diff options
| -rw-r--r-- | 0001-libssh2-1.8.0-CVE-2019-3855.patch | 33 | ||||
| -rw-r--r-- | 0002-libssh2-1.8.0-CVE-2019-3856.patch | 44 | ||||
| -rw-r--r-- | 0003-libssh2-1.8.0-CVE-2019-3857.patch | 124 | ||||
| -rw-r--r-- | 0004-libssh2-1.8.0-CVE-2019-3858.patch | 30 | ||||
| -rw-r--r-- | 0007-libssh2-1.8.0-CVE-2019-3861.patch | 28 | ||||
| -rw-r--r-- | 0008-libssh2-1.8.0-CVE-2019-3862.patch | 75 | ||||
| -rw-r--r-- | 0009-libssh2-1.8.0-CVE-2019-3863.patch | 40 | ||||
| -rw-r--r-- | 0010-libssh2-1.8.0-CVE-2019-17498.patch | 232 | ||||
| -rw-r--r-- | 0014-libssh2-1.4.3-scp-remote-exec.patch | 48 | ||||
| -rw-r--r-- | 0015-libssh2-1.4.3-debug-msgs.patch | 70 | ||||
| -rw-r--r-- | libssh2.spec | 144 |
11 files changed, 72 insertions, 796 deletions
diff --git a/0001-libssh2-1.8.0-CVE-2019-3855.patch b/0001-libssh2-1.8.0-CVE-2019-3855.patch deleted file mode 100644 index 746b515..0000000 --- a/0001-libssh2-1.8.0-CVE-2019-3855.patch +++ /dev/null @@ -1,33 +0,0 @@ -From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Tue, 19 Mar 2019 13:16:53 +0100 -Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read - -... resulting in out of bounds write - -Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch ---- - src/transport.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/transport.c b/src/transport.c -index 8725da0..5349284 100644 ---- a/src/transport.c -+++ b/src/transport.c -@@ -434,8 +434,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) - * and we can extract packet and padding length from it - */ - p->packet_length = _libssh2_ntohu32(block); -- if (p->packet_length < 1) -+ if(p->packet_length < 1) { - return LIBSSH2_ERROR_DECRYPT; -+ } -+ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) { -+ return LIBSSH2_ERROR_OUT_OF_BOUNDARY; -+ } - - p->padding_length = block[4]; - --- -2.17.2 - diff --git a/0002-libssh2-1.8.0-CVE-2019-3856.patch b/0002-libssh2-1.8.0-CVE-2019-3856.patch deleted file mode 100644 index 40c9e9b..0000000 --- a/0002-libssh2-1.8.0-CVE-2019-3856.patch +++ /dev/null @@ -1,44 +0,0 @@ -From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Tue, 19 Mar 2019 13:22:24 +0100 -Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard - interactive handling - -... resulting in out of bounds write - -Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch - -I believe that: - - `(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)` - -... can be simplified as: - - `(session->userauth_kybd_num_prompts > 100)` - -Signed-off-by: Kamil Dudka <kdudka@redhat.com> ---- - src/userauth.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/userauth.c b/src/userauth.c -index cdfa25e..3946cf9 100644 ---- a/src/userauth.c -+++ b/src/userauth.c -@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, - /* int num-prompts */ - session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); - s += 4; -+ if(session->userauth_kybd_num_prompts && -+ session->userauth_kybd_num_prompts > 100) { -+ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, -+ "Too many replies for " -+ "keyboard-interactive prompts"); -+ goto cleanup; -+ } - - if(session->userauth_kybd_num_prompts) { - session->userauth_kybd_prompts = --- -2.17.2 - diff --git a/0003-libssh2-1.8.0-CVE-2019-3857.patch b/0003-libssh2-1.8.0-CVE-2019-3857.patch deleted file mode 100644 index ea264d2..0000000 --- a/0003-libssh2-1.8.0-CVE-2019-3857.patch +++ /dev/null @@ -1,124 +0,0 @@ -From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Tue, 19 Mar 2019 13:29:35 +0100 -Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH - packet processing channel - -... resulting in out of bounds write - -Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch ---- - include/libssh2.h | 12 ++++++++++++ - src/packet.c | 11 +++++++++-- - 2 files