libssh2: fix CVE-2015-1782

Refer to: http://www.libssh2.org/adv_20150311.html Signed-off-by: Hugo Vasconcelos Saldanha <hugo.saldanha@aker.com.br> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hugo Vasconcelos Saldanha <hugo.saldanha@aker.com.br> 2015-06-25 18:48:56 -0300
committer: Armin Kuster <akuster808@gmail.com> 2015-07-19 16:09:15 -0700
commit: c580b62cb2226d2be7cdef77d4ff838fd4095a03 (patch)
tree: 9c15b53151a19d02e3e54e95f722f33dde7c743e
parent: e00844ed8cb964857c73acd8495ae98250c9020f (diff)
download: meta-openembedded-c580b62cb2226d2be7cdef77d4ff838fd4095a03.tar.gz
2 files changed, 118 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch b/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch
new file mode 100644
index 000000000..5f4a7c728
--- /dev/null
+++ b/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch
@@ -0,0 +1,115 @@
+From c7f66cca285033da9b8c9de8eceff52d7b3c3ef3 Mon Sep 17 00:00:00 2001
+From: Mariusz Ziulek <mzet@owasp.org>
+Date: Sat, 21 Feb 2015 23:31:36 +0100
+Subject: [PATCH] kex: bail out on rubbish in the incoming packet
+Upstream-Status: Backport
+Signed-off-by: Hugo Vasconcelos Saldanha <hugo.saldanha@aker.com.br>
+---
+ src/kex.c | 73 +++++++++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 41 insertions(+), 32 deletions(-)
+diff --git a/src/kex.c b/src/kex.c
+index fa4c4e1..ad7498a 100644
+--- a/src/kex.c
+++ b/src/kex.c
+@@ -1547,10 +1547,34 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+ 
+ /* TODO: When in server mode we need to turn this logic on its head
+  * The Client gets to make the final call on "agreed methods"
+  */
+ 
+/*
+ * kex_string_pair() extracts a string from the packet and makes sure it fits
+ * within the given packet.
+ */
+static int kex_string_pair(unsigned char **sp,   /* parsing position */
+                           unsigned char *data,  /* start pointer to packet */
+                           size_t data_len,      /* size of total packet */
+                           size_t *lenp,         /* length of the string */
+                           unsigned char **strp) /* pointer to string start */
+{
+    unsigned char *s = *sp;
+    *lenp = _libssh2_ntohu32(s);
+
+    /* the length of the string must fit within the current pointer and the
+       end of the packet */
+    if (*lenp > (data_len - (s - data) -4))
+        return 1;
+    *strp = s + 4;
+    s += 4 + *lenp;
+
+    *sp = s;
+    return 0;
+}
+
+ /* kex_agree_methods
+  * Decide which specific method to use of the methods offered by each party
+  */
+ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+                              unsigned data_len)
+@@ -1566,42 +1590,27 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+     /* Skip cookie, don't worry, it's preserved in the kexinit field */
+     s += 16;
+ 
+     /* Locate each string */
+-    kex_len = _libssh2_ntohu32(s);
+-    kex = s + 4;
+-    s += 4 + kex_len;
+-    hostkey_len = _libssh2_ntohu32(s);
+-    hostkey = s + 4;
+-    s += 4 + hostkey_len;
+-    crypt_cs_len = _libssh2_ntohu32(s);
+-    crypt_cs = s + 4;
+-    s += 4 + crypt_cs_len;
+-    crypt_sc_len = _libssh2_ntohu32(s);
+-    crypt_sc = s + 4;
+-    s += 4 + crypt_sc_len;
+-    mac_cs_len = _libssh2_ntohu32(s);
+-    mac_cs = s + 4;
+-    s += 4 + mac_cs_len;
+-    mac_sc_len = _libssh2_ntohu32(s);
+-    mac_sc = s + 4;
+-    s += 4 + mac_sc_len;
+-    comp_cs_len = _libssh2_ntohu32(s);
+-    comp_cs = s + 4;
+-    s += 4 + comp_cs_len;
+-    comp_sc_len = _libssh2_ntohu32(s);
+-    comp_sc = s + 4;
+-#if 0
+-    s += 4 + comp_sc_len;
+-    lang_cs_len = _libssh2_ntohu32(s);
+-    lang_cs = s + 4;
+-    s += 4 + lang_cs_len;
+-    lang_sc_len = _libssh2_ntohu32(s);
+-    lang_sc = s + 4;
+-    s += 4 + lang_sc_len;
+-#endif
+    if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
+       return -1;
+
+     /* If the server sent an optimistic packet, assume that it guessed wrong.
