2 files changed, 134 insertions, 2 deletions
diff --git a/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch b/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch
new file mode 100644
index 0000000000..001080072b
--- /dev/null
+++ b/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch
@@ -0,0 +1,131 @@
+From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+* packet.c: improve parsing of packets
+file: packet.c
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+Upstream-Status: Backport
+CVE: CVE-2019-17498
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/packet.c | 68 ++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 39 deletions(-)
+diff --git a/src/packet.c b/src/packet.c
+index 38ab629..2e01bfc 100644
+--- a/src/packet.c
+++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                     size_t datalen, int macstate)
+ {
+     int rc = 0;
+-    char *message = NULL;
+-    char *language = NULL;
+    unsigned char *message = NULL;
+    unsigned char *language = NULL;
+     size_t message_len = 0;
+     size_t language_len = 0;
+     LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+         case SSH_MSG_DISCONNECT:
+             if(datalen >= 5) {
+-                size_t reason = _libssh2_ntohu32(data + 1);
+                uint32_t reason = 0;
+                struct string_buf buf;
+                buf.data = (unsigned char *)data;
+                buf.dataptr = buf.data;
+                buf.len = datalen;
+                buf.dataptr++; /* advance past type */
+ 
+-                if(datalen >= 9) {
+-                    message_len = _libssh2_ntohu32(data + 5);
+                _libssh2_get_u32(&buf, &reason);
+                _libssh2_get_string(&buf, &message, &message_len);
+                _libssh2_get_string(&buf, &language, &language_len);
+ 
+-                    if(message_len < datalen-13) {
+-                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
+-                        message = (char *) data + 9;
+-
+-                        language_len =
+-                            _libssh2_ntohu32(data + 9 + message_len);
+-                        language = (char *) data + 9 + message_len + 4;
+-
+-                        if(language_len > (datalen-13-message_len)) {
+-                            /* bad input, clear info */
+-                            language = message = NULL;
+-                            language_len = message_len = 0;
+-                        }
+-                    }
+-                    else
+-                        /* bad size, clear it */
+-                        message_len = 0;
+-                }
+                 if(session->ssh_msg_disconnect) {
+-                    LIBSSH2_DISCONNECT(session, reason, message,
+-                                       message_len, language, language_len);
+                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
+                                       message_len, (const char *)language,
+                                       language_len);
+                 }
+
+                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+                                "Disconnect(%d): %s(%s)", reason,
+                                message, language);
+@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 int always_display = data[1];
+ 
+                 if(datalen >= 6) {
+-                    message_len = _libssh2_ntohu32(data + 2);
+-
+-                    if(message_len <= (datalen - 10)) {
+-                        /* 6 = packet_type(1) + display(1) + message_len(4) */
+-                        message = (char *) data + 6;
+-                        language_len = _libssh2_ntohu32(data + 6 +
+-                                                        message_len);
+-
+-                        if(language_len <= (datalen - 10 - message_len))
+-                            language = (char *) data + 10 + message_len;
+-                    }
+                    struct string_buf buf;
+                    buf.data = (unsigned char *)data;
+                    buf.dataptr = buf.data;
+                    buf.len = datalen;
+                    buf.dataptr += 2; /* advance past type & always display */
+
+                    _libssh2_get_string(&buf, &message, &message_len);
+                    _libssh2_get_string(&buf, &language, &language_len);
+                 }
+ 
+                 if(session->ssh_msg_debug) {
+-                    LIBSSH2_DEBUG(session, always_display, message,
+-                                  message_len, language, language_len);
+                    LIBSSH2_DEBUG(session, always_display,
+                                  (const char *)message,
+                                  message_len, (const char *)language,
+                                  language_len);
+                 }
+             }
+
+             /*
+              * _libssh2_debug will actually truncate this for us so
+              * that it's not an inordinate about of data
+@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(datalen >= (6 + len)) {
+                if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
+-- 
+2.17.1
diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb b/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb
index 25e0af3ff6..185ea11b07 100644
--- a/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb
+++ b/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb
@@ -7,8 +7,9 @@ DEPENDS = "zlib"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=c5cf34fc0acb44b082ef50ef5e4354ca"
-SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz"
+SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
+           file://CVE-2019-17498.patch \