changed, 21 insertions(+), 2 deletions(-) - -diff --git a/include/libssh2.h b/include/libssh2.h -index 34d2842..e25c380 100644 ---- a/include/libssh2.h -+++ b/include/libssh2.h -@@ -145,6 +145,18 @@ typedef int libssh2_socket_t; - #define LIBSSH2_INVALID_SOCKET -1 - #endif /* WIN32 */ - -+#ifndef SIZE_MAX -+#if _WIN64 -+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF -+#else -+#define SIZE_MAX 0xFFFFFFFF -+#endif -+#endif -+ -+#ifndef UINT_MAX -+#define UINT_MAX 0xFFFFFFFF -+#endif -+ - /* - * Determine whether there is small or large file support on windows. - */ -diff --git a/src/packet.c b/src/packet.c -index 5f1feb8..aa10633 100644 ---- a/src/packet.c -+++ b/src/packet.c -@@ -815,8 +815,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - /* set signal name (without SIG prefix) */ - uint32_t namelen = - _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); -- channelp->exit_signal = -- LIBSSH2_ALLOC(session, namelen + 1); -+ -+ if(namelen <= UINT_MAX - 1) { -+ channelp->exit_signal = -+ LIBSSH2_ALLOC(session, namelen + 1); -+ } -+ else { -+ channelp->exit_signal = NULL; -+ } -+ - if (!channelp->exit_signal) - rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, - "memory for signal name"); --- -2.17.2 - - -From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001 -From: Michael Buckley <michael@buckleyisms.com> -Date: Mon, 18 Mar 2019 15:07:12 -0700 -Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h - -Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207 -Signed-off-by: Kamil Dudka <kdudka@redhat.com> ---- - include/libssh2.h | 12 ------------ - src/libssh2_priv.h | 12 ++++++++++++ - 2 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/include/libssh2.h b/include/libssh2.h -index e25c380..34d2842 100644 ---- a/include/libssh2.h -+++ b/include/libssh2.h -@@ -145,18 +145,6 @@ typedef int libssh2_socket_t; - #define LIBSSH2_INVALID_SOCKET -1 - #endif /* WIN32 */ - --#ifndef SIZE_MAX --#if _WIN64 --#define SIZE_MAX 0xFFFFFFFFFFFFFFFF --#else --#define SIZE_MAX 0xFFFFFFFF --#endif --#endif -- --#ifndef UINT_MAX --#define UINT_MAX 0xFFFFFFFF --#endif -- - /* - * Determine whether there is small or large file support on windows. - */ -diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h -index b4296a2..bb5d1a5 100644 ---- a/src/libssh2_priv.h -+++ b/src/libssh2_priv.h -@@ -146,6 +146,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs) - - #endif - -+#ifndef SIZE_MAX -+#if _WIN64 -+#define SIZE_MAX 0xFFFFFFFFFFFFFFFF -+#else -+#define SIZE_MAX 0xFFFFFFFF -+#endif -+#endif -+ -+#ifndef UINT_MAX -+#define UINT_MAX 0xFFFFFFFF -+#endif -+ - /* RFC4253 section 6.1 Maximum Packet Length says: - * - * "All implementations MUST be able to process packets with --- -2.17.2 - diff --git a/0004-libssh2-1.8.0-CVE-2019-3858.patch b/0004-libssh2-1.8.0-CVE-2019-3858.patch deleted file mode 100644 index 04914c5..0000000 --- a/0004-libssh2-1.8.0-CVE-2019-3858.patch +++ /dev/null @@ -1,30 +0,0 @@ -From f06cf3a20dc3f54b7a9fc8127eb7719462caab39 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Tue, 19 Mar 2019 13:32:05 +0100 -Subject: [PATCH] Resolves: CVE-2019-3858 - fix zero-byte allocation - -... with a specially crafted SFTP packet leading to an out-of-bounds read - -Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch ---- - src/sftp.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/sftp.c b/src/sftp.c -index 7c44116..65cef85 100644 ---- a/src/sftp.c -+++ b/src/sftp.c -@@ -345,6 +345,10 @@ sftp_packet_read(LIBSSH2_SFTP *sftp) - return _libssh2_error(session, - LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED, - "SFTP packet too large"); -+ if (sftp->partial_len == 0) -+ return _libssh2_error(session, -+ LIBSSH2_ERROR_ALLOC, -+ "Unable to allocate empty SFTP packet"); - - _libssh2_debug(session, LIBSSH2_TRACE_SFTP, - "Data begin - Packet Length: %lu", --- -2.17.2 - diff --git a/0007-libssh2-1.8.0-CVE-2019-3861.patch b/0007-libssh2-1.8.0-CVE-2019-3861.patch deleted file mode 100644 index d40bb71..0000000 --- a/0007-libssh2-1.8.0-CVE-2019-3861.