fix CVE-2020-16135

reference:
533d881b0f
2782cb0495
10b3ebbe61
245ad744b5
seuzw 2020-08-06 17:41:02 +08:00
parent 85b575cc88
commit 9f7722f510
5 changed files with 181 additions and 1 deletions

36
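--- a/CVE-2020-16135-1.patch
+++ b/CVE-2020-16135-1.patch
@@ -0,0 +1,36 @@
+From 72ca8cc3eceb732c777dfd66e1441f0b34c655a8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:04:09 +0200
+Subject: [PATCH 1/4] sftpserver: Add missing NULL check for ssh_buffer_new()
+Thanks to Ramin Farajpour Cami for spotting this.
+Fixes T232
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+---
+src/sftpserver.c | 6 ++++++
+1 file changed, 6 insertions(+)
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 5a2110e..b639a2c 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+/* take a copy of the whole packet */
+msg->complete_message = ssh_buffer_new();
++ if (msg->complete_message == NULL) {
++ ssh_set_error_oom(session);
++ sftp_client_message_free(msg);
++ return NULL;
++ }
++
+ssh_buffer_add_data(msg->complete_message,
+ssh_buffer_get(payload),
+ssh_buffer_get_len(payload));
+--
+2.23.0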

38
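--- a/CVE-2020-16135-2.patch
+++ b/CVE-2020-16135-2.patch
@@ -0,0 +1,38 @@
+From c7b21bfbcd41205d93492a792c973643c94d3079 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:05:51 +0200
+Subject: [PATCH 2/4] sftpserver: Add missing return check for
+ssh_buffer_add_data()
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+---
+src/sftpserver.c | 11 ++++++++---
+1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index b639a2c..9117f15 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+return NULL;
+}
+- ssh_buffer_add_data(msg->complete_message,
+- ssh_buffer_get(payload),
+- ssh_buffer_get_len(payload));
++ rc = ssh_buffer_add_data(msg->complete_message,
++ ssh_buffer_get(payload),
++ ssh_buffer_get_len(payload));
++ if (rc < 0) {
++ ssh_set_error_oom(session);
++ sftp_client_message_free(msg);
++ return NULL;
++ }
+ssh_buffer_get_u32(payload, &msg->id);
+--
+2.23.0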
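Review bot: The new `rc < 0` branch in sftp_get_client_message reports out-of-memory, but ssh_buffer_add_data() as shown in the buffer.c patches on this page also returns -1 for a NULL `data` pointer and when `buffer->used + len` wraps, neither of which is an allocation failure. Calling `ssh_set_error_oom(session)` there can point whoever triages a server-side failure at memory pressure when the cause was the packet itself; a neutral report such as `ssh_set_error(session, SSH_FATAL, "Failed to copy sftp packet payload");` would be more accurate. The context line that follows, `ssh_buffer_get_u32(payload, &msg->id);`, still discards its return value, so a payload shorter than four bytes presumably leaves `msg->id` unset and deserves the same kind of check. The declaration of `rc` and the rest of the function are outside the hunk, so confirm `rc` exists in the 0.9.4 tree this patch is applied to.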

66
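--- a/CVE-2020-16135-3.patch
+++ b/CVE-2020-16135-3.patch
@@ -0,0 +1,66 @@
+From dafd55eda0093a2201ad847532b9c55af2a01247 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:10:11 +0200
+Subject: [PATCH 3/4] buffer: Reformat ssh_buffer_add_data()
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+---
+src/buffer.c | 35 ++++++++++++++++++-----------------
+1 file changed, 18 insertions(+), 17 deletions(-)
+diff --git a/src/buffer.c b/src/buffer.c
+index a2e6246..476bc13 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
+*/
+int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+{
+- buffer_verify(buffer);
++ buffer_verify(buffer);
+- if (data == NULL) {
+- return -1;
+- }
++ if (data == NULL) {
++ return -1;
++ }
+- if (buffer->used + len < len) {
+- return -1;
+- }
++ if (buffer->used + len < len) {
++ return -1;
++ }
+- if (buffer->allocated < (buffer->used + len)) {
+- if(buffer->pos > 0)
+- buffer_shift(buffer);
+- if (realloc_buffer(buffer, buffer->used + len) < 0) {
+- return -1;
++ if (buffer->allocated < (buffer->used + len)) {
++ if (buffer->pos > 0) {
++ buffer_shift(buffer);
++ }
++ if (realloc_buffer(buffer, buffer->used + len) < 0) {
++ return -1;
++ }
+}
+- }
+- memcpy(buffer->data+buffer->used, data, len);
+- buffer->used+=len;
+- buffer_verify(buffer);
+- return 0;
++ memcpy(buffer->data + buffer->used, data, len);
++ buffer->used += len;
++ buffer_verify(buffer);
++ return 0;
+}
+/**
+--
+2.23.0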

30
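--- a/CVE-2020-16135-4.patch
+++ b/CVE-2020-16135-4.patch
@@ -0,0 +1,30 @@
+From 7a4b7eec9a2921ba275be500e05f436ee8ace198 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:11:21 +0200
+Subject: [PATCH 4/4] buffer: Add NULL check for 'buffer' argument
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+---
+src/buffer.c | 4 ++++
+1 file changed, 4 insertions(+)
+diff --git a/src/buffer.c b/src/buffer.c
+index 476bc13..ce12f49 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
+*/
+int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+{
++ if (buffer == NULL) {
++ return -1;
++ }
++
+buffer_verify(buffer);
+if (data == NULL) {
+--
+2.23.0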
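Review bot: The doc comment that closes just above `ssh_buffer_add_data()` lies outside the hunk and is not touched, so the new early return for a NULL `buffer` is undocumented. I would extend its return description to something like `-1 if buffer or data is NULL, if used + len overflows, or if the buffer cannot be grown`, so that callers know the result must be checked, which is exactly what sftp_get_client_message was missing. Only this one function gains the guard in the visible hunk; whether the other ssh_buffer_* entry points that dereference `buffer` need the same check cannot be judged from here and should be verified against the full file.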


@ -1,6 +1,6 @@
Name: libssh
Version: 0.9.4
Release: 1
Release: 2
Summary: A library implementing the SSH protocol
License: LGPLv2+
URL: http://www.libssh.org
@ -10,6 +10,10 @@ Source1: https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz.asc
Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
Patch1: libssh-0.9.4-fix-version.patch
Patch2: CVE-2020-16135-1.patch
Patch3: CVE-2020-16135-2.patch
Patch4: CVE-2020-16135-3.patch
Patch5: CVE-2020-16135-4.patch
BuildRequires: cmake gcc-c++ gnupg2 openssl-devel pkgconfig zlib-devel
BuildRequires: krb5-devel libcmocka-devel openssh-clients openssh-server
@ -96,6 +100,12 @@ popd
%doc ChangeLog README
%changelog
* Thu Aug 6 2020 zhaowei <zhaowei23@huawei.com> - 0.9.4-2
- Type:CVE
- Id:CVE-2020-16135
- SUG:NA
- DESC:fix CVE-2020-16135
* Mon Apr 20 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.9.4-1
- Type:bugfix
- Id:NA