Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sslh for openSUSE:Factory checked in at 2025-06-02 22:00:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sslh (Old) and /work/SRC/openSUSE:Factory/.sslh.new.16005 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sslh" Mon Jun 2 22:00:03 2025 rev:16 rq:1281729 version:2.2.4 Changes: -------- --- /work/SRC/openSUSE:Factory/sslh/sslh.changes 2025-05-08 18:25:53.166746622 +0200 +++ /work/SRC/openSUSE:Factory/.sslh.new.16005/sslh.changes 2025-06-02 22:00:24.256832248 +0200 @@ -1,0 +2,10 @@ +Mon Jun 2 05:18:34 UTC 2025 - Michael Vetter <mvet...@suse.com> + +- Update to 2.2.4: + * Fix CVE-2025-46806 (bsc#1243120) for "Misaligned Memory Accesses + in `is_openvpn_protocol()`" + * Fix CVE-2025-46807 (bsc#1243122) for "File Descriptor Exhaustion + in sslh-select and sslh-ev" + * Fix potential parsing of undefined data in syslog probe (no CVE assigned) + +------------------------------------------------------------------- @@ -387 +397 @@ -Thu Feb 25 2010 Christian Debertshaeuser <we...@online.de> +Thu Feb 25 00:00:00 UTC 2010 - Christian Debertshaeuser <we...@online.de> Old: ---- v2.2.3.tar.gz New: ---- v2.2.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sslh.spec ++++++ --- /var/tmp/diff_new_pack.I3Uuk5/_old 2025-06-02 22:00:24.772853649 +0200 +++ /var/tmp/diff_new_pack.I3Uuk5/_new 2025-06-02 22:00:24.772853649 +0200 @@ -18,7 +18,7 @@ Name: sslh -Version: 2.2.3 +Version: 2.2.4 Release: 0 Summary: SSL/SSH multiplexer License: GPL-2.0-or-later ++++++ v2.2.3.tar.gz -> v2.2.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslh-2.2.3/ChangeLog new/sslh-2.2.4/ChangeLog --- old/sslh-2.2.3/ChangeLog 2025-05-04 11:47:44.000000000 +0200 +++ new/sslh-2.2.4/ChangeLog 2025-05-28 17:51:04.000000000 +0200 
@@ -1,3 +1,15 @@ +v2.2.4: + Fix CVE-2025-46806 for "Misaligned Memory Accesses in `is_openvpn_protocol()`" + + Fix CVE-2025-46807 for "File Descriptor Exhaustion in sslh-select and sslh-ev" + + Fix potential parsing of undefined data in syslog + probe (no CVE assigned) + + Thanks to Matthias Gerstner of the SUSE security + team for the security review that found these + defects! + v2.2.3: Reverse older commit: version.h cannot be included without breaking the build (everything recompiles diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslh-2.2.3/Makefile.in new/sslh-2.2.4/Makefile.in --- old/sslh-2.2.3/Makefile.in 2025-05-04 11:47:44.000000000 +0200 +++ new/sslh-2.2.4/Makefile.in 2025-05-28 17:51:04.000000000 +0200 @@ -22,7 +22,7 @@ # itself ifneq ($(strip $(ENABLE_SANITIZER)),) - CFLAGS_SAN=-fsanitize=address -fsanitize=leak -fsanitize=undefined + CFLAGS_SAN=-fsanitize=address -fsanitize=leak -fsanitize=undefined -fsanitize=alignment endif ifneq ($(strip $(COV_TEST)),) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslh-2.2.3/probe.c new/sslh-2.2.4/probe.c --- old/sslh-2.2.3/probe.c 2025-05-04 11:47:44.000000000 +0200 +++ new/sslh-2.2.4/probe.c 2025-05-28 17:51:04.000000000 +0200 @@ -25,6 +25,7 @@ #define PCRE2_CODE_UNIT_WIDTH 8 #include <pcre2.h> #endif +#include <regex.h> #include <ctype.h> #include "probe.h" #include "log.h" @@ -146,6 +147,7 @@ #define OVPN_OPCODE_MASK 0xF8 #define OVPN_CONTROL_HARD_RESET_CLIENT_V1 (0x01 << 3) #define OVPN_CONTROL_HARD_RESET_CLIENT_V2 (0x07 << 3) +#define OVPN_CONTROL_HARD_RESET_CLIENT_V3 (0x0A << 3) #define OVPN_HMAC_128 16 #define OVPN_HMAC_160 20 #define OVPN_HARD_RESET_PACKET_ID_OFFSET(hmac_size) (9 + hmac_size) 
@@ -164,8 +166,12 @@ if (len < 1) return PROBE_NEXT; + printf("opcode: %d\n", (p[0] & OVPN_OPCODE_MASK) >> 3); + if ((p[0] & OVPN_OPCODE_MASK) != OVPN_CONTROL_HARD_RESET_CLIENT_V1 && - (p[0] & OVPN_OPCODE_MASK) != OVPN_CONTROL_HARD_RESET_CLIENT_V2) + (p[0] & OVPN_OPCODE_MASK) != OVPN_CONTROL_HARD_RESET_CLIENT_V2 && + (p[0] & OVPN_OPCODE_MASK) != OVPN_CONTROL_HARD_RESET_CLIENT_V3 + ) return PROBE_NEXT; /* The detection pattern above may not be reliable enough. @@ -176,12 +182,18 @@ if (len <= OVPN_HARD_RESET_PACKET_ID_OFFSET(OVPN_HMAC_128) + sizeof(uint32_t)) return PROBE_NEXT; - if (ntohl(*(uint32_t*)(p + OVPN_HARD_RESET_PACKET_ID_OFFSET(OVPN_HMAC_128))) <= 5u) + uint32_t i; + /* OVPN_HMAC_128 is unaligned, which requires special care e.g. on ARM */ + memcpy(&i, (p + OVPN_HARD_RESET_PACKET_ID_OFFSET(OVPN_HMAC_128)), sizeof(i)); + i = ntohl(i); + if (i <= 5u) return PROBE_MATCH; if (len <= OVPN_HARD_RESET_PACKET_ID_OFFSET(OVPN_HMAC_160) + sizeof(uint32_t)) return PROBE_NEXT; + memcpy(&i, (p + OVPN_HARD_RESET_PACKET_ID_OFFSET(OVPN_HMAC_160)), sizeof(i)); + i = ntohl(i); if (ntohl(*(uint32_t*)(p + OVPN_HARD_RESET_PACKET_ID_OFFSET(OVPN_HMAC_160))) <= 5u) return PROBE_MATCH; 
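Review bot: The added `printf("opcode: %d\n", (p[0] & OVPN_OPCODE_MASK) >> 3);` in the OpenVPN probe looks like leftover debugging output and should not ship in a security release. It writes to stdout for every probed buffer that reaches this point, using a value taken from the first byte of client data, so any remote peer can make the daemon emit unbounded output, and where stdout is not a terminal the text may land somewhere unintended. I would delete the line, or route it through the project's own logging at a debug level if the trace is wanted. The enclosing function starts before this hunk and continues past it.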
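Review bot: The HMAC-160 branch still performs the misaligned load, so the CVE-2025-46806 fix is only effective on the HMAC-128 path. The two added lines copy the packet id into `i` with `memcpy` and byte-swap it, but the unchanged condition right after them still reads `ntohl(*(uint32_t*)(p + OVPN_HARD_RESET_PACKET_ID_OFFSET(OVPN_HMAC_160))) <= 5u`, leaving `i` computed and unused. That condition should become `if (i <= 5u)`, matching the HMAC-128 check above it. The comment would also read more accurately as `/* the packet id sits at an unaligned offset in p; copy it out instead of dereferencing (matters e.g. on ARM) */`.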
@@ -362,17 +374,38 @@ return PROBE_MATCH; } +/* ****************** + * is_syslog_protocol + * */ +static regex_t syslog_preg; +static int configured_syslog_regex = 0; + +static void config_syslog_regex(void) +{ + /* two patterns for syslog messages: + * <12> My message + * 15 <12> My message + * 12 is 'priority', 1 to 3 digits (RFC4234) + * 15 is 'message length', a TCP-only option (RFC6587) + */ + int res = regcomp(&syslog_preg, "^([0-9]{1,3} )?<[0-9]{1,3}>", REG_EXTENDED); + if (res) { + print_message(msg_system_error, "regcomp"); + exit(1); + } + configured_syslog_regex = 1; +} + static int is_syslog_protocol(const char *p, ssize_t len, struct sslhcfg_protocols_item* proto) { - int res, i, j; + char buf[len+1]; - res = sscanf(p, "<%d>", &i); - if (res == 1) return 1; + if (!configured_syslog_regex) config_syslog_regex(); - res = sscanf(p, "%d <%d>", &i, &j); - if (res == 2) return 1; + strncpy(buf, p, len); + buf[len] = 0; - return 0; + return (regexec(&syslog_preg, buf, (size_t)0, NULL, 0) == 0); } static int is_teamspeak_protocol(const char *p, ssize_t len, struct sslhcfg_protocols_item* proto) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslh-2.2.3/sslh-select.c new/sslh-2.2.4/sslh-select.c --- old/sslh-2.2.3/sslh-select.c 2025-05-04 11:47:44.000000000 +0200 +++ new/sslh-2.2.4/sslh-select.c 2025-05-28 17:51:04.000000000 +0200 
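Review bot: `char buf[len+1]` in `is_syslog_protocol` is a variable-length array sized directly from `len`, a signed value describing data received from the peer, and nothing in the function rejects a non-positive `len` or bounds a large one; whether callers guarantee a small positive value is not visible in this hunk. The anchored pattern can match at most 9 bytes ("ddd <ddd>"), so the probe only needs a short prefix, and a small fixed buffer with a clamped copy removes both the stack-size dependence and the `strncpy`. Separately, `config_syslog_regex()` calls `exit(1)` from inside a probe when `regcomp` fails, and the lazy `configured_syslog_regex` flag is unsynchronised; compiling the pattern once at startup would avoid both, if the program has a suitable init path.

```c
static int is_syslog_protocol(const char *p, ssize_t len, struct sslhcfg_protocols_item* proto)
{
    /* longest possible match is "ddd <ddd>" (9 bytes), so a short prefix is enough */
    char buf[16];
    size_t n;

    if (len <= 0) return 0;
    n = (size_t)len < sizeof(buf) - 1 ? (size_t)len : sizeof(buf) - 1;
    memcpy(buf, p, n);
    buf[n] = 0;

    /* … unchanged: lazy config_syslog_regex() call and regexec() result … */
```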
@@ -156,13 +156,15 @@ /* Check main socket for new connections */ for (i = 0; i < num_addr_listen; i++) { if (FD_ISSET(listen_sockets[i].socketfd, &readfds)) { - struct connection* new_cnx = cnx_accept_process(&fd_info, &listen_sockets[i]); - - if (fd_out_of_range(new_cnx->q[0].fd)) - tidy_connection(new_cnx, &fd_info); - /* don't also process it as a read socket */ FD_CLR(listen_sockets[i].socketfd, &readfds); + + struct connection* new_cnx; + while ((new_cnx = cnx_accept_process(&fd_info, &listen_sockets[i]))) { + if (fd_out_of_range(new_cnx->q[0].fd)) + tidy_connection(new_cnx, &fd_info); + } + } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslh-2.2.3/t new/sslh-2.2.4/t --- old/sslh-2.2.3/t 2025-05-04 11:47:44.000000000 +0200 +++ new/sslh-2.2.4/t 2025-05-28 17:51:04.000000000 +0200 @@ -9,7 +9,7 @@ use strict; use IO::Socket::INET6; use Test::More qw/no_plan/; -use Conf::Libconfig; +use Conf::Libconfig 1.0.3; my $conf = new Conf::Libconfig; $conf->read_file("test.cfg"); @@ -17,7 +17,7 @@ my $no_listen = 8083; # Port on which no-one listens my $pidfile = $conf->lookup_value("pidfile"); -my $sslh_port = $conf->fetch_array("listen")->[0]->{port}; +my $sslh_port = $conf->value("listen")->[0]->{port}; my $user = (getpwuid $<)[0]; # Run under current username # Which tests do we run @@ -84,8 +84,9 @@ sub test_probe { my (%opts) = @_; + print "test_probe [$opts{expected}] $sslh_port\n"; my $cnx = new IO::Socket::INET(PeerHost => "localhost:$sslh_port"); - warn "$!\n" unless $cnx; + warn "t: $!\n" unless $cnx; return unless $cnx; my $pattern = $opts{data}; @@ -119,7 +120,7 @@ sub test_probes { my (%in_opts) = @_; - my @probes = @{$conf->fetch_array("protocols")}; + my @probes = @{$conf->value("protocols")}; foreach my $p (@probes) { my %protocols = ( 'ssh' => { data => "SSH-2.0 tester" }, 
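Review bot: The new `while ((new_cnx = cnx_accept_process(&fd_info, &listen_sockets[i])))` loop in the sslh-select.c hunk has no upper bound per pass and ends only when `cnx_accept_process` returns NULL. Its safety therefore depends on the listening sockets being non-blocking and on that function returning NULL when no connection is pending, neither of which is visible here. If a listening socket were blocking, the second iteration would stall the whole select loop, and under a burst of connections the loop keeps accepting before any existing connection is serviced. I would state the requirement in a comment, e.g. `/* listen sockets must be non-blocking: the loop ends when accept reports no pending connection */`, and consider capping the number of accepts per pass. The enclosing function starts and ends outside this hunk.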
@@ -194,7 +195,7 @@ # Start an echoserver for each service -foreach my $s (@{$conf->fetch_array("protocols")}) { +foreach my $s (@{$conf->value("protocols")}) { my $prefix = $s->{name}; $prefix =~ s/^ssl/tls/; # To remove in 1.21 @@ -217,7 +218,7 @@ my ($sslh_pid, $valgrind); if (!($sslh_pid = fork)) { my $user = (getpwuid $<)[0]; # Run under current username - my $cmd = "./$binary -v 4 -f -u $user -F test.cfg"; + my $cmd = "./$binary -u $user -F test.cfg"; #$valgrind = 1; #$cmd = "valgrind --leak-check=full $cmd"; verbose_exec $cmd; @@ -339,11 +340,11 @@ } -my $ssh_conf = (grep { $_->{name} eq "ssh" } @{$conf->fetch_array("protocols")})[0]; +my $ssh_conf = (grep { $_->{name} eq "ssh" } @{$conf->value("protocols")})[0]; my $ssh_address = $ssh_conf->{host} . ":" . $ssh_conf->{port}; # Use the last TLS echoserv (no SNI/ALPN) -my $ssl_conf = (grep { $_->{name} eq "tls" } @{$conf->fetch_array("protocols")})[-1]; +my $ssl_conf = (grep { $_->{name} eq "tls" } @{$conf->value ("protocols")})[-1]; my $ssl_address = $ssl_conf->{host} . ":" . $ssl_conf->{port};