Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package podman for openSUSE:Factory checked in at 2025-03-28 09:36:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/podman (Old) and /work/SRC/openSUSE:Factory/.podman.new.2696 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "podman" Fri Mar 28 09:36:14 2025 rev:156 rq:1256158 version:5.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/podman/podman.changes 2025-03-17 22:15:28.225159418 +0100 +++ /work/SRC/openSUSE:Factory/.podman.new.2696/podman.changes 2025-03-28 09:36:31.650881810 +0100 @@ -1,0 +2,6 @@ +Wed Mar 26 08:24:05 UTC 2025 - Danish Prakash <danish.prak...@suse.com> + +- Add patch for CVE-2025-22869 (bsc#1239330): + * 0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch + +------------------------------------------------------------------- New: ---- 0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch BETA DEBUG BEGIN: New:- Add patch for CVE-2025-22869 (bsc#1239330): * 0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ podman.spec ++++++ --- /var/tmp/diff_new_pack.HeA5Zz/_old 2025-03-28 09:36:32.778928568 +0100 +++ /var/tmp/diff_new_pack.HeA5Zz/_new 2025-03-28 09:36:32.778928568 +0100 @@ -30,6 +30,7 @@ URL: https://%{project} Source0: %{name}-%{version}.tar.gz Source1: podman.conf +Patch0: 0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch BuildRequires: man BuildRequires: bash-completion BuildRequires: device-mapper-devel ++++++ 0001-CVE-2025-22869-ssh-limit-the-size-of-the-internal-pa.patch ++++++ >From 7766adad2e935fcf5fec3ec3b1bb0a0169fdf4c3 Mon Sep 17 00:00:00 2001 From: Nicola Murino <nicola.mur...@gmail.com> Date: Wed, 12 Mar 2025 19:54:12 +0530 Subject: [PATCH] CVE-2025-22869: ssh: limit the size of the internal packet queue while waiting for KEX In the SSH protocol, clients and servers execute the key exchange to generate one-time session keys used for encryption and authentication. The key exchange is performed initially after the connection is established and then periodically after a configurable amount of data. While a key exchange is in progress, we add the received packets to an internal queue until we receive SSH_MSG_KEXINIT from the other side. This can result in high memory usage if the other party is slow to respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a malicious client never responds to an SSH_MSG_KEXINIT packet during a large file transfer. We now limit the internal queue to 64 packets: this means 2MB with the typical 32KB packet size. When the internal queue is full we block further writes until the pending key exchange is completed or there is a read or write error. Thanks to Yuichi Watanabe for reporting this issue. Fixes: CVE-2025-22869 Bugs: bsc#1239330 Signed-off-by: Danish Prakash <cont...@danishpraka.sh> --- vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++----- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go index 56cdc7c21c3b..a68d20f7f396 100644 --- a/vendor/golang.org/x/crypto/ssh/handshake.go +++ b/vendor/golang.org/x/crypto/ssh/handshake.go @@ -25,6 +25,11 @@ const debugHandshake = false // quickly. const chanSize = 16 +// maxPendingPackets sets the maximum number of packets to queue while waiting +// for KEX to complete. This limits the total pending data to maxPendingPackets +// * maxPacket bytes, which is ~16.8MB. +const maxPendingPackets = 64 + // keyingTransport is a packet based transport that supports key // changes. It need not be thread-safe. It should pass through // msgNewKeys in both directions. @@ -73,11 +78,19 @@ type handshakeTransport struct { incoming chan []byte readError error - mu sync.Mutex - writeError error - sentInitPacket []byte - sentInitMsg *kexInitMsg - pendingPackets [][]byte // Used when a key exchange is in progress. + mu sync.Mutex + // Condition for the above mutex. It is used to notify a completed key + // exchange or a write failure. Writes can wait for this condition while a + // key exchange is in progress. + writeCond *sync.Cond + writeError error + sentInitPacket []byte + sentInitMsg *kexInitMsg + // Used to queue writes when a key exchange is in progress. The length is + // limited by pendingPacketsSize. Once full, writes will block until the key + // exchange is completed or an error occurs. If not empty, it is emptied + // all at once when the key exchange is completed in kexLoop. + pendingPackets [][]byte writePacketsLeft uint32 writeBytesLeft int64 @@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, config: config, } + t.writeCond = sync.NewCond(&t.mu) t.resetReadThresholds() t.resetWriteThresholds() @@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) { defer t.mu.Unlock() if t.writeError == nil && err != nil { t.writeError = err + t.writeCond.Broadcast() } } @@ -362,6 +377,8 @@ write: } } t.pendingPackets = t.pendingPackets[:0] + // Unblock writePacket if waiting for KEX. + t.writeCond.Broadcast() t.mu.Unlock() } @@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error { } if t.sentInitMsg != nil { - // Copy the packet so the writer can reuse the buffer. - cp := make([]byte, len(p)) - copy(cp, p) - t.pendingPackets = append(t.pendingPackets, cp) - return nil + if len(t.pendingPackets) < maxPendingPackets { + // Copy the packet so the writer can reuse the buffer. + cp := make([]byte, len(p)) + copy(cp, p) + t.pendingPackets = append(t.pendingPackets, cp) + return nil + } + for t.sentInitMsg != nil { + // Block and wait for KEX to complete or an error. + t.writeCond.Wait() + if t.writeError != nil { + return t.writeError + } + } } if t.writeBytesLeft > 0 { @@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error { if err := t.pushPacket(p); err != nil { t.writeError = err + t.writeCond.Broadcast() } return nil -- 2.46.0
