol. Both are well maintained and under active development. Developers prefer one or the other, cause they have different feature sets. There is no reason to replace libssh cause of that page. curl uses libssh2 and other applications are using libssh.

You don't remove GTK from a distribution cause there is QT.

Andreas Schneider (cynapses) wrote :

libssh2 should be included in the distribution, but you should stop forcing people to choose the libraries they want to use to develop applications.

Michael Terry (mterry) on 2011-01-19
Changed in libssh2 (Ubuntu):
assignee: nobody → Kees Cook (kees)
Kees Cook (kees) wrote :

I'd like to see a few things fixed up before this goes into main:

- build-time FORTIFY_SOURCE warnings should be appropriately fixed, for example:
  sftp.c: In function 'kbd_callback':
  sftp.c:78: warning: ignoring return value of 'fgets', declared with attribute warn_unused_result
  sftp.c: In function 'main':
  sftp.c:259: warning: ignoring return value of 'write', declared with attribute warn_unused_result

- I'd like to see the upstream tests actually run at build-time

Beyond that, it looks fine to me.

Changed in libssh2 (Ubuntu):
status: New → Incomplete
assignee: Kees Cook (kees) → nobody
Daniel Stenberg (daniel-haxx) wrote :

Those warnings are from the example code, not from code that is used in the actual library. Upstream will still appreciate a patch to fix them of course.

Launchpad Janitor (janitor) wrote :

[Expired for libssh2 (Ubuntu) because there has been no activity for 60 days.]

Changed in libssh2 (Ubuntu):
status: Incomplete → Expired
Robin Munn (rmunn) wrote :

This MIR expired without a decision being made. But since a project I'm working on needs bug #311029 to be fixed, and #311029 is in turned blocked by this MIR, I'm reopening the MIR to hopefully make some progress on it.

Changed in libssh2 (Ubuntu):
status: Expired → New
Robin Munn (rmunn) wrote :

One of the concernes that Kees Cook raised over this MIR was the compile-time warnings about ignored return values. While those only appear in example code and not in actual library code, it's always best to heed the warnings the compiler gives. I've written a patch to fix the compile-time warnings in the example code by actually checking the return values and doing something about them.

Robin Munn (rmunn) wrote :

The other concern was that the upstream tests should actually run at build time. This patch addresses that concern.

Michael Terry (mterry) on 2012-12-19
Changed in libssh2 (Ubuntu):
assignee: nobody → Adam Conrad (adconrad)
Robin Munn (rmunn) wrote :

It's been a month since I reopened this MIR, and no apparent activity.

@adconrad - Have you noticed anything else besides the possible problems Kees Cook identified and I've submitted patches for? Are there any other reasons why this package could not go into main? LP #311029 depends on this getting resolved, and I'd like to see that one fixed in time for Raring. Which means this one also needs action soon.

Thomas Leavitt (u-tho4as-f) wrote :

Hey, we'd really like it if the packaged version of curl supported sftp, it is unexpected from an end user standpoint when it doesn't, especially given that the man page specifically says so:

curl is a tool to transfer data from or to a server, using one of the
supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP,
IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS,
TELNET and TFTP). The command is designed to work without user inter‐
action.

***

The end user shouldn't have to run curl -V to find out that this is not true for Ubuntu.

Looking through the comments here, it looks like the patches Robin Munn submitted actually fix the issues identified. What's the block on implementing this?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libssh2 (Ubuntu):
status: New → Confirmed
Adam Conrad (adconrad) on 2016-02-16
Changed in libssh2 (Ubuntu):
assignee: Adam Conrad (adconrad) → nobody
Michael Terry (mterry) on 2016-02-16
Changed in libssh2 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)

Ping? nmap is blocked by this, it has always been using its embedded libssh2, and now it has moved to the system one.

I don't want to use embedded libssh2 libraries

Matthias Klose (doko) wrote :

security team, please could you re-review this. There seem to be now at least two users in main: curl and nmap

Changed in libssh2 (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Ubuntu Security Team (ubuntu-security)

FYI: qemu would be able to drop one delta as well, not too important for our users but nice to have (ssh to remote disks).

FYI: qemu switched to libssh, so we don't need it for that anymore.
Bu tunless it changed as Matthias outlined curl and nmap would still benefit.

Seth Arnold (seth-arnold) wrote :

Chris, do you recall if upstream responded sufficiently to your findings? If they did, can you report back whether or not this package should be promoted to main?

Thanks

Hi Seth,
do you mean me or "Chris Coulson" who is also subscribed?

If you meant me: As I said in comment #18, the reason to promote it for qemu is gone (that was my motivation to participate here), but curl/nmap would still benefit.
There are no further updates to this from my side.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers