From 2c66aa8e4ec5b4bfc80f991bb2b3069b108b6121 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 2 Mar 2021 11:01:02 +0100
Subject: import from RHEL 7.7
---
0003-libssh2-1.8.0-CVE-2019-3857.patch | 124 +++++++++++++++++++++++++++++++++
1 file changed, 124 insertions(+)
create mode 100644 0003-libssh2-1.8.0-CVE-2019-3857.patch
(limited to '0003-libssh2-1.8.0-CVE-2019-3857.patch')
diff --git a/0003-libssh2-1.8.0-CVE-2019-3857.patch b/0003-libssh2-1.8.0-CVE-2019-3857.patch
new file mode 100644
index 0000000..ea264d2
--- /dev/null
+++ b/0003-libssh2-1.8.0-CVE-2019-3857.patch
@@ -0,0 +1,124 @@
+From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Tue, 19 Mar 2019 13:29:35 +0100
+Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH
+ packet processing channel
+
+... resulting in out of bounds write
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
+---
+ include/libssh2.h | 12 ++++++++++++
+ src/packet.c | 11 +++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/include/libssh2.h b/include/libssh2.h
+index 34d2842..e25c380 100644
+--- a/include/libssh2.h
++++ b/include/libssh2.h
+@@ -145,6 +145,18 @@ typedef int libssh2_socket_t;
+ #define LIBSSH2_INVALID_SOCKET -1
+ #endif /* WIN32 */
+
++#ifndef SIZE_MAX
++#if _WIN64
++#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
++#else
++#define SIZE_MAX 0xFFFFFFFF
++#endif
++#endif
++
++#ifndef UINT_MAX
++#define UINT_MAX 0xFFFFFFFF
++#endif
++
+ /*
+ * Determine whether there is small or large file support on windows.
+ */
+diff --git a/src/packet.c b/src/packet.c
+index 5f1feb8..aa10633 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -815,8 +815,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ /* set signal name (without SIG prefix) */
+ uint32_t namelen =
+ _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
+- channelp->exit_signal =
+- LIBSSH2_ALLOC(session, namelen + 1);
++
++ if(namelen <= UINT_MAX - 1) {
++ channelp->exit_signal =
++ LIBSSH2_ALLOC(session, namelen + 1);
++ }
++ else {
++ channelp->exit_signal = NULL;
++ }
++
+ if (!channelp->exit_signal)
+ rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+ "memory for signal name");
+--
+2.17.2
+
+
+From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001
+From: Michael Buckley
+Date: Mon, 18 Mar 2019 15:07:12 -0700
+Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h
+
+Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207
+Signed-off-by: Kamil Dudka
+---
+ include/libssh2.h | 12 ------------
+ src/libssh2_priv.h | 12 ++++++++++++
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/include/libssh2.h b/include/libssh2.h
+index e25c380..34d2842 100644
+--- a/include/libssh2.h
++++ b/include/libssh2.h
+@@ -145,18 +145,6 @@ typedef int libssh2_socket_t;
+ #define LIBSSH2_INVALID_SOCKET -1
+ #endif /* WIN32 */
+
+-#ifndef SIZE_MAX
+-#if _WIN64
+-#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
+-#else
+-#define SIZE_MAX 0xFFFFFFFF
+-#endif
+-#endif
+-
+-#ifndef UINT_MAX
+-#define UINT_MAX 0xFFFFFFFF
+-#endif
+-
+ /*
+ * Determine whether there is small or large file support on windows.
+ */
+diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
+index b4296a2..bb5d1a5 100644
+--- a/src/libssh2_priv.h
++++ b/src/libssh2_priv.h
+@@ -146,6 +146,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs)
+
+ #endif
+
++#ifndef SIZE_MAX
++#if _WIN64
++#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
++#else
++#define SIZE_MAX 0xFFFFFFFF
++#endif
++#endif
++
++#ifndef UINT_MAX
++#define UINT_MAX 0xFFFFFFFF
++#endif
++
+ /* RFC4253 section 6.1 Maximum Packet Length says:
+ *
+ * "All implementations MUST be able to process packets with
+--
+2.17.2
+
-- cgit
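Review bot: In the src/packet.c hunk of the embedded patch, `if(namelen <= UINT_MAX - 1)` only keeps `namelen + 1` from wrapping; nothing visible checks `namelen` against the length of the received packet, and the `exit-signal` branch of `_libssh2_packet_add` continues outside the hunk, so that is worth confirming in the patched tree. `namelen` is a `uint32_t`, while `UINT_MAX` (and the fallback `#define UINT_MAX 0xFFFFFFFF`) equals its range only where `unsigned int` is 32 bits, so I would state that next to the check, e.g. `/* namelen comes from the peer; namelen + 1 is computed in 32 bits and must not wrap to 0 */`. The fallback `SIZE_MAX` is not used by any line visible here and falls to `0xFFFFFFFF` whenever `_WIN64` is unset, which would be too small on other 64-bit targets if that branch were ever reached.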