diff options
author | Max Rees <maxcrees@me.com> | 2019-10-16 15:37:53 -0500 |
---|---|---|
committer | Max Rees <maxcrees@me.com> | 2019-10-16 15:37:53 -0500 |
commit | d0662304fe347ff070315f82da4ffd63e7e5a3cd (patch) | |
tree | 18e7e1fe27cea92669385e16c2bb0adc80495647 | |
parent | e61f79983d1f626916f5f67e54b9d2ffecf4b2ee (diff) | |
download | packages-d0662304fe347ff070315f82da4ffd63e7e5a3cd.tar.gz packages-d0662304fe347ff070315f82da4ffd63e7e5a3cd.tar.bz2 packages-d0662304fe347ff070315f82da4ffd63e7e5a3cd.tar.xz packages-d0662304fe347ff070315f82da4ffd63e7e5a3cd.zip |
system/libssh2: patch CVE-2019-17498
-rw-r--r-- | system/libssh2/APKBUILD | 12 | ||||
-rw-r--r-- | system/libssh2/CVE-2019-17498.patch | 210 |
2 files changed, 219 insertions, 3 deletions
diff --git a/system/libssh2/APKBUILD b/system/libssh2/APKBUILD index 401fa2cf0..010c6834d 100644 --- a/system/libssh2/APKBUILD +++ b/system/libssh2/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=libssh2 pkgver=1.9.0 -pkgrel=0 +pkgrel=1 pkgdesc="Library for accessing SSH servers" url="https://libssh2.org/" arch="all" @@ -11,7 +11,12 @@ checkdepends="openssh-server" makedepends="openssl-dev zlib-dev" subpackages="$pkgname-dev $pkgname-doc" source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz - test-sshd.patch" + test-sshd.patch + CVE-2019-17498.patch" + +# secfixes: +# 1.9.0-r1: +# - CVE-2019-17498 build() { ./configure \ @@ -35,4 +40,5 @@ package() { } sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz -eef3c43184d53a3c655915ad61d182a88d9cced75ba8f8dde73ccf771ff4aeaa0f26e95aeb53601d7c47d96a2421c98678e9baf497f3883faa4427a091eea62c test-sshd.patch" +eef3c43184d53a3c655915ad61d182a88d9cced75ba8f8dde73ccf771ff4aeaa0f26e95aeb53601d7c47d96a2421c98678e9baf497f3883faa4427a091eea62c test-sshd.patch +102542a2023d53f7684c99a89fa4c592ee4ababc09bc174c52cd20f7f21b4c5878a89bae7e20c3438490666b7b0758caba5cf82c2b2965e1e58e02d5c1f4ea47 CVE-2019-17498.patch" diff --git a/system/libssh2/CVE-2019-17498.patch b/system/libssh2/CVE-2019-17498.patch new file mode 100644 index 000000000..a908c9974 --- /dev/null +++ b/system/libssh2/CVE-2019-17498.patch @@ -0,0 +1,210 @@ +From b9aa7c2495694d0527e4e7fd560a3f0f18556c72 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Thu, 29 Aug 2019 15:14:19 -0700 +Subject: [PATCH 1/5] packet.c: improve parsing of packets + +file: packet.c + +notes: +Use _libssh2_get_string API in SSH_MSG_DEBUG, additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST +--- + src/packet.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 38ab6294..ac69768c 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -537,26 +537,26 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + case SSH_MSG_DEBUG: + if(datalen >= 2) { + int always_display = data[1]; +- ++ + if(datalen >= 6) { +- message_len = _libssh2_ntohu32(data + 2); +- +- if(message_len <= (datalen - 10)) { +- /* 6 = packet_type(1) + display(1) + message_len(4) */ +- message = (char *) data + 6; +- language_len = _libssh2_ntohu32(data + 6 + +- message_len); +- +- if(language_len <= (datalen - 10 - message_len)) +- language = (char *) data + 10 + message_len; +- } ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr += 2; /* advance past type & always display */ ++ ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + } + + if(session->ssh_msg_debug) { +- LIBSSH2_DEBUG(session, always_display, message, +- message_len, language, language_len); ++ LIBSSH2_DEBUG(session, always_display, ++ (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } + } ++ + /* + * _libssh2_debug will actually truncate this for us so + * that it's not an inordinate about of data +@@ -579,7 +579,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = 0; + unsigned char want_reply = 0; + len = _libssh2_ntohu32(data + 1); +- if(datalen >= (6 + len)) { ++ if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) { + want_reply = data[5 + len]; + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, + +From 8b3cf0b17c1b84a138bed9423a9e0743452b4de9 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Thu, 29 Aug 2019 15:15:33 -0700 +Subject: [PATCH 2/5] stray whitespace + +--- + src/packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/packet.c b/src/packet.c +index ac69768c..8908b2c5 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -537,7 +537,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + case SSH_MSG_DEBUG: + if(datalen >= 2) { + int always_display = data[1]; +- ++ + if(datalen >= 6) { + struct string_buf buf; + buf.data = (unsigned char *)data; + +From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Thu, 29 Aug 2019 15:24:22 -0700 +Subject: [PATCH 3/5] fixed type issue, updated SSH_MSG_DISCONNECT + +SSH_MSG_DISCONNECT now also uses _libssh2_get API. +--- + src/packet.c | 40 +++++++++++++++------------------------- + 1 file changed, 15 insertions(+), 25 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 8908b2c5..97f0cdd4 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + size_t datalen, int macstate) + { + int rc = 0; +- char *message = NULL; +- char *language = NULL; ++ unsigned char *message = NULL; ++ unsigned char *language = NULL; + size_t message_len = 0; + size_t language_len = 0; + LIBSSH2_CHANNEL *channelp = NULL; +@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + case SSH_MSG_DISCONNECT: + if(datalen >= 5) { +- size_t reason = _libssh2_ntohu32(data + 1); ++ uint32_t reason = 0; ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr++; /* advance past type */ + +- if(datalen >= 9) { +- message_len = _libssh2_ntohu32(data + 5); ++ _libssh2_get_u32(&buf, &reason); ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + +- if(message_len < datalen-13) { +- /* 9 = packet_type(1) + reason(4) + message_len(4) */ +- message = (char *) data + 9; +- +- language_len = +- _libssh2_ntohu32(data + 9 + message_len); +- language = (char *) data + 9 + message_len + 4; +- +- if(language_len > (datalen-13-message_len)) { +- /* bad input, clear info */ +- language = message = NULL; +- language_len = message_len = 0; +- } +- } +- else +- /* bad size, clear it */ +- message_len = 0; +- } + if(session->ssh_msg_disconnect) { +- LIBSSH2_DISCONNECT(session, reason, message, +- message_len, language, language_len); ++ LIBSSH2_DISCONNECT(session, reason, (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } ++ + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, + "Disconnect(%d): %s(%s)", reason, + message, language); + +From 77616117cc9dbbdd0fe1157098435bff73a83a0f Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Thu, 29 Aug 2019 15:26:32 -0700 +Subject: [PATCH 4/5] fixed stray ( + +bad paste +--- + src/packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/packet.c b/src/packet.c +index 97f0cdd4..bd4c39e4 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = 0; + unsigned char want_reply = 0; + len = _libssh2_ntohu32(data + 1); +- if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) { ++ if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) { + want_reply = data[5 + len]; + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, + +From 436c45dc143cadc8c59afac6c4255be332856581 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Thu, 29 Aug 2019 15:29:00 -0700 +Subject: [PATCH 5/5] added additional parentheses for clarity + +--- + src/packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/packet.c b/src/packet.c +index bd4c39e4..2e01bfc5 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = 0; + unsigned char want_reply = 0; + len = _libssh2_ntohu32(data + 1); +- if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) { ++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { + want_reply = data[5 + len]; + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, |