libssh2: CVE-2019-17498.patch

Security Advisory References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498 Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Wang Mingyu <wangmy@cn.fujitsu.com> 2020-03-13 04:10:22 -0700
committer: Armin Kuster <akuster808@gmail.com> 2020-03-21 19:46:34 -0700
commit: 2cf6bc0e6de881e2385a3a0f2821b411cd1237dc (patch)
tree: fa80b5c728333d6c965d8ef71da2858fbeda07f9
parent: 6d38a12f165445a7b47f784d705ab6692c93a6b0 (diff)
download: meta-openembedded-2cf6bc0e6de881e2385a3a0f2821b411cd1237dc.tar.gz
2 files changed, 132 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch b/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
new file mode 100644
index 000000000..f60764c92
--- /dev/null
+++ b/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
@@ -0,0 +1,131 @@
+From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+* packet.c: improve parsing of packets
+file: packet.c
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+Upstream-Status: Accepted
+CVE: CVE-2019-17498
+Reference to upstream patch:
+https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
+---
+ src/packet.c | 68 ++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 39 deletions(-)
+diff --git a/src/packet.c b/src/packet.c
+index 38ab6294..2e01bfc5 100644
+--- a/src/packet.c
+++ b/src/packet.c
+@@ -416,8 +416,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                     size_t datalen, int macstate)
+ {
+     int rc = 0;
+-    char *message = NULL;
+-    char *language = NULL;
+    unsigned char *message = NULL;
+    unsigned char *language = NULL;
+     size_t message_len = 0;
+     size_t language_len = 0;
+     LIBSSH2_CHANNEL *channelp = NULL;
+@@ -469,33 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+         case SSH_MSG_DISCONNECT:
+             if(datalen >= 5) {
+-                size_t reason = _libssh2_ntohu32(data + 1);
+                uint32_t reason = 0;
+                struct string_buf buf;
+                buf.data = (unsigned char *)data;
+                buf.dataptr = buf.data;
+                buf.len = datalen;
+                buf.dataptr++; /* advance past type */
+ 
+-                if(datalen >= 9) {
+-                    message_len = _libssh2_ntohu32(data + 5);
+                _libssh2_get_u32(&buf, &reason);
+                _libssh2_get_string(&buf, &message, &message_len);
+                _libssh2_get_string(&buf, &language, &language_len);
+ 
+-                    if(message_len < datalen-13) {
+-                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
+-                        message = (char *) data + 9;
+-
+-                        language_len =
+-                            _libssh2_ntohu32(data + 9 + message_len);
+-                        language = (char *) data + 9 + message_len + 4;
+-
+-                        if(language_len > (datalen-13-message_len)) {
+-                            /* bad input, clear info */
+-                            language = message = NULL;
+-                            language_len = message_len = 0;
+-                        }
+-                    }
+-                    else
+-                        /* bad size, clear it */
+-                        message_len = 0;
+-                }
+                 if(session->ssh_msg_disconnect) {
+-                    LIBSSH2_DISCONNECT(session, reason, message,
+-                                       message_len, language, language_len);
+                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
+                                       message_len, (const char *)language,
+                                       language_len);
+                 }
+
+                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+                                "Disconnect(%d): %s(%s)", reason,
+                                message, language);
+@@ -534,23 +526,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 int always_display = data[1];
+ 
+                 if(datalen >= 6) {
+-                    message_len = _libssh2_ntohu32(data + 2);
+-
+-                    if(message_len <= (datalen - 10)) {
+-                        /* 6 = packet_type(1) + display(1) + message_len(4) */
+-                        message = (char *) data + 6;
+-                        language_len = _libssh2_ntohu32(data + 6 +
+-                                                        message_len);
+-
+-                        if(language_len <= (datalen - 10 - message_len))
+-                            language = (char *) data + 10 + message_len;
+-                    }
+                    struct string_buf buf;
+                    buf.data = (unsigned char *)data;
+                    buf.dataptr = buf.data;
+                    buf.len = datalen;
+                    buf.dataptr += 2; /* advance past type & always display */
+
+                    _libssh2_get_string(&buf, &message, &message_len);
+                    _libssh2_get_string(&buf, &language, &language_len);
+                 }
+ 
+                 if(session->ssh_msg_debug) {
+-                    LIBSSH2_DEBUG(session, always_display, message,
+-                                  message_len, language, language_len);
+                    LIBSSH2_DEBUG(session, always_display,
+                                  (const char *)message,
+                                  message_len, (const char *)language,
+                                  language_len);
+                 }
+             }
+
+             /*
+              * _libssh2_debug will actually truncate this for us so
+              * that it's not an inordinate about of data
+@@ -576,7 +566,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(datalen >= (6 + len)) {
+                if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb b/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb
index fe853cde4..a17ae5b7c 100644
--- a/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb
+++ b/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb
@@ -17,6 +17,7 @@ inherit autotools pkgconfig
 EXTRA_OECONF += "\
                 --with-libz \
                 --with-libz-prefix=${STAGING_LIBDIR} \
+                 file://CVE-2019-17498.patch \
                "
 # only one of openssl and gcrypt could be set
author	Wang Mingyu <wangmy@cn.fujitsu.com>	2020-03-13 04:10:22 -0700
committer	Armin Kuster <akuster808@gmail.com>	2020-03-21 19:46:34 -0700
commit	2cf6bc0e6de881e2385a3a0f2821b411cd1237dc (patch)
tree	fa80b5c728333d6c965d8ef71da2858fbeda07f9
parent	6d38a12f165445a7b47f784d705ab6692c93a6b0 (diff)
download	meta-openembedded-2cf6bc0e6de881e2385a3a0f2821b411cd1237dc.tar.gz

