packages/libssh2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update libssh2 to 1.10.0

Browse Source
This commit is contained in:
yangl777 2022-03-22 16:23:05 +08:00
parent 0bd2aa1e48
commit b328325e6f
10 changed files with 1035 additions and 489 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
0001-libssh2-CVE-2019-17498.patch
View File

@ -1,116 +0,0 @@
From ae6b894e43dabed9a93c1b5e47ab564de3f00d6c Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Sat, 21 Dec 2019 19:31:58 +0800
Subject: [PATCH] packet.c: improve message parsing (#402)
---
src/packet.c | 66 +++++++++++++++++++++++++-----------------------------------
1 file changed, 27 insertions(+), 39 deletions(-)
diff --git a/src/packet.c b/src/packet.c
index 38ab629..52eed32 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
size_t datalen, int macstate)
{
int rc = 0;
- char *message = NULL;
- char *language = NULL;
+ unsigned char *message = NULL;
+ unsigned char *language = NULL;
size_t message_len = 0;
size_t language_len = 0;
LIBSSH2_CHANNEL *channelp = NULL;
@@ -472,32 +472,21 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
case SSH_MSG_DISCONNECT:
if(datalen >= 5) {
- size_t reason = _libssh2_ntohu32(data + 1);
+ uint32_t reason = 0;
+ struct string_buf buf;
+ buf.data = (unsigned char *)data;
+ buf.dataptr = buf.data;
+ buf.len = datalen;
+ buf.dataptr++; /* advance past type */
- if(datalen >= 9) {
- message_len = _libssh2_ntohu32(data + 5);
+ _libssh2_get_u32(&buf, &reason);
+ _libssh2_get_string(&buf, &message, &message_len);
+ _libssh2_get_string(&buf, &language, &language_len);
- if(message_len < datalen-13) {
- /* 9 = packet_type(1) + reason(4) + message_len(4) */
- message = (char *) data + 9;
-
- language_len =
- _libssh2_ntohu32(data + 9 + message_len);
- language = (char *) data + 9 + message_len + 4;
-
- if(language_len > (datalen-13-message_len)) {
- /* bad input, clear info */
- language = message = NULL;
- language_len = message_len = 0;
- }
- }
- else
- /* bad size, clear it */
- message_len = 0;
- }
if(session->ssh_msg_disconnect) {
- LIBSSH2_DISCONNECT(session, reason, message,
- message_len, language, language_len);
+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
+ message_len, (const char *)language,
+ language_len);
}
_libssh2_debug(session, LIBSSH2_TRACE_TRANS,
"Disconnect(%d): %s(%s)", reason,
@@ -539,22 +528,21 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
int always_display = data[1];
if(datalen >= 6) {
- message_len = _libssh2_ntohu32(data + 2);
-
- if(message_len <= (datalen - 10)) {
- /* 6 = packet_type(1) + display(1) + message_len(4) */
- message = (char *) data + 6;
- language_len = _libssh2_ntohu32(data + 6 +
- message_len);
-
- if(language_len <= (datalen - 10 - message_len))
- language = (char *) data + 10 + message_len;
- }
+ struct string_buf buf;
+ buf.data = (unsigned char *)data;
+ buf.dataptr = buf.data;
+ buf.len = datalen;
+ buf.dataptr += 2; /* advance past type & always display */
+
+ _libssh2_get_string(&buf, &message, &message_len);
+ _libssh2_get_string(&buf, &language, &language_len);
}
if(session->ssh_msg_debug) {
- LIBSSH2_DEBUG(session, always_display, message,
- message_len, language, language_len);
+ LIBSSH2_DEBUG(session, always_display,
+ (const char *)message,
+ message_len, (const char *)language,
+ language_len);
}
}
/*
@@ -579,7 +567,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
uint32_t len = 0;
unsigned char want_reply = 0;
len = _libssh2_ntohu32(data + 1);
- if(datalen >= (6 + len)) {
+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
want_reply = data[5 + len];
_libssh2_debug(session,
LIBSSH2_TRACE_CONN,
--
1.8.3.1

28
0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
View File

@ -1,28 +0,0 @@
From c2304e1ed951644bbe559348030bbb2844b348de Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Sat, 21 Dec 2019 19:35:22 +0800
Subject: [PATCH] misc.c: _libssh2_ntohu32 cast bit shifting (#401)
---
src/misc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/misc.c b/src/misc.c
index bd084c8..b307260 100644
--- a/src/misc.c
+++ b/src/misc.c
@@ -196,7 +196,10 @@ _libssh2_send(libssh2_socket_t sock, const void *buffer, size_t length,
unsigned int
_libssh2_ntohu32(const unsigned char *buf)
{
- return (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
+ return (((unsigned int)buf[0] << 24)
+ | ((unsigned int)buf[1] << 16)
+ | ((unsigned int)buf[2] << 8)
+ | ((unsigned int)buf[3]));
}
--
1.8.3.1