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 77bc71f4ca2949a11110092034dd0705faa6d7b5 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Tue, 19 Mar 2019 13:43:34 +0100 -Subject: [PATCH] Resolves: CVE-2019-3861 - fix out-of-bounds reads with - specially crafted SSH packets - -Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch ---- - src/transport.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/transport.c b/src/transport.c -index 5349284..6224c4f 100644 ---- a/src/transport.c -+++ b/src/transport.c -@@ -442,6 +442,9 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) - } - - p->padding_length = block[4]; -+ if ( p->padding_length > p->packet_length - 1 ) { -+ return LIBSSH2_ERROR_DECRYPT; -+ } - - /* total_num is the number of bytes following the initial - (5 bytes) packet length and padding length fields */ --- -2.17.2 - diff --git a/0008-libssh2-1.8.0-CVE-2019-3862.patch b/0008-libssh2-1.8.0-CVE-2019-3862.patch deleted file mode 100644 index f1632a5..0000000 --- a/0008-libssh2-1.8.0-CVE-2019-3862.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Tue, 19 Mar 2019 13:45:22 +0100 -Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison - -... with specially crafted message channel request - -Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch ---- - src/packet.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/src/packet.c b/src/packet.c -index aa10633..c950b5d 100644 ---- a/src/packet.c -+++ b/src/packet.c -@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - uint32_t len = _libssh2_ntohu32(data + 5); - unsigned char want_reply = 1; - -- if(len < (datalen - 10)) -- want_reply = data[9 + len]; -+ if((len + 9) < datalen) -+ want_reply = data[len + 9]; - - _libssh2_debug(session, - LIBSSH2_TRACE_CONN, -@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - channel, len, data + 9, want_reply); - - if (len == sizeof("exit-status") - 1 -+ && (sizeof("exit-status") - 1 + 9) <= datalen - && !memcmp("exit-status", data + 9, - sizeof("exit-status") - 1)) { - -@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - channelp = - _libssh2_channel_locate(session, channel); - -- if (channelp) { -+ if (channelp && (sizeof("exit-status") + 13) <= datalen) { - channelp->exit_status = - _libssh2_ntohu32(data + 9 + sizeof("exit-status")); - _libssh2_debug(session, LIBSSH2_TRACE_CONN, -@@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - - } - else if (len == sizeof("exit-signal") - 1 -+ && (sizeof("exit-signal") - 1 + 9) <= datalen - && !memcmp("exit-signal", data + 9, - sizeof("exit-signal") - 1)) { - /* command terminated due to signal */ - if(datalen >= 20) - channelp = _libssh2_channel_locate(session, channel); - -- if (channelp) { -+ if (channelp && (sizeof("exit-signal") + 13) <= datalen) { - /* set signal name (without SIG prefix) */ - uint32_t namelen = - _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); -@@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - if (!channelp->exit_signal) - rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, - "memory for signal name"); -- else { -+ else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) { - memcpy(channelp->exit_signal, -- data + 13 + sizeof("exit_signal"), namelen); -+ data + 13 + sizeof("exit-signal"), namelen); - channelp->exit_signal[namelen] = '\0'; - /* TODO: save error message and language tag */ - _libssh2_debug(session, LIBSSH2_TRACE_CONN, --- -2.17.2 - diff --git a/0009-libssh2-1.8.0-CVE-2019-3863.patch b/0009-libssh2-1.8.0-CVE-2019-3863.patch deleted file mode 100644 index 77615fd..0000000 --- a/0009-libssh2-1.8.0-CVE-2019-3863.