diff options
-rw-r--r-- | .gitignore | 9 | ||||
-rw-r--r-- | 0001-libssh2-1.8.0-CVE-2019-3855.patch | 33 | ||||
-rw-r--r-- | 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch | 54 | ||||
-rw-r--r-- | 0002-libssh2-1.8.0-CVE-2019-3856.patch | 44 | ||||
-rw-r--r-- | 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch | 26 | ||||
-rw-r--r-- | 0003-libssh2-1.8.0-CVE-2019-3857.patch | 124 | ||||
-rw-r--r-- | 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch | 223 | ||||
-rw-r--r-- | 0004-libssh2-1.8.0-CVE-2019-3858.patch | 30 | ||||
-rw-r--r-- | 0004-partially-revert-window_size-explicit-adjustments-on.patch | 69 | ||||
-rw-r--r-- | 0005-channel.c-fix-a-use-after-free.patch | 26 | ||||
-rw-r--r-- | 0007-libssh2-1.8.0-CVE-2019-3861.patch | 28 | ||||
-rw-r--r-- | 0008-libssh2-1.8.0-CVE-2019-3862.patch | 75 | ||||
-rw-r--r-- | 0009-libssh2-1.8.0-CVE-2019-3863.patch | 40 | ||||
-rw-r--r-- | 0010-libssh2-1.8.0-CVE-2019-17498.patch | 232 | ||||
-rw-r--r-- | 0014-libssh2-1.4.3-scp-remote-exec.patch | 48 | ||||
-rw-r--r-- | 0015-libssh2-1.4.3-debug-msgs.patch | 70 | ||||
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | libssh2-1.4.2-utf8.patch | 14 | ||||
-rw-r--r-- | libssh2.spec | 331 |
19 files changed, 985 insertions, 493 deletions
diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..01f0400 --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +clog +package-*.xml +*.tgz +*.tar.bz2 +*.tar.gz +*.tar.xz +*.tar.xz.asc +*.src.rpm +*/*rpm diff --git a/0001-libssh2-1.8.0-CVE-2019-3855.patch b/0001-libssh2-1.8.0-CVE-2019-3855.patch new file mode 100644 index 0000000..746b515 --- /dev/null +++ b/0001-libssh2-1.8.0-CVE-2019-3855.patch @@ -0,0 +1,33 @@ +From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 19 Mar 2019 13:16:53 +0100 +Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read + +... resulting in out of bounds write + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch +--- + src/transport.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/transport.c b/src/transport.c +index 8725da0..5349284 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -434,8 +434,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + * and we can extract packet and padding length from it + */ + p->packet_length = _libssh2_ntohu32(block); +- if (p->packet_length < 1) ++ if(p->packet_length < 1) { + return LIBSSH2_ERROR_DECRYPT; ++ } ++ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) { ++ return LIBSSH2_ERROR_OUT_OF_BOUNDARY; ++ } + + p->padding_length = block[4]; + +-- +2.17.2 + diff --git a/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch b/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch deleted file mode 100644 index 9acbd6d..0000000 --- a/0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 486bb376218a37fe15318d7724d6eada36b81e6c Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" <rjones@redhat.com> -Date: Tue, 26 Mar 2013 17:58:04 +0100 -Subject: [PATCH 1/3] sftp: seek: Don't flush buffers on same offset - -Signed-off-by: Richard W.M. Jones <rjones@redhat.com> ---- - src/sftp.c | 27 +++++++++++++++------------ - 1 file changed, 15 insertions(+), 12 deletions(-) - -diff --git a/src/sftp.c b/src/sftp.c -index d0536dd..3760025 100644 ---- a/src/sftp.c -+++ b/src/sftp.c -@@ -2132,21 +2132,24 @@ libssh2_sftp_fstat_ex(LIBSSH2_SFTP_HANDLE *hnd, - LIBSSH2_API void - libssh2_sftp_seek64(LIBSSH2_SFTP_HANDLE *handle, libssh2_uint64_t offset) - { -- if(handle) { -- handle->u.file.offset = handle->u.file.offset_sent = offset; -- /* discard all pending requests and currently read data */ -- sftp_packetlist_flush(handle); -+ if(!handle) -+ return; -+ if(handle->u.file.offset == offset && handle->u.file.offset_sent == offset) -+ return; - -- /* free the left received buffered data */ -- if (handle->u.file.data_left) { -- LIBSSH2_FREE(handle->sftp->channel->session, handle->u.file.data); -- handle->u.file.data_left = handle->u.file.data_len = 0; -- handle->u.file.data = NULL; -- } -+ handle->u.file.offset = handle->u.file.offset_sent = offset; -+ /* discard all pending requests and currently read data */ -+ sftp_packetlist_flush(handle); - -- /* reset EOF to False */ -- handle->u.file.eof = FALSE; -+ /* free the left received buffered data */ -+ if (handle->u.file.data_left) { -+ LIBSSH2_FREE(handle->sftp->channel->session, handle->u.file.data); -+ handle->u.file.data_left = handle->u.file.data_len = 0; -+ handle->u.file.data = NULL; - } -+ -+ /* reset EOF to False */ -+ handle->u.file.eof = FALSE; - } - - /* libssh2_sftp_seek --- -1.8.1.4 - diff --git a/0002-libssh2-1.8.0-CVE-2019-3856.patch b/0002-libssh2-1.8.0-CVE-2019-3856.patch new file mode 100644 index 0000000..40c9e9b --- /dev/null +++ b/0002-libssh2-1.8.0-CVE-2019-3856.patch @@ -0,0 +1,44 @@ +From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 19 Mar 2019 13:22:24 +0100 +Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard + interactive handling + +... resulting in out of bounds write + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch + +I believe that: + + `(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)` + +... can be simplified as: + + `(session->userauth_kybd_num_prompts > 100)` + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + src/userauth.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/userauth.c b/src/userauth.c +index cdfa25e..3946cf9 100644 +--- a/src/userauth.c ++++ b/src/userauth.c +@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, + /* int num-prompts */ + session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); + s += 4; ++ if(session->userauth_kybd_num_prompts && ++ session->userauth_kybd_num_prompts > 100) { ++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, ++ "Too many replies for " ++ "keyboard-interactive prompts"); ++ goto cleanup; ++ } + + if(session->userauth_kybd_num_prompts) { + session->userauth_kybd_prompts = +-- +2.17.2 + diff --git a/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch b/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch deleted file mode 100644 index 83ca15e..0000000 --- a/0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch +++ /dev/null @@ -1,26 +0,0 @@ -From a12f3ffab579b514eeb7fdfaca0ade271961cdb4 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" <rjones@redhat.com> -Date: Mon, 8 Apr 2013 17:30:10 +0100 -Subject: [PATCH 2/3] sftp: statvfs: Along error path, reset the correct - 'state' variable. - ---- - src/sftp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sftp.c b/src/sftp.c -index 3760025..65fa77a 100644 ---- a/src/sftp.c -+++ b/src/sftp.c -@@ -2752,7 +2752,7 @@ static int sftp_statvfs(LIBSSH2_SFTP *sftp, const char *path, - "Error waiting for FXP EXTENDED REPLY"); - } else if (data_len < 93) { - LIBSSH2_FREE(session, data); -- sftp->fstatvfs_state = libssh2_NB_state_idle; -+ sftp->statvfs_state = libssh2_NB_state_idle; - return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, - "SFTP Protocol Error: short response"); - } --- -1.8.1.4 - diff --git a/0003-libssh2-1.8.0-CVE-2019-3857.patch b/0003-libssh2-1.8.0-CVE-2019-3857.patch new file mode 100644 index 0000000..ea264d2 --- /dev/null +++ b/0003-libssh2-1.8.0-CVE-2019-3857.patch @@ -0,0 +1,124 @@ +From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 19 Mar 2019 13:29:35 +0100 +Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH + packet processing channel + +... resulting in out of bounds write + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch +--- + include/libssh2.h | 12 ++++++++++++ + src/packet.c | 11 +++++++++-- + 2 files changed, 21 insertions(+), 2 deletions(-) + +diff --git a/include/libssh2.h b/include/libssh2.h +index 34d2842..e25c380 100644 +--- a/include/libssh2.h ++++ b/include/libssh2.h +@@ -145,6 +145,18 @@ typedef int libssh2_socket_t; + #define LIBSSH2_INVALID_SOCKET -1 + #endif /* WIN32 */ + ++#ifndef SIZE_MAX ++#if _WIN64 ++#define SIZE_MAX 0xFFFFFFFFFFFFFFFF ++#else ++#define SIZE_MAX 0xFFFFFFFF ++#endif ++#endif ++ ++#ifndef UINT_MAX ++#define UINT_MAX 0xFFFFFFFF ++#endif ++ + /* + * Determine whether there is small or large file support on windows. + */ +diff --git a/src/packet.c b/src/packet.c +index 5f1feb8..aa10633 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -815,8 +815,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + /* set signal name (without SIG prefix) */ + uint32_t namelen = + _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); +- channelp->exit_signal = +- LIBSSH2_ALLOC(session, namelen + 1); ++ ++ if(namelen <= UINT_MAX - 1) { ++ channelp->exit_signal = ++ LIBSSH2_ALLOC(session, namelen + 1); ++ } ++ else { ++ channelp->exit_signal = NULL; ++ } ++ + if (!channelp->exit_signal) + rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, + "memory for signal name"); +-- +2.17.2 + + +From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001 +From: Michael Buckley <michael@buckleyisms.com> +Date: Mon, 18 Mar 2019 15:07:12 -0700 +Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h + +Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207 +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + include/libssh2.h | 12 ------------ + src/libssh2_priv.h | 12 ++++++++++++ + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/include/libssh2.h b/include/libssh2.h +index e25c380..34d2842 100644 +--- a/include/libssh2.h ++++ b/include/libssh2.h +@@ -145,18 +145,6 @@ typedef int libssh2_socket_t; + #define LIBSSH2_INVALID_SOCKET -1 + #endif /* WIN32 */ + +-#ifndef SIZE_MAX +-#if _WIN64 +-#define SIZE_MAX 0xFFFFFFFFFFFFFFFF +-#else +-#define SIZE_MAX 0xFFFFFFFF +-#endif +-#endif +- +-#ifndef UINT_MAX +-#define UINT_MAX 0xFFFFFFFF +-#endif +- + /* + * Determine whether there is small or large file support on windows. + */ +diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h +index b4296a2..bb5d1a5 100644 +--- a/src/libssh2_priv.h ++++ b/src/libssh2_priv.h +@@ -146,6 +146,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs) + + #endif + ++#ifndef SIZE_MAX ++#if _WIN64 ++#define SIZE_MAX 0xFFFFFFFFFFFFFFFF ++#else ++#define SIZE_MAX 0xFFFFFFFF ++#endif ++#endif ++ ++#ifndef UINT_MAX ++#define UINT_MAX 0xFFFFFFFF ++#endif ++ + /* RFC4253 section 6.1 Maximum Packet Length says: + * + * "All implementations MUST be able to process packets with +-- +2.17.2 + diff --git a/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch b/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch deleted file mode 100644 index cc1cbb4..0000000 --- a/0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch +++ /dev/null @@ -1,223 +0,0 @@ -From 6e0d757f24a45252c4cae9ea09732eda2562c767 Mon Sep 17 00:00:00 2001 -From: "Richard W.M. Jones" <rjones@redhat.com> -Date: Tue, 9 Apr 2013 11:42:09 +0200 -Subject: [PATCH 3/3] sftp: Add support for fsync (OpenSSH extension). - -The new libssh2_sftp_fsync API causes data and metadata in the -currently open file to be committed to disk at the server. - -This is an OpenSSH extension to the SFTP protocol. See: - -https://bugzilla.mindrot.org/show_bug.cgi?id=1798 ---- - docs/Makefile.am | 1 + - docs/libssh2_sftp_fsync.3 | 39 +++++++++++++++++++ - include/libssh2_sftp.h | 1 + - src/sftp.c | 97 +++++++++++++++++++++++++++++++++++++++++++++++ - src/sftp.h | 5 +++ - 5 files changed, 143 insertions(+) - create mode 100644 docs/libssh2_sftp_fsync.3 - -diff --git a/docs/Makefile.am b/docs/Makefile.am -index e4cf487..e6ab394 100644 ---- a/docs/Makefile.am -+++ b/docs/Makefile.am -@@ -120,6 +120,7 @@ dist_man_MANS = \ - libssh2_sftp_fstat.3 \ - libssh2_sftp_fstat_ex.3 \ - libssh2_sftp_fstatvfs.3 \ -+ libssh2_sftp_fsync.3 \ - libssh2_sftp_get_channel.3 \ - libssh2_sftp_init.3 \ - libssh2_sftp_last_error.3 \ -diff --git a/docs/libssh2_sftp_fsync.3 b/docs/libssh2_sftp_fsync.3 -new file mode 100644 -index 0000000..646760a ---- /dev/null -+++ b/docs/libssh2_sftp_fsync.3 -@@ -0,0 +1,39 @@ -+.TH libssh2_sftp_fsync 3 "8 Apr 2013" "libssh2 1.4.4" "libssh2 manual" -+.SH NAME -+libssh2_sftp_fsync - synchronize file to disk -+.SH SYNOPSIS -+.nf -+#include <libssh2.h> -+#include <libssh2_sftp.h> -+ -+int -+libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *handle) -+.fi -+.SH DESCRIPTION -+This function causes the remote server to synchronize the file -+data and metadata to disk (like fsync(2)). -+ -+For this to work requires fsync@openssh.com support on the server. -+ -+\fIhandle\fP - SFTP File Handle as returned by -+.BR libssh2_sftp_open_ex(3) -+ -+.SH RETURN VALUE -+Returns 0 on success or negative on failure. If used in non-blocking mode, it -+returns LIBSSH2_ERROR_EAGAIN when it would otherwise block. While -+LIBSSH2_ERROR_EAGAIN is a negative number, it isn't really a failure per se. -+.SH ERRORS -+\fILIBSSH2_ERROR_ALLOC\fP - An internal memory allocation call failed. -+ -+\fILIBSSH2_ERROR_SOCKET_SEND\fP - Unable to send data on socket. -+ -+\fILIBSSH2_ERROR_SFTP_PROTOCOL\fP - An invalid SFTP protocol response -+was received on the socket, or an SFTP operation caused an errorcode -+to be returned by the server. In particular, this can be returned if -+the SSH server does not support the fsync operation: the SFTP subcode -+\fILIBSSH2_FX_OP_UNSUPPORTED\fP will be returned in this case. -+ -+.SH AVAILABILITY -+Added in libssh2 1.4.4 and OpenSSH 6.3. -+.SH SEE ALSO -+.BR fsync(2) -diff --git a/include/libssh2_sftp.h b/include/libssh2_sftp.h -index 74884fb..677faf2 100644 ---- a/include/libssh2_sftp.h -+++ b/include/libssh2_sftp.h -@@ -247,6 +247,7 @@ LIBSSH2_API int libssh2_sftp_readdir_ex(LIBSSH2_SFTP_HANDLE *handle, \ - - LIBSSH2_API ssize_t libssh2_sftp_write(LIBSSH2_SFTP_HANDLE *handle, - const char *buffer, size_t count); -+LIBSSH2_API int libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *handle); - - LIBSSH2_API int libssh2_sftp_close_handle(LIBSSH2_SFTP_HANDLE *handle); - #define libssh2_sftp_close(handle) libssh2_sftp_close_handle(handle) -diff --git a/src/sftp.c b/src/sftp.c -index 65fa77a..01017fd 100644 ---- a/src/sftp.c -+++ b/src/sftp.c -@@ -986,6 +986,10 @@ sftp_shutdown(LIBSSH2_SFTP *sftp) - LIBSSH2_FREE(session, sftp->symlink_packet); - sftp->symlink_packet = NULL; - } -+ if (sftp->fsync_packet) { -+ LIBSSH2_FREE(session, sftp->fsync_packet); -+ sftp->fsync_packet = NULL; -+ } - - sftp_packet_flush(sftp); - -@@ -2014,6 +2018,99 @@ libssh2_sftp_write(LIBSSH2_SFTP_HANDLE *hnd, const char *buffer, - - } - -+static int sftp_fsync(LIBSSH2_SFTP_HANDLE *handle) -+{ -+ LIBSSH2_SFTP *sftp = handle->sftp; -+ LIBSSH2_CHANNEL *channel = sftp->channel; -+ LIBSSH2_SESSION *session = channel->session; -+ /* 34 = packet_len(4) + packet_type(1) + request_id(4) + -+ string_len(4) + strlen("fsync@openssh.com")(17) + handle_len(4) */ -+ uint32_t packet_len = handle->handle_len + 34; -+ size_t data_len; -+ unsigned char *packet, *s, *data; -+ ssize_t rc; -+ uint32_t retcode; -+ -+ if (sftp->fsync_state == libssh2_NB_state_idle) { -+ _libssh2_debug(session, LIBSSH2_TRACE_SFTP, -+ "Issuing fsync command"); -+ s = packet = LIBSSH2_ALLOC(session, packet_len); -+ if (!packet) { -+ return _libssh2_error(session, LIBSSH2_ERROR_ALLOC, -+ "Unable to allocate memory for FXP_EXTENDED " -+ "packet"); -+ } -+ -+ _libssh2_store_u32(&s, packet_len - 4); -+ *(s++) = SSH_FXP_EXTENDED; -+ sftp->fsync_request_id = sftp->request_id++; -+ _libssh2_store_u32(&s, sftp->fsync_request_id); -+ _libssh2_store_str(&s, "fsync@openssh.com", 17); -+ _libssh2_store_str(&s, handle->handle, handle->handle_len); -+ -+ sftp->fsync_state = libssh2_NB_state_created; -+ } else { -+ packet = sftp->fsync_packet; -+ } -+ -+ if (sftp->fsync_state == libssh2_NB_state_created) { -+ rc = _libssh2_channel_write(channel, 0, packet, packet_len); -+ if (rc == LIBSSH2_ERROR_EAGAIN || -+ (0 <= rc && rc < (ssize_t)packet_len)) { -+ sftp->fsync_packet = packet; -+ return LIBSSH2_ERROR_EAGAIN; -+ } -+ -+ LIBSSH2_FREE(session, packet); -+ sftp->fsync_packet = NULL; -+ -+ if (rc < 0) { -+ sftp->fsync_state = libssh2_NB_state_idle; -+ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND, -+ "_libssh2_channel_write() failed"); -+ } -+ sftp->fsync_state = libssh2_NB_state_sent; -+ } -+ -+ rc = sftp_packet_require(sftp, SSH_FXP_STATUS, -+ sftp->fsync_request_id, &data, &data_len); -+ if (rc == LIBSSH2_ERROR_EAGAIN) { -+ return rc; -+ } else if (rc) { -+ sftp->fsync_state = libssh2_NB_state_idle; -+ return _libssh2_error(session, rc, -+ "Error waiting for FXP EXTENDED REPLY"); -+ } -+ -+ sftp->fsync_state = libssh2_NB_state_idle; -+ -+ retcode = _libssh2_ntohu32(data + 5); -+ LIBSSH2_FREE(session, data); -+ -+ if (retcode != LIBSSH2_FX_OK) { -+ sftp->last_errno = retcode; -+ return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, -+ "fsync failed"); -+ } -+ -+ return 0; -+} -+ -+/* libssh2_sftp_fsync -+ * Commit data on the handle to disk. -+ */ -+LIBSSH2_API int -+libssh2_sftp_fsync(LIBSSH2_SFTP_HANDLE *hnd) -+{ -+ int rc; -+ if(!hnd) -+ return LIBSSH2_ERROR_BAD_USE; -+ BLOCK_ADJUST(rc, hnd->sftp->channel->session, -+ sftp_fsync(hnd)); -+ return rc; -+} -+ -+ - /* - * sftp_fstat - * -diff --git a/src/sftp.h b/src/sftp.h -index 55bdb46..63e8139 100644 ---- a/src/sftp.h -+++ b/src/sftp.h -@@ -175,6 +175,11 @@ struct _LIBSSH2_SFTP - /* State variable used in sftp_write() */ - libssh2_nonblocking_states write_state; - -+ /* State variables used in sftp_fsync() */ -+ libssh2_nonblocking_states fsync_state; -+ unsigned char *fsync_packet; -+ uint32_t fsync_request_id; -+ - /* State variables used in libssh2_sftp_readdir() */ - libssh2_nonblocking_states readdir_state; - unsigned char *readdir_packet; --- -1.8.1.4 - diff --git a/0004-libssh2-1.8.0-CVE-2019-3858.patch b/0004-libssh2-1.8.0-CVE-2019-3858.patch new file mode 100644 index 0000000..04914c5 --- /dev/null +++ b/0004-libssh2-1.8.0-CVE-2019-3858.patch @@ -0,0 +1,30 @@ +From f06cf3a20dc3f54b7a9fc8127eb7719462caab39 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 19 Mar 2019 13:32:05 +0100 +Subject: [PATCH] Resolves: CVE-2019-3858 - fix zero-byte allocation + +... with a specially crafted SFTP packet leading to an out-of-bounds read + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch +--- + src/sftp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/sftp.c b/src/sftp.c +index 7c44116..65cef85 100644 +--- a/src/sftp.c ++++ b/src/sftp.c +@@ -345,6 +345,10 @@ sftp_packet_read(LIBSSH2_SFTP *sftp) + return _libssh2_error(session, + LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED, + "SFTP packet too large"); ++ if (sftp->partial_len == 0) ++ return _libssh2_error(session, ++ LIBSSH2_ERROR_ALLOC, ++ "Unable to allocate empty SFTP packet"); + + _libssh2_debug(session, LIBSSH2_TRACE_SFTP, + "Data begin - Packet Length: %lu", +-- +2.17.2 + diff --git a/0004-partially-revert-window_size-explicit-adjustments-on.patch b/0004-partially-revert-window_size-explicit-adjustments-on.patch deleted file mode 100644 index fe7751a..0000000 --- a/0004-partially-revert-window_size-explicit-adjustments-on.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 9e56b84c41efcaf3349f82a93c3dc854e172e5c4 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Fri, 9 Aug 2013 16:22:08 +0200 -Subject: [PATCH 4/5] partially revert "window_size: explicit adjustments only" - -This partially reverts commit 03ca9020756a4e16f0294e5b35e9826ee6af2364 -in order to fix extreme slowdown when uploading to localhost via SFTP. - -I was able to repeat the issue on RHEL-7 on localhost only. It did not -occur when uploading via network and it did not occur on a RHEL-6 box -with the same version of libssh2. - -The problem was that sftp_read() used a read-ahead logic to figure out -the window_size, but sftp_packet_read() called indirectly from -sftp_write() did not use any read-ahead logic. ---- - src/channel.c | 29 +++++++++++++++++++++++++++++ - 1 files changed, 29 insertions(+), 0 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index 4f41e1f..d4ffdce 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -1759,6 +1759,15 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - channel->read_state = libssh2_NB_state_created; - } - -+ /* -+ * =============================== NOTE =============================== -+ * I know this is very ugly and not a really good use of "goto", but -+ * this case statement would be even uglier to do it any other way -+ */ -+ if (channel->read_state == libssh2_NB_state_jump1) { -+ goto channel_read_window_adjust; -+ } -+ - rc = 1; /* set to >0 to let the while loop start */ - - /* Process all pending incoming packets in all states in order to "even -@@ -1867,6 +1876,26 @@ ssize_t _libssh2_channel_read(LIBSSH2_CHANNEL *channel, int stream_id, - more off the network again */ - channel->read_state = libssh2_NB_state_created; - -+ if(channel->remote.window_size < (LIBSSH2_CHANNEL_WINDOW_DEFAULT*30)) { -+ /* the window is getting too narrow, expand it! */ -+ -+ channel_read_window_adjust: -+ channel->read_state = libssh2_NB_state_jump1; -+ /* the actual window adjusting may not finish so we need to deal with -+ this special state here */ -+ rc = _libssh2_channel_receive_window_adjust(channel, -+ (LIBSSH2_CHANNEL_WINDOW_DEFAULT*60), 0, NULL); -+ if (rc) -+ return rc; -+ -+ _libssh2_debug(session, LIBSSH2_TRACE_CONN, -+ "channel_read() filled %d adjusted %d", -+ bytes_read, buflen); -+ /* continue in 'created' state to drain the already read packages -+ first before starting to empty the socket further */ -+ channel->read_state = libssh2_NB_state_created; -+ } -+ - return bytes_read; - } - --- -1.7.1 - diff --git a/0005-channel.c-fix-a-use-after-free.patch b/0005-channel.c-fix-a-use-after-free.patch deleted file mode 100644 index 8fa0a05..0000000 --- a/0005-channel.c-fix-a-use-after-free.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 96e1078fced70e39e4163857ad8345ae9d24573f Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Wed, 14 Aug 2013 17:37:00 +0200 -Subject: [PATCH 5/5] channel.c: fix a use after free - -Bug: https://trac.libssh2.org/ticket/268 ---- - src/channel.c | 2 -- - 1 files changed, 0 insertions(+), 2 deletions(-) - -diff --git a/src/channel.c b/src/channel.c -index d4ffdce..9f2c241 100644 ---- a/src/channel.c -+++ b/src/channel.c -@@ -670,8 +670,6 @@ int _libssh2_channel_forward_cancel(LIBSSH2_LISTENER *listener) - - LIBSSH2_FREE(session, listener); - -- listener->chanFwdCncl_state = libssh2_NB_state_idle; -- - return 0; - } - --- -1.7.1 - diff --git a/0007-libssh2-1.8.0-CVE-2019-3861.patch b/0007-libssh2-1.8.0-CVE-2019-3861.patch new file mode 100644 index 0000000..d40bb71 --- /dev/null +++ b/0007-libssh2-1.8.0-CVE-2019-3861.patch @@ -0,0 +1,28 @@ +From 77bc71f4ca2949a11110092034dd0705faa6d7b5 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 19 Mar 2019 13:43:34 +0100 +Subject: [PATCH] Resolves: CVE-2019-3861 - fix out-of-bounds reads with + specially crafted SSH packets + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch +--- + src/transport.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/transport.c b/src/transport.c +index 5349284..6224c4f 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -442,6 +442,9 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + } + + p->padding_length = block[4]; ++ if ( p->padding_length > p->packet_length - 1 ) { ++ return LIBSSH2_ERROR_DECRYPT; ++ } + + /* total_num is the number of bytes following the initial + (5 bytes) packet length and padding length fields */ +-- +2.17.2 + diff --git a/0008-libssh2-1.8.0-CVE-2019-3862.patch b/0008-libssh2-1.8.0-CVE-2019-3862.patch new file mode 100644 index 0000000..f1632a5 --- /dev/null +++ b/0008-libssh2-1.8.0-CVE-2019-3862.patch @@ -0,0 +1,75 @@ +From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 19 Mar 2019 13:45:22 +0100 +Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison + +... with specially crafted message channel request + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch +--- + src/packet.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index aa10633..c950b5d 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = _libssh2_ntohu32(data + 5); + unsigned char want_reply = 1; + +- if(len < (datalen - 10)) +- want_reply = data[9 + len]; ++ if((len + 9) < datalen) ++ want_reply = data[len + 9]; + + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, +@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + channel, len, data + 9, want_reply); + + if (len == sizeof("exit-status") - 1 ++ && (sizeof("exit-status") - 1 + 9) <= datalen + && !memcmp("exit-status", data + 9, + sizeof("exit-status") - 1)) { + +@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + channelp = + _libssh2_channel_locate(session, channel); + +- if (channelp) { ++ if (channelp && (sizeof("exit-status") + 13) <= datalen) { + channelp->exit_status = + _libssh2_ntohu32(data + 9 + sizeof("exit-status")); + _libssh2_debug(session, LIBSSH2_TRACE_CONN, +@@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + } + else if (len == sizeof("exit-signal") - 1 ++ && (sizeof("exit-signal") - 1 + 9) <= datalen + && !memcmp("exit-signal", data + 9, + sizeof("exit-signal") - 1)) { + /* command terminated due to signal */ + if(datalen >= 20) + channelp = _libssh2_channel_locate(session, channel); + +- if (channelp) { ++ if (channelp && (sizeof("exit-signal") + 13) <= datalen) { + /* set signal name (without SIG prefix) */ + uint32_t namelen = + _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); +@@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + if (!channelp->exit_signal) + rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, + "memory for signal name"); +- else { ++ else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) { + memcpy(channelp->exit_signal, +- data + 13 + sizeof("exit_signal"), namelen); ++ data + 13 + sizeof("exit-signal"), namelen); + channelp->exit_signal[namelen] = '\0'; + /* TODO: save error message and language tag */ + _libssh2_debug(session, LIBSSH2_TRACE_CONN, +-- +2.17.2 + diff --git a/0009-libssh2-1.8.0-CVE-2019-3863.patch b/0009-libssh2-1.8.0-CVE-2019-3863.patch new file mode 100644 index 0000000..77615fd --- /dev/null +++ b/0009-libssh2-1.8.0-CVE-2019-3863.patch @@ -0,0 +1,40 @@ +From 9ed3c716b63c77e9b52f71f2dae5464ade6143df Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 19 Mar 2019 13:47:41 +0100 +Subject: [PATCH] Resolves: CVE-2019-3863 - fix integer overflow in user + authenticate keyboard interactive + +... that allows out-of-bounds writes + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch +--- + src/userauth.