summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-03-03 09:58:34 (GMT)
committerNora Björklund <nora.bjorklund@enea.com>2016-03-07 08:05:26 (GMT)
commita75cee30877e48e44e72a2f2f7d319f3eac575c9 (patch)
tree1b046fb011564b36b5825fd5dfcbad3508f228b8
parente53b536aeac9d42e1864233b0fe9b0a653780385 (diff)
downloadmeta-openembedded-a75cee30877e48e44e72a2f2f7d319f3eac575c9.tar.gz
libssh: CVE-2016-0739
bits/bytes confusion resulting in truncated Difffie-Hellman secret length Reference: https://www.libssh.org/2016/02/23/libssh-0-7-3-security-and-bugfix-release/ Reference to upstream patch: https://git.libssh.org/projects/libssh.git/patch/?id=f8d0026c65fc8a55748ae481758e2cf376c26c86 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
-rw-r--r--meta-oe/recipes-support/libssh/files/CVE-2016-0739.patch73
-rw-r--r--meta-oe/recipes-support/libssh/libssh_0.6.3.bb6
2 files changed, 78 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/libssh/files/CVE-2016-0739.patch b/meta-oe/recipes-support/libssh/files/CVE-2016-0739.patch
new file mode 100644
index 0000000..ebe012c
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/files/CVE-2016-0739.patch
@@ -0,0 +1,73 @@
1From f8d0026c65fc8a55748ae481758e2cf376c26c86 Mon Sep 17 00:00:00 2001
2From: Aris Adamantiadis <aris@0xbadc0de.be>
3Date: Tue, 9 Feb 2016 15:09:27 +0100
4Subject: [PATCH] dh: Fix CVE-2016-0739
5
6Due to a byte/bit confusion, the DH secret was too short. This file was
7completely reworked and will be commited in a future version.
8
9Upstream-Status: Backport
10
11Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
12Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
13Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
14---
15 src/dh.c | 22 +++++++++++++++++-----
16 1 file changed, 17 insertions(+), 5 deletions(-)
17
18diff --git a/src/dh.c b/src/dh.c
19index e489a1d..d27b66e 100644
20--- a/src/dh.c
21+++ b/src/dh.c
22@@ -227,15 +227,21 @@ void ssh_crypto_finalize(void) {
23 }
24
25 int dh_generate_x(ssh_session session) {
26+ int keysize;
27+ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
28+ keysize = 1023;
29+ } else {
30+ keysize = 2047;
31+ }
32 session->next_crypto->x = bignum_new();
33 if (session->next_crypto->x == NULL) {
34 return -1;
35 }
36
37 #ifdef HAVE_LIBGCRYPT
38- bignum_rand(session->next_crypto->x, 128);
39+ bignum_rand(session->next_crypto->x, keysize);
40 #elif defined HAVE_LIBCRYPTO
41- bignum_rand(session->next_crypto->x, 128, 0, -1);
42+ bignum_rand(session->next_crypto->x, keysize, -1, 0);
43 #endif
44
45 /* not harder than this */
46@@ -248,15 +254,21 @@ int dh_generate_x(ssh_session session) {
47
48 /* used by server */
49 int dh_generate_y(ssh_session session) {
50- session->next_crypto->y = bignum_new();
51+ int keysize;
52+ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
53+ keysize = 1023;
54+ } else {
55+ keysize = 2047;
56+ }
57+ session->next_crypto->y = bignum_new();
58 if (session->next_crypto->y == NULL) {
59 return -1;
60 }
61
62 #ifdef HAVE_LIBGCRYPT
63- bignum_rand(session->next_crypto->y, 128);
64+ bignum_rand(session->next_crypto->y, keysize);
65 #elif defined HAVE_LIBCRYPTO
66- bignum_rand(session->next_crypto->y, 128, 0, -1);
67+ bignum_rand(session->next_crypto->y, keysize, -1, 0);
68 #endif
69
70 /* not harder than this */
71--
721.9.1
73
diff --git a/meta-oe/recipes-support/libssh/libssh_0.6.3.bb b/meta-oe/recipes-support/libssh/libssh_0.6.3.bb
index 771a47a..c110a01 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.6.3.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.6.3.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Multiplatform C library implementing the SSHv2 and SSHv1 protocol" 1SUMMARY = "Multiplatform C library implementing the SSHv2 and SSHv1 protocol"
2FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
2HOMEPAGE = "http://www.libssh.org" 3HOMEPAGE = "http://www.libssh.org"
3SECTION = "libs" 4SECTION = "libs"
4 5
@@ -7,7 +8,10 @@ DEPENDS = "zlib openssl libgcrypt"
7LICENSE = "LGPLv2.1" 8LICENSE = "LGPLv2.1"
8LIC_FILES_CHKSUM = "file://COPYING;md5=388a4fb1dea8ceae0be78ba9b01fc139" 9LIC_FILES_CHKSUM = "file://COPYING;md5=388a4fb1dea8ceae0be78ba9b01fc139"
9 10
10SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=v0-6" 11SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=v0-6 \
12 file://CVE-2016-0739.patch \
13 "
14
11SRCREV = "87145387aa12b720b52d6bc75b4dd6cd058c868a" 15SRCREV = "87145387aa12b720b52d6bc75b4dd6cd058c868a"
12S = "${WORKDIR}/git" 16S = "${WORKDIR}/git"
13 17