Hello community, here is the log from the commit of package libssh2_org for openSUSE:Factory checked in at 2019-03-24 14:55:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libssh2_org (Old) and /work/SRC/openSUSE:Factory/.libssh2_org.new.25356 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libssh2_org" Sun Mar 24 14:55:54 2019 rev:37 rq:686382 version:1.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/libssh2_org/libssh2_org.changes 2018-01-19 11:46:24.350893657 +0100 +++ /work/SRC/openSUSE:Factory/.libssh2_org.new.25356/libssh2_org.changes 2019-03-24 14:55:56.903208736 +0100 @@ -1,0 +2,23 @@ +Tue Mar 19 09:30:12 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Version update to 1.8.1: + Bug Fixes: + * [bsc#1128471, CVE-2019-3855] Integer overflow when reading a specially + crafted packet + * [bsc#1128493, CVE-2019-3863] Integer overflow in userauth_keyboard_interactive + with a number of extremely long prompt strings + * [bsc#1128472, CVE-2019-3856] Integer overflow if the server sent an extremely + large number of keyboard prompts + * [bsc#1128490, CVE-2019-3861] Out of bounds read when processing a specially + crafted packet + * [bsc#1128474, CVE-2019-3857] Integer overflow when receiving a specially + crafted exit signal message channel packet + * [bsc#1128492, CVE-2019-3862] Out of bounds read when receiving a specially + crafted exit status message channel packet + * [bsc#1128476, CVE-2019-3858] Zero byte allocation when reading a specially + crafted SFTP packet + * [bsc#1128481, CVE-2019-3860] Out of bounds reads when processing specially + crafted SFTP packets + * [bsc#1128480, CVE-2019-3859] Out of bounds reads in _libssh2_packet_require(v) + +------------------------------------------------------------------- Old: ---- libssh2-1.8.0.tar.gz libssh2-1.8.0.tar.gz.asc New: ---- libssh2-1.8.1.tar.gz libssh2-1.8.1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libssh2_org.spec ++++++ --- /var/tmp/diff_new_pack.eC4Qdm/_old 2019-03-24 14:55:57.539208669 +0100 +++ /var/tmp/diff_new_pack.eC4Qdm/_new 2019-03-24 14:55:57.543208669 +0100 
@@ -1,7 +1,7 @@ # # spec file for package libssh2_org # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,20 +12,20 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define pkg_name libssh2 Name: libssh2_org -Version: 1.8.0 +Version: 1.8.1 Release: 0 Summary: A library implementing the SSH2 protocol License: BSD-3-Clause Group: Development/Libraries/C and C++ -Url: http://www.libssh2.org/ -Source0: http://www.libssh2.org/download/%{pkg_name}-%{version}.tar.gz -Source1: http://www.libssh2.org/download/%{pkg_name}-%{version}.tar.gz.asc +Url: https://www.libssh2.org/ +Source0: https://www.libssh2.org/download/%{pkg_name}-%{version}.tar.gz +Source1: https://www.libssh2.org/download/%{pkg_name}-%{version}.tar.gz.asc Source2: baselibs.conf Source3: libssh2_org.keyring Patch0: libssh2-ocloexec.patch ++++++ libssh2-1.8.0.tar.gz -> libssh2-1.8.1.tar.gz ++++++ ++++ 3164 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/NEWS new/libssh2-1.8.1/NEWS --- old/libssh2-1.8.0/NEWS 2016-10-25 08:44:34.000000000 +0200 +++ new/libssh2-1.8.1/NEWS 2019-03-18 22:30:26.000000000 +0100 
@@ -1,5 +1,53 @@ Changelog for the libssh2 project. Generated with git2news.pl +Version 1.8.1 (14 Mar 2019) + +Will Cosgrove (14 Mar 2019) +- [Michael Buckley brought this change] + + More 1.8.0 security fixes (#316) + + * Defend against possible integer overflows in comp_method_zlib_decomp. + + * Defend against writing beyond the end of the payload in _libssh2_transport_read(). + + * Sanitize padding_length - _libssh2_transport_read(). https://libssh2.org/CVE-2019-3861.html + + This prevents an underflow resulting in a potential out-of-bounds read if a server sends a too-large padding_length, possibly with malicious intent. + + * Prevent zero-byte allocation in sftp_packet_read() which could lead to an out-of-bounds read. https://libssh2.org/CVE-2019-3858.html + + * Check the length of data passed to sftp_packet_add() to prevent out-of-bounds reads. + + * Add a required_size parameter to sftp_packet_require et. al. to require callers of these functions to handle packets that are too short. https://libssh2.org/CVE-2019-3860.html + + * Additional length checks to prevent out-of-bounds reads and writes in _libssh2_packet_add(). https://libssh2.org/CVE-2019-3862.html + +GitHub (14 Mar 2019) +- [Will Cosgrove brought this change] + + 1.8 Security fixes (#314) + + * fixed possible integer overflow in packet_length + + CVE https://www.libssh2.org/CVE-2019-3861.html + + * fixed possible interger overflow with userauth_keyboard_interactive + + CVE https://www.libssh2.org/CVE-2019-3856.html + + * fixed possible out zero byte/incorrect bounds allocation + + CVE https://www.libssh2.org/CVE-2019-3857.html + + * bounds checks for response packets + + * fixed integer overflow in userauth_keyboard_interactive + + CVE https://www.libssh2.org/CVE-2019-3863.html + + * 1.8.1 release notes + Version 1.8.0 (25 Oct 2016) Daniel Stenberg (25 Oct 2016) 
@@ -5482,10 +5530,3 @@ <http://thread.gmane.org/gmane.network.ssh.libssh2.devel/2530>. - Add. - -- Protect against crash on too small SSH_MSG_IGNORE packets. - - Reported by Bob Alexander <[email protected]> - in <http://thread.gmane.org/gmane.network.ssh.libssh2.devel/2530>. - -- add copyright line diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/RELEASE-NOTES new/libssh2-1.8.1/RELEASE-NOTES --- old/libssh2-1.8.0/RELEASE-NOTES 2016-10-25 08:43:25.000000000 +0200 +++ new/libssh2-1.8.1/RELEASE-NOTES 2019-03-18 22:03:35.000000000 +0100 
@@ -1,31 +1,29 @@ -libssh2 1.8.0 - -This release includes the following changes: - - o added a basic dockerised test suite - o crypto: add support for the mbedTLS backend +libssh2 1.8.1 This release includes the following bugfixes: - - o libgcrypt: fixed a NULL pointer dereference on OOM - o VMS: can't use %zd for off_t format - o VMS: update vms/libssh2_config.h - o windows: link with crypt32.lib - o libssh2_channel_open: speeling error fixed in channel error message - o msvc: fixed 14 compilation warnings - o tests: HAVE_NETINET_IN_H was not defined correctly - o openssl: add OpenSSL 1.1.0 compatibility - o cmake: Add CLEAR_MEMORY option, analogously to that for autoconf - o configure: make the --with-* options override the OpenSSL default - o libssh2_wait_socket: set err_msg on errors - o libssh2_wait_socket: Fix comparison with api_timeout to use milliseconds + o fixed possible integer overflow when reading a specially crafted packet + (https://www.libssh2.org/CVE-2019-3855.html) + o fixed possible integer overflow in userauth_keyboard_interactive with a + number of extremely long prompt strings + (https://www.libssh2.org/CVE-2019-3863.html) + o fixed possible integer overflow if the server sent an extremely large number + of keyboard prompts (https://www.libssh2.org/CVE-2019-3856.html) + o fixed possible out of bounds read when processing a specially crafted packet + (https://www.libssh2.org/CVE-2019-3861.html) + o fixed possible integer overflow when receiving a specially crafted exit + signal message channel packet (https://www.libssh2.org/CVE-2019-3857.html) + o fixed possible out of bounds read when receiving a specially crafted exit + status message channel packet (https://www.libssh2.org/CVE-2019-3862.html) + o fixed possible zero byte allocation when reading a specially crafted SFTP + packet (https://www.libssh2.org/CVE-2019-3858.html) + o fixed possible out of bounds reads when processing specially crafted SFTP + packets 
(https://www.libssh2.org/CVE-2019-3860.html) + o fixed possible out of bounds reads in _libssh2_packet_require(v) + (https://www.libssh2.org/CVE-2019-3859.html) + This release would not have looked like this without help, code, reports and advice from friends like these: - Alexander Lamaison, Antenore Gatta, Brad Harder, Charles Collicutt, - Craig A. Berry, Dan Fandrich, Daniel Stenberg, Kamil Dudka, Keno Fischer, - Taylor Holberton, Viktor Szakats, Will Cosgrove, Zenju - (12 contributors) - - Thanks! (and sorry if I forgot to mention someone) + Chris Coulson, Michael Buckley, Will Cosgrove, Daniel Stenberg + (4 contributors) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/compile new/libssh2-1.8.1/compile --- old/libssh2-1.8.0/compile 2016-09-27 07:59:13.000000000 +0200 +++ new/libssh2-1.8.1/compile 2019-03-17 14:35:33.000000000 +0100 @@ -1,9 +1,9 @@ #! /bin/sh # Wrapper for compilers which do not understand '-c -o'. -scriptversion=2012-10-14.11; # UTC +scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2014 Free Software Foundation, Inc. +# Copyright (C) 1999-2018 Free Software Foundation, Inc. # Written by Tom Tromey <[email protected]>. # # This program is free software; you can redistribute it and/or modify @@ -17,7 +17,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a 
@@ -255,7 +255,8 @@ echo "compile $scriptversion" exit $? ;; - cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) + cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \ + icl | *[/\\]icl | icl.exe | *[/\\]icl.exe ) func_cl_wrapper "$@" # Doesn't return... ;; esac @@ -339,9 +340,9 @@ # Local Variables: # mode: shell-script # sh-indentation: 2 -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/example/libssh2_config.h.in new/libssh2-1.8.1/example/libssh2_config.h.in --- old/libssh2-1.8.0/example/libssh2_config.h.in 2016-09-27 07:59:13.000000000 +0200 +++ new/libssh2-1.8.1/example/libssh2_config.h.in 2019-03-17 14:35:33.000000000 +0100 @@ -64,8 +64,8 @@ /* Define if you have the gcrypt library. */ #undef HAVE_LIBGCRYPT -/* Define if you have the mbedtls library. */ -#undef HAVE_LIBMBEDTLS +/* Define if you have the mbedcrypto library. */ +#undef HAVE_LIBMBEDCRYPTO /* Define if you have the ssl library. */ #undef HAVE_LIBSSL @@ -79,6 +79,9 @@ /* Define to 1 if you have the <memory.h> header file. */ #undef HAVE_MEMORY_H +/* Define to 1 if you have the `memset_s' function. */ +#undef HAVE_MEMSET_S + /* Define to 1 if you have the <netinet/in.h> header file. */ #undef HAVE_NETINET_IN_H 
@@ -178,10 +181,10 @@ /* Use mbedtls */ #undef LIBSSH2_MBEDTLS -/* Use OpenSSL */ +/* Use openssl */ #undef LIBSSH2_OPENSSL -/* Use Windows CNG */ +/* Use wincng */ #undef LIBSSH2_WINCNG /* Define to the sub-directory where libtool stores uninstalled libraries. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/include/libssh2.h new/libssh2-1.8.1/include/libssh2.h --- old/libssh2-1.8.0/include/libssh2.h 2016-10-25 08:44:34.000000000 +0200 +++ new/libssh2-1.8.1/include/libssh2.h 2019-03-18 22:30:26.000000000 +0100 @@ -46,13 +46,13 @@ to make the BANNER define (used by src/session.c) be a valid SSH banner. Release versions have no appended strings and may of course not have dashes either. */ -#define LIBSSH2_VERSION "1.8.0" +#define LIBSSH2_VERSION "1.8.1" /* The numeric version number is also available "in parts" by using these defines: */ #define LIBSSH2_VERSION_MAJOR 1 #define LIBSSH2_VERSION_MINOR 8 -#define LIBSSH2_VERSION_PATCH 0 +#define LIBSSH2_VERSION_PATCH 1 /* This is the numeric version of the libssh2 version number, meant for easier parsing and comparions by programs. The LIBSSH2_VERSION_NUM define will @@ -69,7 +69,7 @@ and it is always a greater number in a more recent release. It makes comparisons with greater than and less than work. */ -#define LIBSSH2_VERSION_NUM 0x010800 +#define LIBSSH2_VERSION_NUM 0x010801 /* * This is the date and time when the full source package was created. The @@ -80,7 +80,7 @@ * * "Mon Feb 12 11:35:33 UTC 2007" */ -#define LIBSSH2_TIMESTAMP "Tue Oct 25 06:44:33 UTC 2016" +#define LIBSSH2_TIMESTAMP "Mon Mar 18 21:30:25 UTC 2019" #ifndef RC_INVOKED 
@@ -145,6 +145,18 @@ #define LIBSSH2_INVALID_SOCKET -1 #endif /* WIN32 */ +#ifndef SIZE_MAX +#if _WIN64 +#define SIZE_MAX 0xFFFFFFFFFFFFFFFF +#else +#define SIZE_MAX 0xFFFFFFFF +#endif +#endif + +#ifndef UINT_MAX +#define UINT_MAX 0xFFFFFFFF +#endif + /* * Determine whether there is small or large file support on windows. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/m4/libtool.m4 new/libssh2-1.8.1/m4/libtool.m4 --- old/libssh2-1.8.0/m4/libtool.m4 2016-09-27 07:59:11.000000000 +0200 +++ new/libssh2-1.8.1/m4/libtool.m4 2019-03-17 14:35:31.000000000 +0100 @@ -4063,7 +4063,8 @@ if AC_TRY_EVAL(ac_compile); then # Now try to grab the symbols. nlist=conftest.nm - if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then + $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD + if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" @@ -4703,6 +4704,12 @@ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) 
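Review bot: The SIZE_MAX fallback in the libssh2.h hunk picks 0xFFFFFFFF for every target that is not _WIN64, so a 64-bit non-Windows build that reaches it (it would if <stdint.h> has not been included earlier in the header, which the hunk does not show) gets a 4 GiB SIZE_MAX, and the overflow guards added elsewhere in this release that compare against SIZE_MAX (the comp.c hunk on this page) would then be computed against the wrong limit; the UINT_MAX fallback likewise assumes a 32-bit int. Since this is the public header, prefer including the standard headers ahead of the fallback — `#include <stdint.h>` and `#include <limits.h>` — so the fallback is only reached on toolchains that truly lack them, and key the 64-bit branch on the data model rather than one Windows macro, e.g. `#if defined(_WIN64) || defined(__LP64__)`. Defining standard macro names in a library header also means a later `#include <stdint.h>` in application code will fail with a redefinition error whenever the platform's value differs from the one chosen here, so the fallback deserves a comment stating which toolchains it is for.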
@@ -6438,7 +6445,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' else GXX=no @@ -6813,7 +6820,7 @@ # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. - output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test yes = "$GXX"; then @@ -6878,7 +6885,7 @@ # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. - output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test yes = "$GXX"; then 
@@ -7217,7 +7224,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' else # FIXME: insert proper C++ library support @@ -7301,7 +7308,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' else # g++ 2.7 appears to require '-G' NOT '-shared' on this # platform. @@ -7312,7 +7319,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' fi _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/missing new/libssh2-1.8.1/missing --- old/libssh2-1.8.0/missing 2016-09-27 07:59:13.000000000 +0200 +++ new/libssh2-1.8.1/missing 2019-03-17 14:35:33.000000000 +0100 
@@ -1,9 +1,9 @@ #! /bin/sh # Common wrapper for a few potentially missing GNU programs. -scriptversion=2013-10-28.13; # UTC +scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2014 Free Software Foundation, Inc. +# Copyright (C) 1996-2018 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <[email protected]>, 1996. # This program is free software; you can redistribute it and/or modify @@ -17,7 +17,7 @@ # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -101,9 +101,9 @@ exit $st fi -perl_URL=http://www.perl.org/ -flex_URL=http://flex.sourceforge.net/ -gnu_software_URL=http://www.gnu.org/software +perl_URL=https://www.perl.org/ +flex_URL=https://github.com/westes/flex +gnu_software_URL=https://www.gnu.org/software program_details () { @@ -207,9 +207,9 @@ exit $st # Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/src/channel.c new/libssh2-1.8.1/src/channel.c --- old/libssh2-1.8.0/src/channel.c 2016-03-26 23:56:52.000000000 +0100 +++ new/libssh2-1.8.1/src/channel.c 2019-03-18 22:30:01.000000000 +0100 
@@ -238,7 +238,20 @@ goto channel_error; } + if(session->open_data_len < 1) { + _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + goto channel_error; + } + if (session->open_data[0] == SSH_MSG_CHANNEL_OPEN_CONFIRMATION) { + + if(session->open_data_len < 17) { + _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + goto channel_error; + } + session->open_channel->remote.id = _libssh2_ntohu32(session->open_data + 5); session->open_channel->local.window_size = @@ -518,7 +531,7 @@ if (rc == LIBSSH2_ERROR_EAGAIN) { _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); return NULL; - } else if (rc) { + } else if (rc || data_len < 1) { _libssh2_error(session, LIBSSH2_ERROR_PROTO, "Unknown"); session->fwdLstn_state = libssh2_NB_state_idle; return NULL; @@ -855,6 +868,11 @@ channel->setenv_state = libssh2_NB_state_idle; return rc; } + else if(data_len < 1) { + channel->setenv_state = libssh2_NB_state_idle; + return _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + } if (data[0] == SSH_MSG_CHANNEL_SUCCESS) { LIBSSH2_FREE(session, data); @@ -971,7 +989,7 @@ &channel->reqPTY_packet_requirev_state); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } else if (rc || data_len < 1) { channel->reqPTY_state = libssh2_NB_state_idle; return _libssh2_error(session, LIBSSH2_ERROR_PROTO, "Failed to require the PTY package"); @@ -1197,7 +1215,7 @@ &channel->reqX11_packet_requirev_state); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } else if (rc || data_len < 1) { channel->reqX11_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, "waiting for x11-req response packet"); 
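Review bot: In the reqX11 hunk the new `data_len < 1` condition reaches `return _libssh2_error(session, rc, "waiting for x11-req response packet")` with rc equal to 0 when a packet arrived but was empty, so `_libssh2_error` (which, judging from the `return _libssh2_error(...)` pattern throughout the file, returns the code it is handed) records error code 0 and the caller sees success for a malformed response; the process hunk on the next line (`"Failed waiting for channel success"`) has the same shape. The reqPTY and setenv hunks avoid this by passing LIBSSH2_ERROR_PROTO explicitly, so the fix is to do the same, e.g. `return _libssh2_error(session, rc ? rc : LIBSSH2_ERROR_PROTO, "waiting for x11-req response packet");`. Separately, the setenv hunk returns on a short packet without releasing `data`, while the success branch right below it calls `LIBSSH2_FREE(session, data)`; if requirev hands back a buffer for a zero-length payload it is leaked here, which is worth confirming against the requirev contract. The enclosing functions start and end outside these hunks.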
@@ -1324,7 +1342,7 @@ &channel->process_packet_requirev_state); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } else if (rc || data_len < 1) { channel->process_state = libssh2_NB_state_end; return _libssh2_error(session, rc, "Failed waiting for channel success"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/src/comp.c new/libssh2-1.8.1/src/comp.c --- old/libssh2-1.8.0/src/comp.c 2014-12-22 15:54:17.000000000 +0100 +++ new/libssh2-1.8.1/src/comp.c 2019-03-18 22:30:01.000000000 +0100 @@ -224,7 +224,12 @@ /* A short-term alloc of a full data chunk is better than a series of reallocs */ char *out; - int out_maxlen = 4 * src_len; + size_t out_maxlen = src_len; + + if (src_len <= SIZE_MAX / 4) + out_maxlen = src_len * 4; + else + out_maxlen = payload_limit; /* If strm is null, then we have not yet been initialized. */ if (strm == NULL) @@ -271,7 +276,7 @@ "decompression failure"); } - if (out_maxlen >= (int) payload_limit) { + if (out_maxlen > (int) payload_limit || out_maxlen > SIZE_MAX / 2) { LIBSSH2_FREE(session, out); return _libssh2_error(session, LIBSSH2_ERROR_ZLIB, "Excessive growth in decompression phase"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/src/kex.c new/libssh2-1.8.1/src/kex.c --- old/libssh2-1.8.0/src/kex.c 2016-10-17 16:28:29.000000000 +0200 +++ new/libssh2-1.8.1/src/kex.c 2019-03-18 22:30:01.000000000 +0100 
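Review bot: The growth check in the second comp.c hunk compares a size_t against `(int) payload_limit`; the int is converted back to size_t for the comparison, so if payload_limit ever exceeds INT_MAX the cast yields a negative value that becomes a huge size_t and the `out_maxlen > (int) payload_limit` half of the guard can never fire. The cast made sense while out_maxlen was an int and is now pointing the wrong way — `if (out_maxlen > payload_limit || out_maxlen > SIZE_MAX / 2) {` keeps the comparison unsigned (adjust only if payload_limit is itself signed, which the hunk does not show). In the first comp.c hunk the initializer in `size_t out_maxlen = src_len;` is dead, since both arms of the following if/else assign it; `size_t out_maxlen;` followed by the branches reads as intended, and a short comment such as `/* cap at payload_limit when src_len * 4 would overflow */` would explain the else arm. comp_method_zlib_decomp starts and ends outside these hunks.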
@@ -228,11 +228,23 @@ } /* Parse KEXDH_REPLY */ + if(exchange_state->s_packet_len < 5) { + ret = _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet length"); + goto clean_exit; + } + exchange_state->s = exchange_state->s_packet + 1; session->server_hostkey_len = _libssh2_ntohu32(exchange_state->s); exchange_state->s += 4; + if(session->server_hostkey_len > exchange_state->s_packet_len - 5) { + ret = _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, + "Host key length out of bounds"); + goto clean_exit; + } + if (session->server_hostkey) LIBSSH2_FREE(session, session->server_hostkey); @@ -848,11 +860,23 @@ } /* Parse KEXDH_REPLY */ + if(exchange_state->s_packet_len < 5) { + ret = _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet length"); + goto clean_exit; + } + exchange_state->s = exchange_state->s_packet + 1; session->server_hostkey_len = _libssh2_ntohu32(exchange_state->s); exchange_state->s += 4; + if(session->server_hostkey_len > exchange_state->s_packet_len - 5) { + ret = _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, + "Host key length out of bounds"); + goto clean_exit; + } + if (session->server_hostkey) LIBSSH2_FREE(session, session->server_hostkey); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/src/packet.c new/libssh2-1.8.1/src/packet.c --- old/libssh2-1.8.0/src/packet.c 2015-01-14 08:34:41.000000000 +0100 +++ new/libssh2-1.8.1/src/packet.c 2019-03-18 22:30:01.000000000 +0100 @@ -775,8 +775,8 @@ uint32_t len = _libssh2_ntohu32(data + 5); unsigned char want_reply = 1; - if(len < (datalen - 10)) - want_reply = data[9 + len]; + if((len + 9) < datalen) + want_reply = data[len + 9]; _libssh2_debug(session, LIBSSH2_TRACE_CONN, 
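Review bot: The two kex.c hunks add the same twelve lines (the `s_packet_len < 5` guard and the `server_hostkey_len > s_packet_len - 5` guard) to two different exchange functions, so any future adjustment must be made twice; a small static helper taking the session and exchange state and returning the error code would let each site become one `if((ret = check_hostkey_len(session, exchange_state)) != 0) goto clean_exit;` (helper name constructed). The subtraction in the second guard is only safe because the first guard already ensured `s_packet_len >= 5`, and since the header parse sits between the two checks that dependency deserves a one-line comment at the second one, e.g. `/* s_packet_len >= 5 was checked above, so the subtraction cannot wrap */`. Both enclosing functions start and end outside the hunks.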
@@ -784,6 +784,7 @@ channel, len, data + 9, want_reply); if (len == sizeof("exit-status") - 1 + && (sizeof("exit-status") - 1 + 9) <= datalen && !memcmp("exit-status", data + 9, sizeof("exit-status") - 1)) { @@ -792,7 +793,7 @@ channelp = _libssh2_channel_locate(session, channel); - if (channelp) { + if (channelp && (sizeof("exit-status") + 13) <= datalen) { channelp->exit_status = _libssh2_ntohu32(data + 9 + sizeof("exit-status")); _libssh2_debug(session, LIBSSH2_TRACE_CONN, 
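Review bot: The bounds arithmetic in the exit-status hunks is correct but opaque: `sizeof("exit-status") - 1 + 9` is the string length plus the fixed 9-byte header, while `sizeof("exit-status") + 13` relies on the NUL counted by sizeof to stand in for the want_reply byte (9 + 12 + 4 = 25 bytes are needed before `_libssh2_ntohu32(data + 9 + sizeof("exit-status"))` can read). A comment at the second check, e.g. `/* 9 hdr + "exit-status" + want_reply + 4-byte status = 25 bytes */`, would stop the next reader from "fixing" what looks like an off-by-one constant. The exit-signal hunk on the next line uses the same convention and would benefit from the same comment. The enclosing function starts and ends outside these hunks.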
@@ -805,24 +806,32 @@ } else if (len == sizeof("exit-signal") - 1 + && (sizeof("exit-signal") - 1 + 9) <= datalen && !memcmp("exit-signal", data + 9, sizeof("exit-signal") - 1)) { /* command terminated due to signal */ if(datalen >= 20) channelp = _libssh2_channel_locate(session, channel); - if (channelp) { + if (channelp && (sizeof("exit-signal") + 13) <= datalen) { /* set signal name (without SIG prefix) */ uint32_t namelen = _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); - channelp->exit_signal = - LIBSSH2_ALLOC(session, namelen + 1); + + if(namelen <= UINT_MAX - 1) { + channelp->exit_signal = + LIBSSH2_ALLOC(session, namelen + 1); + } + else { + channelp->exit_signal = NULL; + } + if (!channelp->exit_signal) rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, "memory for signal name"); - else { + else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) { memcpy(channelp->exit_signal, - data + 13 + sizeof("exit_signal"), namelen); + data + 13 + sizeof("exit-signal"), namelen); channelp->exit_signal[namelen] = '\0'; /* TODO: save error message and language tag */ _libssh2_debug(session, LIBSSH2_TRACE_CONN, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/src/session.c new/libssh2-1.8.1/src/session.c --- old/libssh2-1.8.0/src/session.c 2016-10-19 09:49:52.000000000 +0200 +++ new/libssh2-1.8.1/src/session.c 2019-03-18 22:30:01.000000000 +0100 
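Review bot: When the new `else if ((sizeof("exit-signal") + 13 + namelen <= datalen))` check fails, `channelp->exit_signal` has already been allocated with namelen + 1 bytes and is left unterminated and uninitialized, and no error is recorded, so anything that later reads exit_signal as a string walks uninitialized heap. Either perform the bounds check before the allocation, or add an else arm that frees the buffer, sets `channelp->exit_signal = NULL` and records a LIBSSH2_ERROR_PROTO error (the hunk ends inside this block, so the arm would sit just past what is shown). The check is also written as an addition: where size_t is 32 bits the sum `25 + namelen` can wrap for a namelen close to the UINT_MAX - 1 that the allocation guard permits, which lets the comparison pass; writing it as a subtraction avoids that, `else if (namelen <= datalen - (sizeof("exit-signal") + 13)) {`, and is safe because the earlier `(sizeof("exit-signal") + 13) <= datalen` check already holds. The correction of the `sizeof("exit_signal")` typo in the memcpy offset is good.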
@@ -765,6 +765,11 @@ if (rc) return rc; + if(session->startup_data_len < 5) { + return _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet length"); + } + session->startup_service_length = _libssh2_ntohu32(session->startup_data + 1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/src/sftp.c new/libssh2-1.8.1/src/sftp.c --- old/libssh2-1.8.0/src/sftp.c 2016-02-24 23:44:12.000000000 +0100 +++ new/libssh2-1.8.1/src/sftp.c 2019-03-18 22:30:01.000000000 +0100 @@ -204,6 +204,10 @@ LIBSSH2_SFTP_PACKET *packet; uint32_t request_id; + if (data_len < 5) { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } + _libssh2_debug(session, LIBSSH2_TRACE_SFTP, "Received packet type %d (len %d)", (int) data[0], data_len); @@ -345,6 +349,10 @@ return _libssh2_error(session, LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED, "SFTP packet too large"); + if (sftp->partial_len == 0) + return _libssh2_error(session, + LIBSSH2_ERROR_ALLOC, + "Unable to allocate empty SFTP packet"); _libssh2_debug(session, LIBSSH2_TRACE_SFTP, "Data begin - Packet Length: %lu", @@ -504,11 +512,15 @@ static int sftp_packet_require(LIBSSH2_SFTP *sftp, unsigned char packet_type, uint32_t request_id, unsigned char **data, - size_t *data_len) + size_t *data_len, size_t required_size) { LIBSSH2_SESSION *session = sftp->channel->session; int rc; + if (data == NULL || data_len == NULL || required_size == 0) { + return LIBSSH2_ERROR_BAD_USE; + } + _libssh2_debug(session, LIBSSH2_TRACE_SFTP, "Requiring packet %d id %ld", (int) packet_type, request_id); 
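Review bot: In the sftp_packet_read hunk a packet whose length field is zero is reported as `LIBSSH2_ERROR_ALLOC` with the message "Unable to allocate empty SFTP packet", but nothing failed to allocate: the peer sent a malformed length, and the adjacent "SFTP packet too large" check classifies the symmetrical case as a protocol-level error. Reporting it as LIBSSH2_ERROR_SFTP_PROTOCOL (the code the sftp_init hunk later in this diff uses for a malformed response) gives callers an error class that matches the cause, e.g. `return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, "Empty SFTP packet");`. In the sftp_packet_add hunk the `data_len < 5` early return discards the packet without a debug trace or message, unlike every other exit in the function, and since the function returns before storing `data` the caller presumably still owns the buffer on that path, which is worth stating in a comment such as `/* caller still owns data on error */`. Both enclosing functions start and end outside these hunks.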
@@ -516,6 +528,11 @@ /* The right packet was available in the packet brigade */ _libssh2_debug(session, LIBSSH2_TRACE_SFTP, "Got %d", (int) packet_type); + + if (*data_len < required_size) { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } + return LIBSSH2_ERROR_NONE; } @@ -529,6 +546,11 @@ /* The right packet was available in the packet brigade */ _libssh2_debug(session, LIBSSH2_TRACE_SFTP, "Got %d", (int) packet_type); + + if (*data_len < required_size) { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } + return LIBSSH2_ERROR_NONE; } } @@ -544,11 +566,15 @@ sftp_packet_requirev(LIBSSH2_SFTP *sftp, int num_valid_responses, const unsigned char *valid_responses, uint32_t request_id, unsigned char **data, - size_t *data_len) + size_t *data_len, size_t required_size) { int i; int rc; + if (data == NULL || data_len == NULL || required_size == 0) { + return LIBSSH2_ERROR_BAD_USE; + } + /* If no timeout is active, start a new one */ if (sftp->requirev_start == 0) sftp->requirev_start = time(NULL); @@ -562,6 +588,11 @@ * the timeout is not active */ sftp->requirev_start = 0; + + if (*data_len < required_size) { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } + return LIBSSH2_ERROR_NONE; } } 
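Review bot: The new `*data_len < required_size` early returns in both sftp_packet_require branches and in sftp_packet_requirev hand back LIBSSH2_ERROR_OUT_OF_BOUNDARY while leaving `*data` pointing at the buffer the preceding call presumably just dequeued, so ownership passes to the caller on this error path; the sftp_init and open hunks later in the diff do free it, but nothing at the definitions says so. A header comment on both functions stating the contract would keep the next caller from leaking it, e.g. `/* On LIBSSH2_ERROR_OUT_OF_BOUNDARY *data has already been handed to the caller, who must LIBSSH2_FREE it. */`. The same comment should mention that `required_size == 0` is rejected as LIBSSH2_ERROR_BAD_USE in the hunk before this one, since a caller wanting "any size" now has to pass 1. The function bodies start outside these hunks.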
@@ -636,36 +667,65 @@ /* sftp_bin2attr */ static int -sftp_bin2attr(LIBSSH2_SFTP_ATTRIBUTES * attrs, const unsigned char *p) +sftp_bin2attr(LIBSSH2_SFTP_ATTRIBUTES * attrs, const unsigned char *p, size_t data_len) { const unsigned char *s = p; - memset(attrs, 0, sizeof(LIBSSH2_SFTP_ATTRIBUTES)); - attrs->flags = _libssh2_ntohu32(s); - s += 4; + if (data_len >= 4) { + memset(attrs, 0, sizeof(LIBSSH2_SFTP_ATTRIBUTES)); + attrs->flags = _libssh2_ntohu32(s); + s += 4; + data_len -= 4; + } + else { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } if (attrs->flags & LIBSSH2_SFTP_ATTR_SIZE) { - attrs->filesize = _libssh2_ntohu64(s); - s += 8; + if (data_len >= 8) { + attrs->filesize = _libssh2_ntohu64(s); + s += 8; + data_len -= 8; + } + else { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } } if (attrs->flags & LIBSSH2_SFTP_ATTR_UIDGID) { - attrs->uid = _libssh2_ntohu32(s); - s += 4; - attrs->gid = _libssh2_ntohu32(s); - s += 4; + if (data_len >= 8) { + attrs->uid = _libssh2_ntohu32(s); + s += 4; + attrs->gid = _libssh2_ntohu32(s); + s += 4; + data_len -= 8; + } + else { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } } if (attrs->flags & LIBSSH2_SFTP_ATTR_PERMISSIONS) { - attrs->permissions = _libssh2_ntohu32(s); - s += 4; + if (data_len >= 4) { + attrs->permissions = _libssh2_ntohu32(s); + s += 4; + data_len -= 4; + } + else { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } } if (attrs->flags & LIBSSH2_SFTP_ATTR_ACMODTIME) { - attrs->atime = _libssh2_ntohu32(s); - s += 4; - attrs->mtime = _libssh2_ntohu32(s); - s += 4; + if (data_len >= 8) { + attrs->atime = _libssh2_ntohu32(s); + s += 4; + attrs->mtime = _libssh2_ntohu32(s); + s += 4; + } + else { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } } return (s - p); 
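Review bot: `sftp_bin2attr` now has two return meanings — a byte count on success and a negative `LIBSSH2_ERROR_OUT_OF_BOUNDARY` on short input — but nothing documents this, and the readdir caller in the @@ -1698 hunk adds the result to a pointer unchecked. Add a header comment above the definition: `/* Parse SFTP attributes from p, of which data_len bytes are readable. Returns the number of bytes consumed, or a negative LIBSSH2_ERROR_* value if data_len is too short; attrs is only fully initialised on success. */`. Two points of style: the `ACMODTIME` branch is the only one that does not decrement `data_len`, which reads as an oversight even though nothing follows it, and the `memset` could be hoisted above the first bounds check so `attrs` is zeroed even on the error path.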
@@ -835,18 +895,23 @@ } rc = sftp_packet_require(sftp_handle, SSH_FXP_VERSION, - 0, &data, &data_len); - if (rc == LIBSSH2_ERROR_EAGAIN) + 0, &data, &data_len, 5); + if (rc == LIBSSH2_ERROR_EAGAIN) { + _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, + "Would block receiving SSH_FXP_VERSION"); return NULL; - else if (rc) { - _libssh2_error(session, rc, - "Timeout waiting for response from SFTP subsystem"); - goto sftp_init_error; } - if (data_len < 5) { + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, "Invalid SSH_FXP_VERSION response"); - LIBSSH2_FREE(session, data); + goto sftp_init_error; + } + else if (rc) { + _libssh2_error(session, rc, + "Timeout waiting for response from SFTP subsystem"); goto sftp_init_error; } @@ -1112,12 +1177,20 @@ { SSH_FXP_HANDLE, SSH_FXP_STATUS }; rc = sftp_packet_requirev(sftp, 2, fopen_responses, sftp->open_request_id, &data, - &data_len); + &data_len, 1); if (rc == LIBSSH2_ERROR_EAGAIN) { _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block waiting for status message"); return NULL; } + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "Response too small"); + return NULL; + } sftp->open_state = libssh2_NB_state_idle; if (rc) { _libssh2_error(session, rc, "Timeout waiting for status message"); 
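Review bot: The `sftp_packet_requirev` call in the @@ -1112 hunk asks for only 1 byte, which is enough for the `data[0]` type dispatch but not for the fields read afterwards: an `SSH_FXP_STATUS` reply needs 9 bytes for the status code at `data + 5`, and an `SSH_FXP_HANDLE` reply needs 10 for the handle length at `data + 5` plus the handle bytes copied from `data + 9`. Unless the code after the hunk re-checks `data_len` per packet type, a 1-byte reply from the server still reaches those reads; a single `required_size` cannot cover both response types, so a per-type `if (data_len < 9)` / `if (data_len < 10)` check right after the dispatch is the straightforward fix. The @@ -1148 hunk requires 10 for the handle case, but the handle copy there should also be capped by `data_len - 9` if it is not already. The enclosing function starts and ends outside the hunk.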
@@ -1148,12 +1221,20 @@ /* silly situation, but check for a HANDLE */ rc = sftp_packet_require(sftp, SSH_FXP_HANDLE, sftp->open_request_id, &data, - &data_len); + &data_len, 10); if(rc == LIBSSH2_ERROR_EAGAIN) { /* go back to sent state and wait for something else */ sftp->open_state = libssh2_NB_state_sent; return NULL; } + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "Too small FXP_HANDLE"); + return NULL; + } else if(!rc) /* we got the handle so this is not a bad situation */ badness = 0; @@ -1480,15 +1561,21 @@ } rc = sftp_packet_requirev(sftp, 2, read_responses, - chunk->request_id, &data, &data_len); - - if (rc==LIBSSH2_ERROR_EAGAIN && bytes_in_buffer != 0) { + chunk->request_id, &data, &data_len, 9); + if (rc == LIBSSH2_ERROR_EAGAIN && bytes_in_buffer != 0) { /* do not return EAGAIN if we have already * written data into the buffer */ return bytes_in_buffer; } - if (rc < 0) { + if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "Response too small"); + } + else if(rc < 0) { sftp->read_state = libssh2_NB_state_sent2; return rc; } @@ -1698,7 +1785,7 @@ if (attrs) memset(attrs, 0, sizeof(LIBSSH2_SFTP_ATTRIBUTES)); - s += sftp_bin2attr(attrs ? attrs : &attrs_dummy, s); + s += sftp_bin2attr(attrs ? attrs : &attrs_dummy, s, 32); handle->u.dir.next_name = (char *) s; end: 
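Review bot: The 9-byte minimum requested in the @@ -1480 hunk covers the type, request id and data-length fields of an `SSH_FXP_DATA` reply, but not the payload itself: the length decoded from `data + 5` is later used to copy from `data + 9`, and it must be bounded by `data_len - 9` as well as by the chunk size. If the copy after the hunk does not already do this, add `if (rc32 > data_len - 9) { LIBSSH2_FREE(session, data); return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, "Response too small"); }` next to the existing chunk-length check. The enclosing function starts and ends outside the hunk.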
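Review bot: In the @@ -1698 hunk `sftp_bin2attr` is called with a constant `32` as the available length instead of the bytes actually left in the readdir buffer, so the new bounds check is a no-op for this caller and a truncated name entry can still be parsed past the end of the packet. Its negative error return is also added straight into `s`, which would move the cursor backwards on a short input. Pass the real remainder and check the result: `attr_len = sftp_bin2attr(attrs ? attrs : &attrs_dummy, s, remaining); if (attr_len < 0) { /* take the function's error exit */ } s += attr_len;`, where `remaining` is a placeholder for the bytes between `s` and the end of the directory data the handle keeps. The enclosing function starts and ends outside the hunk.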
@@ -1753,9 +1840,16 @@ retcode = sftp_packet_requirev(sftp, 2, read_responses, sftp->readdir_request_id, &data, - &data_len); + &data_len, 9); if (retcode == LIBSSH2_ERROR_EAGAIN) return retcode; + else if (retcode == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "Status message too short"); + } else if (retcode) { sftp->readdir_state = libssh2_NB_state_idle; return _libssh2_error(session, retcode, @@ -1981,8 +2075,15 @@ /* we check the packets in order */ rc = sftp_packet_require(sftp, SSH_FXP_STATUS, - chunk->request_id, &data, &data_len); - if (rc < 0) { + chunk->request_id, &data, &data_len, 9); + if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "FXP write packet too short"); + } + else if (rc < 0) { if (rc == LIBSSH2_ERROR_EAGAIN) sftp->write_state = libssh2_NB_state_sent; return rc; @@ -2124,10 +2225,18 @@ } rc = sftp_packet_require(sftp, SSH_FXP_STATUS, - sftp->fsync_request_id, &data, &data_len); + sftp->fsync_request_id, &data, &data_len, 9); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP fsync packet too short"); + } + else if (rc) { sftp->fsync_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, "Error waiting for FXP EXTENDED REPLY"); 
@@ -2227,9 +2336,16 @@ rc = sftp_packet_requirev(sftp, 2, fstat_responses, sftp->fstat_request_id, &data, - &data_len); + &data_len, 9); if (rc == LIBSSH2_ERROR_EAGAIN) return rc; + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP fstat packet too short"); + } else if (rc) { sftp->fstat_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, @@ -2252,7 +2368,12 @@ } } - sftp_bin2attr(attrs, data + 5); + if (sftp_bin2attr(attrs, data + 5, data_len - 5) < 0) { + LIBSSH2_FREE(session, data); + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "Attributes too short in SFTP fstat"); + } + LIBSSH2_FREE(session, data); return 0; @@ -2429,11 +2550,19 @@ if (handle->close_state == libssh2_NB_state_sent) { rc = sftp_packet_require(sftp, SSH_FXP_STATUS, handle->close_request_id, &data, - &data_len); + &data_len, 9); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - - } else if (rc) { + } + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + data = NULL; + _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "Packet too short in FXP_CLOSE command"); + } + else if (rc) { _libssh2_error(session, rc, "Error waiting for status message"); } @@ -2547,10 +2676,17 @@ rc = sftp_packet_require(sftp, SSH_FXP_STATUS, sftp->unlink_request_id, &data, - &data_len); + &data_len, 9); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; } + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP unlink packet too short"); + } else if (rc) { sftp->unlink_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, 
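Review bot: In the @@ -2429 hunk the new `LIBSSH2_ERROR_OUT_OF_BOUNDARY` branch intentionally falls through so the handle is still torn down, but the result of `_libssh2_error` is discarded, so `rc` keeps `LIBSSH2_ERROR_OUT_OF_BOUNDARY` while the session's recorded error is `LIBSSH2_ERROR_SFTP_PROTOCOL`; if the function returns `rc` (its tail is outside the hunk) the caller sees a code that does not match what `libssh2_session_last_error` reports. Assign it, `rc = _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, "Packet too short in FXP_CLOSE command");`, so the two stay consistent. The `data = NULL;` line deserves a why-comment, e.g. `/* buffer released above; skip the status parse below but still drop the handle */`, since the reason for continuing past a protocol error is not obvious.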
@@ -2658,10 +2794,18 @@ rc = sftp_packet_require(sftp, SSH_FXP_STATUS, sftp->rename_request_id, &data, - &data_len); + &data_len, 9); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP rename packet too short"); + } + else if (rc) { sftp->rename_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, "Error waiting for FXP STATUS"); @@ -2783,11 +2927,19 @@ } rc = sftp_packet_requirev(sftp, 2, responses, sftp->fstatvfs_request_id, - &data, &data_len); + &data, &data_len, 9); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP rename packet too short"); + } + else if (rc) { sftp->fstatvfs_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, "Error waiting for FXP EXTENDED REPLY"); @@ -2910,10 +3062,18 @@ } rc = sftp_packet_requirev(sftp, 2, responses, sftp->statvfs_request_id, - &data, &data_len); + &data, &data_len, 9); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP fstat packet too short"); + } + else if (rc) { sftp->statvfs_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, "Error waiting for FXP EXTENDED REPLY"); 
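Review bot: The error strings in several of the new `LIBSSH2_ERROR_OUT_OF_BOUNDARY` branches were copied without being updated: the @@ -2783 hunk in the fstatvfs path says "SFTP rename packet too short", the @@ -2910 statvfs hunk says "SFTP fstat packet too short", the @@ -3273 hunk following the stat request handling says "Attributes too short in SFTP fstat", and the @@ -3410 symlink hunk says "SFTP stat packet too short". These strings are what `libssh2_session_last_error` returns and what ends up in client logs, so a wrong operation name sends an operator investigating the wrong call. Rename them to the operation they belong to: `"SFTP fstatvfs packet too short"`, `"SFTP statvfs packet too short"`, `"Attributes too short in SFTP stat"` and `"SFTP symlink packet too short"`.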
@@ -3040,10 +3200,18 @@ } rc = sftp_packet_require(sftp, SSH_FXP_STATUS, sftp->mkdir_request_id, - &data, &data_len); + &data, &data_len, 9); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP mkdir packet too short"); + } + else if (rc) { sftp->mkdir_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, "Error waiting for FXP STATUS"); @@ -3134,10 +3302,18 @@ } rc = sftp_packet_require(sftp, SSH_FXP_STATUS, - sftp->rmdir_request_id, &data, &data_len); + sftp->rmdir_request_id, &data, &data_len, 9); if (rc == LIBSSH2_ERROR_EAGAIN) { return rc; - } else if (rc) { + } + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP rmdir packet too short"); + } + else if (rc) { sftp->rmdir_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, "Error waiting for FXP STATUS"); @@ -3247,9 +3423,16 @@ } rc = sftp_packet_requirev(sftp, 2, stat_responses, - sftp->stat_request_id, &data, &data_len); + sftp->stat_request_id, &data, &data_len, 9); if (rc == LIBSSH2_ERROR_EAGAIN) return rc; + else if (rc == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP stat packet too short"); + } else if (rc) { sftp->stat_state = libssh2_NB_state_idle; return _libssh2_error(session, rc, @@ -3273,7 +3456,12 @@ } memset(attrs, 0, sizeof(LIBSSH2_SFTP_ATTRIBUTES)); - sftp_bin2attr(attrs, data + 5); + if (sftp_bin2attr(attrs, data + 5, data_len - 5) < 0) { + LIBSSH2_FREE(session, data); + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "Attributes too short in SFTP fstat"); + } + LIBSSH2_FREE(session, data); return 0; 
@@ -3378,9 +3566,16 @@ retcode = sftp_packet_requirev(sftp, 2, link_responses, sftp->symlink_request_id, &data, - &data_len); + &data_len, 9); if (retcode == LIBSSH2_ERROR_EAGAIN) return retcode; + else if (retcode == LIBSSH2_ERROR_OUT_OF_BOUNDARY) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP symlink packet too short"); + } else if (retcode) { sftp->symlink_state = libssh2_NB_state_idle; return _libssh2_error(session, retcode, @@ -3410,6 +3605,14 @@ "no name entries"); } + if (data_len < 13) { + if (data_len > 0) { + LIBSSH2_FREE(session, data); + } + return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, + "SFTP stat packet too short"); + } + /* this reads a u32 and stores it into a signed 32bit value */ link_len = _libssh2_ntohu32(data + 9); if (link_len < target_len) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/src/transport.c new/libssh2-1.8.1/src/transport.c --- old/libssh2-1.8.0/src/transport.c 2015-09-16 09:31:48.000000000 +0200 +++ new/libssh2-1.8.1/src/transport.c 2019-03-18 22:30:01.000000000 +0100 @@ -438,6 +438,16 @@ return LIBSSH2_ERROR_DECRYPT; p->padding_length = block[4]; + if(p->packet_length < 1) { + return LIBSSH2_ERROR_DECRYPT; + } + else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } + else if ( p->padding_length > p->packet_length - 1 ) { + return LIBSSH2_ERROR_DECRYPT; + } + /* total_num is the number of bytes following the initial (5 bytes) packet length and padding length fields */ 
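Review bot: The new `data_len < 13` check in the @@ -3410 hunk guarantees the 4-byte `link_len` field at `data + 9` can be read, but the link text starts at `data + 13` and `link_len` is peer-controlled; the `target_len` comparison that follows bounds the destination buffer, not the source packet. Unless the copy after the hunk already compares it with `data_len - 13`, add `if (link_len > data_len - 13) { LIBSSH2_FREE(session, data); return _libssh2_error(session, LIBSSH2_ERROR_SFTP_PROTOCOL, "SFTP symlink packet too short"); }` before the copy, and given the existing comment about storing a u32 in a signed value, do that comparison while the value is still unsigned. The enclosing function starts and ends outside the hunk.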
@@ -471,8 +481,12 @@ /* copy the data from index 5 to the end of the blocksize from the temporary buffer to the start of the decrypted buffer */ - memcpy(p->wptr, &block[5], blocksize - 5); - p->wptr += blocksize - 5; /* advance write pointer */ + if (blocksize - 5 <= total_num) { + memcpy(p->wptr, &block[5], blocksize - 5); + p->wptr += blocksize - 5; /* advance write pointer */ + } else { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } } /* init the data_num field to the number of bytes of @@ -546,7 +560,13 @@ /* if there are bytes to copy that aren't decrypted, simply copy them as-is to the target buffer */ if (numbytes > 0) { - memcpy(p->wptr, &p->buf[p->readidx], numbytes); + + if (numbytes <= total_num - (p->wptr - p->payload)) { + memcpy(p->wptr, &p->buf[p->readidx], numbytes); + } + else { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } /* advance the read pointer */ p->readidx += numbytes; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libssh2-1.8.0/src/userauth.c new/libssh2-1.8.1/src/userauth.c --- old/libssh2-1.8.0/src/userauth.c 2016-10-17 16:28:29.000000000 +0200 +++ new/libssh2-1.8.1/src/userauth.c 2019-03-18 22:30:01.000000000 +0100 @@ -107,7 +107,7 @@ LIBSSH2_FREE(session, session->userauth_list_data); session->userauth_list_data = NULL; - if (rc) { + if (rc || (session->userauth_list_data_len < 1)) { _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND, "Unable to send userauth-none request"); session->userauth_list_state = libssh2_NB_state_idle; 
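Review bot: The bound added in the @@ -546 hunk compares against the local `total_num`, yet this copy-as-is path is also reached on a later call when a packet is continued from a previous read, and the only assignment to `total_num` this diff shows is on the first-block path near the @@ -438 hunk. If the local is not assigned on the continuation path, the new check reads an uninitialised variable and will either reject valid packets or pass bad ones; the value that is valid on both paths is the persisted one in the transport packet state (`p->total_num`, if that is the field name), e.g. `if (numbytes <= p->total_num - (size_t)(p->wptr - p->payload)) {`. The subtraction should also be guarded against `wptr` having advanced past the total, since `size_t` arithmetic wraps silently. The enclosing function starts and ends outside the hunk.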
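Review bot: The `session->userauth_list_data_len < 1` test added in the @@ -107 hunk sits directly after the request buffer is sent and freed and is paired with the "Unable to send userauth-none request" message, so it is testing the length of the request this side just built, not of any server reply, and will never be true here. The reply-length guard that matters is the `< 5` check in the @@ -143 hunk, so this one can be dropped, or, if the field is reused for the received length, moved after the receive. The enclosing function starts and ends outside the hunk.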
@@ -143,8 +143,20 @@ return NULL; } - methods_len = _libssh2_ntohu32(session->userauth_list_data + 1); + if(session->userauth_list_data_len < 5) { + LIBSSH2_FREE(session, session->userauth_list_data); + session->userauth_list_data = NULL; + _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + return NULL; + } + methods_len = _libssh2_ntohu32(session->userauth_list_data + 1); + if(methods_len >= session->userauth_list_data_len - 5) { + _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, + "Unexpected userauth list size"); + return NULL; + } /* Do note that the memory areas overlap! */ memmove(session->userauth_list_data, session->userauth_list_data + 5, methods_len); @@ -285,6 +297,11 @@ return _libssh2_error(session, rc, "Waiting for password response"); } + else if(session->userauth_pswd_data_len < 1) { + session->userauth_pswd_state = libssh2_NB_state_idle; + return _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + } if (session->userauth_pswd_data[0] == SSH_MSG_USERAUTH_SUCCESS) { _libssh2_debug(session, LIBSSH2_TRACE_AUTH, @@ -312,6 +329,12 @@ session->userauth_pswd_state = libssh2_NB_state_sent1; } + if(session->userauth_pswd_data_len < 1) { + session->userauth_pswd_state = libssh2_NB_state_idle; + return _libssh2_error(session, LIBSSH2_ERROR_PROTO, + "Unexpected packet size"); + } + if ((session->userauth_pswd_data[0] == SSH_MSG_USERAUTH_PASSWD_CHANGEREQ) || (session->userauth_pswd_data0 == @@ -976,7 +999,7 @@ } session->userauth_host_state = libssh2_NB_state_idle; - if (rc) { + if (rc || data_len < 1) { return _libssh2_error(session, LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED, "Auth failed"); } 
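Review bot: The two new error exits in the @@ -143 hunk clean up differently: the `userauth_list_data_len < 5` branch frees `session->userauth_list_data` and clears it, but the `methods_len` branch below it returns with the reply buffer still allocated and the pointer still set, and neither resets `session->userauth_list_state` to `libssh2_NB_state_idle` the way the @@ -107 hunk's error path does. A retry after the second error therefore leaks the reply and may re-enter the state machine part-way through. Use the same cleanup in both branches, `LIBSSH2_FREE(session, session->userauth_list_data); session->userauth_list_data = NULL; session->userauth_list_state = libssh2_NB_state_idle;`, before each `return NULL`. The enclosing function starts and ends outside the hunk.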
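Review bot: The `userauth_pswd_data_len < 1` exits in the @@ -285 and @@ -312 hunks reset the state to idle but do not release `session->userauth_pswd_data`, the reply buffer whose first byte is inspected on the very next line, so an empty reply from the server leaks it — assuming, as the SUCCESS/FAILURE paths outside the hunks presumably do, that the buffer is heap-allocated by the receive. Add `LIBSSH2_FREE(session, session->userauth_pswd_data); session->userauth_pswd_data = NULL;` before each of the two `return _libssh2_error(...)` statements. The enclosing function starts and ends outside both hunks.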
@@ -1149,7 +1172,7 @@ NULL, 0); if (rc == LIBSSH2_ERROR_EAGAIN) return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); - else if (rc) { + else if (rc || (session->userauth_pblc_data_len < 1)) { LIBSSH2_FREE(session, session->userauth_pblc_packet); session->userauth_pblc_packet = NULL; LIBSSH2_FREE(session, session->userauth_pblc_method); @@ -1332,7 +1355,7 @@ if (rc == LIBSSH2_ERROR_EAGAIN) { return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block requesting userauth list"); - } else if (rc) { + } else if (rc || session->userauth_pblc_data_len < 1) { session->userauth_pblc_state = libssh2_NB_state_idle; return _libssh2_error(session, LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED, "Waiting for publickey USERAUTH response"); @@ -1654,7 +1677,7 @@ if (rc == LIBSSH2_ERROR_EAGAIN) { return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block"); - } else if (rc) { + } else if (rc || session->userauth_kybd_data_len < 1) { session->userauth_kybd_state = libssh2_NB_state_idle; return _libssh2_error(session, LIBSSH2_ERROR_AUTHENTICATION_FAILED, @@ -1734,6 +1757,13 @@ /* int num-prompts */ session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); s += 4; + if(session->userauth_kybd_num_prompts && + session->userauth_kybd_num_prompts > 100) { + _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, + "Too many replies for " + "keyboard-interactive prompts"); + goto cleanup; + } if(session->userauth_kybd_num_prompts) { session->userauth_kybd_prompts = 
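Review bot: In the @@ -1734 hunk the condition `session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100` is redundant — `> 100` already implies non-zero — and `100` is a magic number that a future maintainer will not recognise as the keyboard-interactive prompt cap. Write it as `if(session->userauth_kybd_num_prompts > MAX_KYBD_PROMPTS) {` with `#define MAX_KYBD_PROMPTS 100 /* upper bound on prompts accepted from a server */` near the top of the file (the name is a suggestion, not an existing libssh2 identifier). The enclosing function starts and ends outside the hunk.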
@@ -1801,8 +1831,17 @@ for(i = 0; i < session->userauth_kybd_num_prompts; i++) { /* string response[1] (ISO-10646 UTF-8) */ - session->userauth_kybd_packet_len += - 4 + session->userauth_kybd_responses[i].length; + if(session->userauth_kybd_responses[i].length <= + (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) { + session->userauth_kybd_packet_len += + 4 + session->userauth_kybd_responses[i].length; + } + else { + _libssh2_error(session, LIBSSH2_ERROR_ALLOC, + "Unable to allocate memory for keyboard-" + "interactive response packet"); + goto cleanup; + } } /* A new userauth_kybd_data area is to be allocated, free the