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/userauth.c b/src/userauth.c +index 3946cf9..ee924c5 100644 +--- a/src/userauth.c ++++ b/src/userauth.c +@@ -1808,8 +1808,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, + + for(i = 0; i < session->userauth_kybd_num_prompts; i++) { + /* string response[1] (ISO-10646 UTF-8) */ +- session->userauth_kybd_packet_len += +- 4 + session->userauth_kybd_responses[i].length; ++ if(session->userauth_kybd_responses[i].length <= ++ (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) { ++ session->userauth_kybd_packet_len += ++ 4 + session->userauth_kybd_responses[i].length; ++ } ++ else { ++ _libssh2_error(session, LIBSSH2_ERROR_ALLOC, ++ "Unable to allocate memory for keyboard-" ++ "interactive response packet"); ++ goto cleanup; ++ } + } + + /* A new userauth_kybd_data area is to be allocated, free the +-- +2.17.2 + diff --git a/0010-libssh2-1.8.0-CVE-2019-17498.patch b/0010-libssh2-1.8.0-CVE-2019-17498.patch new file mode 100644 index 0000000..319e1fd --- /dev/null +++ b/0010-libssh2-1.8.0-CVE-2019-17498.patch @@ -0,0 +1,232 @@ +From 1ea36437bb4b0f3ac42db5222cd7311363fa6ec9 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Fri, 30 Aug 2019 09:57:38 -0700 +Subject: [PATCH] packet.c: improve message parsing (#402) + +* packet.c: improve parsing of packets + +file: packet.c + +notes: +Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST. + +Upstream-commit: dedcbd106f8e52d5586b0205bc7677e4c9868f9c +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + src/misc.c | 37 +++++++++++++++++++++++ + src/misc.h | 10 +++++++ + src/packet.c | 84 ++++++++++++++++++++++++---------------------------- + 3 files changed, 85 insertions(+), 46 deletions(-) + +diff --git a/src/misc.c b/src/misc.c +index f7faae7..1b2682f 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -643,3 +643,40 @@ void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size) + } + return p; + } ++ ++int _libssh2_check_length(struct string_buf *buf, size_t len) ++{ ++ unsigned char *endp = &buf->data[buf->len]; ++ size_t left = endp - buf->dataptr; ++ return ((len <= left) && (left <= buf->len)); ++} ++ ++int _libssh2_get_u32(struct string_buf *buf, uint32_t *out) ++{ ++ if(!_libssh2_check_length(buf, 4)) { ++ return -1; ++ } ++ ++ *out = _libssh2_ntohu32(buf->dataptr); ++ buf->dataptr += 4; ++ return 0; ++} ++ ++int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf, ++ size_t *outlen) ++{ ++ uint32_t data_len; ++ if(_libssh2_get_u32(buf, &data_len) != 0) { ++ return -1; ++ } ++ if(!_libssh2_check_length(buf, data_len)) { ++ return -1; ++ } ++ *outbuf = buf->dataptr; ++ buf->dataptr += data_len; ++ ++ if(outlen) ++ *outlen = (size_t)data_len; ++ ++ return 0; ++} +diff --git a/src/misc.h b/src/misc.h +index 54ae546..cf5abb5 100644 +--- a/src/misc.h ++++ b/src/misc.h +@@ -49,6 +49,12 @@ struct list_node { + struct list_head *head; + }; + ++struct string_buf { ++ unsigned char *data; ++ unsigned char *dataptr; ++ size_t len; ++}; ++ + int _libssh2_error_flags(LIBSSH2_SESSION* session, int errcode, const char* errmsg, int errflags); + int _libssh2_error(LIBSSH2_SESSION* session, int errcode, const char* errmsg); + +@@ -80,6 +86,10 @@ void _libssh2_store_u32(unsigned char **buf, uint32_t value); + void _libssh2_store_str(unsigned char **buf, const char *str, size_t len); + void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size); + ++int _libssh2_get_u32(struct string_buf *buf, uint32_t *out); ++int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf, ++ size_t *outlen); ++ + #if defined(LIBSSH2_WIN32) && !defined(__MINGW32__) && !defined(__CYGWIN__) + /* provide a private one */ + #undef HAVE_GETTIMEOFDAY +diff --git a/src/packet.c b/src/packet.c +index c950b5d..f180b77 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -416,10 +416,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + size_t datalen, int macstate) + { + int rc = 0; +- char *message=NULL; +- char *language=NULL; +- size_t message_len=0; +- size_t language_len=0; ++ unsigned char *message = NULL; ++ unsigned char *language = NULL; ++ size_t message_len = 0; ++ size_t language_len = 0; + LIBSSH2_CHANNEL *channelp = NULL; + size_t data_head = 0; + unsigned char msg = data[0]; +@@ -430,7 +430,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + "Packet type %d received, length=%d", + (int) msg, (int) datalen); + +- if ((macstate == LIBSSH2_MAC_INVALID) && ++ if((macstate == LIBSSH2_MAC_INVALID) && + (!session->macerror || + LIBSSH2_MACERROR(session, (char *) data, datalen))) { + /* Bad MAC input, but no callback set or non-zero return from the +@@ -456,9 +456,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + break; + } + +- if (session->packAdd_state == libssh2_NB_state_allocated) { ++ if(session->packAdd_state == libssh2_NB_state_allocated) { + /* A couple exceptions to the packet adding rule: */ +- switch (msg) { ++ switch(msg) { + + /* + byte SSH_MSG_DISCONNECT +@@ -469,32 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + case SSH_MSG_DISCONNECT: + if(datalen >= 5) { +- size_t reason = _libssh2_ntohu32(data + 1); +- +- if(datalen >= 9) { +- message_len = _libssh2_ntohu32(data + 5); +- +- if(message_len < datalen-13) { +- /* 9 = packet_type(1) + reason(4) + message_len(4) */ +- message = (char *) data + 9; +- +- language_len = _libssh2_ntohu32(data + 9 + message_len); +- language = (char *) data + 9 + message_len + 4; +- +- if(language_len > (datalen-13-message_len)) { +- /* bad input, clear info */ +- language = message = NULL; +- language_len = message_len = 0; +- } +- } +- else +- /* bad size, clear it */ +- message_len=0; +- } +- if (session->ssh_msg_disconnect) { +- LIBSSH2_DISCONNECT(session, reason, message, +- message_len, language, language_len); ++ uint32_t reason = 0; ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr++; /* advance past type */ ++ ++ _libssh2_get_u32(&buf, &reason); ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); ++ ++ if(session->ssh_msg_disconnect) { ++ LIBSSH2_DISCONNECT(session, reason, (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } ++ + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, + "Disconnect(%d): %s(%s)", reason, + message, language); +@@ -534,23 +525,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + int always_display= data[1]; + + if(datalen >= 6) { +- message_len = _libssh2_ntohu32(data + 2); +- +- if(message_len <= (datalen - 10)) { +- /* 6 = packet_type(1) + display(1) + message_len(4) */ +- message = (char *) data + 6; +- language_len = _libssh2_ntohu32(data + 6 + message_len); +- +- if(language_len <= (datalen - 10 - message_len)) +- language = (char *) data + 10 + message_len; +- } ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr += 2; /* advance past type & always display */ ++ ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + } + +- if (session->ssh_msg_debug) { +- LIBSSH2_DEBUG(session, always_display, message, +- message_len, language, language_len); ++ if(session->ssh_msg_debug) { ++ LIBSSH2_DEBUG(session, always_display, ++ (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } + } ++ + /* + * _libssh2_debug will actually truncate this for us so + * that it's not an inordinate about of data +@@ -573,7 +565,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len =0; + unsigned char want_reply=0; + len = _libssh2_ntohu32(data + 1); +- if(datalen >= (6 + len)) { ++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { + want_reply = data[5 + len]; + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, +-- +2.20.1 + diff --git