From d0662304fe347ff070315f82da4ffd63e7e5a3cd Mon Sep 17 00:00:00 2001 From: Max Rees Date: Wed, 16 Oct 2019 15:37:53 -0500 Subject: system/libssh2: patch CVE-2019-17498 --- system/libssh2/APKBUILD | 12 ++- system/libssh2/CVE-2019-17498.patch | 210 ++++++++++++++++++++++++++++++++++++ 2 files changed, 219 insertions(+), 3 deletions(-) create mode 100644 system/libssh2/CVE-2019-17498.patch (limited to 'system') diff --git a/system/libssh2/APKBUILD b/system/libssh2/APKBUILD index 401fa2cf0..010c6834d 100644 --- a/system/libssh2/APKBUILD +++ b/system/libssh2/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox pkgname=libssh2 pkgver=1.9.0 -pkgrel=0 +pkgrel=1 pkgdesc="Library for accessing SSH servers" url="https://libssh2.org/" arch="all" @@ -11,7 +11,12 @@ checkdepends="openssh-server" makedepends="openssl-dev zlib-dev" subpackages="$pkgname-dev $pkgname-doc" source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz - test-sshd.patch" + test-sshd.patch + CVE-2019-17498.patch" + +# secfixes: +# 1.9.0-r1: +# - CVE-2019-17498 build() { ./configure \ @@ -35,4 +40,5 @@ package() { } sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz -eef3c43184d53a3c655915ad61d182a88d9cced75ba8f8dde73ccf771ff4aeaa0f26e95aeb53601d7c47d96a2421c98678e9baf497f3883faa4427a091eea62c test-sshd.patch" +eef3c43184d53a3c655915ad61d182a88d9cced75ba8f8dde73ccf771ff4aeaa0f26e95aeb53601d7c47d96a2421c98678e9baf497f3883faa4427a091eea62c test-sshd.patch +102542a2023d53f7684c99a89fa4c592ee4ababc09bc174c52cd20f7f21b4c5878a89bae7e20c3438490666b7b0758caba5cf82c2b2965e1e58e02d5c1f4ea47 CVE-2019-17498.patch" diff --git a/system/libssh2/CVE-2019-17498.patch b/system/libssh2/CVE-2019-17498.patch new file mode 100644 index 000000000..a908c9974 --- /dev/null +++ b/system/libssh2/CVE-2019-17498.patch @@ -0,0 +1,210 @@ +From b9aa7c2495694d0527e4e7fd560a3f0f18556c72 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove +Date: Thu, 29 Aug 2019 15:14:19 -0700 +Subject: [PATCH 1/5] packet.c: improve parsing of packets + +file: packet.c + +notes: +Use _libssh2_get_string API in SSH_MSG_DEBUG, additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST +--- + src/packet.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 38ab6294..ac69768c 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -537,26 +537,26 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + case SSH_MSG_DEBUG: + if(datalen >= 2) { + int always_display = data[1]; +- ++ + if(datalen >= 6) { +- message_len = _libssh2_ntohu32(data + 2); +- +- if(message_len <= (datalen - 10)) { +- /* 6 = packet_type(1) + display(1) + message_len(4) */ +- message = (char *) data + 6; +- language_len = _libssh2_ntohu32(data + 6 + +- message_len); +- +- if(language_len <= (datalen - 10 - message_len)) +- language = (char *) data + 10 + message_len; +- } ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr += 2; /* advance past type & always display */ ++ ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + } + + if(session->ssh_msg_debug) { +- LIBSSH2_DEBUG(session, always_display, message, +- message_len, language, language_len); ++ LIBSSH2_DEBUG(session, always_display, ++ (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } + } ++ + /* + * _libssh2_debug will actually truncate this for us so + * that it's not an inordinate about of data +@@ -579,7 +579,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = 0; + unsigned char want_reply = 0; + len = _libssh2_ntohu32(data + 1); +- if(datalen >= (6 + len)) { ++ if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) { + want_reply = data[5 + len]; + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, + +From 8b3cf0b17c1b84a138bed9423a9e0743452b4de9 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove +Date: Thu, 29 Aug 2019 15:15:33 -0700 +Subject: [PATCH 2/5] stray whitespace + +--- + src/packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/packet.c b/src/packet.c +index ac69768c..8908b2c5 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -537,7 +537,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + case SSH_MSG_DEBUG: + if(datalen >= 2) { + int always_display = data[1]; +- ++ + if(datalen >= 6) { + struct string_buf buf; + buf.data = (unsigned char *)data; + +From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove +Date: Thu, 29 Aug 2019 15:24:22 -0700 +Subject: [PATCH 3/5] fixed type issue, updated SSH_MSG_DISCONNECT + +SSH_MSG_DISCONNECT now also uses _libssh2_get API. +--- + src/packet.c | 40 +++++++++++++++------------------------- + 1 file changed, 15 insertions(+), 25 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 8908b2c5..97f0cdd4 