Hello community, here is the log from the commit of package libssh2_org for openSUSE:Factory checked in at 2019-10-25 18:41:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libssh2_org (Old) and /work/SRC/openSUSE:Factory/.libssh2_org.new.2990 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libssh2_org" Fri Oct 25 18:41:08 2019 rev:40 rq:742246 version:1.9.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libssh2_org/libssh2_org.changes 2019-06-25 22:17:27.292720639 +0200 +++ /work/SRC/openSUSE:Factory/.libssh2_org.new.2990/libssh2_org.changes 2019-10-25 18:41:09.967842437 +0200 @@ -1,0 +2,9 @@ +Wed Oct 23 13:53:38 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix: [bsc#1154862, CVE-2019-17498] + * The SSH_MSG_DISCONNECT:packet.c logic has an integer overflow in + a bounds check that might lead to disclose sensitive information + or cause a denial of service + * Add patch libssh2_org-CVE-2019-17498.patch + +------------------------------------------------------------------- New: ---- libssh2_org-CVE-2019-17498.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libssh2_org.spec ++++++ --- /var/tmp/diff_new_pack.XXV0x0/_old 2019-10-25 18:41:10.779843209 +0200 +++ /var/tmp/diff_new_pack.XXV0x0/_new 2019-10-25 18:41:10.783843213 +0200 @@ -29,6 +29,8 @@ Source2: baselibs.conf Source3: libssh2_org.keyring Patch0: libssh2-ocloexec.patch +# PATCH-FIX-UPSTREAM bsc#1154862 CVE-2019-17498 +Patch1: libssh2_org-CVE-2019-17498.patch BuildRequires: groff BuildRequires: libtool BuildRequires: man @@ -69,6 +71,7 @@ %prep %setup -q -n %{pkg_name}-%{version} %patch0 -p1 +%patch1 -p1 %build sed -i -e 's@AM_CONFIG_HEADER@AC_CONFIG_HEADERS@g' configure.ac ++++++ libssh2_org-CVE-2019-17498.patch ++++++ >From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001 From: Will Cosgrove <[email protected]> Date: Fri, 30 Aug 2019 09:57:38 -0700 Subject: [PATCH] packet.c: improve message parsing (#402) * packet.c: improve parsing of packets file: packet.c notes: Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST. --- src/packet.c | 68 ++++++++++++++++++++++------------------------------ 1 file changed, 29 insertions(+), 39 deletions(-) diff --git a/src/packet.c b/src/packet.c index 38ab6294..2e01bfc5 100644 --- a/src/packet.c +++ b/src/packet.c @@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, size_t datalen, int macstate) { int rc = 0; - char *message = NULL; - char *language = NULL; + unsigned char *message = NULL; + unsigned char *language = NULL; size_t message_len = 0; size_t language_len = 0; LIBSSH2_CHANNEL *channelp = NULL; @@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, case SSH_MSG_DISCONNECT: if(datalen >= 5) { - size_t reason = _libssh2_ntohu32(data + 1); + uint32_t reason = 0; + struct string_buf buf; + buf.data = (unsigned char *)data; + buf.dataptr = buf.data; + buf.len = datalen; + buf.dataptr++; /* advance past type */ - if(datalen >= 9) { - message_len = _libssh2_ntohu32(data + 5); + _libssh2_get_u32(&buf, &reason); + _libssh2_get_string(&buf, &message, &message_len); + _libssh2_get_string(&buf, &language, &language_len); - if(message_len < datalen-13) { - /* 9 = packet_type(1) + reason(4) + message_len(4) */ - message = (char *) data + 9; - - language_len = - _libssh2_ntohu32(data + 9 + message_len); - language = (char *) data + 9 + message_len + 4; - - if(language_len > (datalen-13-message_len)) { - /* bad input, clear info */ - language = message = NULL; - language_len = message_len = 0; - } - } - else - /* bad size, clear it */ - message_len = 0; - } if(session->ssh_msg_disconnect) { - LIBSSH2_DISCONNECT(session, reason, message, - message_len, language, language_len); + LIBSSH2_DISCONNECT(session, reason, (const char *)message, + message_len, (const char *)language, + language_len); } + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, "Disconnect(%d): %s(%s)", reason, message, language); @@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, int always_display = data[1]; if(datalen >= 6) { - message_len = _libssh2_ntohu32(data + 2); - - if(message_len <= (datalen - 10)) { - /* 6 = packet_type(1) + display(1) + message_len(4) */ - message = (char *) data + 6; - language_len = _libssh2_ntohu32(data + 6 + - message_len); - - if(language_len <= (datalen - 10 - message_len)) - language = (char *) data + 10 + message_len; - } + struct string_buf buf; + buf.data = (unsigned char *)data; + buf.dataptr = buf.data; + buf.len = datalen; + buf.dataptr += 2; /* advance past type & always display */ + + _libssh2_get_string(&buf, &message, &message_len); + _libssh2_get_string(&buf, &language, &language_len); } if(session->ssh_msg_debug) { - LIBSSH2_DEBUG(session, always_display, message, - message_len, language, language_len); + LIBSSH2_DEBUG(session, always_display, + (const char *)message, + message_len, (const char *)language, + language_len); } } + /* * _libssh2_debug will actually truncate this for us so * that it's not an inordinate about of data @@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, uint32_t len = 0; unsigned char want_reply = 0; len = _libssh2_ntohu32(data + 1); - if(datalen >= (6 + len)) { + if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { want_reply = data[5 + len]; _libssh2_debug(session, LIBSSH2_TRACE_CONN,
