From acf0169a7370752459019693bc769d13c34bfba6 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Oct 06 2021 11:14:43 +0000
Subject: import libssh-0.9.4-3.el8


---

diff --git a/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch b/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch
new file mode 100644
index 0000000..9221f03
--- /dev/null
+++ b/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch
@@ -0,0 +1,41 @@
+diff -up libssh-0.9.4/src/buffer.c.fix-cve-2020-16135 libssh-0.9.4/src/buffer.c
+--- libssh-0.9.4/src/buffer.c.fix-cve-2020-16135	2021-04-21 10:27:53.562473773 +0200
++++ libssh-0.9.4/src/buffer.c	2021-04-21 10:29:21.768165663 +0200
+@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_
+  */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
++  if (buffer == NULL) {
++      return -1;
++  }
++
+   buffer_verify(buffer);
+ 
+   if (data == NULL) {
+diff -up libssh-0.9.4/src/sftpserver.c.fix-cve-2020-16135 libssh-0.9.4/src/sftpserver.c
+--- libssh-0.9.4/src/sftpserver.c.fix-cve-2020-16135	2021-04-21 10:30:43.864796642 +0200
++++ libssh-0.9.4/src/sftpserver.c	2021-04-21 10:41:52.166933113 +0200
+@@ -67,9 +67,20 @@ sftp_client_message sftp_get_client_mess
+ 
+   /* take a copy of the whole packet */
+   msg->complete_message = ssh_buffer_new();
+-  ssh_buffer_add_data(msg->complete_message,
+-                      ssh_buffer_get(payload),
+-                      ssh_buffer_get_len(payload));
++  if (msg->complete_message == NULL) {
++      ssh_set_error_oom(session);
++      sftp_client_message_free(msg);
++      return NULL;
++  }
++
++  rc = ssh_buffer_add_data(msg->complete_message,
++                           ssh_buffer_get(payload),
++                           ssh_buffer_get_len(payload));
++  if (rc < 0) {
++      ssh_set_error_oom(session);
++      sftp_client_message_free(msg);
++      return NULL;
++  }
+ 
+   ssh_buffer_get_u32(payload, &msg->id);
+ 
diff --git a/SPECS/libssh.spec b/SPECS/libssh.spec
index c61df8b..0bc82e3 100644
--- a/SPECS/libssh.spec
+++ b/SPECS/libssh.spec
@@ -1,6 +1,6 @@
 Name:           libssh
 Version:        0.9.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
@@ -16,6 +16,7 @@ Patch1:         libssh-0.9.4-fix-version.patch
 Patch2:         libssh-0.9.4-do-not-return-error-server-closed-channel.patch
 Patch3:         libssh-0.9.4-add-cve-2019-14889-test.patch
 Patch4:         libssh-0.9.4-do-not-parse-config-during-tests.patch
+Patch5:         libssh-0.9.4-fix-cve-2020-16135.patch
 
 BuildRequires:  cmake
 BuildRequires:  doxygen
@@ -135,6 +136,10 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
+* Wed Apr 21 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-3
+- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if
+  ssh_buffer_new returns NULL (#1862646)
+
 * Wed Jun 24 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
 - Do not return error when server properly closed the channel (#1849071)
 - Add a test for CVE-2019-14889