From 6f747825fa312a10d6f0834efbb7df1e0fdaa445 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Jan 06 2023 10:57:27 +0000 Subject: Minor cleanups from upstream Fix one-byte overflow in SSH banner processing Resolves: rhbz#2138345 Fix double free() in error path Resolves: rhbz#2138347 --- diff --git a/openssh-9.1p1-sshbanner.patch b/openssh-9.1p1-sshbanner.patch new file mode 100644 index 0000000..57112be --- /dev/null +++ b/openssh-9.1p1-sshbanner.patch @@ -0,0 +1,57 @@ +diff --git a/ssh-keyscan.c b/ssh-keyscan.c +index d29a03b4..d7283136 100644 +--- a/ssh-keyscan.c ++++ b/ssh-keyscan.c +@@ -490,6 +490,15 @@ congreet(int s) + return; + } + ++ /* ++ * Read the server banner as per RFC4253 section 4.2. The "SSH-" ++ * protocol identification string may be preceeded by an arbitarily ++ * large banner which we must read and ignore. Loop while reading ++ * newline-terminated lines until we have one starting with "SSH-". ++ * The ID string cannot be longer than 255 characters although the ++ * preceeding banner lines may (in which case they'll be discarded ++ * in multiple iterations of the outer loop). ++ */ + for (;;) { + memset(buf, '\0', sizeof(buf)); + bufsiz = sizeof(buf); +@@ -517,6 +526,11 @@ congreet(int s) + conrecycle(s); + return; + } ++ if (cp >= buf + sizeof(buf)) { ++ error("%s: greeting exceeds allowable length", c->c_name); ++ confree(s); ++ return; ++ } + if (*cp != '\n' && *cp != '\r') { + error("%s: bad greeting", c->c_name); + confree(s); +diff --git a/sshsig.c b/sshsig.c +index 1e3b6398..eb2a931e 100644 +--- a/sshsig.c ++++ b/sshsig.c +@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp) + { + char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH]; + ssize_t n, total = 0; +- struct ssh_digest_ctx *ctx; ++ struct ssh_digest_ctx *ctx = NULL; + int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR; + struct sshbuf *b = NULL; + +@@ -549,9 +548,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp) + /* success */ + r = 0; + out: ++ oerrno = errno; + sshbuf_free(b); + ssh_digest_free(ctx); + explicit_bzero(hash, sizeof(hash)); ++ errno = oerrno; + return r; + } + diff --git a/openssh.spec b/openssh.spec index 0baac59..8271a20 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 25 +%global openssh_rel 26 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -221,6 +221,8 @@ Patch983: openssh-8.7p1-evpgenkey.patch # downstream only, IBMCA tentative fix # From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14 Patch984: openssh-8.7p1-ibmca.patch +# Upstream ff89b1bed80721295555bd083b173247a9c0484e, 5062ad48814b06162511c4f5924a33d97b6b2566 +Patch986: openssh-9.1p1-sshbanner.patch # Minimize the use of SHA1 as a proof of possession for RSA key (#2031868) # upstream commits: @@ -442,6 +444,7 @@ popd %patch982 -p1 -b .minrsabits %patch983 -p1 -b .evpgenrsa %patch984 -p1 -b .ibmca +%patch986 -p1 -b .91cleanup %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -734,6 +737,12 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Fri Jan 06 2023 Dmitry Belyavskiy - 8.7p1-26 +- Fix one-byte overflow in SSH banner processing + Resolves: rhbz#2138345 +- Fix double free() in error path + Resolves: rhbz#2138347 + * Fri Dec 16 2022 Dmitry Belyavskiy - 8.7p1-25 - Build fix after OpenSSL rebase Resolves: rhbz#2153626