a/0014-libssh2-1.4.3-scp-remote-exec.patch b/0014-libssh2-1.4.3-scp-remote-exec.patch new file mode 100644 index 0000000..971a7c9 --- /dev/null +++ b/0014-libssh2-1.4.3-scp-remote-exec.patch @@ -0,0 +1,48 @@ +From 9506e299fa5116aa8c4c626e6de1feaed9ff9ff8 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 11 Sep 2017 21:13:45 +0200 +Subject: [PATCH] scp: do not NUL-terminate the command for remote exec (#208) + +It breaks SCP download/upload from/to certain server implementations. + +The bug does not manifest with OpenSSH, which silently drops the NUL +byte (eventually with any garbage that follows the NUL byte) before +executing it. + +Bug: https://bugzilla.redhat.com/1489736 + +Upstream-commit: 819ef4f2037490b6aa2e870aea851b6364184090 +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + src/scp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/scp.c b/src/scp.c +index f3d4995..c6451bc 100644 +--- a/src/scp.c ++++ b/src/scp.c +@@ -303,8 +303,8 @@ scp_recv(LIBSSH2_SESSION * session, const char *path, libssh2_struct_stat * sb) + &session->scpRecv_command[cmd_len], + session->scpRecv_command_len - cmd_len); + +- session->scpRecv_command[cmd_len] = '\0'; +- session->scpRecv_command_len = cmd_len + 1; ++ /* the command to exec should _not_ be NUL-terminated */ ++ session->scpRecv_command_len = cmd_len; + + _libssh2_debug(session, LIBSSH2_TRACE_SCP, + "Opening channel for SCP receive"); +@@ -845,8 +845,8 @@ scp_send(LIBSSH2_SESSION * session, const char *path, int mode, + &session->scpSend_command[cmd_len], + session->scpSend_command_len - cmd_len); + +- session->scpSend_command[cmd_len] = '\0'; +- session->scpSend_command_len = cmd_len + 1; ++ /* the command to exec should _not_ be NUL-terminated */ ++ session->scpSend_command_len = cmd_len; + + _libssh2_debug(session, LIBSSH2_TRACE_SCP, + "Opening channel for SCP send"); +-- +2.13.5 + diff --git a/0015-libssh2-1.4.3-debug-msgs.patch b/0015-libssh2-1.4.3-debug-msgs.patch new file mode 100644 index 0000000..034f337 --- /dev/null +++ b/0015-libssh2-1.4.3-debug-msgs.patch @@ -0,0 +1,70 @@ +From c1bbc2d6b0708dcb1fd014554585296b0ba25a43 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 9 Oct 2017 17:35:51 +0200 +Subject: [PATCH] session: avoid printing misleading debug messages + +... while throwing LIBSSH2_ERROR_EAGAIN out of session_startup() + +If the session runs in blocking mode, LIBSSH2_ERROR_EAGAIN never reaches +the libssh2 API boundary and, in non-blocking mode, these messages are +suppressed by the condition in _libssh2_error_flags() anyway. + +Closes #211 + +Upstream-commit: 712c6cbdd2f1b509f586aea5889a5c1deb7c9bda +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + src/session.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/src/session.c b/src/session.c +index 9838d2b..62ef70d 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -703,7 +703,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) + + if (session->startup_state == libssh2_NB_state_created) { + rc = banner_send(session); +- if (rc) { ++ if (rc == LIBSSH2_ERROR_EAGAIN) ++ return rc; ++ else if (rc) { + return _libssh2_error(session, rc, + "Failed sending banner"); + } +@@ -714,7 +716,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) + if (session->startup_state == libssh2_NB_state_sent) { + do { + rc = banner_receive(session); +- if (rc) ++ if (rc == LIBSSH2_ERROR_EAGAIN) ++ return rc; ++ else if (rc) + return _libssh2_error(session, rc, + "Failed getting banner"); + } while(strncmp("SSH-", (char *)session->remote.banner, 4)); +@@ -724,7 +728,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) + + if (session->startup_state == libssh2_NB_state_sent1) { + rc = _libssh2_kex_exchange(session, 0, &session->startup_key_state); +- if (rc) ++ if (rc == LIBSSH2_ERROR_EAGAIN) ++ return rc; ++ else if (rc) + return _libssh2_error(session, rc, + "Unable to exchange encryption keys"); + +@@ -749,7 +755,9 @@ session_startup(LIBSSH2_SESSION *session, libssh2_socket_t sock) + rc = _libssh2_transport_send(session, session->startup_service, + sizeof("ssh-userauth") + 5 - 1, + NULL, 0); +- if (rc) { ++ if (rc == LIBSSH2_ERROR_EAGAIN) ++ return rc; ++ else if (rc) { + return _libssh2_error(session, rc, + "Unable to ask for ssh-userauth service"); + } +-- +2.13.6 + @@ -1,4 +1,4 @@ SRCDIR := $(shell pwd) NAME := $(shell basename $(SRCDIR)) -include ../common/Makefile +include ../../common/Makefile diff --git a/libssh2-1.4.2-utf8.patch b/libssh2-1.4.2-utf8.patch deleted file mode 100644 index 9177691..0000000 --- a/libssh2-1.4.2-utf8.patch +++ /dev/null @@ -1,14 +0,0 @@ - NEWS | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - ---- libssh2/NEWS -+++ libssh2/NEWS -@@ -3552,7 +3552,7 @@ Simon Josefsson (16 Nov 2009) - - support arcfour128 cipher per RFC 4345 - - Daniel Stenberg (21 Oct 2009) --- [Cristian Rodríguez brought this change] -+- [Cristian RodrÃguez brought this change] - - add support for GCC visibility features - diff --git a/libssh2.spec b/libssh2.spec index d9f88a4..f704268 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,42 +1,57 @@ -# Fedora 10 onwards support noarch subpackages; by using one, we can -# put the arch-independent docs in a common subpackage and save lots -# of space on the mirrors -%if 0%{?fedora} > 9 || 0%{?rhel} > 5 -%global noarch_docs_package 1 -%else -%global noarch_docs_package 0 -%endif +Name: libssh2 +Version: 1.8.0 +Release: 4%{?dist} +Summary: A library implementing the SSH2 protocol +Group: System Environment/Libraries +License: BSD +URL: http://www.libssh2.org/ +Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz + +# fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) +Patch1: 0001-libssh2-1.8.0-CVE-2019-3855.patch + +# fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) +Patch2: 0002-libssh2-1.8.0-CVE-2019-3856.patch + +# fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) +Patch3: 0003-libssh2-1.8.0-CVE-2019-3857.patch + +# fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858) +Patch4: 0004-libssh2-1.8.0-CVE-2019-3858.patch + +# fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861) +Patch7: 0007-libssh2-1.8.0-CVE-2019-3861.patch + +# fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862) +Patch8: 0008-libssh2-1.8.0-CVE-2019-3862.patch -# Define %%{__isa_bits} for old releases -%{!?__isa_bits: %global __isa_bits %((echo '#include <bits/wordsize.h>'; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} - -Name: libssh2 -Version: 1.4.3 -Release: 8%{?dist}.1 -Summary: A library implementing the SSH2 protocol -Group: System Environment/Libraries -License: BSD -URL: http://www.libssh2.org/ -Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz -Patch0: libssh2-1.4.2-utf8.patch -Patch1: 0001-sftp-seek-Don-t-flush-buffers-on-same-offset.patch -Patch2: 0002-sftp-statvfs-Along-error-path-reset-the-correct-stat.patch -Patch3: 0003-sftp-Add-support-for-fsync-OpenSSH-extension.patch -Patch4: 0004-partially-revert-window_size-explicit-adjustments-on.patch -Patch5: 0005-channel.c-fix-a-use-after-free.