From d0662304fe347ff070315f82da4ffd63e7e5a3cd Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Wed, 16 Oct 2019 15:37:53 -0500
Subject: system/libssh2: patch CVE-2019-17498

---
 system/libssh2/APKBUILD             |  12 ++-
 system/libssh2/CVE-2019-17498.patch | 210 ++++++++++++++++++++++++++++++++++++
 2 files changed, 219 insertions(+), 3 deletions(-)
 create mode 100644 system/libssh2/CVE-2019-17498.patch

(limited to 'system')

diff --git a/system/libssh2/APKBUILD b/system/libssh2/APKBUILD
index 401fa2cf0..010c6834d 100644
--- a/system/libssh2/APKBUILD
+++ b/system/libssh2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libssh2
 pkgver=1.9.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Library for accessing SSH servers"
 url="https://libssh2.org/"
 arch="all"
@@ -11,7 +11,12 @@ checkdepends="openssh-server"
 makedepends="openssl-dev zlib-dev"
 subpackages="$pkgname-dev $pkgname-doc"
 source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz
-	test-sshd.patch"
+	test-sshd.patch
+	CVE-2019-17498.patch"
+
+# secfixes:
+#   1.9.0-r1:
+#     - CVE-2019-17498
 
 build() {
 	./configure \
@@ -35,4 +40,5 @@ package() {
 }
 
 sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17  libssh2-1.9.0.tar.gz
-eef3c43184d53a3c655915ad61d182a88d9cced75ba8f8dde73ccf771ff4aeaa0f26e95aeb53601d7c47d96a2421c98678e9baf497f3883faa4427a091eea62c  test-sshd.patch"
+eef3c43184d53a3c655915ad61d182a88d9cced75ba8f8dde73ccf771ff4aeaa0f26e95aeb53601d7c47d96a2421c98678e9baf497f3883faa4427a091eea62c  test-sshd.patch
+102542a2023d53f7684c99a89fa4c592ee4ababc09bc174c52cd20f7f21b4c5878a89bae7e20c3438490666b7b0758caba5cf82c2b2965e1e58e02d5c1f4ea47  CVE-2019-17498.patch"
diff --git a/system/libssh2/CVE-2019-17498.patch b/system/libssh2/CVE-2019-17498.patch
new file mode 100644
index 000000000..a908c9974
--- /dev/null
+++ b/system/libssh2/CVE-2019-17498.patch
@@ -0,0 +1,210 @@
+From b9aa7c2495694d0527e4e7fd560a3f0f18556c72 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:14:19 -0700
+Subject: [PATCH 1/5] packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG, additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST
+---
+ src/packet.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab6294..ac69768c 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -537,26 +537,26 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+         case SSH_MSG_DEBUG:
+             if(datalen >= 2) {
+                 int always_display = data[1];
+-
++            
+                 if(datalen >= 6) {
+-                    message_len = _libssh2_ntohu32(data + 2);
+-
+-                    if(message_len <= (datalen - 10)) {
+-                        /* 6 = packet_type(1) + display(1) + message_len(4) */
+-                        message = (char *) data + 6;
+-                        language_len = _libssh2_ntohu32(data + 6 +
+-                                                        message_len);
+-
+-                        if(language_len <= (datalen - 10 - message_len))
+-                            language = (char *) data + 10 + message_len;
+-                    }
++                    struct string_buf buf;
++                    buf.data = (unsigned char *)data;
++                    buf.dataptr = buf.data;
++                    buf.len = datalen;
++                    buf.dataptr += 2; /* advance past type & always display */
++
++                    _libssh2_get_string(&buf, &message, &message_len);
++                    _libssh2_get_string(&buf, &language, &language_len);
+                 }
+ 
+                 if(session->ssh_msg_debug) {
+-                    LIBSSH2_DEBUG(session, always_display, message,
+-                                  message_len, language, language_len);
++                    LIBSSH2_DEBUG(session, always_display,
++                                  (const char *)message,
++                                  message_len, (const char *)language,
++                                  language_len);
+                 }
+             }
++
+             /*
+              * _libssh2_debug will actually truncate this for us so
+              * that it's not an inordinate about of data
+@@ -579,7 +579,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(datalen >= (6 + len)) {
++                if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
+
+From 8b3cf0b17c1b84a138bed9423a9e0743452b4de9 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:15:33 -0700
+Subject: [PATCH 2/5] stray whitespace
+
+---
+ src/packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index ac69768c..8908b2c5 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -537,7 +537,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+         case SSH_MSG_DEBUG:
+             if(datalen >= 2) {
+                 int always_display = data[1];
+-            
++
+                 if(datalen >= 6) {
+                     struct string_buf buf;
+                     buf.data = (unsigned char *)data;
+
+From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:24:22 -0700
+Subject: [PATCH 3/5] fixed type issue, updated SSH_MSG_DISCONNECT
+
+SSH_MSG_DISCONNECT now also uses  _libssh2_get API.
+---
+ src/packet.c | 40 +++++++++++++++-------------------------
+ 1 file changed, 15 insertions(+), 25 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 8908b2c5..97f0cdd4 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                     size_t datalen, int macstate)
+ {
+     int rc = 0;
+-    char *message = NULL;
+-    char *language = NULL;
++    unsigned char *message = NULL;
++    unsigned char *language = NULL;
+     size_t message_len = 0;
+     size_t language_len = 0;
+     LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+         case SSH_MSG_DISCONNECT:
+             if(datalen >= 5) {
+-                size_t reason = _libssh2_ntohu32(data + 1);
++                uint32_t reason = 0;
++                struct string_buf buf;
++                buf.data = (unsigned char *)data;
++                buf.dataptr = buf.data;
++                buf.len = datalen;
++                buf.dataptr++; /* advance past type */
+ 
+-                if(datalen >= 9) {
+-                    message_len = _libssh2_ntohu32(data + 5);
++                _libssh2_get_u32(&buf, &reason);
++                _libssh2_get_string(&buf, &message, &message_len);
++                _libssh2_get_string(&buf, &language, &language_len);
+ 
+-                    if(message_len < datalen-13) {
+-                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
+-                        message = (char *) data + 9;
+-
+-                        language_len =
+-                            _libssh2_ntohu32(data + 9 + message_len);
+-                        language = (char *) data + 9 + message_len + 4;
+-
+-                        if(language_len > (datalen-13-message_len)) {
+-                            /* bad input, clear info */
+-                            language = message = NULL;
+-                            language_len = message_len = 0;
+-                        }
+-                    }
+-                    else
+-                        /* bad size, clear it */
+-                        message_len = 0;
+-                }
+                 if(session->ssh_msg_disconnect) {
+-                    LIBSSH2_DISCONNECT(session, reason, message,
+-                                       message_len, language, language_len);
++                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++                                       message_len, (const char *)language,
++                                       language_len);
+                 }
++
+                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+                                "Disconnect(%d): %s(%s)", reason,
+                                message, language);
+
+From 77616117cc9dbbdd0fe1157098435bff73a83a0f Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:26:32 -0700
+Subject: [PATCH 4/5] fixed stray (
+
+bad paste
+---
+ src/packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 97f0cdd4..bd4c39e4 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if((len <= (UINT_MAX - 6) && (datalen >= (6 + len))) {
++                if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
+
+From 436c45dc143cadc8c59afac6c4255be332856581 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:29:00 -0700
+Subject: [PATCH 5/5] added additional parentheses for clarity
+
+---
+ src/packet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index bd4c39e4..2e01bfc5 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -569,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(len <= (UINT_MAX - 6) && datalen >= (6 + len)) {
++                if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
-- 
cgit v1.2.3-60-g2f50