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + size_t datalen, int macstate) + { + int rc = 0; +- char *message = NULL; +- char *language = NULL; ++ unsigned char *message = NULL; ++ unsigned char *language = NULL; + size_t message_len = 0; + size_t language_len = 0; + LIBSSH2_CHANNEL *channelp = NULL; +@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + case SSH_MSG_DISCONNECT: + if(datalen >= 5) { +- size_t reason = _libssh2_ntohu32(data + 1); ++ uint32_t reason = 0; ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr++; /* advance past type */ + +- if(datalen >= 9) { +- message_len = _libssh2_ntohu32(data + 5); ++ _libssh2_get_u32(&buf, &reason); ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + +- if(message_len < datalen-13) { +- /* 9 = packet_type(1) + reason(4) + message_len(4) */ +- message = (char *) data + 9; +- +- language_len = +- _libssh2_ntohu32(data + 9 + message_len); +- language = (char *) data + 9 + message_len + 4; +- +- if(language_len > (datalen-13-message_len)) { +- /* bad input, clear info */ +- language = message = NULL; +- language_len = message_len = 0; +- } +- } +- else +- /* bad size, clear it */ +- message_len = 0; +- } + if(session->ssh_msg_disconnect) { +- LIBSSH2_DISCONNECT(session, reason, message, +- message_len, language, language_len); ++ LIBSSH2_DISCONNECT(session, reason, (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } ++ + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, + "Disconnect(%d): %s(%s)", reason, + message, language); + +From 77616117cc9dbbdd0fe1157098435bff73a83a0f Mon Sep 17 00:00:00 2001 +From: Will Cosgrove +Date: Thu, 29 Aug 2019 15:26:32 -0700 +Subject: [PATCH 4/5] fixed stray ( + +bad paste +--- + src/packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/packet.c b/src/packet.c +index 97f0cdd4..bd4c39e4 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = 0; + unsigned char want_reply = 0; + len = _libssh2_ntohu32(data + 1); +- if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) { ++ if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) { + want_reply = data[5 + len]; + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, + +From 436c45dc143cadc8c59afac6c4255be332856581 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove +Date: Thu, 29 Aug 2019 15:29:00 -0700 +Subject: [PATCH 5/5] added additional parentheses for clarity + +--- + src/packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/packet.c b/src/packet.c +index bd4c39e4..2e01bfc5 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = 0; + unsigned char want_reply = 0; + len = _libssh2_ntohu32(data + 1); +- if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) { ++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { + want_reply = data[5 + len]; + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, -- cgit v1.2.3-70-g09d2 From 8c4d830f564c6c9a7448556d157d54247618292c Mon Sep 17 00:00:00 2001 From: Max Rees Date: Wed, 16 Oct 2019 16:29:42 -0500 Subject: system/binutils: patch CVE-2019-17450 and CVE-2019-17451 (#212) --- system/binutils/APKBUILD | 9 +++- system/binutils/CVE-2019-17450.patch | 87 ++++++++++++++++++++++++++++++++++++ system/binutils/CVE-2019-17451.patch | 38 ++++++++++++++++ 3 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 system/binutils/CVE-2019-17450.patch create mode 100644 system/binutils/CVE-2019-17451.patch (limited to 'system') diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD index 682f2e93c..f5defac52 100644 --- a/system/binutils/APKBUILD +++ b/system/binutils/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Adelie Platform Group pkgname=binutils pkgver=2.32 -pkgrel=4 +pkgrel=5 pkgdesc="Tools necessary to build programs" url="https://www.gnu.org/software/binutils/" depends="" @@ -32,6 +32,8 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz CVE-2019-12972.patch CVE-2019-14250.patch CVE-2019-14444.patch + CVE-2019-17450.patch + CVE-2019-17451.patch BTS-170.patch BTS-196.patch " @@ -63,6 +65,9 @@ fi # - CVE-2019-14250 # 2.32-r3: # - CVE-2019-14444 +# 2.32-r5: +# - CVE-2019-17450 +# - CVE-2019-17451 build() { local _sysroot=/ @@ -158,5 +163,7 @@ c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be 9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42 CVE-2019-12972.patch c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f CVE-2019-14250.patch 0942cc1a4c5ec03e931c6ebd15c5d60eae6be48cd0a3d9b7f6356f97361226bb6d53dbdcb01b20efcca0ccaf23764730d9bbad2c1bbe2ea6ca320e43b43b311b CVE-2019-14444.patch +4e8cbe3985ca4a7cb8954e4e03f094687985b3afec6bb14f1599665e0ab13e601b68cefdbb63e88f9dd59852036dcfee05af14014493c16c76dc38d406efc8fd