Fix for CVE-2016-0787
Make sure that there's a conversion done from number of bytes to number of bits when the internal _libssh2_bn_rand function is called (CVE-2016-0787) https://www.libssh2.org/adv_20160223.html
This commit is contained in:
Paul Howarth
parent
33cf9702d8
commit
034fe96dbc
|
|
@ -0,0 +1,32 @@
|
|||
From 8a453a7b0f1e667b7369eb73b00843a8decdecc9 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 11 Feb 2016 13:52:20 +0100
|
||||
Subject: [PATCH] diffie_hellman_sha256: convert bytes to bits
|
||||
|
||||
As otherwise we get far too small numbers.
|
||||
|
||||
CVE-2016-0787
|
||||
---
|
||||
src/kex.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/kex.c b/src/kex.c
|
||||
index 6349457..e89b36c 100644
|
||||
--- a/src/kex.c
|
||||
+++ b/src/kex.c
|
||||
@@ -751,11 +751,11 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
|
||||
|
||||
/* Zero the whole thing out */
|
||||
memset(&exchange_state->req_state, 0, sizeof(packet_require_state_t));
|
||||
|
||||
/* Generate x and e */
|
||||
- _libssh2_bn_rand(exchange_state->x, group_order, 0, -1);
|
||||
+ _libssh2_bn_rand(exchange_state->x, group_order * 8 - 1, 0, -1);
|
||||
_libssh2_bn_mod_exp(exchange_state->e, g, exchange_state->x, p,
|
||||
exchange_state->ctx);
|
||||
|
||||
/* Send KEX init */
|
||||
/* packet_type(1) + String Length(4) + leading 0(1) */
|
||||
--
|
||||
2.7.0
|
||||
|
||||
13
libssh2.spec
13
libssh2.spec
|
|
@ -12,13 +12,14 @@
|
|||
|
||||
Name: libssh2
|
||||
Version: 1.5.0
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: A library implementing the SSH2 protocol
|
||||
Group: System Environment/Libraries
|
||||
License: BSD
|
||||
URL: http://www.libssh2.org/
|
||||
Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz
|
||||
Patch0: libssh2-1.4.2-utf8.patch
|
||||
Patch2: https://www.libssh2.org/CVE-2016-0787.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: zlib-devel
|
||||
|
|
@ -72,6 +73,11 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh}
|
|||
# Make sure things are UTF-8...
|
||||
%patch0 -p1
|
||||
|
||||
# Make sure that there's a conversion done from number of bytes to number of
|
||||
# bits when the internal _libssh2_bn_rand function is called (CVE-2016-0787)
|
||||
# https://www.libssh2.org/adv_20160223.html
|
||||
%patch2 -p1
|
||||
|
||||
# Make sshd transition appropriately if building in an SELinux environment
|
||||
%if !(0%{?fedora} >= 17 || 0%{?rhel} >= 7)
|
||||
chcon $(/usr/sbin/matchpathcon -n /etc/rc.d/init.d/sshd) tests/ssh2.sh || :
|
||||
|
|
@ -149,6 +155,11 @@ rm -rf %{buildroot}
|
|||
%{_libdir}/pkgconfig/libssh2.pc
|
||||
|
||||
%changelog
|
||||
* Tue Feb 23 2016 Paul Howarth <paul@city-fan.org> - 1.5.0-2
|
||||
- Make sure that there's a conversion done from number of bytes to number of
|
||||
bits when the internal _libssh2_bn_rand function is called (CVE-2016-0787)
|
||||
https://www.libssh2.org/adv_20160223.html
|
||||
|
||||
* Wed Mar 11 2015 Paul Howarth <paul@city-fan.org> - 1.5.0-1
|
||||
- Update to 1.5.0
|
||||
- See RELEASE-NOTES for details of bug fixes and enhancements
|
||||
|
|
|
|||
Loading…
Reference in New Issue