From 859a8475ce1ef58e30684e1bd19e177c08c1eaba Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 09 2021 09:53:21 +0000 Subject: import libssh-0.9.4-3.el8 --- diff --git a/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch b/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch new file mode 100644 index 0000000..9221f03 --- /dev/null +++ b/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch @@ -0,0 +1,41 @@ +diff -up libssh-0.9.4/src/buffer.c.fix-cve-2020-16135 libssh-0.9.4/src/buffer.c +--- libssh-0.9.4/src/buffer.c.fix-cve-2020-16135 2021-04-21 10:27:53.562473773 +0200 ++++ libssh-0.9.4/src/buffer.c 2021-04-21 10:29:21.768165663 +0200 +@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_ + */ + int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) + { ++ if (buffer == NULL) { ++ return -1; ++ } ++ + buffer_verify(buffer); + + if (data == NULL) { +diff -up libssh-0.9.4/src/sftpserver.c.fix-cve-2020-16135 libssh-0.9.4/src/sftpserver.c +--- libssh-0.9.4/src/sftpserver.c.fix-cve-2020-16135 2021-04-21 10:30:43.864796642 +0200 ++++ libssh-0.9.4/src/sftpserver.c 2021-04-21 10:41:52.166933113 +0200 +@@ -67,9 +67,20 @@ sftp_client_message sftp_get_client_mess + + /* take a copy of the whole packet */ + msg->complete_message = ssh_buffer_new(); +- ssh_buffer_add_data(msg->complete_message, +- ssh_buffer_get(payload), +- ssh_buffer_get_len(payload)); ++ if (msg->complete_message == NULL) { ++ ssh_set_error_oom(session); ++ sftp_client_message_free(msg); ++ return NULL; ++ } ++ ++ rc = ssh_buffer_add_data(msg->complete_message, ++ ssh_buffer_get(payload), ++ ssh_buffer_get_len(payload)); ++ if (rc < 0) { ++ ssh_set_error_oom(session); ++ sftp_client_message_free(msg); ++ return NULL; ++ } + + ssh_buffer_get_u32(payload, &msg->id); + diff --git a/SPECS/libssh.spec b/SPECS/libssh.spec index c61df8b..0bc82e3 100644 --- a/SPECS/libssh.spec +++ b/SPECS/libssh.spec @@ -1,6 +1,6 @@ Name: libssh Version: 0.9.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library implementing the SSH protocol License: LGPLv2+ URL: http://www.libssh.org @@ -16,6 +16,7 @@ Patch1: libssh-0.9.4-fix-version.patch Patch2: libssh-0.9.4-do-not-return-error-server-closed-channel.patch Patch3: libssh-0.9.4-add-cve-2019-14889-test.patch Patch4: libssh-0.9.4-do-not-parse-config-during-tests.patch +Patch5: libssh-0.9.4-fix-cve-2020-16135.patch BuildRequires: cmake BuildRequires: doxygen @@ -135,6 +136,10 @@ popd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config %changelog +* Wed Apr 21 2021 Sahana Prasad - 0.9.4-3 +- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if + ssh_buffer_new returns NULL (#1862646) + * Wed Jun 24 2020 Anderson Sasaki - 0.9.4-2 - Do not return error when server properly closed the channel (#1849071) - Add a test for CVE-2019-14889