CVE-2019-17450.patch +a71a035db5e14f105b5d58ec01ad250447f6282cae04e8c931fbdbf7adf118a065c6c9be9c72a204e0f8115b19598dc52f3953ae91200d48328b58cc274939d8 CVE-2019-17451.patch d4543d2f77808d317d17a5f0eb9af21540ef8543fceaed4e3524213e31e058333321f3ba3b495199e3b57bfd0c4164929cf679369470389e26871b8895cb0110 BTS-170.patch 9cc17d9fe3fc1351d1f6b4fc1c916254529f3304c95db6f4698b867eeb623210b914dc798fb837eafbad2b287b78b31c4ed5482b3151a2992864da04e1dd5fac BTS-196.patch" diff --git a/system/binutils/CVE-2019-17450.patch b/system/binutils/CVE-2019-17450.patch new file mode 100644 index 000000000..edc0e94df --- /dev/null +++ b/system/binutils/CVE-2019-17450.patch @@ -0,0 +1,87 @@ +From 063c511bd79281f33fd33f0964541a73511b9e2b Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 9 Oct 2019 00:07:29 +1030 +Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance + + PR 25078 + * dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add + recur_count. Error on recur_count reaching 100 rather than + info_ptr matching orig_info_ptr. Adjust calls. + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 575b082..d39f4fd 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -2812,13 +2812,13 @@ static bfd_boolean comp_unit_maybe_decode_line_info (struct comp_unit *, + struct dwarf2_debug *); + + static bfd_boolean +-find_abstract_instance (struct comp_unit * unit, +- bfd_byte * orig_info_ptr, +- struct attribute * attr_ptr, +- const char ** pname, +- bfd_boolean * is_linkage, +- char ** filename_ptr, +- int * linenumber_ptr) ++find_abstract_instance (struct comp_unit *unit, ++ struct attribute *attr_ptr, ++ unsigned int recur_count, ++ const char **pname, ++ bfd_boolean *is_linkage, ++ char **filename_ptr, ++ int *linenumber_ptr) + { + bfd *abfd = unit->abfd; + bfd_byte *info_ptr; +@@ -2829,6 +2829,14 @@ find_abstract_instance (struct comp_unit * unit, + struct attribute attr; + const char *name = NULL; + ++ if (recur_count == 100) ++ { ++ _bfd_error_handler ++ (_("DWARF error: abstract instance recursion detected")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ + /* DW_FORM_ref_addr can reference an entry in a different CU. It + is an offset from the .debug_info section, not the current CU. */ + if (attr_ptr->form == DW_FORM_ref_addr) +@@ -2962,15 +2970,6 @@ find_abstract_instance (struct comp_unit * unit, + info_ptr, info_ptr_end); + if (info_ptr == NULL) + break; +- /* It doesn't ever make sense for DW_AT_specification to +- refer to the same DIE. Stop simple recursion. */ +- if (info_ptr == orig_info_ptr) +- { +- _bfd_error_handler +- (_("DWARF error: abstract instance recursion detected")); +- bfd_set_error (bfd_error_bad_value); +- return FALSE; +- } + switch (attr.name) + { + case DW_AT_name: +@@ -2984,7 +2983,7 @@ find_abstract_instance (struct comp_unit * unit, + } + break; + case DW_AT_specification: +- if (!find_abstract_instance (unit, info_ptr, &attr, ++ if (!find_abstract_instance (unit, &attr, recur_count + 1, + &name, is_linkage, + filename_ptr, linenumber_ptr)) + return FALSE; +@@ -3200,7 +3199,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + + case DW_AT_abstract_origin: + case DW_AT_specification: +- if (!find_abstract_instance (unit, info_ptr, &attr, ++ if (!find_abstract_instance (unit, &attr, 0, + &func->name, + &func->is_linkage, + &func->file, +-- +2.9.3 + diff --git a/system/binutils/CVE-2019-17451.patch b/system/binutils/CVE-2019-17451.patch new file mode 100644 index 000000000..f6af71601 --- /dev/null +++ b/system/binutils/CVE-2019-17451.patch @@ -0,0 +1,38 @@ +From 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 9 Oct 2019 10:47:13 +1030 +Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line + +Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1 +and ffffd5555453b140 result in a total size of 1. Reading the first +section of course overflows the buffer and tramples on other memory. + + PR 25070 + * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of + total_size calculation. + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index d39f4fd..88aaa2d 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, + for (total_size = 0; + msec; + msec = find_debug_info (debug_bfd, debug_sections, msec)) +- total_size += msec->size; ++ { ++ /* Catch PR25070 testcase overflowing size calculation here. */ ++ if (total_size + msec->size < total_size ++ || total_size + msec->size < msec->size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return FALSE; ++ } ++ total_size += msec->size; ++ } + + stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); + if (stash->info_ptr_memory == NULL) +-- +2.9.3 + -- cgit v1.2.3-70-g09d2