From 034fe96dbc20144b50fe11dc3e2c6ce25919c1f4 Mon Sep 17 00:00:00 2001
From: Paul Howarth <paul@city-fan.org>
Date: Feb 23 2016 11:46:16 +0000
Subject: Fix for CVE-2016-0787


Make sure that there's a conversion done from number of bytes to number of
bits when the internal _libssh2_bn_rand function is called (CVE-2016-0787)
https://www.libssh2.org/adv_20160223.html

---

diff --git a/CVE-2016-0787.patch b/CVE-2016-0787.patch
new file mode 100644
index 0000000..7b24f90
--- /dev/null
+++ b/CVE-2016-0787.patch
@@ -0,0 +1,32 @@
+From 8a453a7b0f1e667b7369eb73b00843a8decdecc9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 11 Feb 2016 13:52:20 +0100
+Subject: [PATCH] diffie_hellman_sha256: convert bytes to bits
+
+As otherwise we get far too small numbers.
+
+CVE-2016-0787
+---
+ src/kex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index 6349457..e89b36c 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -751,11 +751,11 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
+ 
+         /* Zero the whole thing out */
+         memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t));
+ 
+         /* Generate x and e */
+-        _libssh2_bn_rand(exchange_state->x, group_order, 0, -1);
++        _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1);
+         _libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p,
+                             exchange_state->ctx);
+ 
+         /* Send KEX init */
+         /* packet_type(1) + String Length(4) + leading 0(1) */
+-- 
+2.7.0
+
diff --git a/libssh2.spec b/libssh2.spec
index 5621619..43212d0 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -12,13 +12,14 @@
 
 Name:		libssh2
 Version:	1.5.0
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	A library implementing the SSH2 protocol
 Group:		System Environment/Libraries
 License:	BSD
 URL:		http://www.libssh2.org/
 Source0:	http://libssh2.org/download/libssh2-%{version}.tar.gz
 Patch0:		libssh2-1.4.2-utf8.patch
+Patch2:		https://www.libssh2.org/CVE-2016-0787.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
 BuildRequires:	openssl-devel
 BuildRequires:	zlib-devel
@@ -72,6 +73,11 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh}
 # Make sure things are UTF-8...
 %patch0 -p1
 
+# Make sure that there's a conversion done from number of bytes to number of
+# bits when the internal _libssh2_bn_rand function is called (CVE-2016-0787)
+# https://www.libssh2.org/adv_20160223.html
+%patch2 -p1
+
 # Make sshd transition appropriately if building in an SELinux environment
 %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7)
 chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || :
@@ -149,6 +155,11 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/libssh2.pc
 
 %changelog
+* Tue Feb 23 2016 Paul Howarth <paul@city-fan.org> - 1.5.0-2
+- Make sure that there's a conversion done from number of bytes to number of
+  bits when the internal _libssh2_bn_rand function is called (CVE-2016-0787)
+  https://www.libssh2.org/adv_20160223.html
+
 * Wed Mar 11 2015 Paul Howarth <paul@city-fan.org> - 1.5.0-1
 - Update to 1.5.0
   - See RELEASE-NOTES for details of bug fixes and enhancements