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) -BuildRequires: openssl-devel -BuildRequires: zlib-devel -BuildRequires: /usr/bin/man +# fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863) +Patch9: 0009-libssh2-1.8.0-CVE-2019-3863.patch + +# fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498) +Patch10: 0010-libssh2-1.8.0-CVE-2019-17498.patch + +Patch14: 0014-libssh2-1.4.3-scp-remote-exec.patch +Patch15: 0015-libssh2-1.4.3-debug-msgs.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) + +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: gcc +BuildRequires: make +BuildRequires: openssl-devel +BuildRequires: sed +BuildRequires: zlib-devel +BuildRequires: /usr/bin/man # Test suite requirements - we run the OpenSSH server and try to connect to it -BuildRequires: openssh-server +BuildRequires: openssh-server # We use matchpathcon to get the correct SELinux context for the ssh server # initialization script so that it can transition correctly in an SELinux -# environment; matchpathcon is only available from FC-4 and moved from the -# libselinux to libselinux-utils package in F-10 -%if (0%{?fedora} >= 4 || 0%{?rhel} >= 5) && !(0%{?fedora} >=17 || 0%{?rhel} >=7) -BuildRequires: /usr/sbin/matchpathcon selinux-policy-targeted +# environment +%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) +BuildRequires: libselinux-utils +BuildRequires: selinux-policy-targeted %endif %description @@ -45,49 +60,46 @@ Internet Drafts: SECSH-TRANS(22), SECSH-USERAUTH(25), SECSH-CONNECTION(23), SECSH-ARCH(20), SECSH-FILEXFER(06)*, SECSH-DHGEX(04), and SECSH-NUMBERS(10). -%package devel -Summary: Development files for libssh2 -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} -Requires: openssl-devel -Requires: pkgconfig +%package devel +Summary: Development files for libssh2 +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig -%description devel +%description devel The libssh2-devel package contains libraries and header files for developing applications that use libssh2. -%package docs -Summary: Documentation for libssh2 -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} -%if %{noarch_docs_package} -BuildArch: noarch -%endif +%package docs +Summary: Documentation for libssh2 +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +BuildArch: noarch -%description docs +%description docs The libssh2-docs package contains man pages and examples for developing applications that use libssh2. %prep %setup -q - -# Replace hard wired port number in the test suite to avoid collisions -# between 32-bit and 64-bit builds running on a single build-host -sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} - -# Make sure things are UTF-8... -%patch0 -p1 - -# Three upstream patches required for qemu ssh block driver. %patch1 -p1 %patch2 -p1 %patch3 -p1 - -# http://thread.gmane.org/gmane.network.ssh.libssh2.devel/6428 %patch4 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 + +# Replace hard wired port number in the test suite to avoid collisions +# between 32-bit and 64-bit builds running on a single build-host +sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh} + +# scp: send valid commands for remote execution (#1489733) +%patch14 -p1 -# https://trac.libssh2.org/ticket/268 -%patch5 -p1 +# session: avoid printing misleading debug messages (#1503294) +%patch15 -p1 # Make sshd transition appropriately if building in an SELinux environment %if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7) @@ -97,7 +109,7 @@ chcon $(/usr/sbin/matchpathcon -n /etc/ssh/ssh_host_key) tests/etc/{host,user} | %endif %build -%configure --disable-static --enable-shared +%configure --disable-silent-rules --disable-static --enable-shared make %{?_smp_mflags} # Avoid polluting libssh2.pc with linker options (#947813) @@ -106,17 +118,18 @@ sed -i -e 's|[[:space:]]-Wl,[^[:space:]]*||' libssh2.pc %install rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" -find %{buildroot} -name '*.la' -exec rm -f {} \; +find %{buildroot} -name '*.la' -delete # clean things up a bit for packaging make -C example clean rm -rf example/.deps -find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -exec rm -v {} \; +find example/ -type f '(' -name '*.am' -o -name '*.in' ')' -delete # avoid multilib conflict on libssh2-devel mv -v example example.%{_arch} %check +echo "Running tests for %{_arch}" # The SSH test will fail if we don't have /dev/tty, as is the case in some # versions of mock (#672713) if [ ! -c /dev/tty ]; then @@ -128,6 +141,11 @@ fi echo Skipping SSH test on sparc/arm echo "exit 0" > tests/ssh2.sh %endif +# mansyntax check fails on PPC* and aarch64 with some strange locale error +%ifarch ppc %{power64} aarch64 +echo "Skipping mansyntax test on PPC* and aarch64" +echo "exit 0" > tests/mansyntax.sh +%endif make -C tests check %clean @@ -138,18 +156,15 @@ rm -rf %{buildroot} %postun -p /sbin/ldconfig %files -%defattr(-,root,root,-) -%doc AUTHORS ChangeLog COPYING README NEWS +%doc COPYING docs/AUTHORS README RELEASE-NOTES %{_libdir}/libssh2.so.1 %{_libdir}/libssh2.so.1.* %files docs -%defattr(-,root,root,-) -%doc HACKING +%doc docs/BINDINGS docs/HACKING docs/TODO NEWS %{_mandir}/man3/libssh2_*.3* %files devel -%defattr(-,root,root,-) %doc example.%{_arch}/ %{_includedir}/libssh2.h %{_includedir}/libssh2_publickey.h @@ -158,16 +173,172 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog -* Sat Dec 20 2014 Remi Collet <RPMS@FamilleCollet.com> 1.4.3-8.1 -- libssh2-devel requires openssl-devel - -* Sat Dec 20 2014 Remi Collet <RPMS@FamilleCollet.com> 1.4.3-8 -- sync with 1.4.3-8 from RHEL-7 -- ABI is compatible according to ABI compliance checker - http://upstream.rosalinux.ru/versions/libssh2.html - -* Sun Jul 24 2011 Remi Collet <RPMS@FamilleCollet.com> 1.2.7-1 -- rebuild for remi repo (EL-5) +* Wed Oct 30 2019 Kamil Dudka <kdudka@redhat.com> - 1.8.0-4 +- fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498) + +* Wed Mar 20 2019 Kamil Dudka <kdudka@redhat.com> 1.8.0-3 +- sanitize public header file (detected by rpmdiff) + +* Tue Mar 19 2019 Kamil Dudka <kdudka@redhat.com> 1.8.0-2 +- fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863) +- fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862) +- fix out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861) +- fix zero-byte allocation in SFTP packet processing resulting in out-of-bounds read (CVE-2019-3858) +- fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) +- fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) +- fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) + +* Wed Nov 21 2018 