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 9ed3c716b63c77e9b52f71f2dae5464ade6143df Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Tue, 19 Mar 2019 13:47:41 +0100 -Subject: [PATCH] Resolves: CVE-2019-3863 - fix integer overflow in user - authenticate keyboard interactive - -... that allows out-of-bounds writes - -Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch ---- - src/userauth.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/src/userauth.c b/src/userauth.c -index 3946cf9..ee924c5 100644 ---- a/src/userauth.c -+++ b/src/userauth.c -@@ -1808,8 +1808,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, - - for(i = 0; i < session->userauth_kybd_num_prompts; i++) { - /* string response[1] (ISO-10646 UTF-8) */ -- session->userauth_kybd_packet_len += -- 4 + session->userauth_kybd_responses[i].length; -+ if(session->userauth_kybd_responses[i].length <= -+ (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) { -+ session->userauth_kybd_packet_len += -+ 4 + session->userauth_kybd_responses[i].length; -+ } -+ else { -+ _libssh2_error(session, LIBSSH2_ERROR_ALLOC, -+ "Unable to allocate memory for keyboard-" -+ "interactive response packet"); -+ goto cleanup; -+ } - } - - /* A new userauth_kybd_data area is to be allocated, free the --- -2.17.2 - diff --git a/0010-libssh2-1.8.0-CVE-2019-17498.patch b/0010-libssh2-1.8.0-CVE-2019-17498.patch deleted file mode 100644 index 319e1fd..0000000 --- a/0010-libssh2-1.8.0-CVE-2019-17498.patch +++ /dev/null @@ -1,232 +0,0 @@ -From 1ea36437bb4b0f3ac42db5222cd7311363fa6ec9 Mon Sep 17 00:00:00 2001 -From: Will Cosgrove <will@panic.com> -Date: Fri, 30 Aug 2019 09:57:38 -0700 -Subject: [PATCH] packet.c: improve message parsing (#402) - -* packet.c: improve parsing of packets - -file: packet.c - -notes: -Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST. - -Upstream-commit: dedcbd106f8e52d5586b0205bc7677e4c9868f9c -Signed-off-by: Kamil Dudka <kdudka@redhat.com> ---- - src/misc.c | 37 +++++++++++++++++++++++ - src/misc.h | 10 +++++++ - src/packet.c | 84 ++++++++++++++++++++++++---------------------------- - 3 files changed, 85 insertions(+), 46 deletions(-) - -diff --git a/src/misc.c b/src/misc.c -index f7faae7..1b2682f 100644 ---- a/src/misc.c -+++ b/src/misc.c -@@ -643,3 +643,40 @@ void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size) - } - return p; - } -+ -+int _libssh2_check_length(struct string_buf *buf, size_t len) -+{ -+ unsigned char *endp = &buf->data[buf->len]; -+ size_t left = endp - buf->dataptr; -+ return ((len <= left) && (left <= buf->len)); -+} -+ -+int _libssh2_get_u32(struct string_buf *buf, uint32_t *out) -+{ -+ if(!_libssh2_check_length(buf, 4)) { -+ return -1; -+ } -+ -+ *out = _libssh2_ntohu32(buf->dataptr); -+ buf->dataptr += 4; -+ return 0; -+} -+ -+int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf, -+ size_t *outlen) -+{ -+ uint32_t data_len; -+ if(_libssh2_get_u32(buf, &data_len) != 0) { -+ return -1; -+ } -+ if(!_libssh2_check_length(buf, data_len)) { -+ return -1; -+ } -+ *outbuf = buf->dataptr; -+ buf->dataptr += data_len; -+ -+ if(outlen) -+ *outlen = (size_t)data_len; -+ -+ return 0; -+} -diff --git a/src/misc.h b/src/misc.h -index 54ae546..cf5abb5 100644 ---- a/src/misc.h -+++ b/src/misc.h -@@ -49,6 +49,12 @@ struct list_node { - struct list_head *head; - }; - -+struct string_buf { -+ unsigned char *data; -+ unsigned char *dataptr; -+ size_t len; -+}; -+ - int _libssh2_error_flags(LIBSSH2_SESSION* session, int errcode, const char* errmsg, int errflags); - int _libssh2_error(LIBSSH2_SESSION* session, int errcode, const char* errmsg); - -@@ -80,6 +86,10 @@ void _libssh2_store_u32(unsigned char **buf, uint32_t value); - void _libssh2_store_str(unsigned char **buf, const char *str, size_t len); - void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size); - -+int _libssh2_get_u32(struct string_buf *buf, uint32_t *out); -+int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf, -+ size_t *outlen); -+ - #if defined(LIBSSH2_WIN32) && !defined(__MINGW32__) && !defined(__CYGWIN__) - /* provide a private one */ - #undef HAVE_GETTIMEOFDAY -diff --git a/src/packet.c b/src/packet.c -index c950b5d..f180b77 100644 ---- a/src/packet.c -+++ b/src/packet.c -@@ -416,10 +416,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - size_t datalen, int macstate) - { - int rc = 0; -- char *message=NULL; -- char *language=NULL; -- size_t message_len=0; -- size_t language_len=0; -+ unsigned char *message = NULL; -+ unsigned char *language = NULL; -+ size_t message_len = 0; -+ size_t language_len = 0; - LIBSSH2_CHANNEL *channelp = NULL; - size_t data_head = 0; - unsigned char msg = data[0]; -@@ -430,7 +430,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - "Packet type %d received, length=%d", - (int) msg, (int) datalen); - -- if ((macstate == LIBSSH2_MAC_INVALID) && -+ if((macstate == LIBSSH2_MAC_INVALID) && - (!session->macerror || - LIBSSH2_MACERROR(session, (char *) data, datalen))) { - /* Bad MAC input, but no callback set or non-zero return from the -@@ -456,9 +456,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - break; - } - -- if (session->packAdd_state == libssh2_NB_state_allocated) { -+ if(session->packAdd_state == libssh2_NB_state_allocated) { - /* A couple exceptions to the packet adding rule: */ -- switch (msg) { -+ switch(msg) { - - /* - byte SSH_MSG_DISCONNECT -@@ -469,32 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - - case SSH_MSG_DISCONNECT: - if(datalen >= 5) { -- size_t reason = _libssh2_ntohu32(data + 1); -- -- if(datalen >= 9) { -- message_len = _libssh2_ntohu32(data + 5); -- -- if(message_len < datalen-13) { -- /* 9 = packet_type(1) + reason(4) + message_len(4) */ -- message = (char *) data + 9; -- -- language_len = _libssh2_ntohu32(data + 9 + message_len); -- language = (char *) data + 9 + message_len + 4; -- -- if(language_len > (datalen-13-message_len)) { -- /* bad input, clear info */ -- language = message = NULL; -- language_len = message_len = 0; -- } -- } -- else -- /* bad size, clear it */ -- message_len=0; -- } -- if (session->ssh_msg_disconnect) { -- LIBSSH2_DISCONNECT(session, reason, message, -- message_len, language, language_len); -+ uint32_t reason = 0; -+ struct string_buf buf; -+ buf.data = (unsigned char *)data; -+ buf.dataptr = buf.data; -+ buf.len = datalen; -+ buf.dataptr++; /* advance past type */ -+ -+ _libssh2_get_u32(&buf, &reason); -+ _libssh2_get_string(&buf, &message, &message_len); -+ _libssh2_get_string(&buf, &language, &language_len); -+ -+ if(session->ssh_msg_disconnect) { -+ LIBSSH2_DISCONNECT(session, reason, (const char *)message, -+ message_len, (const char *)language, -+ language_len); - } -+ - _libssh2_debug(session, LIBSSH2_TRACE_TRANS, - "Disconnect(%d): %s(%s)", reason, - message, language); -@@ -534,23 +525,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - int always_display= data[1]; - - if(datalen >= 6) { -- message_len = _libssh2_ntohu32(data + 2); -- -- if(message_len <= (datalen - 10)) { -- /* 6 = packet_type(1) + display(1) + message_len(4) */ -- message = (char *) data + 6; -- language_len = _libssh2_ntohu32(data + 6 + message_len); -- -- if(language_len <= (datalen - 10 - message_len)) -- language = (char *) data + 10 + message_len; -- } -+ struct string_buf buf; -+ buf.data = (unsigned char *)data; -+ buf.dataptr = buf.data; -+ buf.len = datalen; -+ buf.dataptr += 2; /* advance past