diff --git a/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch b/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch new file mode 100644 index 000000000..f60764c92 --- /dev/null +++ b/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
@@ -0,0 +1,131 @@
		1	From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
		2	From: Will Cosgrove <will@panic.com>
		3	Date: Fri, 30 Aug 2019 09:57:38 -0700
		4	Subject: [PATCH] packet.c: improve message parsing (#402)
		5
		6	* packet.c: improve parsing of packets
		7
		8	file: packet.c
		9
		10	notes:
		11	Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
		12
		13	Upstream-Status: Accepted
		14	CVE: CVE-2019-17498
		15
		16	Reference to upstream patch:
		17	https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
		18
		19	---
		20	src/packet.c \| 68 ++++++++++++++++++++++------------------------------
		21	1 file changed, 29 insertions(+), 39 deletions(-)
		22
		23	diff --git a/src/packet.c b/src/packet.c
		24	index 38ab6294..2e01bfc5 100644
		25	--- a/src/packet.c
		26	+++ b/src/packet.c
		27	@@ -416,8 +416,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
		28	size_t datalen, int macstate)
		29	{
		30	int rc = 0;
		31	- char *message = NULL;
		32	- char *language = NULL;
		33	+ unsigned char *message = NULL;
		34	+ unsigned char *language = NULL;
		35	size_t message_len = 0;
		36	size_t language_len = 0;
		37	LIBSSH2_CHANNEL *channelp = NULL;
		38	@@ -469,33 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
		39
		40	case SSH_MSG_DISCONNECT:
		41	if(datalen >= 5) {
		42	- size_t reason = _libssh2_ntohu32(data + 1);
		43	+ uint32_t reason = 0;
		44	+ struct string_buf buf;
		45	+ buf.data = (unsigned char *)data;
		46	+ buf.dataptr = buf.data;
		47	+ buf.len = datalen;
		48	+ buf.dataptr++; /* advance past type */
		49
		50	- if(datalen >= 9) {
		51	- message_len = _libssh2_ntohu32(data + 5);
		52	+ _libssh2_get_u32(&buf, &reason);
		53	+ _libssh2_get_string(&buf, &message, &message_len);
		54	+ _libssh2_get_string(&buf, &language, &language_len);
		55
		56	- if(message_len < datalen-13) {
		57	- /* 9 = packet_type(1) + reason(4) + message_len(4) */
		58	- message = (char *) data + 9;
		59	-
		60	- language_len =
		61	- _libssh2_ntohu32(data + 9 + message_len);
		62	- language = (char *) data + 9 + message_len + 4;
		63	-
		64	- if(language_len > (datalen-13-message_len)) {
		65	- /* bad input, clear info */
		66	- language = message = NULL;
		67	- language_len = message_len = 0;
		68	- }
		69	- }
		70	- else
		71	- /* bad size, clear it */
		72	- message_len = 0;
		73	- }
		74	if(session->ssh_msg_disconnect) {
		75	- LIBSSH2_DISCONNECT(session, reason, message,
		76	- message_len, language, language_len);
		77	+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
		78	+ message_len, (const char *)language,
		79	+ language_len);
		80	}
		81	+
		82	_libssh2_debug(session, LIBSSH2_TRACE_TRANS,
		83	"Disconnect(%d): %s(%s)", reason,
		84	message, language);
		85	@@ -534,23 +526,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
		86	int always_display = data[1];
		87
		88	if(datalen >= 6) {
		89	- message_len = _libssh2_ntohu32(data + 2);
		90	-
		91	- if(message_len <= (datalen - 10)) {
		92	- /* 6 = packet_type(1) + display(1) + message_len(4) */
		93	- message = (char *) data + 6;
		94	- language_len = _libssh2_ntohu32(data + 6 +
		95	- message_len);
		96	-
		97	- if(language_len <= (datalen - 10 - message_len))
		98	- language = (char *) data + 10 + message_len;
		99	- }
		100	+ struct string_buf buf;
		101	+ buf.data = (unsigned char *)data;
		102	+ buf.dataptr = buf.data;
		103	+ buf.len = datalen;
		104	+ buf.dataptr += 2; /* advance past type & always display */
		105	+
		106	+ _libssh2_get_string(&buf, &message, &message_len);
		107	+ _libssh2_get_string(&buf, &language, &language_len);
		108	}
		109
		110	if(session->ssh_msg_debug) {
		111	- LIBSSH2_DEBUG(session, always_display, message,
		112	- message_len, language, language_len);
		113	+ LIBSSH2_DEBUG(session, always_display,
		114	+ (const char *)message,
		115	+ message_len, (const char *)language,
		116	+ language_len);
		117	}
		118	}
		119	+
		120	/*
		121	* _libssh2_debug will actually truncate this for us so
		122	* that it's not an inordinate about of data
		123	@@ -576,7 +566,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
		124	uint32_t len = 0;
		125	unsigned char want_reply = 0;
		126	len = _libssh2_ntohu32(data + 1);
		127	- if(datalen >= (6 + len)) {
		128	+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
		129	want_reply = data[5 + len];
		130	_libssh2_debug(session,
		131	LIBSSH2_TRACE_CONN,


diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb b/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb index fe853cde4..a17ae5b7c 100644 --- a/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb +++ b/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb
@@ -17,6 +17,7 @@ inherit autotools pkgconfig
17	EXTRA_OECONF += "\	17	EXTRA_OECONF += "\
18	--with-libz \	18	--with-libz \
19	--with-libz-prefix=${STAGING_LIBDIR} \	19	--with-libz-prefix=${STAGING_LIBDIR} \
		20	file://CVE-2019-17498.patch \
20	"	21	"
21		22
22	# only one of openssl and gcrypt could be set	23	# only one of openssl and gcrypt could be set