diff --git a/SOURCES/0010-libssh2-1.8.0-CVE-2019-17498.patch b/SOURCES/0010-libssh2-1.8.0-CVE-2019-17498.patch
new file mode 100644
index 0000000..319e1fd
--- /dev/null
+++ b/SOURCES/0010-libssh2-1.8.0-CVE-2019-17498.patch
@@ -0,0 +1,232 @@
+From 1ea36437bb4b0f3ac42db5222cd7311363fa6ec9 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+
+Upstream-commit: dedcbd106f8e52d5586b0205bc7677e4c9868f9c
+Signed-off-by: Kamil Dudka
+---
+ src/misc.c | 37 +++++++++++++++++++++++
+ src/misc.h | 10 +++++++
+ src/packet.c | 84 ++++++++++++++++++++++++----------------------------
+ 3 files changed, 85 insertions(+), 46 deletions(-)
+
+diff --git a/src/misc.c b/src/misc.c
+index f7faae7..1b2682f 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -643,3 +643,40 @@ void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size)
+ }
+ return p;
+ }
++
++int _libssh2_check_length(struct string_buf *buf, size_t len)
++{
++ unsigned char *endp = &buf->data[buf->len];
++ size_t left = endp - buf->dataptr;
++ return ((len <= left) && (left <= buf->len));
++}
++
++int _libssh2_get_u32(struct string_buf *buf, uint32_t *out)
++{
++ if(!_libssh2_check_length(buf, 4)) {
++ return -1;
++ }
++
++ *out = _libssh2_ntohu32(buf->dataptr);
++ buf->dataptr += 4;
++ return 0;
++}
++
++int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf,
++ size_t *outlen)
++{
++ uint32_t data_len;
++ if(_libssh2_get_u32(buf, &data_len) != 0) {
++ return -1;
++ }
++ if(!_libssh2_check_length(buf, data_len)) {
++ return -1;
++ }
++ *outbuf = buf->dataptr;
++ buf->dataptr += data_len;
++
++ if(outlen)
++ *outlen = (size_t)data_len;
++
++ return 0;
++}
+diff --git a/src/misc.h b/src/misc.h
+index 54ae546..cf5abb5 100644
+--- a/src/misc.h
++++ b/src/misc.h
+@@ -49,6 +49,12 @@ struct list_node {
+ struct list_head *head;
+ };
+
++struct string_buf {
++ unsigned char *data;
++ unsigned char *dataptr;
++ size_t len;
++};
++
+ int _libssh2_error_flags(LIBSSH2_SESSION* session, int errcode, const char* errmsg, int errflags);
+ int _libssh2_error(LIBSSH2_SESSION* session, int errcode, const char* errmsg);
+
+@@ -80,6 +86,10 @@ void _libssh2_store_u32(unsigned char **buf, uint32_t value);
+ void _libssh2_store_str(unsigned char **buf, const char *str, size_t len);
+ void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size);
+
++int _libssh2_get_u32(struct string_buf *buf, uint32_t *out);
++int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf,
++ size_t *outlen);
++
+ #if defined(LIBSSH2_WIN32) && !defined(__MINGW32__) && !defined(__CYGWIN__)
+ /* provide a private one */
+ #undef HAVE_GETTIMEOFDAY
+diff --git a/src/packet.c b/src/packet.c
+index c950b5d..f180b77 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -416,10 +416,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ size_t datalen, int macstate)
+ {
+ int rc = 0;
+- char *message=NULL;
+- char *language=NULL;
+- size_t message_len=0;
+- size_t language_len=0;
++ unsigned char *message = NULL;
++ unsigned char *language = NULL;
++ size_t message_len = 0;
++ size_t language_len = 0;
+ LIBSSH2_CHANNEL *channelp = NULL;
+ size_t data_head = 0;
+ unsigned char msg = data[0];
+@@ -430,7 +430,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ "Packet type %d received, length=%d",
+ (int) msg, (int) datalen);
+
+- if ((macstate == LIBSSH2_MAC_INVALID) &&
++ if((macstate == LIBSSH2_MAC_INVALID) &&
+ (!session->macerror ||
+ LIBSSH2_MACERROR(session, (char *) data, datalen))) {
+ /* Bad MAC input, but no callback set or non-zero return from the
+@@ -456,9 +456,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ break;
+ }
+
+- if (session->packAdd_state == libssh2_NB_state_allocated) {
++ if(session->packAdd_state == libssh2_NB_state_allocated) {
+ /* A couple exceptions to the packet adding rule: */
+- switch (msg) {
++ switch(msg) {
+
+ /*
+ byte SSH_MSG_DISCONNECT
+@@ -469,32 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ case SSH_MSG_DISCONNECT:
+ if(datalen >= 5) {
+- size_t reason = _libssh2_ntohu32(data + 1);
+-
+- if(datalen >= 9) {
+- message_len = _libssh2_ntohu32(data + 5);
+-
+- if(message_len < datalen-13) {
+- /* 9 = packet_type(1) + reason(4) + message_len(4) */
+- message = (char *) data + 9;
+-
+- language_len = _libssh2_ntohu32(data + 9 + message_len);
+- language = (char *) data + 9 + message_len + 4;
+-
+- if(language_len > (datalen-13-message_len)) {
+- /* bad input, clear info */
+- language = message = NULL;
+- language_len = message_len = 0;
+- }
+- }
+- else
+- /* bad size, clear it */
+- message_len=0;
+- }
+- if (session->ssh_msg_disconnect) {
+- LIBSSH2_DISCONNECT(session, reason, message,
+- message_len, language, language_len);
++ uint32_t reason = 0;
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr++; /* advance past type */
++
++ _libssh2_get_u32(&buf, &reason);
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
++
++ if(session->ssh_msg_disconnect) {
++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
++
+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+ "Disconnect(%d): %s(%s)", reason,
+ message, language);
+@@ -534,23 +525,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ int always_display= data[1];
+
+ if(datalen >= 6) {
+- message_len = _libssh2_ntohu32(data + 2);
+-
+- if(message_len <= (datalen - 10)) {
+- /* 6 = packet_type(1) + display(1) + message_len(4) */
+- message = (char *) data + 6;
+- language_len = _libssh2_ntohu32(data + 6 + message_len);
+-
+- if(language_len <= (datalen - 10 - message_len))
+- language = (char *) data + 10 + message_len;
+- }
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 2; /* advance past type & always display */
++
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+ }
+
+- if (session->ssh_msg_debug) {
+- LIBSSH2_DEBUG(session, always_display, message,
+- message_len, language, language_len);
++ if(session->ssh_msg_debug) {
++ LIBSSH2_DEBUG(session, always_display,
++ (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
+ }
++
+ /*
+ * _libssh2_debug will actually truncate this for us so
+ * that it's not an inordinate about of data
+@@ -573,7 +565,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len =0;
+ unsigned char want_reply=0;
+ len = _libssh2_ntohu32(data + 1);
+- if(datalen >= (6 + len)) {
++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+ want_reply = data[5 + len];
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
+--
+2.20.1
+
diff --git a/SPECS/libssh2.spec b/SPECS/libssh2.spec
index 302f94c..f704268 100644
--- a/SPECS/libssh2.spec
+++ b/SPECS/libssh2.spec
@@ -1,6 +1,6 @@
 Name: libssh2
 Version: 1.8.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: A library implementing the SSH2 protocol
 Group: System Environment/Libraries
 License: BSD
@@ -28,6 +28,9 @@ Patch8: 0008-libssh2-1.8.0-CVE-2019-3862.patch
 # fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863)
 Patch9: 0009-libssh2-1.8.0-CVE-2019-3863.patch
+# fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
+Patch10: 0010-libssh2-1.8.0-CVE-2019-17498.patch
+
 Patch14: 0014-libssh2-1.4.3-scp-remote-exec.patch
 Patch15: 0015-libssh2-1.4.3-debug-msgs.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
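Review bot: In src/packet.c, the SSH_MSG_DISCONNECT branch discards the return values of `_libssh2_get_u32` and both `_libssh2_get_string` calls, so a short packet leaves `message` and `language` at their initial NULL and control still reaches `_libssh2_debug(..., "Disconnect(%d): %s(%s)", reason, message, language)`. If that trace call formats its arguments, NULL goes to `%s`, and even after a successful parse the pointers aim into the packet buffer with no terminating NUL written here, so `%s` is not limited by `message_len`/`language_len`. I would stop at the first helper that returns -1 and bound the trace with the parsed lengths, e.g. `"Disconnect(%u): %.*s(%.*s)", reason, (int)message_len, message ? (const char *)message : "", (int)language_len, language ? (const char *)language : ""`. The SSH_MSG_DEBUG branch ignores the same return values; `_libssh2_packet_add` starts and ends outside these hunks, so the later trace call there is not visible. Separately, `_libssh2_check_length` is defined with external linkage in src/misc.c but src/misc.h declares only the other two helpers; make it `static` or add its prototype.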
@@ -86,6 +89,7 @@ developing applications that use libssh2.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 # Replace hard wired port number in the test suite to avoid collisions
 # between 32-bit and 64-bit builds running on a single build-host
@@ -169,6 +173,9 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/libssh2.pc
 %changelog
+* Wed Oct 30 2019 Kamil Dudka - 1.8.0-4
+- fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
+
 * Wed Mar 20 2019 Kamil Dudka 1.8.0-3
 - sanitize public header file (detected by rpmdiff)