+      * If the guess is determined to be right (by kex_agree_kex_hostkey)
+      * This flag will be reset to zero so that it's not ignored */
+     session->burn_optimistic_kexinit = *(s++);
+     /* Next uint32 in packet is all zeros (reserved) */
+-- 
+2.1.4
diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb b/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb
index b53766333..9af0f7fd1 100644
--- a/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb
+++ b/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb
@@ -7,7 +7,9 @@ DEPENDS = "zlib openssl"
 LICENSE = "BSD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d00afe44f336a79a2ca7e1681ce14509"
-SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz"
+SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
+           file://CVE-2015-1782.patch \
+"
 SRC_URI[md5sum] = "071004c60c5d6f90354ad1b701013a0b"
 SRC_URI[sha256sum] = "eac6f85f9df9db2e6386906a6227eb2cd7b3245739561cad7d6dc1d5d021b96d"
author	Hugo Vasconcelos Saldanha <hugo.saldanha@aker.com.br>	2015-06-25 18:48:56 -0300
committer	Armin Kuster <akuster808@gmail.com>	2015-07-19 16:09:15 -0700
commit	c580b62cb2226d2be7cdef77d4ff838fd4095a03 (patch)
tree	9c15b53151a19d02e3e54e95f722f33dde7c743e
parent	e00844ed8cb964857c73acd8495ae98250c9020f (diff)
download	meta-openembedded-c580b62cb2226d2be7cdef77d4ff838fd4095a03.tar.gz

diff --git a/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch b/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch new file mode 100644 index 000000000..5f4a7c728 --- /dev/null +++ b/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch
@@ -0,0 +1,115 @@
		1	From c7f66cca285033da9b8c9de8eceff52d7b3c3ef3 Mon Sep 17 00:00:00 2001
		2	From: Mariusz Ziulek <mzet@owasp.org>
		3	Date: Sat, 21 Feb 2015 23:31:36 +0100
		4	Subject: [PATCH] kex: bail out on rubbish in the incoming packet
		5
		6	Upstream-Status: Backport
		7
		8	Signed-off-by: Hugo Vasconcelos Saldanha <hugo.saldanha@aker.com.br>
		9
		10	---
		11	src/kex.c \| 73 +++++++++++++++++++++++++++++++++++----------------------------
		12	1 file changed, 41 insertions(+), 32 deletions(-)
		13
		14	diff --git a/src/kex.c b/src/kex.c
		15	index fa4c4e1..ad7498a 100644
		16	--- a/src/kex.c
		17	+++ b/src/kex.c
		18	@@ -1547,10 +1547,34 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
		19
		20	/* TODO: When in server mode we need to turn this logic on its head
		21	* The Client gets to make the final call on "agreed methods"
		22	*/
		23
		24	+/*
		25	+ * kex_string_pair() extracts a string from the packet and makes sure it fits
		26	+ * within the given packet.
