diff options
author | Wang Mingyu <wangmy@cn.fujitsu.com> | 2020-03-13 04:10:22 -0700 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2020-03-21 19:46:34 -0700 |
commit | 2cf6bc0e6de881e2385a3a0f2821b411cd1237dc (patch) | |
tree | fa80b5c728333d6c965d8ef71da2858fbeda07f9 | |
parent | 6d38a12f165445a7b47f784d705ab6692c93a6b0 (diff) | |
download | meta-openembedded-2cf6bc0e6de881e2385a3a0f2821b411cd1237dc.tar.gz |
libssh2: CVE-2019-17498.patch
Security Advisory
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch | 131 | ||||
-rw-r--r-- | meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb | 1 |
2 files changed, 132 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch b/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch new file mode 100644 index 000000000..f60764c92 --- /dev/null +++ b/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch | |||
@@ -0,0 +1,131 @@ | |||
1 | From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001 | ||
2 | From: Will Cosgrove <will@panic.com> | ||
3 | Date: Fri, 30 Aug 2019 09:57:38 -0700 | ||
4 | Subject: [PATCH] packet.c: improve message parsing (#402) | ||
5 | |||
6 | * packet.c: improve parsing of packets | ||
7 | |||
8 | file: packet.c | ||
9 | |||
10 | notes: | ||
11 | Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST. | ||
12 | |||
13 | Upstream-Status: Accepted | ||
14 | CVE: CVE-2019-17498 | ||
15 | |||
16 | Reference to upstream patch: | ||
17 | https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c | ||
18 | |||
19 | --- | ||
20 | src/packet.c | 68 ++++++++++++++++++++++------------------------------ | ||
21 | 1 file changed, 29 insertions(+), 39 deletions(-) | ||
22 | |||
23 | diff --git a/src/packet.c b/src/packet.c | ||
24 | index 38ab6294..2e01bfc5 100644 | ||
25 | --- a/src/packet.c | ||
26 | +++ b/src/packet.c | ||
27 | @@ -416,8 +416,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, | ||
28 | size_t datalen, int macstate) | ||
29 | { | ||
30 | int rc = 0; | ||
31 | - char *message = NULL; | ||
32 | - char *language = NULL; | ||
33 | + unsigned char *message = NULL; | ||
34 | + unsigned char *language = NULL; | ||
35 | size_t message_len = 0; | ||
36 | size_t language_len = 0; | ||
37 | LIBSSH2_CHANNEL *channelp = NULL; | ||
38 | @@ -469,33 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, | ||
39 | |||
40 | case SSH_MSG_DISCONNECT: | ||
41 | if(datalen >= 5) { | ||
42 | - size_t reason = _libssh2_ntohu32(data + 1); | ||
43 | + uint32_t reason = 0; | ||
44 | + struct string_buf buf; | ||
45 | + buf.data = (unsigned char *)data; | ||
46 | + buf.dataptr = buf.data; | ||
47 | + buf.len = datalen; | ||
48 | + buf.dataptr++; /* advance past type */ | ||
49 | |||
50 | - if(datalen >= 9) { | ||
51 | - message_len = _libssh2_ntohu32(data + 5); | ||
52 | + _libssh2_get_u32(&buf, &reason); | ||
53 | + _libssh2_get_string(&buf, &message, &message_len); | ||
54 | + _libssh2_get_string(&buf, &language, &language_len); | ||
55 | |||
56 | - if(message_len < datalen-13) { | ||
57 | - /* 9 = packet_type(1) + reason(4) + message_len(4) */ | ||
58 | - message = (char *) data + 9; | ||
59 | - | ||
60 | - language_len = | ||
61 | - _libssh2_ntohu32(data + 9 + message_len); | ||
62 | - language = (char *) data + 9 + message_len + 4; | ||
63 | - | ||
64 | - if(language_len > (datalen-13-message_len)) { | ||
65 | - /* bad input, clear info */ | ||
66 | - language = message = NULL; | ||
67 | - language_len = message_len = 0; | ||
68 | - } | ||
69 | - } | ||
70 | - else | ||
71 | - /* bad size, clear it */ | ||
72 | - message_len = 0; | ||
73 | - } | ||
74 | if(session->ssh_msg_disconnect) { | ||
75 | - LIBSSH2_DISCONNECT(session, reason, message, | ||
76 | - message_len, language, language_len); | ||
77 | + LIBSSH2_DISCONNECT(session, reason, (const char *)message, | ||
78 | + message_len, (const char *)language, | ||
79 | + language_len); | ||
80 | } | ||
81 | + | ||
82 | _libssh2_debug(session, LIBSSH2_TRACE_TRANS, | ||
83 | "Disconnect(%d): %s(%s)", reason, | ||
84 | message, language); | ||
85 | @@ -534,23 +526,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, | ||
86 | int always_display = data[1]; | ||
87 | |||
88 | if(datalen >= 6) { | ||
89 | - message_len = _libssh2_ntohu32(data + 2); | ||
90 | - | ||
91 | - if(message_len <= (datalen - 10)) { | ||
92 | - /* 6 = packet_type(1) + display(1) + message_len(4) */ | ||
93 | - message = (char *) data + 6; | ||
94 | - language_len = _libssh2_ntohu32(data + 6 + | ||
95 | - message_len); | ||
96 | - | ||
97 | - if(language_len <= (datalen - 10 - message_len)) | ||
98 | - language = (char *) data + 10 + message_len; | ||
99 | - } | ||
100 | + struct string_buf buf; | ||
101 | + buf.data = (unsigned char *)data; | ||
102 | + buf.dataptr = buf.data; | ||
103 | + buf.len = datalen; | ||
104 | + buf.dataptr += 2; /* advance past type & always display */ | ||
105 | + | ||
106 | + _libssh2_get_string(&buf, &message, &message_len); | ||
107 | + _libssh2_get_string(&buf, &language, &language_len); | ||
108 | } | ||
109 | |||
110 | if(session->ssh_msg_debug) { | ||
111 | - LIBSSH2_DEBUG(session, always_display, message, | ||
112 | - message_len, language, language_len); | ||
113 | + LIBSSH2_DEBUG(session, always_display, | ||
114 | + (const char *)message, | ||
115 | + message_len, (const char *)language, | ||
116 | + language_len); | ||
117 | } | ||
118 | } | ||
119 | + | ||
120 | /* | ||
121 | * _libssh2_debug will actually truncate this for us so | ||
122 | * that it's not an inordinate about of data | ||
123 | @@ -576,7 +566,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, | ||
124 | uint32_t len = 0; | ||
125 | unsigned char want_reply = 0; | ||
126 | len = _libssh2_ntohu32(data + 1); | ||
127 | - if(datalen >= (6 + len)) { | ||
128 | + if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { | ||
129 | want_reply = data[5 + len]; | ||
130 | _libssh2_debug(session, | ||
131 | LIBSSH2_TRACE_CONN, | ||
diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb b/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb index fe853cde4..a17ae5b7c 100644 --- a/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb +++ b/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb | |||
@@ -17,6 +17,7 @@ inherit autotools pkgconfig | |||
17 | EXTRA_OECONF += "\ | 17 | EXTRA_OECONF += "\ |
18 | --with-libz \ | 18 | --with-libz \ |
19 | --with-libz-prefix=${STAGING_LIBDIR} \ | 19 | --with-libz-prefix=${STAGING_LIBDIR} \ |
20 | file://CVE-2019-17498.patch \ | ||
20 | " | 21 | " |
21 | 22 | ||
22 | # only one of openssl and gcrypt could be set | 23 | # only one of openssl and gcrypt could be set |