97
0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
View File

@ -1,97 +0,0 @@
From 80d3ea5b413d269ec77aebbb0aabbe738ba31796 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Wed, 4 Sep 2019 12:16:52 -0700
Subject: [PATCH] packet.c: improved packet parsing in packet_queue_listener
(#404)
* improved bounds checking in packet_queue_listener
file: packet.c
notes:
improved parsing packet in packet_queue_listener
---
src/packet.c | 63 +++++++++++++++++++++++++++++++++++++++++-------------------
1 file changed, 43 insertions(+), 20 deletions(-)
diff --git a/src/packet.c b/src/packet.c
index 2e01bfc..c83a68d 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -85,30 +85,53 @@ packet_queue_listener(LIBSSH2_SESSION * session, unsigned char *data,
char failure_code = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED;
int rc;
- (void) datalen;
-
if(listen_state->state == libssh2_NB_state_idle) {
- unsigned char *s = data + (sizeof("forwarded-tcpip") - 1) + 5;
- listen_state->sender_channel = _libssh2_ntohu32(s);
- s += 4;
+ unsigned long offset = (sizeof("forwarded-tcpip") - 1) + 5;
+ size_t temp_len = 0;
+ struct string_buf buf;
+ buf.data = data;
+ buf.dataptr = buf.data;
+ buf.len = datalen;
+
+ if(datalen < offset) {
+ return _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
+ "Unexpected packet size");
+ }
- listen_state->initial_window_size = _libssh2_ntohu32(s);
- s += 4;
- listen_state->packet_size = _libssh2_ntohu32(s);
- s += 4;
+ buf.dataptr += offset;
- listen_state->host_len = _libssh2_ntohu32(s);
- s += 4;
- listen_state->host = s;
- s += listen_state->host_len;
- listen_state->port = _libssh2_ntohu32(s);
- s += 4;
+ if(_libssh2_get_u32(&buf, &(listen_state->sender_channel))) {
+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+ "Data too short extracting channel");
+ }
+ if(_libssh2_get_u32(&buf, &(listen_state->initial_window_size))) {
+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+ "Data too short extracting window size");
+ }
+ if(_libssh2_get_u32(&buf, &(listen_state->packet_size))) {
+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+ "Data too short extracting packet");
+ }
+ if(_libssh2_get_string(&buf, &(listen_state->host), &temp_len)) {
+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+ "Data too short extracting host");
+ }
+ listen_state->host_len = (uint32_t)temp_len;
- listen_state->shost_len = _libssh2_ntohu32(s);
- s += 4;
- listen_state->shost = s;
- s += listen_state->shost_len;
- listen_state->sport = _libssh2_ntohu32(s);
+ if(_libssh2_get_u32(&buf, &(listen_state->port))) {
+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+ "Data too short extracting port");
+ }
+ if(_libssh2_get_string(&buf, &(listen_state->shost), &temp_len)) {
+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+ "Data too short extracting shost");
+ }
+ listen_state->shost_len = (uint32_t)temp_len;
+
+ if(_libssh2_get_u32(&buf, &(listen_state->sport))) {
+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL,
+ "Data too short extracting sport");
+ }
_libssh2_debug(session, LIBSSH2_TRACE_CONN,
"Remote received connection from %s:%ld to %s:%ld",
--
1.8.3.1