type & always display */ -+ -+ _libssh2_get_string(&buf, &message, &message_len); -+ _libssh2_get_string(&buf, &language, &language_len); - } - -- if (session->ssh_msg_debug) { -- LIBSSH2_DEBUG(session, always_display, message, -- message_len, language, language_len); -+ if(session->ssh_msg_debug) { -+ LIBSSH2_DEBUG(session, always_display, -+ (const char *)message, -+ message_len, (const char *)language, -+ language_len); - } - } -+ - /* - * _libssh2_debug will actually truncate this for us so - * that it's not an inordinate about of data -@@ -573,7 +565,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - uint32_t len =0; - unsigned char want_reply=0; - len = _libssh2_ntohu32(data + 1); -- if(datalen >= (6 + len)) { -+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { - want_reply = data[5 + len]; - _libssh2_debug(session, - LIBSSH2_TRACE_CONN, --- -2.20.1 - diff --git a/0014-libssh2-1.4.3-scp-remote-exec.patch b/0014-libssh2-1.4.3-scp-remote-exec.patch deleted file mode 100644 index 971a7c9..0000000 --- a/0014-libssh2-1.4.3-scp-remote-exec.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 9506e299fa5116aa8c4c626e6de1feaed9ff9ff8 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Mon, 11 Sep 2017 21:13:45 +0200 -Subject: [PATCH] scp: do not NUL-terminate the command for remote exec (#208) - -It breaks SCP download/upload from/to certain server implementations. - -The bug does not manifest with OpenSSH, which silently drops the NUL -byte (eventually with any garbage that follows the NUL byte) before -executing it. - -Bug: https://bugzilla.redhat.com/1489736 - -Upstream-commit: 819ef4f2037490b6aa2e870aea851b6364184090 -Signed-off-by: Kamil Dudka <kdudka@redhat.com> ---- - src/scp.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/scp.c b/src/scp.c -index f3d4995..c6451bc 100644 ---- a/src/scp.c -+++ b/src/scp.c -@@ -303,8 +303,8 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, libssh2_struct_stat * sb) - &session->scpRecv_command[cmd_len], - session->scpRecv_command_len - cmd_len); - -- session->scpRecv_command[cmd_len] = '\0'; -- session->scpRecv_command_len = cmd_len + 1; -+ /* the command to exec should _not_ be NUL-terminated */ -+ session->scpRecv_command_len = cmd_len; - - _libssh2_debug(session, LIBSSH2_TRACE_SCP, - "Opening channel for SCP receive"); -@@ -845,8 +845,8 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode, - &session->scpSend_command[cmd_len], - session->scpSend_command_len - cmd_len); - -- session->scpSend_command[cmd_len] = '\0'; -- session->scpSend_command_len = cmd_len + 1; -+ /* the command to exec should _not_ be NUL-terminated */ -+ session->scpSend_command_len = cmd_len; - - _libssh2_debug(session, LIBSSH2_TRACE_SCP, - "Opening channel for SCP send"); --- -2.13.5 - diff --git a/0015-libssh2-1.4.3-debug-msgs.patch b/0015-libssh2-1.4.3-debug-msgs.patch deleted file mode 100644 index 034f337..0000000 --- a/0015-libssh2-1.4.3-debug-msgs.patch +++ /dev/null @@ -1,70 +0,0 @@ -From c1bbc2d6b0708dcb1fd014554585296b0ba25a43 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Mon, 9 Oct 2017 17:35:51 +0200 -Subject: [PATCH] session: avoid printing misleading debug messages - -... while throwing LIBSSH2_ERROR_EAGAIN out of session_startup() - -If the session runs in blocking mode, LIBSSH2_ERROR_EAGAIN never reaches -the libssh2 API boundary and, in non-blocking mode, these messages are -suppressed by the condition in _libssh2_error_flags() anyway. - -Closes #211 - -Upstream-commit: 712c6cbdd2f1b509f586aea5889a5c1deb7c9bda -Signed-off-by: Kamil Dudka <kdudka@redhat.com> ---- - src/session.