diff options
| author | Remi Collet <remi@remirepo.net> | 2021-03-02 11:01:02 +0100 |
|---|---|---|
| committer | Remi Collet <remi@remirepo.net> | 2021-03-02 11:01:02 +0100 |
| commit | 2c66aa8e4ec5b4bfc80f991bb2b3069b108b6121 (patch) | |
| tree | 2cc6c3d025aeafca8a378072f4db34ee1e3d7cd8 /0008-libssh2-1.8.0-CVE-2019-3862.patch | |
| parent | ef20bb6b3d0272c8340b5e55347eeffa114c889b (diff) | |
import from RHEL 7.7
Diffstat (limited to '0008-libssh2-1.8.0-CVE-2019-3862.patch')
| -rw-r--r-- | 0008-libssh2-1.8.0-CVE-2019-3862.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/0008-libssh2-1.8.0-CVE-2019-3862.patch b/0008-libssh2-1.8.0-CVE-2019-3862.patch new file mode 100644 index 0000000..f1632a5 --- /dev/null +++ b/0008-libssh2-1.8.0-CVE-2019-3862.patch @@ -0,0 +1,75 @@ +From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 19 Mar 2019 13:45:22 +0100 +Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison + +... with specially crafted message channel request + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch +--- + src/packet.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index aa10633..c950b5d 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = _libssh2_ntohu32(data + 5); + unsigned char want_reply = 1; + +- if(len < (datalen - 10)) +- want_reply = data[9 + len]; ++ if((len + 9) < datalen) ++ want_reply = data[len + 9]; + + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, +@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + channel, len, data + 9, want_reply); + + if (len == sizeof("exit-status") - 1 ++ && (sizeof("exit-status") - 1 + 9) <= datalen + && !memcmp("exit-status", data + 9, + sizeof("exit-status") - 1)) { + +@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + channelp = + _libssh2_channel_locate(session, channel); + +- if (channelp) { ++ if (channelp && (sizeof("exit-status") + 13) <= datalen) { + channelp->exit_status = + _libssh2_ntohu32(data + 9 + sizeof("exit-status")); + _libssh2_debug(session, LIBSSH2_TRACE_CONN, +@@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + } + else if (len == sizeof("exit-signal") - 1 ++ && (sizeof("exit-signal") - 1 + 9) <= datalen + && !memcmp("exit-signal", data + 9, + sizeof("exit-signal") - 1)) { + /* command terminated due to signal */ + if(datalen >= 20) + channelp = _libssh2_channel_locate(session, channel); + +- if (channelp) { ++ if (channelp && (sizeof("exit-signal") + 13) <= datalen) { + /* set signal name (without SIG prefix) */ + uint32_t namelen = + _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); +@@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + if (!channelp->exit_signal) + rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, + "memory for signal name"); +- else { ++ else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) { + memcpy(channelp->exit_signal, +- data + 13 + sizeof("exit_signal"), namelen); ++ data + 13 + sizeof("exit-signal"), namelen); + channelp->exit_signal[namelen] = '\0'; + /* TODO: save error message and language tag */ + _libssh2_debug(session, LIBSSH2_TRACE_CONN, +-- +2.17.2 + |