authorRemi Collet <remi@remirepo.net>2021-03-02 11:01:02 +0100
committerRemi Collet <remi@remirepo.net>2021-03-02 11:01:02 +0100
commit2c66aa8e4ec5b4bfc80f991bb2b3069b108b6121 (patch)
tree2cc6c3d025aeafca8a378072f4db34ee1e3d7cd8 /0008-libssh2-1.8.0-CVE-2019-3862.patch
parentef20bb6b3d0272c8340b5e55347eeffa114c889b (diff)
import from RHEL 7.7
Diffstat (limited to '0008-libssh2-1.8.0-CVE-2019-3862.patch')
-rw-r--r--0008-libssh2-1.8.0-CVE-2019-3862.patch75
1 files changed, 75 insertions, 0 deletions
diff --git a/0008-libssh2-1.8.0-CVE-2019-3862.patch b/0008-libssh2-1.8.0-CVE-2019-3862.patch
new file mode 100644
index 0000000..f1632a5
--- /dev/null
+++ b/0008-libssh2-1.8.0-CVE-2019-3862.patch
@@ -0,0 +1,75 @@
+From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:45:22 +0100
+Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison
+
+... with specially crafted message channel request
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
+---
+ src/packet.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index aa10633..c950b5d 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len = _libssh2_ntohu32(data + 5);
+ unsigned char want_reply = 1;
+
+- if(len < (datalen - 10))
+- want_reply = data[9 + len];
++ if((len + 9) < datalen)
++ want_reply = data[len + 9];
+
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
+@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ channel, len, data + 9, want_reply);
+
+ if (len == sizeof("exit-status") - 1
++ && (sizeof("exit-status") - 1 + 9) <= datalen
+ && !memcmp("exit-status", data + 9,
+ sizeof("exit-status") - 1)) {
+
+@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ channelp =
+ _libssh2_channel_locate(session, channel);
+
+- if (channelp) {
++ if (channelp && (sizeof("exit-status") + 13) <= datalen) {
+ channelp->exit_status =
+ _libssh2_ntohu32(data + 9 + sizeof("exit-status"));
+ _libssh2_debug(session, LIBSSH2_TRACE_CONN,
+@@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ }
+ else if (len == sizeof("exit-signal") - 1
++ && (sizeof("exit-signal") - 1 + 9) <= datalen
+ && !memcmp("exit-signal", data + 9,
+ sizeof("exit-signal") - 1)) {
+ /* command terminated due to signal */
+ if(datalen >= 20)
+ channelp = _libssh2_channel_locate(session, channel);
+
+- if (channelp) {
++ if (channelp && (sizeof("exit-signal") + 13) <= datalen) {
+ /* set signal name (without SIG prefix) */
+ uint32_t namelen =
+ _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
+@@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ if (!channelp->exit_signal)
+ rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+ "memory for signal name");
+- else {
++ else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) {
+ memcpy(channelp->exit_signal,
+- data + 13 + sizeof("exit_signal"), namelen);
++ data + 13 + sizeof("exit-signal"), namelen);
+ channelp->exit_signal[namelen] = '\0';
+ /* TODO: save error message and language tag */
+ _libssh2_debug(session, LIBSSH2_TRACE_CONN,
+--
+2.17.2
+
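Review bot: Two of the added bounds checks add a constant to a 32-bit length taken from the packet, so the sum can wrap and the test can pass for a length that does not fit in the packet. In `if((len + 9) < datalen)` the addition is done in `uint32_t`, and in `else if ((sizeof("exit-signal") + 13 + namelen <= datalen))` it is done in `size_t`, which is only 32 bits wide on some targets. Comparing by subtraction avoids the wrap: `if(datalen > 9 && len < datalen - 9)` and `else if (namelen <= datalen - (sizeof("exit-signal") + 13))`, where the second form is safe because the enclosing `if (channelp && (sizeof("exit-signal") + 13) <= datalen)` already holds. The new `else if` also has no final `else`, so an over-long signal name appears to be skipped without setting `rc`; `_libssh2_packet_add` starts and ends outside the hunk, so the allocation of `exit_signal` and any later error handling cannot be checked from here.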