Ticket #4259: SFTPFS VFS: verify server fingerprint (CVE-2021-36370).

This vulnerability was discovered by AUT-milCERT during an audit of open source software. Initial changeset: set minimal version of libssh2 to 1.2.8. Signed-off-by: Andrew Borodin <[email protected]>
davidklika · Jul 26, 2021 · b0450a1 · b0450a1
1 parent fa9ea0d
commit b0450a1
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 7 deletions.
diff --git a/doc/INSTALL b/doc/INSTALL
@@ -18,7 +18,7 @@ Build requirements for GNU Midnight Commander
 - glib2 >= 2.30
 - slang2 or ncurses
 - gettext >= 0.18.2
-- libssh2 >= 1.2.5 is required only for sftp vfs (1.2.7 if you need ssh-agent support)
+- libssh2 >= 1.2.8 is required only for sftp vfs
 - libaspell to support spell checking in the internal editor
 - ext2fs >= 1.42.4 to support ext{2,3,4}fs extended attributes
 

diff --git a/m4.include/vfs/mc-vfs-sftp.m4 b/m4.include/vfs/mc-vfs-sftp.m4
@@ -4,7 +4,7 @@ AC_DEFUN([mc_VFS_SFTP],
     AC_ARG_ENABLE([vfs-sftp],
                   AS_HELP_STRING([--enable-vfs-sftp], [Support for SFTP filesystem [auto]]))
     if test "$enable_vfs" != "no" -a x"$enable_vfs_sftp" != x"no"; then
-        PKG_CHECK_MODULES(LIBSSH, [libssh2 >= 1.2.5], [found_libssh=yes], [:])
+        PKG_CHECK_MODULES(LIBSSH, [libssh2 >= 1.2.8], [found_libssh=yes], [:])
         if test x"$found_libssh" = "xyes"; then
             mc_VFS_ADDNAME([sftp])
             AC_DEFINE([ENABLE_VFS_SFTP], [1], [Support for SFTP filesystem])
@@ -13,7 +13,7 @@ AC_DEFUN([mc_VFS_SFTP],
         else
             if test x"$enable_vfs_sftp" = x"yes"; then
                 dnl user explicitly requested feature
-                AC_MSG_ERROR([libssh2 >= 1.2.5 library not found])
+                AC_MSG_ERROR([libssh2 >= 1.2.8 library not found])
             fi
             enable_vfs_sftp="no"
         fi

diff --git a/src/vfs/sftpfs/connection.c b/src/vfs/sftpfs/connection.c
@@ -464,12 +464,8 @@ sftpfs_open_connection (struct vfs_s_super *super, GError ** mcerror)
     /* ... start it up. This will trade welcome banners, exchange keys,
      * and setup crypto, compression, and MAC layers
      */
-#if LIBSSH2_VERSION_NUM < 0x010208
-    rc = libssh2_session_startup (sftpfs_super->session, sftpfs_super->socket_handle);
-#else
     rc = libssh2_session_handshake (sftpfs_super->session,
                                     (libssh2_socket_t) sftpfs_super->socket_handle);
-#endif
     if (rc != 0)
     {
         mc_propagate_error (mcerror, rc, "%s", _("sftp: Failure establishing SSH session"));