From f6f328f5d40e8d135fe1251ca13e2e521dd6aebf Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Thu, 3 Mar 2016 10:58:35 +0100
Subject: libssh2: CVE-2016-0787
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

bits/bytes confusion resulting in truncated Diffie-Hellman secret length

Reference:
https://www.libssh2.org/adv_20160223.html

Reference to upstream patch:
https://www.libssh2.org/CVE-2016-0787.patch

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
---
 .../libssh2/files/CVE-2016-0787.patch              | 36 ++++++++++++++++++++++
 meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb   |  6 +++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/libssh2/files/CVE-2016-0787.patch

diff --git a/meta-oe/recipes-support/libssh2/files/CVE-2016-0787.patch b/meta-oe/recipes-support/libssh2/files/CVE-2016-0787.patch
new file mode 100644
index 000000000..9468feb6d
--- /dev/null
+++ b/meta-oe/recipes-support/libssh2/files/CVE-2016-0787.patch
@@ -0,0 +1,36 @@
+From 8a453a7b0f1e667b7369eb73b00843a8decdecc9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 11 Feb 2016 13:52:20 +0100
+Subject: [PATCH] diffie_hellman_sha256: convert bytes to bits
+
+As otherwise we get far too small numbers.
+
+CVE-2016-0787
+Patch is from [https://www.libssh2.org/CVE-2016-0787.patch]
+
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ src/kex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index 6349457..e89b36c 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -751,11 +751,11 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
+ 
+         /* Zero the whole thing out */
+         memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t));
+ 
+         /* Generate x and e */
+-        _libssh2_bn_rand(exchange_state->x, group_order, 0, -1);
++        _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1);
+         _libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p,
+                             exchange_state->ctx);
+ 
+         /* Send KEX init */
+         /* packet_type(1) + String Length(4) + leading 0(1) */
+-- 
+2.7.0
+
diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb b/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb
index b53766333..8f64cf03a 100644
--- a/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb
+++ b/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb
@@ -1,4 +1,5 @@
 SUMMARY = "A client-side C library implementing the SSH2 protocol"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 HOMEPAGE = "http://www.libssh2.org/"
 SECTION = "libs"
 
@@ -7,7 +8,10 @@ DEPENDS = "zlib openssl"
 LICENSE = "BSD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d00afe44f336a79a2ca7e1681ce14509"
 
-SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz"
+SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
+           file://CVE-2016-0787.patch \
+           "
+
 SRC_URI[md5sum] = "071004c60c5d6f90354ad1b701013a0b"
 SRC_URI[sha256sum] = "eac6f85f9df9db2e6386906a6227eb2cd7b3245739561cad7d6dc1d5d021b96d"
 
-- 
cgit v1.2.3-54-g00ecf