88
0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
View File

@ -1,88 +0,0 @@
From 336bd86d2ca4030b808d76e56a0387914982e289 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Fri, 13 Sep 2019 09:45:34 -0700
Subject: [PATCH] packet.c: improved parsing in packet_x11_open (#410)
Use new API to parse data in packet_x11_open() for better bounds checking.
---
src/packet.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 49 insertions(+), 14 deletions(-)
diff --git a/src/packet.c b/src/packet.c
index c83a68d..9897f77 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -295,21 +295,56 @@ packet_x11_open(LIBSSH2_SESSION * session, unsigned char *data,
LIBSSH2_CHANNEL *channel = x11open_state->channel;
int rc;
- (void) datalen;
-
if(x11open_state->state == libssh2_NB_state_idle) {
- unsigned char *s = data + (sizeof("x11") - 1) + 5;
- x11open_state->sender_channel = _libssh2_ntohu32(s);
- s += 4;
- x11open_state->initial_window_size = _libssh2_ntohu32(s);
- s += 4;
- x11open_state->packet_size = _libssh2_ntohu32(s);
- s += 4;
- x11open_state->shost_len = _libssh2_ntohu32(s);
- s += 4;
- x11open_state->shost = s;
- s += x11open_state->shost_len;
- x11open_state->sport = _libssh2_ntohu32(s);
+
+ unsigned long offset = (sizeof("x11") - 1) + 5;
+ size_t temp_len = 0;
+ struct string_buf buf;
+ buf.data = data;
+ buf.dataptr = buf.data;
+ buf.len = datalen;
+
+ if(datalen < offset) {
+ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+ "unexpected data length");
+ failure_code = SSH_OPEN_CONNECT_FAILED;
+ goto x11_exit;
+ }
+
+ buf.dataptr += offset;
+
+ if(_libssh2_get_u32(&buf, &(x11open_state->sender_channel))) {
+ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+ "unexpected sender channel size");
+ failure_code = SSH_OPEN_CONNECT_FAILED;
+ goto x11_exit;
+ }
+ if(_libssh2_get_u32(&buf, &(x11open_state->initial_window_size))) {
+ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+ "unexpected window size");
+ failure_code = SSH_OPEN_CONNECT_FAILED;
+ goto x11_exit;
+ }
+ if(_libssh2_get_u32(&buf, &(x11open_state->packet_size))) {
+ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+ "unexpected window size");
+ failure_code = SSH_OPEN_CONNECT_FAILED;
+ goto x11_exit;
+ }
+ if(_libssh2_get_string(&buf, &(x11open_state->shost), &temp_len)) {
+ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+ "unexpected host size");
+ failure_code = SSH_OPEN_CONNECT_FAILED;
+ goto x11_exit;
+ }
+ x11open_state->shost_len = (uint32_t)temp_len;
+
+ if(_libssh2_get_u32(&buf, &(x11open_state->sport))) {
+ _libssh2_error(session, LIBSSH2_ERROR_INVAL,
+ "unexpected port size");
+ failure_code = SSH_OPEN_CONNECT_FAILED;
+ goto x11_exit;
+ }
_libssh2_debug(session, LIBSSH2_TRACE_CONN,
"X11 Connection Received from %s:%ld on channel %lu",
--
1.8.3.1

1025
backport-RSA-SHA2-256-512-key-upgrade-support-RFC-8332.patch Normal file
View File

File diff suppressed because it is too large Load Diff

119
fix-heap-buffer-overflow-in-kex_agree_methods.patch
View File

@ -1,119 +0,0 @@
From 43f24eb152b8ec62473d2de6108d7c0b267b2419 Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Tue, 27 Aug 2019 10:58:52 -0700
Subject: [PATCH] kex.c: improve bounds checking in kex_agree_methods() (#399)
file: kex.c
notes:
use _libssh2_get_string instead of kex_string_pair which does additional checks
---
src/kex.c | 65 ++++++++++++++++++++-----------------------------------
1 file changed, 24 insertions(+), 41 deletions(-)
diff --git a/src/kex.c b/src/kex.c
index df9a4fdd6..7b111feaa 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -3937,35 +3937,10 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
}
-
/* TODO: When in server mode we need to turn this logic on its head
* The Client gets to make the final call on "agreed methods"
*/
-/*
- * kex_string_pair() extracts a string from the packet and makes sure it fits
- * within the given packet.
- */
-static int kex_string_pair(unsigned char **sp, /* parsing position */
- unsigned char *data, /* start pointer to packet */
- size_t data_len, /* size of total packet */
- size_t *lenp, /* length of the string */
- unsigned char **strp) /* pointer to string start */
-{
- unsigned char *s = *sp;
- *lenp = _libssh2_ntohu32(s);
-
- /* the length of the string must fit within the current pointer and the
- end of the packet */
- if(*lenp > (data_len - (s - data) -4))
- return 1;
- *strp = s + 4;
- s += 4 + *lenp;
-
- *sp = s;
- return 0;
-}
-
/* kex_agree_methods
* Decide which specific method to use of the methods offered by each party
*/
@@ -3976,40 +3951,48 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
*mac_cs, *mac_sc;
size_t kex_len, hostkey_len, crypt_cs_len, crypt_sc_len, comp_cs_len;
size_t comp_sc_len, mac_cs_len, mac_sc_len;
- unsigned char *s = data;
+ struct string_buf buf;
- /* Skip packet_type, we know it already */
- s++;
+ if(data_len < 17)
+ return -1;
+
+ buf.data = (unsigned char *)data;
+ buf.len = data_len;
+ buf.dataptr = buf.data;
+ buf.dataptr++; /* advance past packet type */
/* Skip cookie, don't worry, it's preserved in the kexinit field */
- s += 16;
+ buf.dataptr += 16;
/* Locate each string */
- if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
+ if(_libssh2_get_string(&buf, &kex, &kex_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
+ if(_libssh2_get_string(&buf, &hostkey, &hostkey_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
+ if(_libssh2_get_string(&buf, &crypt_cs, &crypt_cs_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
+ if(_libssh2_get_string(&buf, &crypt_sc, &crypt_sc_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
+ if(_libssh2_get_string(&buf, &mac_cs, &mac_cs_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
+ if(_libssh2_get_string(&buf, &mac_sc, &mac_sc_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
+ if(_libssh2_get_string(&buf, &comp_cs, &comp_cs_len))
return -1;
- if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
+ if(_libssh2_get_string(&buf, &comp_sc, &comp_sc_len))
return -1;
/* If the server sent an optimistic packet, assume that it guessed wrong.
* If the guess is determined to be right (by kex_agree_kex_hostkey)
* This flag will be reset to zero so that it's not ignored */
- session->burn_optimistic_kexinit = *(s++);
- /* Next uint32 in packet is all zeros (reserved) */
+ if(_libssh2_check_length(&buf, 1)) {
+ session->burn_optimistic_kexinit = *(buf.dataptr++);
+ }
+ else {
+ return -1;
+ }
- if(data_len < (unsigned) (s - data))
- return -1; /* short packet */
+ /* Next uint32 in packet is all zeros (reserved) */
if(kex_agree_kex_hostkey(session, kex, kex_len, hostkey, hostkey_len)) {
return -1;

