Resolves: CVE-2019-17498 - fix integer overflow in SSH_MSG_DISCONNECT logic
This commit is contained in:
parent
3d9150262d
commit
41525baf3f
130
0001-libssh2-1.9.0-CVE-2019-17498.patch
Normal file
130
0001-libssh2-1.9.0-CVE-2019-17498.patch
Normal file
@ -0,0 +1,130 @@
|
|||||||
|
From a1554e78e15fc0daeb574c3dd5c87654469a3742 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Will Cosgrove <will@panic.com>
|
||||||
|
Date: Fri, 30 Aug 2019 09:57:38 -0700
|
||||||
|
Subject: [PATCH] packet.c: improve message parsing (#402)
|
||||||
|
|
||||||
|
* packet.c: improve parsing of packets
|
||||||
|
|
||||||
|
file: packet.c
|
||||||
|
|
||||||
|
notes:
|
||||||
|
Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
|
||||||
|
|
||||||
|
Upstream-commit: dedcbd106f8e52d5586b0205bc7677e4c9868f9c
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
src/packet.c | 68 ++++++++++++++++++++++------------------------------
|
||||||
|
1 file changed, 29 insertions(+), 39 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/packet.c b/src/packet.c
|
||||||
|
index 38ab629..2e01bfc 100644
|
||||||
|
--- a/src/packet.c
|
||||||
|
+++ b/src/packet.c
|
||||||
|
@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
|
||||||
|
size_t datalen, int macstate)
|
||||||
|
{
|
||||||
|
int rc = 0;
|
||||||
|
- char *message = NULL;
|
||||||
|
- char *language = NULL;
|
||||||
|
+ unsigned char *message = NULL;
|
||||||
|
+ unsigned char *language = NULL;
|
||||||
|
size_t message_len = 0;
|
||||||
|
size_t language_len = 0;
|
||||||
|
LIBSSH2_CHANNEL *channelp = NULL;
|
||||||
|
@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
|
||||||
|
|
||||||
|
case SSH_MSG_DISCONNECT:
|
||||||
|
if(datalen >= 5) {
|
||||||
|
- size_t reason = _libssh2_ntohu32(data + 1);
|
||||||
|
+ uint32_t reason = 0;
|
||||||
|
+ struct string_buf buf;
|
||||||
|
+ buf.data = (unsigned char *)data;
|
||||||
|
+ buf.dataptr = buf.data;
|
||||||
|
+ buf.len = datalen;
|
||||||
|
+ buf.dataptr++; /* advance past type */
|
||||||
|
|
||||||
|
- if(datalen >= 9) {
|
||||||
|
- message_len = _libssh2_ntohu32(data + 5);
|
||||||
|
+ _libssh2_get_u32(&buf, &reason);
|
||||||
|
+ _libssh2_get_string(&buf, &message, &message_len);
|
||||||
|
+ _libssh2_get_string(&buf, &language, &language_len);
|
||||||
|
|
||||||
|
- if(message_len < datalen-13) {
|
||||||
|
- /* 9 = packet_type(1) + reason(4) + message_len(4) */
|
||||||
|
- message = (char *) data + 9;
|
||||||
|
-
|
||||||
|
- language_len =
|
||||||
|
- _libssh2_ntohu32(data + 9 + message_len);
|
||||||
|
- language = (char *) data + 9 + message_len + 4;
|
||||||
|
-
|
||||||
|
- if(language_len > (datalen-13-message_len)) {
|
||||||
|
- /* bad input, clear info */
|
||||||
|
- language = message = NULL;
|
||||||
|
- language_len = message_len = 0;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- else
|
||||||
|
- /* bad size, clear it */
|
||||||
|
- message_len = 0;
|
||||||
|
- }
|
||||||
|
if(session->ssh_msg_disconnect) {
|
||||||
|
- LIBSSH2_DISCONNECT(session, reason, message,
|
||||||
|
- message_len, language, language_len);
|
||||||
|
+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
|
||||||
|
+ message_len, (const char *)language,
|
||||||
|
+ language_len);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
_libssh2_debug(session, LIBSSH2_TRACE_TRANS,
|
||||||
|
"Disconnect(%d): %s(%s)", reason,
|
||||||
|
message, language);
|
||||||
|
@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
