diff --git a/SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch b/SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch new file mode 100644 index 0000000..ac66df3 --- /dev/null +++ b/SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch @@ -0,0 +1,33 @@ +From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 19 Mar 2019 13:16:53 +0100 +Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read + +... resulting in out of bounds write + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch +--- + src/transport.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/transport.c b/src/transport.c +index 8725da0..5349284 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -430,8 +430,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + * and we can extract packet and padding length from it + */ + p->packet_length = _libssh2_ntohu32(block); +- if (p->packet_length < 1) ++ if(p->packet_length < 1) { + return LIBSSH2_ERROR_DECRYPT; ++ } ++ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) { ++ return LIBSSH2_ERROR_OUT_OF_BOUNDARY; ++ } + + p->padding_length = block[4]; + +-- +2.17.2 + diff --git a/SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch b/SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch new file mode 100644 index 0000000..076f08b --- /dev/null +++ b/SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch @@ -0,0 +1,44 @@ +From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 19 Mar 2019 13:22:24 +0100 +Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard + interactive handling + +... resulting in out of bounds write + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch + +I believe that: + + `(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)` + +... can be simplified as: + + `(session->userauth_kybd_num_prompts > 100)` + +Signed-off-by: Kamil Dudka +--- + src/userauth.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/userauth.c b/src/userauth.c +index cdfa25e..3946cf9 100644 +--- a/src/userauth.c ++++ b/src/userauth.c +@@ -1498,6 +1498,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, + /* int num-prompts */ + session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); + s += 4; ++ if(session->userauth_kybd_num_prompts && ++ session->userauth_kybd_num_prompts > 100) { ++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, ++ "Too many replies for " ++ "keyboard-interactive prompts"); ++ goto cleanup; ++ } + + if(session->userauth_kybd_num_prompts) { + session->userauth_kybd_prompts = +-- +2.17.2 + diff --git a/SOURCES/0003-libssh2-1.8.0-CVE-2019-3857.patch b/SOURCES/0003-libssh2-1.8.0-CVE-2019-3857.patch new file mode 100644 index 0000000..fc14251 --- /dev/null +++ b/SOURCES/0003-libssh2-1.8.0-CVE-2019-3857.patch @@ -0,0 +1,124 @@ +From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 19 Mar 2019 13:29:35 +0100 +Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH + packet processing channel + +... resulting in out of bounds write + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch +--- + include/libssh2.h | 12 ++++++++++++ + src/packet.c | 11 +++++++++-- + 2 files changed, 21 insertions(+), 2 deletions(-) + +diff --git a/include/libssh2.h b/include/libssh2.h +index 34d2842..e25c380 100644 +--- a/include/libssh2.h ++++ b/include/libssh2.h +@@ -71,6 +71,18 @@ + */ + #define LIBSSH2_VERSION_NUM 0x010403 + ++#ifndef SIZE_MAX ++#if _WIN64 ++#define SIZE_MAX 0xFFFFFFFFFFFFFFFF ++#else ++#define SIZE_MAX 0xFFFFFFFF ++#endif ++#endif ++ ++#ifndef UINT_MAX ++#define UINT_MAX 0xFFFFFFFF ++#endif ++ + /* + * This is the date and time when the full source package was created. The + * timestamp is not stored in the source code repo, as the timestamp is +diff --git a/src/packet.c b/src/packet.c +index 5f1feb8..aa10633 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -814,8 +814,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + /* set signal name (without SIG prefix) */ + uint32_t namelen = + _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); +- channelp->exit_signal = +- LIBSSH2_ALLOC(session, namelen + 1); ++ ++ if(namelen <= UINT_MAX - 1) { ++ channelp->exit_signal = ++ LIBSSH2_ALLOC(session, namelen + 1); ++ } ++ else { ++ channelp->exit_signal = NULL; ++ } ++ + if (!channelp->exit_signal) + rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, + "memory for signal name"); +-- +2.17.2 + + +From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001 +From: Michael Buckley +Date: Mon, 18 Mar 2019 15:07:12 -0700 +Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h + +Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207 +Signed-off-by: Kamil Dudka +--- + include/libssh2.h | 12 ------------ + src/libssh2_priv.h | 12 ++++++++++++ + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/include/libssh2.h b/include/libssh2.h +index e25c380..34d2842 100644 +--- a/include/libssh2.h ++++ b/include/libssh2.h +@@ -71,18 +71,6 @@ + */ + #define LIBSSH2_VERSION_NUM 0x010403 + +-#ifndef SIZE_MAX +-#if _WIN64 +-#define SIZE_MAX 0xFFFFFFFFFFFFFFFF +-#else +-#define SIZE_MAX 0xFFFFFFFF +-#endif +-#endif +- +-#ifndef UINT_MAX +-#define UINT_MAX 0xFFFFFFFF +-#endif +- + /* + * This is the date and time when the full source package was created. The + * timestamp is not stored in the source code repo, as the timestamp is +diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h +index b4296a2..bb5d1a5 100644 +--- a/src/libssh2_priv.h ++++ b/src/libssh2_priv.h +@@ -144,6 +144,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs) + + #endif + ++#ifndef SIZE_MAX ++#if _WIN64 ++#define SIZE_MAX 0xFFFFFFFFFFFFFFFF ++#else ++#define SIZE_MAX 0xFFFFFFFF ++#endif ++#endif ++ ++#ifndef UINT_MAX ++#define UINT_MAX 0xFFFFFFFF ++#endif ++ + /* RFC4253 section 6.1 Maximum Packet Length says: + * + * "All implementations MUST be able to process packets with +-- +2.17.2 + diff --git a/SOURCES/0009-libssh2-1.8.0-CVE-2019-3863.patch b/SOURCES/0009-libssh2-1.8.0-CVE-2019-3863.patch new file mode 100644 index 0000000..db3ab3c --- /dev/null +++ b/SOURCES/0009-libssh2-1.8.0-CVE-2019-3863.patch @@ -0,0 +1,40 @@ +From 9ed3c716b63c77e9b52f71f2dae5464ade6143df Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 19 Mar 2019 13:47:41 +0100 +Subject: [PATCH] Resolves: CVE-2019-3863 - fix integer overflow in user + authenticate keyboard interactive + +... that allows out-of-bounds writes + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch +--- + src/userauth.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/userauth.c b/src/userauth.c +index 3946cf9..ee924c5 100644 +--- a/src/userauth.c ++++ b/src/userauth.c +@@ -1578,8 +1578,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, + + for(i = 0; i != session->userauth_kybd_num_prompts; ++i) { + /* string response[1] (ISO-10646 UTF-8) */ +- session->userauth_kybd_packet_len += +- 4 + session->userauth_kybd_responses[i].length; ++ if(session->userauth_kybd_responses[i].length <= ++ (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) { ++ session->userauth_kybd_packet_len += ++ 4 + session->userauth_kybd_responses[i].length; ++ } ++ else { ++ _libssh2_error(session, LIBSSH2_ERROR_ALLOC, ++ "Unable to allocate memory for keyboard-" ++ "interactive response packet"); ++ goto cleanup; ++ } + } + + /* A new userauth_kybd_data area is to be allocated, free the +-- +2.17.2 + diff --git a/SPECS/libssh2.spec b/SPECS/libssh2.spec index 671a235..acb202d 100644 --- a/SPECS/libssh2.spec +++ b/SPECS/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 12%{?dist} +Release: 12%{?dist}.2 Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -32,6 +32,19 @@ Patch10: 0010-Set-default-window-size-to-2MB.patch Patch11: 0011-channel_receive_window_adjust-store-windows-size-alw.patch Patch12: 0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch Patch13: 0013-kex-bail-out-on-rubbish-in-the-incoming-packet.patch + +# fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) +Patch201: 0001-libssh2-1.8.0-CVE-2019-3855.patch + +# fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) +Patch202: 0002-libssh2-1.8.0-CVE-2019-3856.patch + +# fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) +Patch203: 0003-libssh2-1.8.0-CVE-2019-3857.patch + +# fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863) +Patch209: 0009-libssh2-1.8.0-CVE-2019-3863.patch + Patch14: 0014-libssh2-1.4.3-scp-remote-exec.patch Patch15: 0015-libssh2-1.4.3-debug-msgs.patch Patch101: 0101-libssh2-1.4.3-CVE-2016-0787.patch @@ -116,6 +129,12 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} # use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787) %patch101 -p1 +# rhel-7.6.z patches +%patch201 -p1 +%patch202 -p1 +%patch203 -p1 +%patch209 -p1 + # scp: send valid commands for remote execution (#1489733) %patch14 -p1 @@ -188,6 +207,15 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Wed Mar 20 2019 Kamil Dudka 1.4.3-12.el7_6.2 +- sanitize public header file (detected by rpmdiff) + +* Tue Mar 19 2019 Kamil Dudka 1.4.3-12.el7_6.1 +- fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863) +- fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) +- fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856) +- fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855) + * Tue Sep 26 2017 Kamil Dudka 1.4.3-12 - session: avoid printing misleading debug messages (#1503294) - scp: send valid commands for remote execution (#1489733)