Kamil Dudka <kdudka@redhat.com> 1.8.0-1 +- rebase to 1.8.0 (#1592784) + +* Tue Sep 26 2017 Kamil Dudka <kdudka@redhat.com> 1.4.3-12 +- session: avoid printing misleading debug messages (#1503294) +- scp: send valid commands for remote execution (#1489733) + +* Fri Feb 19 2016 Kamil Dudka <kdudka@redhat.com> 1.4.3-11 +- use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787) + +* Mon Jun 01 2015 Kamil Dudka <kdudka@redhat.com> 1.4.3-10 +- check length of data extracted from the SSH_MSG_KEXINIT packet (CVE-2015-1782) + +* Tue May 05 2015 Kamil Dudka <kdudka@redhat.com> 1.4.3-9 +- curl consumes too much memory during scp download (#1080459) +- prevent a not-connected agent from closing STDIN (#1147717) + +* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.4.3-8 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.4.3-7 +- Mass rebuild 2013-12-27 + +* Wed Aug 14 2013 Kamil Dudka <kdudka@redhat.com> 1.4.3-6 +- fix very slow sftp upload to localhost +- fix a use after free in channel.c + +* Tue Apr 9 2013 Richard W.M. Jones <rjones@redhat.com> 1.4.3-5 +- Add three patches from upstream git required for qemu ssh block driver. + +* Wed Apr 3 2013 Paul Howarth <paul@city-fan.org> 1.4.3-4 +- Avoid polluting libssh2.pc with linker options (#947813) + +* Tue Mar 26 2013 Kamil Dudka <kdudka@redhat.com> 1.4.3-3 +- Avoid collisions between 32-bit and 64-bit builds running on a single build + host + +* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Nov 28 2012 Paul Howarth <paul@city-fan.org> 1.4.3-1 +- Update to 1.4.3 + - compression: add support for zlib@openssh.com + - sftp_read: return error if a too large package arrives + - libssh2_hostkey_hash.3: update the description of return value + - Fixed MSVC NMakefile + - examples: use stderr for messages, stdout for data + - openssl: do not leak memory when handling errors + - improved handling of disabled MD5 algorithm in OpenSSL + - known_hosts: Fail when parsing unknown keys in known_hosts file + - configure: gcrypt doesn't come with pkg-config support + - session_free: wrong variable used for keeping state + - libssh2_userauth_publickey_fromfile_ex.3: mention publickey == NULL + - comp_method_zlib_decomp: handle Z_BUF_ERROR when inflating +- Drop upstreamed patches + +* Wed Nov 07 2012 Kamil Dudka <kdudka@redhat.com> 1.4.2-4 +- examples: use stderr for messages, stdout for data (upstream commit b31e35ab) +- Update libssh2_hostkey_hash(3) man page (upstream commit fe8f3deb) + +* Wed Sep 26 2012 Kamil Dudka <kdudka@redhat.com> 1.4.2-3 +- Fix basic functionality of libssh2 in FIPS mode +- Skip SELinux-related quirks on recent distros to prevent a test-suite failure + +* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sun May 20 2012 Paul Howarth <paul@city-fan.org> 1.4.2-1 +- Update to 1.4.2 + - Return LIBSSH2_ERROR_SOCKET_DISCONNECT on EOF when reading banner + - userauth.c: fread() from public key file to correctly detect any errors + - configure.ac: add option to disable build of the example applications + - added 'Requires.private:' line to libssh2.pc + - SFTP: filter off incoming "zombie" responses + - gettimeofday: no need for a replacement under cygwin + - SSH_MSG_CHANNEL_REQUEST: default to want_reply + - win32/libssh2_config.h: remove hardcoded #define LIBSSH2_HAVE_ZLIB + +* Fri Apr 27 2012 Paul Howarth <paul@city-fan.org> 1.4.1-2 +- Fix multi-arch conflict again (#816969) + +* Thu Apr 5 2012 Paul Howarth <paul@city-fan.org> 1.4.1-1 +- Update to 1.4.1 + - Build error with gcrypt backend + - Always do "forced" window updates to avoid corner case stalls + - aes: the init function fails when OpenSSL has AES support + - transport_send: finish in-progress key exchange before sending data + - channel_write: acknowledge transport errors + - examples/x11.c: make sure sizeof passed to read operation is correct + - examples/x11.c: fix suspicious sizeof usage + - sftp_packet_add: verify the packet before accepting it + - SFTP: preserve the original error code more + - sftp_packet_read: adjust window size as necessary + - Use safer snprintf rather then sprintf in several places + - Define and use LIBSSH2_INVALID_SOCKET instead of INVALID_SOCKET + - sftp_write: cannot return acked data *and* EAGAIN + - sftp_read: avoid data *and* EAGAIN + - libssh2.h: add missing prototype for libssh2_session_banner_set() +- Drop upstream patches now included in release tarball + +* Mon Mar 19 2012 Kamil Dudka <kdudka@redhat.com> 1.4.0-4 +- Don't ignore transport errors when writing to channel (#804150) + +* Sun Mar 18 2012 Paul Howarth <paul@city-fan.org> 1.4.0-3 +- Don't try to use openssl's AES-CTR functions + (http://www.libssh2.org/mail/libssh2-devel-archive-2012-03/0111.shtml) + +* Fri Mar 16 2012 Paul Howarth <paul@city-fan.org> 1.4.0-2 +- fix libssh2 failing key re-exchange when write channel is saturated (#804156) +- drop %%defattr, redundant since rpm 4.4 + +* Wed Feb 1 2012 Paul Howarth <paul@city-fan.org> 1.4.0-1 +- update to 1.4.0 + - added libssh2_session_supported_algs() + - added libssh2_session_banner_get() + - added libssh2_sftp_get_channel() + - libssh2.h: bump the default window size to 256K + - sftp-seek: clear EOF flag + - userauth: provide more informations if ssh pub key extraction fails + - ssh2_exec: skip error outputs for EAGAIN + - LIBSSH2_SFTP_PACKET_MAXLEN: increase to 80000 + - knownhost_check(): don't dereference ext if NULL is passed + - knownhost_add: avoid dereferencing uninitialized memory on error path + - OpenSSL EVP: fix threaded use of structs + - _libssh2_channel_read: react on errors from receive_window_adjust + - sftp_read: cap the read ahead maximum amount + - _libssh2_channel_read: fix non-blocking window adjusting +- add upstream patch fixing undefined function reference in libgcrypt backend +- BR: /usr/bin/man for test suite + +* Sun Jan 15 2012 Peter Robinson <pbrobinson@fedoraproject.org> 1.3.0-4 +- skip the ssh test on ARM too + +* Fri Jan 13 2012 Paul Howarth <paul@city-fan.org> 1.3.0-3 +- make docs package noarch where possible +- example includes arch-specific bits, so move to devel package +- use patch rather than scripted iconv to fix character encoding +- don't make assumptions about SELinux context types used for the ssh server + in the test suite +- skip the ssh test if /dev/tty isn't present, as in some versions of mock +- make the %%files list more explicit +- use tabs for indentation + +* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> 1.3.0-2 +- rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Sep 08 2011 Kamil Dudka <kdudka@redhat.com> 1.3.0-1 +- update to 1.3.0 + +* Sat Jun 25 2011 Dennis Gilmore <dennis@ausil.us> 1.2.7-2 +- sshd/loopback test fails in the sparc buildsystem * Tue Oct 12 2010 Kamil Dudka <kdudka@redhat.com> 1.2.7-1 - update to 1.2.7 (#632916) |