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/src/session.c b/src/session.c -index 9838d2b..62ef70d 100644 ---- a/src/session.c -+++ b/src/session.c -@@ -703,7 +703,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) - - if (session->startup_state == libssh2_NB_state_created) { - rc = banner_send(session); -- if (rc) { -+ if (rc == LIBSSH2_ERROR_EAGAIN) -+ return rc; -+ else if (rc) { - return _libssh2_error(session, rc, - "Failed sending banner"); - } -@@ -714,7 +716,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) - if (session->startup_state == libssh2_NB_state_sent) { - do { - rc = banner_receive(session); -- if (rc) -+ if (rc == LIBSSH2_ERROR_EAGAIN) -+ return rc; -+ else if (rc) - return _libssh2_error(session, rc, - "Failed getting banner"); - } while(strncmp("SSH-", (char *)session->remote.banner, 4)); -@@ -724,7 +728,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) - - if (session->startup_state == libssh2_NB_state_sent1) { - rc = _libssh2_kex_exchange(session, 0, &session->startup_key_state); -- if (rc) -+ if (rc == LIBSSH2_ERROR_EAGAIN) -+ return rc; -+ else if (rc) - return _libssh2_error(session, rc, - "Unable to exchange encryption keys"); - -@@ -749,7 +755,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) - rc = _libssh2_transport_send(session, session->startup_service, - sizeof("ssh-userauth") + 5 - 1, - NULL, 0); -- if (rc) { -+ if (rc == LIBSSH2_ERROR_EAGAIN) -+ return rc; -+ else if (rc) { - return _libssh2_error(session, rc, - "Unable to ask for ssh-userauth service"); - } --- -2.13.6 - diff --git a/libssh2.spec b/libssh2.spec index be8598e..e807f62 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,39 +1,32 @@ -Name: libssh2 -Version: 1.8.0 -Release: 0%{?dist} +# remirepo spec file for remi-libssh2 +# renamed for parallel installation, from: +# +# Fedora spec file for libssh2 +# +# License: MIT +# http://opensource.org/licenses/MIT +# +# Please preserve changelog entries +# + +%global projname libssh2 + +%if 0%{?vendeur:1} && 0%{?fedora} < 35 && 0%{?rhel} < 9 +%global move_to_opt 1 +%global _prefix /opt/%{vendeur}/%{projname} +%global __arch_install_post /bin/true +Name: %{vendeur}-%{projname} +%else +%global move_to_opt 0 +Name: %{projname} +%endif + +Version: 1.10.0 +Release: 1%{?dist} Summary: A library implementing the SSH2 protocol -Group: System Environment/Libraries License: BSD -URL: http://www.libssh2.org/ -Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz - -# fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) -Patch1: 0001-libssh2-1.8.0-CVE-2019-3855.patch - -# fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) -Patch2: 0002-libssh2-1.8.0-CVE-2019-3856.patch - -# fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) -Patch3: 0003-libssh2-1.8.0-CVE-2019-3857.patch - -# fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858) -Patch4: 0004-libssh2-1.8.0-CVE-2019-3858.patch - -# fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861) -Patch7: 0007-libssh2-1.8.0-CVE-2019-3861.patch - -# fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862) -Patch8: 0008-libssh2-1.8.0-CVE-2019-3862.patch - -# fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863) -Patch9: 0009-libssh2-1.8.0-CVE-2019-3863.patch - -# fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498) -Patch10: 0010-libssh2-1.8.0-CVE-2019-17498.patch - -Patch14: 0014-libssh2-1.4.3-scp-remote-exec.patch -Patch15: 0015-libssh2-1.4.3-debug-msgs.