|
||||||
|
int always_display = data[1];
|
||||||
|
|
||||||
|
if(datalen >= 6) {
|
||||||
|
- message_len = _libssh2_ntohu32(data + 2);
|
||||||
|
-
|
||||||
|
- if(message_len <= (datalen - 10)) {
|
||||||
|
- /* 6 = packet_type(1) + display(1) + message_len(4) */
|
||||||
|
- message = (char *) data + 6;
|
||||||
|
- language_len = _libssh2_ntohu32(data + 6 +
|
||||||
|
- message_len);
|
||||||
|
-
|
||||||
|
- if(language_len <= (datalen - 10 - message_len))
|
||||||
|
- language = (char *) data + 10 + message_len;
|
||||||
|
- }
|
||||||
|
+ struct string_buf buf;
|
||||||
|
+ buf.data = (unsigned char *)data;
|
||||||
|
+ buf.dataptr = buf.data;
|
||||||
|
+ buf.len = datalen;
|
||||||
|
+ buf.dataptr += 2; /* advance past type & always display */
|
||||||
|
+
|
||||||
|
+ _libssh2_get_string(&buf, &message, &message_len);
|
||||||
|
+ _libssh2_get_string(&buf, &language, &language_len);
|
||||||
|
}
|
||||||
|
|
||||||
|
if(session->ssh_msg_debug) {
|
||||||
|
- LIBSSH2_DEBUG(session, always_display, message,
|
||||||
|
- message_len, language, language_len);
|
||||||
|
+ LIBSSH2_DEBUG(session, always_display,
|
||||||
|
+ (const char *)message,
|
||||||
|
+ message_len, (const char *)language,
|
||||||
|
+ language_len);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* _libssh2_debug will actually truncate this for us so
|
||||||
|
* that it's not an inordinate about of data
|
||||||
|
@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
|
||||||
|
uint32_t len = 0;
|
||||||
|
unsigned char want_reply = 0;
|
||||||
|
len = _libssh2_ntohu32(data + 1);
|
||||||
|
- if(datalen >= (6 + len)) {
|
||||||
|
+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
|
||||||
|
want_reply = data[5 + len];
|
||||||
|
_libssh2_debug(session,
|
||||||
|
LIBSSH2_TRACE_CONN,
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -1,11 +1,14 @@
|
|||||||
Name: libssh2
|
Name: libssh2
|
||||||
Version: 1.9.0
|
Version: 1.9.0
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: A library implementing the SSH2 protocol
|
Summary: A library implementing the SSH2 protocol
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: http://www.libssh2.org/
|
URL: http://www.libssh2.org/
|
||||||
Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz
|
Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz
|
||||||
|
|
||||||
|
# fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
|
||||||
|
Patch1: 0001-libssh2-1.9.0-CVE-2019-17498.patch
|
||||||
|
|
||||||
BuildRequires: coreutils
|
BuildRequires: coreutils
|
||||||
BuildRequires: findutils
|
BuildRequires: findutils
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -48,6 +51,7 @@ developing applications that use libssh2.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
# Replace hard wired port number in the test suite to avoid collisions
|
# Replace hard wired port number in the test suite to avoid collisions
|
||||||
# between 32-bit and 64-bit builds running on a single build-host
|
# between 32-bit and 64-bit builds running on a single build-host
|
||||||
@ -111,6 +115,9 @@ LC_ALL=en_US.UTF-8 make -C tests check
|
|||||||
%{_libdir}/pkgconfig/libssh2.pc
|
%{_libdir}/pkgconfig/libssh2.pc
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Oct 30 2019 Kamil Dudka <kdudka@redhat.com> - 1.9.0-3
|
||||||
|
- fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-2
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.0-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user