32
fix-use-of-uninitialized-value-476-478.patch
View File

@ -1,32 +0,0 @@
From 0b44e558f311671f6e6d14c559bc1c9bda59b8df Mon Sep 17 00:00:00 2001
From: Will Cosgrove <will@panic.com>
Date: Thu, 28 May 2020 14:20:08 -0700
Subject: [PATCH 2/2] transport.c: moving total_num check from #476 (#478)
file: transport.c
notes:
moving total_num zero length check from #476 up to the prior bounds check which already includes a total_num check. Makes it slightly more readable.
credit:
Will Cosgrove
---
src/transport.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/transport.c b/src/transport.c
index adf96c2..11e5614 100644
--- a/src/transport.c
+++ b/src/transport.c
@@ -465,7 +465,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
* or less (including length, padding length, payload,
* padding, and MAC.)."
*/
- if(total_num > LIBSSH2_PACKET_MAXPAYLOAD) {
+ if(total_num > LIBSSH2_PACKET_MAXPAYLOAD || total_num == 0) {
return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
}
--
1.8.3.1

BIN
libssh2-1.10.0.tar.gz Normal file
View File

Binary file not shown.

BIN
libssh2-1.9.0.tar.gz
View File

Binary file not shown.

19
libssh2.spec
View File

@ -1,21 +1,16 @@
Name: libssh2
Version: 1.9.0
Release: 6
Version: 1.10.0
Release: 1
Summary: A library implementing the SSH2 protocol
License: BSD
URL: https://www.libssh2.org/
Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz
Patch0: 0001-libssh2-CVE-2019-17498.patch
Patch1: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
Patch2: fix-use-of-uninitialized-value-476-478.patch
Patch3: fix-heap-buffer-overflow-in-kex_agree_methods.patch
Patch4: 0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
Patch5: 0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
Patch0: backport-RSA-SHA2-256-512-key-upgrade-support-RFC-8332.patch
BuildRequires: coreutils findutils /usr/bin/man zlib-devel
BuildRequires: gcc make sed openssl-devel > 1:1.0.1 openssh-server
BuildRequires: glibc-langpack-en
BuildRequires: glibc-langpack-en groff
%description
libssh2 is a library implementing the SSH2 protocol as defined by
@ -91,6 +86,12 @@ LC_ALL=en_US.UTF-8 make -C tests check
%{_mandir}/man3/libssh2_*.3*
%changelog
* Tue Mar 21 2022 yanglu <yanglu72@h-partners.com> - 1.10.0-1
- Type:requirement
- ID:NA
- SUG:NA
- DESC:update libssh2 to 1.10.0
* Thu Sep 24 2020 yuboyun <yuboyun@huawei.com> - 1.9.0-6
- Type:bugfix
- ID:NA