[oe] [meta-oe][zeus][PATCH] libssh2: CVE-2019-17498.patch
akuster808
akuster808 at gmail.com
Fri Mar 13 15:36:43 UTC 2020
On 3/13/20 4:10 AM, Wang Mingyu wrote:
> Security Advisory
>
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498
is this fix in master?
>
> Signed-off-by: Wang Mingyu <wangmy at cn.fujitsu.com>
> ---
> .../libssh2/libssh2/CVE-2019-17498.patch | 131 ++++++++++++++++++
> .../recipes-support/libssh2/libssh2_1.8.2.bb | 1 +
> 2 files changed, 132 insertions(+)
> create mode 100644 meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
>
> diff --git a/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch b/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
> new file mode 100644
> index 000000000..f60764c92
> --- /dev/null
> +++ b/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
> @@ -0,0 +1,131 @@
> +From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
> +From: Will Cosgrove <will at panic.com>
> +Date: Fri, 30 Aug 2019 09:57:38 -0700
> +Subject: [PATCH] packet.c: improve message parsing (#402)
> +
> +* packet.c: improve parsing of packets
> +
> +file: packet.c
> +
> +notes:
> +Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
> +
> +Upstream-Status: Accepted
> +CVE: CVE-2019-17498
> +
> +Reference to upstream patch:
> +https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
> +
> +---
> + src/packet.c | 68 ++++++++++++++++++++++------------------------------
> + 1 file changed, 29 insertions(+), 39 deletions(-)
> +
> +diff --git a/src/packet.c b/src/packet.c
> +index 38ab6294..2e01bfc5 100644
> +--- a/src/packet.c
> ++++ b/src/packet.c
> +@@ -416,8 +416,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
> + size_t datalen, int macstate)
> + {
> + int rc = 0;
> +- char *message = NULL;
> +- char *language = NULL;
> ++ unsigned char *message = NULL;
> ++ unsigned char *language = NULL;
> + size_t message_len = 0;
> + size_t language_len = 0;
> + LIBSSH2_CHANNEL *channelp = NULL;
> +@@ -469,33 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
> +
> + case SSH_MSG_DISCONNECT:
> + if(datalen >= 5) {
> +- size_t reason = _libssh2_ntohu32(data + 1);
> ++ uint32_t reason = 0;
> ++ struct string_buf buf;
> ++ buf.data = (unsigned char *)data;
> ++ buf.dataptr = buf.data;
> ++ buf.len = datalen;
> ++ buf.dataptr++; /* advance past type */
> +
> +- if(datalen >= 9) {
> +- message_len = _libssh2_ntohu32(data + 5);
> ++ _libssh2_get_u32(&buf, &reason);
> ++ _libssh2_get_string(&buf, &message, &message_len);
> ++ _libssh2_get_string(&buf, &language, &language_len);
> +
> +- if(message_len < datalen-13) {
> +- /* 9 = packet_type(1) + reason(4) + message_len(4) */
> +- message = (char *) data + 9;
> +-
> +- language_len =
> +- _libssh2_ntohu32(data + 9 + message_len);
> +- language = (char *) data + 9 + message_len + 4;
> +-
> +- if(language_len > (datalen-13-message_len)) {
> +- /* bad input, clear info */
> +- language = message = NULL;
> +- language_len = message_len = 0;
> +- }
> +- }
> +- else
> +- /* bad size, clear it */
> +- message_len = 0;
> +- }
> + if(session->ssh_msg_disconnect) {
> +- LIBSSH2_DISCONNECT(session, reason, message,
> +- message_len, language, language_len);
> ++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
> ++ message_len, (const char *)language,
> ++ language_len);
> + }
> ++
> + _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
> + "Disconnect(%d): %s(%s)", reason,
> + message, language);
> +@@ -534,23 +526,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
> + int always_display = data[1];
> +
> + if(datalen >= 6) {
> +- message_len = _libssh2_ntohu32(data + 2);
> +-
> +- if(message_len <= (datalen - 10)) {
> +- /* 6 = packet_type(1) + display(1) + message_len(4) */
> +- message = (char *) data + 6;
> +- language_len = _libssh2_ntohu32(data + 6 +
> +- message_len);
> +-
> +- if(language_len <= (datalen - 10 - message_len))
> +- language = (char *) data + 10 + message_len;
> +- }
> ++ struct string_buf buf;
> ++ buf.data = (unsigned char *)data;
> ++ buf.dataptr = buf.data;
> ++ buf.len = datalen;
> ++ buf.dataptr += 2; /* advance past type & always display */
> ++
> ++ _libssh2_get_string(&buf, &message, &message_len);
> ++ _libssh2_get_string(&buf, &language, &language_len);
> + }
> +
> + if(session->ssh_msg_debug) {
> +- LIBSSH2_DEBUG(session, always_display, message,
> +- message_len, language, language_len);
> ++ LIBSSH2_DEBUG(session, always_display,
> ++ (const char *)message,
> ++ message_len, (const char *)language,
> ++ language_len);
> + }
> + }
> ++
> + /*
> + * _libssh2_debug will actually truncate this for us so
> + * that it's not an inordinate about of data
> +@@ -576,7 +566,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
> + uint32_t len = 0;
> + unsigned char want_reply = 0;
> + len = _libssh2_ntohu32(data + 1);
> +- if(datalen >= (6 + len)) {
> ++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
> + want_reply = data[5 + len];
> + _libssh2_debug(session,
> + LIBSSH2_TRACE_CONN,
> diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb b/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb
> index fe853cde4..a17ae5b7c 100644
> --- a/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb
> +++ b/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb
> @@ -17,6 +17,7 @@ inherit autotools pkgconfig
> EXTRA_OECONF += "\
> --with-libz \
> --with-libz-prefix=${STAGING_LIBDIR} \
> + file://CVE-2019-17498.patch \
> "
>
> # only one of openssl and gcrypt could be set
More information about the Openembedded-devel
mailing list