+"
 SRC_URI[md5sum] = "1beefafe8963982adc84b408b2959927"
 SRC_URI[sha256sum] = "d5fb8bd563305fd1074dda90bd053fb2d29fc4bce048d182f96eaa466dfadafd"

diff --git a/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch b/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch new file mode 100644 index 0000000000..001080072b --- /dev/null +++ b/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch
@@ -0,0 +1,131 @@
		1	From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
		2	From: Will Cosgrove <will@panic.com>
		3	Date: Fri, 30 Aug 2019 09:57:38 -0700
		4	Subject: [PATCH] packet.c: improve message parsing (#402)
		5
		6	* packet.c: improve parsing of packets
		7
		8	file: packet.c
		9
		10	notes:
		11	Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
		12
		13	Upstream-Status: Backport
		14	CVE: CVE-2019-17498
		15	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		16	---
		17	src/packet.c \| 68 ++++++++++++++++++++++------------------------------
		18	1 file changed, 29 insertions(+), 39 deletions(-)
		19
		20	diff --git a/src/packet.c b/src/packet.c
		21	index 38ab629..2e01bfc 100644
		22	--- a/src/packet.c
		23	+++ b/src/packet.c
		24	@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
		25	size_t datalen, int macstate)
		26	{
		27	int rc = 0;
		28	- char *message = NULL;
		29	- char *language = NULL;
		30	+ unsigned char *message = NULL;
		31	+ unsigned char *language = NULL;
		32	size_t message_len = 0;
		33	size_t language_len = 0;
		34	LIBSSH2_CHANNEL *channelp = NULL;
		35	@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
		36
		37	case SSH_MSG_DISCONNECT:
		38	if(datalen >= 5) {
		39	- size_t reason = _libssh2_ntohu32(data + 1);
		40	+ uint32_t reason = 0;
		41	+ struct string_buf buf;
		42	+ buf.data = (unsigned char *)data;
		43	+ buf.dataptr = buf.data;
		44	+ buf.len = datalen;
		45	+ buf.dataptr++; /* advance past type */
		46
		47	- if(datalen >= 9) {
		48	- message_len = _libssh2_ntohu32(data + 5);
		49	+ _libssh2_get_u32(&buf, &reason);
		50	+ _libssh2_get_string(&buf, &message, &message_len);
		51	+ _libssh2_get_string(&buf, &language, &language_len);
		52
		53	- if(message_len < datalen-13) {
		54	- /* 9 = packet_type(1) + reason(4) + message_len(4) */
		55	- message = (char *) data + 9;
		56	-
		57	- language_len =
		58	- _libssh2_ntohu32(data + 9 + message_len);
		59	- language = (char *) data + 9 + message_len + 4;
		60	-
		61	- if(language_len > (datalen-13-message_len)) {
		62	- /* bad input, clear info */
		63	- language = message = NULL;
		64	- language_len = message_len = 0;
		65	- }
		66	- }
		67	- else
		68	- /* bad size, clear it */
		69	- message_len = 0;
		70	- }
		71	if(session->ssh_msg_disconnect) {
		72	- LIBSSH2_DISCONNECT(session, reason, message,
		73	- message_len, language, language_len);
		74	+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
		75	+ message_len, (const char *)language,
		76	+ language_len);
		77	}
		78	+
		79	_libssh2_debug(session, LIBSSH2_TRACE_TRANS,
		80	"Disconnect(%d): %s(%s)", reason,
		81	message, language);
		82	@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
		83	int always_display = data[1];
		84
		85	if(datalen >= 6) {
		86	- message_len = _libssh2_ntohu32(data + 2);
		87	-
		88	- if(message_len <= (datalen - 10)) {
		89	- /* 6 = packet_type(1) + display(1) + message_len(4) */
		90	- message = (char *) data + 6;
		91	- language_len = _libssh2_ntohu32(data + 6 +
		92	- message_len);
		93	-
		94	- if(language_len <= (datalen - 10 - message_len))
		95	- language = (char *) data + 10 + message_len;
		96	- }
		97	+ struct string_buf buf;
		98	+ buf.data = (unsigned char *)data;
		99	+ buf.dataptr = buf.data;
		100	+ buf.len = datalen;
		101	+ buf.dataptr += 2; /* advance past type & always display */
		102	+
		103	+ _libssh2_get_string(&buf, &message, &message_len);
		104	+ _libssh2_get_string(&buf, &language, &language_len);
		105	}
		106
		107	if(session->ssh_msg_debug) {
		108	- LIBSSH2_DEBUG(session, always_display, message,
		109	- message_len, language, language_len);
		110	+ LIBSSH2_DEBUG(session, always_display,
		111	+ (const char *)message,
		112	+ message_len, (const char *)language,
		113	+ language_len);
		114	}
		115	}
		116	+
		117	/*
		118	* _libssh2_debug will actually truncate this for us so
		119	* that it's not an inordinate about of data
		120	@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
		121	uint32_t len = 0;
		122	unsigned char want_reply = 0;
		123	len = _libssh2_ntohu32(data + 1);
		124	- if(datalen >= (6 + len)) {
		125	+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
		126	want_reply = data[5 + len];
		127	_libssh2_debug(session,
		128	LIBSSH2_TRACE_CONN,
		129	--
		130	2.17.1
		131


diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb b/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb index 25e0af3ff6..185ea11b07 100644 --- a/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb +++ b/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb
@@ -7,8 +7,9 @@ DEPENDS = "zlib"
7	LICENSE = "BSD-3-Clause"	7	LICENSE = "BSD-3-Clause"
8	LIC_FILES_CHKSUM = "file://COPYING;md5=c5cf34fc0acb44b082ef50ef5e4354ca"	8	LIC_FILES_CHKSUM = "file://COPYING;md5=c5cf34fc0acb44b082ef50ef5e4354ca"
9		9
10	SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz"	10	SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
11		11	file://CVE-2019-17498.patch \
		12	"
12	SRC_URI[md5sum] = "1beefafe8963982adc84b408b2959927"	13	SRC_URI[md5sum] = "1beefafe8963982adc84b408b2959927"
13	SRC_URI[sha256sum] = "d5fb8bd563305fd1074dda90bd053fb2d29fc4bce048d182f96eaa466dfadafd"	14	SRC_URI[sha256sum] = "d5fb8bd563305fd1074dda90bd053fb2d29fc4bce048d182f96eaa466dfadafd"
14		15