		27	+ */
		28	+static int kex_string_pair(unsigned char *sp, / parsing position */
		29	+ unsigned char data, / start pointer to packet */
		30	+ size_t data_len, /* size of total packet */
		31	+ size_t lenp, / length of the string */
		32	+ unsigned char *strp) / pointer to string start */
		33	+{
		34	+ unsigned char s = sp;
		35	+ *lenp = _libssh2_ntohu32(s);
		36	+
		37	+ /* the length of the string must fit within the current pointer and the
		38	+ end of the packet */
		39	+ if (*lenp > (data_len - (s - data) -4))
		40	+ return 1;
		41	+ *strp = s + 4;
		42	+ s += 4 + *lenp;
		43	+
		44	+ *sp = s;
		45	+ return 0;
		46	+}
		47	+
		48	/* kex_agree_methods
		49	* Decide which specific method to use of the methods offered by each party
		50	*/
		51	static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
		52	unsigned data_len)
		53	@@ -1566,42 +1590,27 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
		54
		55	/* Skip cookie, don't worry, it's preserved in the kexinit field */
		56	s += 16;
		57
		58	/* Locate each string */
		59	- kex_len = _libssh2_ntohu32(s);
		60	- kex = s + 4;
		61	- s += 4 + kex_len;
		62	- hostkey_len = _libssh2_ntohu32(s);
		63	- hostkey = s + 4;
		64	- s += 4 + hostkey_len;
		65	- crypt_cs_len = _libssh2_ntohu32(s);
		66	- crypt_cs = s + 4;
		67	- s += 4 + crypt_cs_len;
		68	- crypt_sc_len = _libssh2_ntohu32(s);
		69	- crypt_sc = s + 4;
		70	- s += 4 + crypt_sc_len;
		71	- mac_cs_len = _libssh2_ntohu32(s);
		72	- mac_cs = s + 4;
		73	- s += 4 + mac_cs_len;
		74	- mac_sc_len = _libssh2_ntohu32(s);
		75	- mac_sc = s + 4;
		76	- s += 4 + mac_sc_len;
		77	- comp_cs_len = _libssh2_ntohu32(s);
		78	- comp_cs = s + 4;
		79	- s += 4 + comp_cs_len;
		80	- comp_sc_len = _libssh2_ntohu32(s);
		81	- comp_sc = s + 4;
		82	-#if 0
		83	- s += 4 + comp_sc_len;
		84	- lang_cs_len = _libssh2_ntohu32(s);
		85	- lang_cs = s + 4;
		86	- s += 4 + lang_cs_len;
		87	- lang_sc_len = _libssh2_ntohu32(s);
		88	- lang_sc = s + 4;
		89	- s += 4 + lang_sc_len;
		90	-#endif
		91	+ if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
		92	+ return -1;
		93	+ if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
		94	+ return -1;
		95	+ if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
		96	+ return -1;
		97	+ if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
		98	+ return -1;
		99	+ if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
		100	+ return -1;
		101	+ if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
		102	+ return -1;
		103	+ if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
		104	+ return -1;
		105	+ if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
		106	+ return -1;
		107	+
		108	/* If the server sent an optimistic packet, assume that it guessed wrong.
		109	* If the guess is determined to be right (by kex_agree_kex_hostkey)
		110	* This flag will be reset to zero so that it's not ignored */
		111	session->burn_optimistic_kexinit = *(s++);
		112	/* Next uint32 in packet is all zeros (reserved) */
		113	--
		114	2.1.4
		115


diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb b/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb index b53766333..9af0f7fd1 100644 --- a/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb +++ b/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb
@@ -7,7 +7,9 @@ DEPENDS = "zlib openssl"
7	LICENSE = "BSD"	7	LICENSE = "BSD"
8	LIC_FILES_CHKSUM = "file://COPYING;md5=d00afe44f336a79a2ca7e1681ce14509"	8	LIC_FILES_CHKSUM = "file://COPYING;md5=d00afe44f336a79a2ca7e1681ce14509"
9		9
10	SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz"	10	SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
		11	file://CVE-2015-1782.patch \
		12	"
11	SRC_URI[md5sum] = "071004c60c5d6f90354ad1b701013a0b"	13	SRC_URI[md5sum] = "071004c60c5d6f90354ad1b701013a0b"
12	SRC_URI[sha256sum] = "eac6f85f9df9db2e6386906a6227eb2cd7b3245739561cad7d6dc1d5d021b96d"	14	SRC_URI[sha256sum] = "eac6f85f9df9db2e6386906a6227eb2cd7b3245739561cad7d6dc1d5d021b96d"
13		15