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) +URL: https://www.libssh2.org/ +Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz BuildRequires: coreutils BuildRequires: findutils @@ -44,14 +37,14 @@ BuildRequires: sed BuildRequires: zlib-devel BuildRequires: /usr/bin/man -# Test suite requirements - we run the OpenSSH server and try to connect to it +# Test suite requirements +# Full groff (not just groff-base) needed for the mansyntax check +BuildRequires: groff +# We run the OpenSSH server and try to connect to it BuildRequires: openssh-server -# We use matchpathcon to get the correct SELinux context for the ssh server -# initialization script so that it can transition correctly in an SELinux -# environment -%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) -BuildRequires: libselinux-utils -BuildRequires: selinux-policy-targeted +# Need a valid locale to run the mansyntax check +%if 0%{?fedora} > 23 || 0%{?rhel} > 7 +BuildRequires: glibc-langpack-en %endif %description @@ -62,7 +55,6 @@ SECSH-DHGEX(04), and SECSH-NUMBERS(10). %package devel Summary: Development files for libssh2 -Group: Development/Libraries Requires: %{name}%{?_isa} = %{version}-%{release} Requires: pkgconfig @@ -72,7 +64,6 @@ developing applications that use libssh2. %package docs Summary: Documentation for libssh2 -Group: Development/Libraries Requires: %{name} = %{version}-%{release} BuildArch: noarch @@ -80,43 +71,29 @@ BuildArch: noarch The libssh2-docs package contains man pages and examples for developing applications that use libssh2. + +%if %{move_to_opt} +# Filter in the /opt installation +%{?filter_from_provides: %filter_from_provides /libssh2/d} +%{?filter_from_requires: %filter_from_requires /libssh2/d} +%{?filter_setup} +%endif + + %prep -%setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 +%setup -q -n %{projname}-%{version} # Replace hard wired port number in the test suite to avoid collisions # between 32-bit and 64-bit builds running on a single build-host sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh} -# scp: send valid commands for remote execution (#1489733) -%patch14 -p1 - -# session: avoid printing misleading debug messages (#1503294) -%patch15 -p1 - -# Make sshd transition appropriately if building in an SELinux environment -%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) -chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || : -chcon -R $(/usr/sbin/matchpathcon -n /etc) tests/etc || : -chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} || : -%endif %build %configure --disable-silent-rules --disable-static --enable-shared make %{?_smp_mflags} -# Avoid polluting libssh2.pc with linker options (#947813) -sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc %install -rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" find %{buildroot} -name '*.la' -delete @@ -146,26 +123,45 @@ echo "exit 0" > tests/ssh2.sh echo "Skipping mansyntax test on PPC* and aarch64" echo "exit 0" > tests/mansyntax.sh %endif -make -C tests check +LC_ALL=en_US.UTF-8 make -C tests check -%clean -rm -rf %{buildroot} +%if 0%{?fedora} < 28 && 0%{?rhel} < 8 %post -p /sbin/ldconfig - %postun -p /sbin/ldconfig +%endif + %files -%doc COPYING docs/AUTHORS README RELEASE-NOTES +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc docs/AUTHORS README RELEASE-NOTES +%if %{move_to_opt} +%dir %{_libdir} +%dir %{_prefix} +%dir %{_datadir} +%ghost %{_datadir}/doc +%ghost %{_docdir} +%{?_licensedir:%ghost %{_datadir}/licenses} +%{?_licensedir:%ghost %{_licensedir}} +%endif %{_libdir}/libssh2.so.1 %{_libdir}/libssh2.so.1.* %files docs %doc docs/BINDINGS docs/HACKING docs/TODO NEWS +%if %{move_to_opt} +%dir %{_mandir} +%dir %{_mandir}/man3 +%endif %{_mandir}/man3/libssh2_*.3* %files devel %doc example.%{_arch}/ +%if %{move_to_opt} +%dir %{_includedir} +%dir %{_libdir}/pkgconfig/ +%endif %{_includedir}/libssh2.h %{_includedir}/libssh2_publickey.h %{_includedir}/libssh2_sftp.h @@ -173,6 +169,10 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Sun Jun 26 2022 Remi Collet <remi@remirepo.net> - 1.10.0-1 +- rename to remi-libssh2 for EL-7 and EL-8 +- update to 1.10.0 + * Tue Mar 2 2021 Remi Collet <remi@remirepo.net> - 1.8.0-0 - rebuild with lower release for amazon |