Upgrade libssh2 to 1.8.2

libssh2/RELEASE-NOTES

@@ -1,29 +1,12 @@
-libssh2 1.8.1
+libssh2 1.8.2
 
 This release includes the following bugfixes:
 
- o fixed possible integer overflow when reading a specially crafted packet 
-   (https://www.libssh2.org/CVE-2019-3855.html)
- o fixed possible integer overflow in userauth_keyboard_interactive with a 
-   number of extremely long prompt strings 
-   (https://www.libssh2.org/CVE-2019-3863.html)
- o fixed possible integer overflow if the server sent an extremely large number 
-   of keyboard prompts (https://www.libssh2.org/CVE-2019-3856.html)
- o fixed possible out of bounds read when processing a specially crafted packet 
-   (https://www.libssh2.org/CVE-2019-3861.html)
- o fixed possible integer overflow when receiving a specially crafted exit 
-   signal message channel packet (https://www.libssh2.org/CVE-2019-3857.html)
- o fixed possible out of bounds read when receiving a specially crafted exit 
-   status message channel packet (https://www.libssh2.org/CVE-2019-3862.html)
- o fixed possible zero byte allocation when reading a specially crafted SFTP 
-   packet (https://www.libssh2.org/CVE-2019-3858.html)
- o fixed possible out of bounds reads when processing specially crafted SFTP 
-   packets (https://www.libssh2.org/CVE-2019-3860.html)
- o fixed possible out of bounds reads in _libssh2_packet_require(v) 
-   (https://www.libssh2.org/CVE-2019-3859.html)
+ o Fixed the misapplied userauth patch that broke 1.8.1
+ o moved the MAX size declarations from the public header
 
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Chris Coulson, Michael Buckley, Will Cosgrove, Daniel Stenberg
-  (4 contributors)
+  Will Cosgrove
+  (1 contributors)

libssh2/include/libssh2.h

@@ -46,13 +46,13 @@
    to make the BANNER define (used by src/session.c) be a valid SSH
    banner. Release versions have no appended strings and may of course not
    have dashes either. */
-#define LIBSSH2_VERSION "1.8.1"
+#define LIBSSH2_VERSION "1.8.2"
 
 /* The numeric version number is also available "in parts" by using these
    defines: */
 #define LIBSSH2_VERSION_MAJOR 1
 #define LIBSSH2_VERSION_MINOR 8
-#define LIBSSH2_VERSION_PATCH 1
+#define LIBSSH2_VERSION_PATCH 2
 
 /* This is the numeric version of the libssh2 version number, meant for easier
    parsing and comparions by programs. The LIBSSH2_VERSION_NUM define will
@@ -69,7 +69,7 @@
    and it is always a greater number in a more recent release. It makes
    comparisons with greater than and less than work.
 */
-#define LIBSSH2_VERSION_NUM 0x010801
+#define LIBSSH2_VERSION_NUM 0x010802
 
 /*
  * This is the date and time when the full source package was created. The
@@ -80,7 +80,7 @@
  *
  * "Mon Feb 12 11:35:33 UTC 2007"
  */
-#define LIBSSH2_TIMESTAMP "Mon Mar 18 21:30:25 UTC 2019"
+#define LIBSSH2_TIMESTAMP "Mon Mar 25 19:29:57 UTC 2019"
 
 #ifndef RC_INVOKED
 
@@ -145,18 +145,6 @@ typedef int libssh2_socket_t;
 #define LIBSSH2_INVALID_SOCKET -1
 #endif /* WIN32 */
 
-#ifndef SIZE_MAX
-#if _WIN64
-#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
-#else
-#define SIZE_MAX 0xFFFFFFFF
-#endif
-#endif
-
-#ifndef UINT_MAX
-#define UINT_MAX 0xFFFFFFFF
-#endif
-
 /*
  * Determine whether there is small or large file support on windows.
  */

libssh2/src/libssh2_priv.h

@@ -146,6 +146,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs)
 
 #endif
 
+#ifndef SIZE_MAX
+#if _WIN64
+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
+#else
+#define SIZE_MAX 0xFFFFFFFF
+#endif
+#endif
+
+#ifndef UINT_MAX
+#define UINT_MAX 0xFFFFFFFF
+#endif
+
 /* RFC4253 section 6.1 Maximum Packet Length says:
  *
  * "All implementations MUST be able to process packets with

libssh2/src/userauth.c

@@ -107,7 +107,7 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
         LIBSSH2_FREE(session, session->userauth_list_data);
         session->userauth_list_data = NULL;
 
-        if (rc || (session->userauth_list_data_len < 1)) {
+        if (rc) {
             _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND,
                            "Unable to send userauth-none request");
             session->userauth_list_state = libssh2_NB_state_idle;
@@ -127,7 +127,7 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
             _libssh2_error(session, LIBSSH2_ERROR_EAGAIN,
                            "Would block requesting userauth list");
             return NULL;
-        } else if (rc) {
+        } else if (rc || (session->userauth_list_data_len < 1)) {
             _libssh2_error(session, rc, "Failed getting response");
             session->userauth_list_state = libssh2_NB_state_idle;
             return NULL;
@@ -1172,7 +1172,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
                                      NULL, 0);
         if (rc == LIBSSH2_ERROR_EAGAIN)
             return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block");
-        else if (rc || (session->userauth_pblc_data_len < 1)) {
+        else if (rc) {
             LIBSSH2_FREE(session, session->userauth_pblc_packet);
             session->userauth_pblc_packet = NULL;
             LIBSSH2_FREE(session, session->userauth_pblc_method);
@@ -1195,7 +1195,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
         if (rc == LIBSSH2_ERROR_EAGAIN) {
             return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block");
         }
-        else if (rc) {
+        else if (rc || (session->userauth_pblc_data_len < 1)) {
             LIBSSH2_FREE(session, session->userauth_pblc_packet);
             session->userauth_pblc_packet = NULL;
             LIBSSH2_FREE(session, session->userauth_pblc_method);