From af8f7eb4f2a664c2d0fb3faabaf2e80c72993ef6 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Thu, 21 Mar 2019 13:34:24 -0400
Subject: [PATCH] gnu: libssh2: Update to 1.8.1 [security fixes].

Fixes CVE-2019-{3855,3856,3857,3858,3859,3860,3861,3862,3863}.

* gnu/packages/ssh.scm (libssh2): Update to 1.8.1. (libssh2-1.8.0): New variable.
* gnu/packages/curl.scm (curl)[inputs]: Use libssh2-1.8.0.
---
 gnu/packages/curl.scm | 10 +++++++---
 gnu/packages/ssh.scm | 24 +++++++++++++++++++++---
 2 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 456a18012d..a36a1ee4a6 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2015 Mark H Weaver
 ;;; Copyright © 2015 Tomáš Čech
 ;;; Copyright © 2015 Ludovic Courtès
-;;; Copyright © 2016, 2017 Leo Famulari
+;;; Copyright © 2016, 2017, 2019 Leo Famulari
 ;;; Copyright © 2017 Marius Bakke
 ;;; Copyright © 2017 Efraim Flashner
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice
@@ -66,10 +66,14 @@ (define-public curl
 (inputs `(("gnutls" ,gnutls)
 ("gss" ,gss)
 ("libidn" ,libidn)
- ("libssh2" ,libssh2)
 ("openldap" ,openldap)
 ("nghttp2" ,nghttp2 "lib")
- ("zlib" ,zlib)))
+ ("zlib" ,zlib)
+ ;; TODO XXX
+ ;; Curl doesn't actually use or refer to libssh2 because the build
+ ;; is not configured with '--with-libssh2'. Remove this input when
+ ;; a mass rebuild is appropriate (e.g. core-updates).
+ ("libssh2" ,libssh2-1.8.0)))
 (native-inputs
 `(("perl" ,perl)
 ;; to enable the --manual option and make test 1026 pass
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index dc81736f06..5b5890aae6 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
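Review bot: In the gnu/packages/curl.scm `inputs` hunk, the new comment explains that curl does not link libssh2, but it never says that libssh2-1.8.0 is the release this same commit replaces for CVE-2019-3855 through CVE-2019-3863. Anyone who later adds '--with-libssh2' to the configure flags would link the unpatched library without any warning in the file. I would extend the comment with a line such as `;; libssh2-1.8.0 is unpatched for CVE-2019-{3855,...,3863}; do not enable '--with-libssh2' while it is the input.` The `arguments` field of `curl` lies outside the hunk, so the claim about the configure flags cannot be confirmed from here; listing the built output's references (for example with `guix gc --references`) would show whether any libssh2 store path is retained.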
@@ -3,7 +3,7 @@
 ;;; Copyright © 2013, 2014 Andreas Enge
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver
 ;;; Copyright © 2015, 2016, 2018 Efraim Flashner
-;;; Copyright © 2016 Leo Famulari
+;;; Copyright © 2016, 2019 Leo Famulari
 ;;; Copyright © 2016 Nicolas Goaziou
 ;;; Copyright © 2016 Christopher Allan Webber
 ;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice
@@ -111,7 +111,7 @@ (define-public libssh
 (define-public libssh2
 (package
 (name "libssh2")
- (version "1.8.0")
+ (version "1.8.1")
 (source (origin
 (method url-fetch)
 (uri (string-append
@@ -119,7 +119,7 @@ (define-public libssh2
 version ".tar.gz"))
 (sha256
 (base32
- "1m3n8spv79qhjq4yi0wgly5s5rc8783jb1pyra9bkx1md0plxwrr"))
+ "0ngif3ynk6xqzy5nlfjs7bsmfm81g9f145av0z86kf0vbgrigda0"))
 (patches
 (search-patches "libssh2-fix-build-failure-with-gcrypt.patch"))))
 (build-system gnu-build-system)
@@ -143,6 +143,24 @@ (define-public libssh2
 (license license:bsd-3)
 (home-page "https://www.libssh2.org/")))
 
+;; XXX A hidden special obsolete libssh2 for temporary use in the curl package.
+;;
+(define-public libssh2-1.8.0
+ (hidden-package
+ (package
+ (inherit libssh2)
+ (version "1.8.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://www.libssh2.org/download/libssh2-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "1m3n8spv79qhjq4yi0wgly5s5rc8783jb1pyra9bkx1md0plxwrr"))
+ (patches
+ (search-patches "libssh2-fix-build-failure-with-gcrypt.patch")))))))
+
 (define-public openssh
 (package
 (name "openssh")
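Review bot: The comment above `libssh2-1.8.0` in the last gnu/packages/ssh.scm hunk calls the package "obsolete" without saying why. `define-public` still exports the variable to every package module, while `hidden-package` only keeps it out of the user interface. Since this is the version affected by the CVEs listed in the commit message, the comment should say so and rule out new users, for example `;; XXX Vulnerable to CVE-2019-{3855,...,3863}; kept only to avoid rebuilding curl. Do not use it in any package that links it.` The empty `;;` line after it can be dropped. The `source` repeats the `uri` and `patches` of `libssh2`, so if libssh2-fix-build-failure-with-gcrypt.patch is ever removed from the tree, this variable has to go in the same change.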