Hello community, here is the log from the commit of package libssh.1119 for openSUSE:12.2:Update checked in at 2012-12-07 10:49:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/libssh.1119 (Old) and /work/SRC/openSUSE:12.2:Update/.libssh.1119.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libssh.1119", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2012-11-30 12:21:47.308011256 +0100 +++ /work/SRC/openSUSE:12.2:Update/.libssh.1119.new/libssh.changes 2012-12-07 10:49:38.000000000 +0100 
@@ -0,0 +1,354 @@ +------------------------------------------------------------------- +Tue Nov 20 15:36:29 UTC 2012 - jmcdono...@suse.com + +- Fix multiple vulernabilities (bnc#789827): + * CVE-2012-4559 – Fix multiple double free() flaws + 0007-CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch + 0008-CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch + 0009-CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch + * CVE-2012-4560 – Fix multiple buffer overflow flaws + 0005-CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch + 0006-CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch + * CVE-2012-4561 – Fix multiple invalid free() flaws + 0010-CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch + 0011-CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch + * CVE-2012-4562 – Fix multiple improper overflow checks + 0001-CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch + 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch + 0003-CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch + 0004-CVE-2012-4562-Fix-possible-string-related-integer-ov.patch + +------------------------------------------------------------------- +Tue Feb 7 13:34:00 UTC 2012 - jeng...@medozas.de + +- Ensure pkgconfig symbols are provided + +------------------------------------------------------------------- +Tue Jan 31 10:36:26 UTC 2012 - jeng...@medozas.de + +- Remove redundant tags/sections per specfile guideline suggestions +- Parallel building using %_smp_mflags +- Make pkgconfig provides available +- Add patch to work around compilation problems on SLES11SP1 + +------------------------------------------------------------------- +Sat Sep 17 07:00:53 UTC 2011 - a...@cryptomilk.org + +- Update to version 0.5.2 + * Increased window size x10. + * Fixed SSHv1. + * Fixed bugged lists. + * Fixed use-after-free + inconsistent callbacks call in poll. + * Fixed scp documentation. + * Fixed possible infinite loop in channel_read(). 
+ * Fixed handling of short reads of sftp_async_read(). + * Fixed handling request service timeout in blocking mode. + * Fixed ssh_auth_list() documentation. + * Fixed incorrect return values in ssh_channel_write(). + * Fixed an infinite loop in the termination callback. + * Fixed handling of SSH_AGAIN in channel_open(). + * Fixed "status -5 inflating zlib packet" + +------------------------------------------------------------------- +Tue Sep 6 03:36:48 UTC 2011 - crrodrig...@opensuse.org + +- Build with OPENSSL_LOAD_CONF so we respect user's choice + of which "openssl engine" to use for crypto (aes-ni,intel-accel) + +------------------------------------------------------------------- +Tue Aug 9 15:12:39 UTC 2011 - a...@cryptomilk.org + +- Update to version 0.5.1 + * Added checks for NULL pointers in string.c. + * Set the channel max packet size to 32768. + * Don't (de)compress empty buffers. + * Fixed ssh_scp_write so it works when doing recursive copy. + * Fixed another source of endless wait. + * Fixed an endless loop in case of a channel_open error. + * Fixed session timeout handling. + * Fixed ssh_channel_from_local() loop. + * Fixed permissions of scp example when we copy a file. + * Workaround ssh_get_user_home_dir on LDAP users. + * Added pkg-config support for libssh_threads. + * Fixed compilation without server and sftp modes. + * Fix static .lib overwriting on Windows. + +------------------------------------------------------------------- +Tue May 31 14:32:09 UTC 2011 - a...@cryptomilk.org + +- Update to version 0.5.0 + * Added ssh_ prefix to all functions. + * Added complete Windows support. + * Added improved server support. + * Added unit tests for a lot of functions. + * Added asynchronous service request. + * Added a multiplatform ssh_getpass() function. + * Added a tutorial. + * Added a lot of documentation. + * Fixed a lot of bugs. + * Fixed several memory leaks. 
+ +------------------------------------------------------------------- +Sat Jan 15 08:58:45 UTC 2011 - a...@cryptomilk.org + +- Update to version 0.4.8 + * Fixed memory leaks in session signing. + * Fixed memory leak in ssh_print_hexa. + * Fixed problem with ssh_connect w/ timeout and fd > 1024. + * Fixed some warnings on OS/2. + * Fixed installation path for OS/2. + +------------------------------------------------------------------- +Mon Dec 27 20:12:23 CET 2010 - a...@cynapses.org + +- Update to version 0.4.7 + * Fixed a possible memory leak in ssh_get_user_home(). + * Fixed a memory leak in sftp_xstat. + * Fixed uninitialized fd->revents member. + * Fixed timout value in ssh_channel_accept(). + * Fixed length checks in ssh_analyze_banner(). + * Fixed a possible data overread and crash bug. + * Fixed setting max_fd which breaks ssh_select(). + * Fixed some pedantic build warnings. + * Fixed a memory leak with session->bindaddr. + +------------------------------------------------------------------- +Sun Sep 5 19:30:28 CEST 2010 - a...@cynapses.org + +- Update to version 0.4.6 + * Added a cleanup function to free the ws2_32 library. + * Fixed build with gcc 3.4. + * Fixed the Windows build on Vista and newer. + * Fixed the usage of WSAPoll() on Windows. + * Fixed "@deprecated" in doxygen + * Fixed some mingw warnings. + * Fixed handling of opened channels. + * Fixed keepalive problem on older openssh servers. + * Fixed testing for big endian on Windows. + * Fixed the Windows preprocessor macros and defines. + +------------------------------------------------------------------- +Tue Jul 13 10:27:13 CEST 2010 - anschnei...@exsuse.de + +- Update to version 0.4.5 + * Added option to bind a client to an ip address. + * Fixed the ssh socket polling function. + * Fixed Windows related bugs in bsd_poll(). + * Fixed serveral build warnings. 
+ +------------------------------------------------------------------- +Mon May 31 14:13:55 CEST 2010 - anschnei...@exsuse.de + +- Update to version 0.4.4 + * Fixed some bugs ein path expand functions. + +------------------------------------------------------------------- +Mon May 17 23:50:11 CEST 2010 - anschnei...@exsuse.de + +- Update to version 0.4.3 + * Added global/keepalive responses. + * Added runtime detection of WSAPoll(). + * Added a select(2) based poll-emulation if poll(2) is not available. + * Added a function to expand an escaped string. + * Added a function to expand the tilde from a path. + * Added a proxycommand support. + * Added ssh_privatekey_type public function + * Added the possibility to define _OPENSSL_DIR and _ZLIB_DIR. + * Fixed sftp_chown. + * Fixed sftp_rename on protocol version 3. + * Fixed a blocking bug in channel_poll. + * Fixed config parsing wich has overwritten user specified values. + * Fixed hashed [host]:port format in knownhosts + * Fixed Windows build. + * Fixed doublefree happening after a negociation error. + * Fixed aes*-ctr with <= OpenSSL 0.9.7b. + * Fixed some documentation. + * Fixed exec example which has broken read usage. + * Fixed broken algorithm choice for server. + * Fixed a typo that we don't export all symbols. + * Removed the unneeded dependency to doxygen. + * Build examples only on the Linux plattform. + +------------------------------------------------------------------- +Mon Mar 15 19:40:44 CET 2010 - anschnei...@exsuse.de + +- Update to version 0.4.2 + * Added owner and group information in sftp attributes. + * Added missing SSH_OPTIONS_FD option. + * Added printout of owner and group in the sftp example. + * Added a prepend function for ssh_list. + * Added send back replies to openssh's keepalives. + * Fixed documentation in scp code + * Fixed longname parsing, this only workings with readdir. + * Fixed and added support for several identity files. + * Fixed sftp_parse_longname() on Windows. 
+ * Fixed a race condition bug in ssh_scp_close() + * Remove config support for SSHv1 Cipher variable. + * Rename ssh_list_add to ssh_list_append. + * Rename ssh_list_get_head to ssh_list_pop_head + +------------------------------------------------------------------- +Mon Feb 15 12:41:47 CET 2010 - anschnei...@exsuse.de + +- Fixed Requires. + +------------------------------------------------------------------- +Sat Feb 13 15:29:14 CET 2010 - anschnei...@exsuse.de + ++++ 157 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.libssh.1119.new/libssh.changes New: ---- 0001-CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch 0003-CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch 0004-CVE-2012-4562-Fix-possible-string-related-integer-ov.patch 0005-CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch 0006-CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch 0007-CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch 0008-CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch 0009-CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch 0010-CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch 0011-CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch libssh-0.5.2.tar.bz2 libssh.changes libssh.spec remove-pedantic-errors.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libssh.spec ++++++ # # spec file for package libssh # # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
# The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Url:            http://www.libssh.org
Name:           libssh
BuildRequires:  cmake
BuildRequires:  doxygen
BuildRequires:  gcc-c++
BuildRequires:  openssl-devel
BuildRequires:  pkgconfig
Version:        0.5.2
Release:        0
Summary:        SSH library
License:        LGPL-2.1+
Group:          System/Libraries
Source0:        %{name}-%{version}.tar.bz2
Patch1:         remove-pedantic-errors.diff
Patch2:         0001-CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch
Patch3:         0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch
Patch4:         0003-CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch
Patch5:         0004-CVE-2012-4562-Fix-possible-string-related-integer-ov.patch
Patch6:         0005-CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch
Patch7:         0006-CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch
Patch8:         0007-CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch
Patch9:         0008-CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch
Patch10:        0009-CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch
Patch11:        0010-CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
Patch12:        0011-CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
The ssh library was designed to be used by programmers needing a working SSH
implementation by means of a library. The complete control of the client is
made by the programmer. With libssh, you can remotely execute programs,
transfer files, use a secure and transparent tunnel for your remote programs.
With its Secure FTP implementation, you can play with remote files easily,
without third-party programs other than libcrypto (from openssl).

This package provides libssh from http://www.libssh.org that should not be
confused with libssh2 available from http://www.libssh2.org (libssh2 package)

%package -n libssh4
Summary:        SSH library
Group:          System/Libraries

%description -n libssh4
The ssh library was designed to be used by programmers needing a working SSH
implementation by means of a library. The complete control of the client is
made by the programmer. With libssh, you can remotely execute programs,
transfer files, use a secure and transparent tunnel for your remote programs.
With its Secure FTP implementation, you can play with remote files easily,
without third-party programs other than libcrypto (from openssl).

This package provides libssh from http://www.libssh.org that should not be
confused with libssh2 available from http://www.libssh2.org (libssh2 package)

%package devel
Summary:        SSH library development headers
Group:          Development/Libraries/C and C++
Requires:       libssh4 = %{version}

%description devel
Development headers for the SSH library.

%package devel-doc
Summary:        SSH library API documentation
Group:          Development/Languages/C and C++

%description devel-doc
Documentation for libssh development.

%prep
%setup -q
%if "%{?sles_version}" == "11"
%patch -P 1 -p1
%endif
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1

%build
if test ! -e "build"; then
    mkdir build
fi
pushd build
cmake \
    -DCMAKE_C_FLAGS:STRING="%{optflags} -DOPENSSL_LOAD_CONF" \
    -DCMAKE_BUILD_TYPE=RelWithDebInfo \
    -DCMAKE_SKIP_RPATH=ON \
    -DCMAKE_INSTALL_PREFIX=%{_prefix} \
%if %{_lib} == lib64
    -DLIB_SUFFIX=64 \
%endif
    %{_builddir}/%{name}-%{version}
make %{?_smp_mflags} VERBOSE=1
%__make doc
popd build

%install
pushd build
%if 0%{?suse_version}
%makeinstall
%else
%__make DESTDIR=%{buildroot} install
%endif
popd build

%post -n libssh4 -p /sbin/ldconfig

%postun -n libssh4 -p /sbin/ldconfig

%files -n libssh4
%defattr(-,root,root)
%doc AUTHORS README ChangeLog
%{_libdir}/libssh.so.*
%{_libdir}/libssh_threads.so.*

%files devel
%defattr(-,root,root)
%{_includedir}/libssh
%{_libdir}/libssh.so
%{_libdir}/libssh_threads.so
%{_libdir}/pkgconfig/libssh.pc
%{_libdir}/pkgconfig/libssh_threads.pc

%files devel-doc
%defattr(-,root,root)
%doc build/doc/html

%changelog

++++++ 0001-CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch ++++++
>From 8489521c0d7a9d1336b23a4a64e5df2d0f3ba57a Mon Sep 17 00:00:00 2001 From: Xi Wang <xi.w...@gmail.com> Date: Fri, 25 Nov 2011 23:02:06 -0500 Subject: [PATCH 01/13] CVE-2012-4562: Fix possible integer overflow in ssh_get_hexa(). No exploit known, but it is better to check the string length. Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/dh.c | 4 ++++ 1 file changed, 4 insertions(+) Index: libssh-0.5.2/src/dh.c =================================================================== --- libssh-0.5.2.orig/src/dh.c +++ libssh-0.5.2/src/dh.c @@ -44,6 +44,7 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <limits.h> #ifndef _WIN32 #include <arpa/inet.h> @@ -193,6 +194,9 @@ char *ssh_get_hexa(const unsigned char * char *hexa = NULL; size_t i; + if (len > (UINT_MAX - 1) / 3) + return NULL; + hexa = malloc(len * 3 + 1); if (hexa == NULL) { return NULL;
++++++ 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch ++++++
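Review bot: on 0001 (ssh_get_hexa), the new guard `if (len > (UINT_MAX - 1) / 3)` bounds a `size_t` parameter with `UINT_MAX` rather than `SIZE_MAX`, so on LP64 it rejects lengths far below the point where `malloc(len * 3 + 1)` could actually wrap; that is conservative, not wrong, but the limit and the arithmetic should agree on a type, and a one-line comment saying the cap is deliberate would help the next reader. Note also that the early `return NULL` is indistinguishable from an allocation failure for callers.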
>From db81310d719878cc04b23e4033fbe19fa0b1f8a3 Mon Sep 17 00:00:00 2001 From: Xi Wang <xi.w...@gmail.com> Date: Mon, 28 Nov 2011 04:42:54 -0500 Subject: [PATCH 02/13] CVE-2012-4562: Fix multiple integer overflows in buffer-related functions. Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/buffer.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) Index: libssh-0.5.2/src/buffer.c =================================================================== --- libssh-0.5.2.orig/src/buffer.c +++ libssh-0.5.2/src/buffer.c @@ -21,6 +21,7 @@ * MA 02111-1307, USA. */ +#include <limits.h> #include <stdlib.h> #include <string.h> @@ -180,6 +181,10 @@ int buffer_reinit(struct ssh_buffer_stru */ int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) { buffer_verify(buffer); + + if (buffer->used + len < len) + return -1; + if (buffer->allocated < (buffer->used + len)) { if(buffer->pos > 0) buffer_shift(buffer); @@ -318,6 +323,8 @@ int buffer_prepend_data(struct ssh_buffe return 0; } /* pos isn't high enough */ + if (buffer->used - buffer->pos + len < len) + return -1; if (buffer->allocated < (buffer->used - buffer->pos + len)) { if (realloc_buffer(buffer, buffer->used - buffer->pos + len) < 0) { return -1; @@ -429,7 +436,7 @@ uint32_t buffer_get_rest_len(struct ssh_ */ uint32_t buffer_pass_bytes(struct ssh_buffer_struct *buffer, uint32_t len){ buffer_verify(buffer); - if(buffer->used < buffer->pos+len) + if (buffer->pos + len < len || buffer->used < buffer->pos + len) return 0; buffer->pos+=len; /* if the buffer is empty after having passed the whole bytes into it, we can clean it */ @@ -454,8 +461,11 @@ uint32_t buffer_pass_bytes(struct ssh_bu */ uint32_t buffer_pass_bytes_end(struct ssh_buffer_struct *buffer, uint32_t len){ buffer_verify(buffer); - if(buffer->used < buffer->pos + len) - return 0; + + if (buffer->used < len) { + return 0; + } + buffer->used-=len; buffer_verify(buffer); return len; 
@@ -548,7 +558,7 @@ struct ssh_string_struct *buffer_get_ssh } hostlen = ntohl(stringlen); /* verify if there is enough space in buffer to get it */ - if ((buffer->pos + hostlen) > buffer->used) { + if (buffer->pos + hostlen < hostlen || buffer->pos + hostlen > buffer->used) { return NULL; /* it is indeed */ } str = ssh_string_new(hostlen); @@ -585,7 +595,7 @@ struct ssh_string_struct *buffer_get_mpi } bits = ntohs(bits); len = (bits + 7) / 8; - if ((buffer->pos + len) > buffer->used) { + if (buffer->pos + len < len || buffer->pos + len > buffer->used) { return NULL; } str = ssh_string_new(len); ++++++ 0003-CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch ++++++ >From 1699adfa036ffc66c62fdbb784610445cbebfc6e Mon Sep 17 00:00:00 2001 From: Andreas Schneider <a...@cryptomilk.org> Date: Fri, 12 Oct 2012 11:35:20 +0200 Subject: [PATCH 03/13] CVE-2012-4562: Fix a possible infinite loop in buffer_reinit(). If needed is bigger than the highest power of two or a which fits in an integer we will loop forever. Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/buffer.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) Index: libssh-0.5.2/src/buffer.c =================================================================== --- libssh-0.5.2.orig/src/buffer.c +++ libssh-0.5.2/src/buffer.c @@ -110,13 +110,18 @@ void ssh_buffer_free(struct ssh_buffer_s SAFE_FREE(buffer); } -static int realloc_buffer(struct ssh_buffer_struct *buffer, int needed) { - int smallest = 1; - char *new = NULL; +static int realloc_buffer(struct ssh_buffer_struct *buffer, size_t needed) { + size_t smallest = 1; + char *new; + buffer_verify(buffer); + /* Find the smallest power of two which is greater or equal to needed */ while(smallest <= needed) { - smallest <<= 1; + if (smallest == 0) { + return -1; + } + smallest <<= 1; } needed = smallest; new = realloc(buffer->data, needed); ++++++ 0004-CVE-2012-4562-Fix-possible-string-related-integer-ov.patch ++++++ 
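Review bot: on 0002, the `buffer_pass_bytes_end()` hunk replaces `buffer->used < buffer->pos + len` with `buffer->used < len`, which no longer relates `len` to `pos`: after `buffer->used -= len` the buffer can be left with `pos > used`. If that state is meant to be impossible, the check should be `len > buffer->used - buffer->pos`; if `buffer_verify()` is what catches it, say so in a comment. The other hunks (`buffer_add_data`, `buffer_prepend_data`, `buffer_pass_bytes`, `buffer_get_ssh_string`, `buffer_get_mpint`) apply the `a + b < b` wraparound idiom consistently, which is correct for the `uint32_t` operands involved.

Review bot: on 0003, the comment added above the loop says "smallest power of two which is greater or equal to needed", but `while (smallest <= needed)` keeps doubling when `smallest == needed`, so the result is strictly greater (a 4096-byte request allocates 8192). Either fix the comment or use `<`. The `smallest == 0` test after the shift wraps to zero does stop the infinite loop the subject describes, and widening `needed` to `size_t` removes the signed left shift that previously made the wrap undefined.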
>From e3d9501b31a11b427afe1cc1cba5208adc2c3c39 Mon Sep 17 00:00:00 2001 From: Xi Wang <xi.w...@gmail.com> Date: Fri, 25 Nov 2011 23:02:57 -0500 Subject: [PATCH 04/13] CVE-2012-4562: Fix possible string related integer overflows. Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/string.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) Index: libssh-0.5.2/src/string.c =================================================================== --- libssh-0.5.2.orig/src/string.c +++ libssh-0.5.2/src/string.c @@ -22,6 +22,7 @@ */ #include <errno.h> +#include <limits.h> #include <stdlib.h> #include <string.h> @@ -51,7 +52,11 @@ struct ssh_string_struct *ssh_string_new(size_t size) { struct ssh_string_struct *str = NULL; - str = malloc(size + 4); + if (size > UINT_MAX - sizeof(struct ssh_string_struct)) { + return NULL; + } + + str = malloc(sizeof(struct ssh_string_struct) + size); if (str == NULL) { return NULL; } @@ -141,16 +146,22 @@ size_t ssh_string_len(struct ssh_string_ char *ssh_string_to_char(struct ssh_string_struct *s) { size_t len; char *new; - if(s==NULL || s->string == NULL) - return NULL; - len = ntohl(s->size) + 1; - new = malloc(len); + if (s == NULL || s->string == NULL) { + return NULL; + } + len = ssh_string_len(s); + if (len + 1 < len) { + return NULL; + } + + new = malloc(len + 1); if (new == NULL) { return NULL; } - memcpy(new, s->string, len - 1); - new[len - 1] = '\0'; + memcpy(new, s->string, len); + new[len] = '\0'; + return new; } ++++++ 0005-CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch ++++++ >From 64fca8a7ed83c3315781a77aac1ea36d52ff0c7e Mon Sep 17 00:00:00 2001 From: Andreas Schneider <a...@cryptomilk.org> Date: Fri, 5 Oct 2012 11:37:09 +0200 Subject: [PATCH 05/13] CVE-2012-4560: Fix a write one past the end of the 'u' buffer. 
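Review bot: on 0004, `ssh_string_new()` now checks `size > UINT_MAX - sizeof(struct ssh_string_struct)` before `malloc(sizeof(struct ssh_string_struct) + size)`; since `size` is `size_t` the natural bound would be `SIZE_MAX`, but `UINT_MAX` is the right cap here because the length is carried as a 32-bit network-order field (the removed `ntohl(s->size)` line in `ssh_string_to_char()` shows that), so anything larger could not be represented anyway. That reasoning belongs in a comment at the check. In `ssh_string_to_char()`, `len + 1 < len` can only fire at `SIZE_MAX`, which a 32-bit length never reaches; harmless, but dead on LP64.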
Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/misc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libssh-0.5.2/src/misc.c =================================================================== --- libssh-0.5.2.orig/src/misc.c +++ libssh-0.5.2/src/misc.c @@ -655,7 +655,7 @@ char *ssh_path_expand_tilde(const char * size_t s = p - d; char u[128]; - if (s > sizeof(u)) { + if (s >= sizeof(u)) { return NULL; } memcpy(u, d, s); ++++++ 0006-CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch ++++++ >From b485463197cd220aa654e7fc34a18d68af37e6e7 Mon Sep 17 00:00:00 2001 From: Andreas Schneider <a...@cryptomilk.org> Date: Fri, 5 Oct 2012 11:39:47 +0200 Subject: [PATCH 06/13] CVE-2012-4560: Fix a write one past the end of 'buf'. Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/misc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) Index: libssh-0.5.2/src/misc.c =================================================================== --- libssh-0.5.2.orig/src/misc.c +++ libssh-0.5.2/src/misc.c @@ -719,7 +719,8 @@ char *ssh_path_expand_escape(ssh_session if (*p != '%') { buf[i] = *p; i++; - if (i > MAX_BUF_SIZE) { + if (i >= MAX_BUF_SIZE) { + free(r); return NULL; } buf[i] = '\0'; @@ -769,7 +770,7 @@ char *ssh_path_expand_escape(ssh_session } i += strlen(x); - if (i > MAX_BUF_SIZE) { + if (i >= MAX_BUF_SIZE) { ssh_set_error(session, SSH_FATAL, "String too long"); return NULL; ++++++ 0007-CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch ++++++ >From 1471f2c67a23602898e783c97b65aea9cc6356a4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider <a...@cryptomilk.org> Date: Fri, 5 Oct 2012 14:33:29 +0200 Subject: [PATCH 07/13] CVE-2012-4559: Ensure we don't free blob or request twice. 
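Review bot: on 0005, `s >= sizeof(u)` is the right fix: with `s == 128` the `memcpy(u, d, s)` fills all of `u[128]` and leaves no room for a terminator, which is the one-past-the-end write the subject names. Consider reporting the failure through `ssh_set_error()` as `ssh_path_expand_escape()` does, so a rejected tilde expansion is not mistaken for an allocation failure.

Review bot: on 0006, the two hunks are inconsistent: the first adds `free(r);` before `return NULL;` when `i >= MAX_BUF_SIZE`, but the second (`i += strlen(x); if (i >= MAX_BUF_SIZE)`) still returns NULL after `ssh_set_error(session, SSH_FATAL, "String too long")` without freeing `r`, and whether `x` is heap-allocated at that point should be checked too. Both early exits should run the same cleanup; a single `goto error` label would avoid the duplication.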
Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/agent.c | 2 ++ 1 file changed, 2 insertions(+) Index: libssh-0.5.2/src/agent.c =================================================================== --- libssh-0.5.2.orig/src/agent.c +++ libssh-0.5.2/src/agent.c @@ -438,6 +438,7 @@ ssh_string agent_sign_data(struct ssh_se } ssh_string_free(blob); + blob = NULL; reply = ssh_buffer_new(); if (reply == NULL) { @@ -450,6 +451,7 @@ ssh_string agent_sign_data(struct ssh_se return NULL; } ssh_buffer_free(request); + request = NULL; /* check if reply is valid */ if (buffer_get_u8(reply, (uint8_t *) &type) != sizeof(uint8_t)) { ++++++ 0008-CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch ++++++ >From 6236001ff4f9017c9f842d6548baba9760c95f5c Mon Sep 17 00:00:00 2001 From: Andreas Schneider <a...@cryptomilk.org> Date: Fri, 5 Oct 2012 14:39:51 +0200 Subject: [PATCH 08/13] CVE-2012-4559: Ensure that we don't free req twice. Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/channels.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libssh-0.5.2/src/channels.c =================================================================== --- libssh-0.5.2.orig/src/channels.c +++ libssh-0.5.2/src/channels.c @@ -1414,6 +1414,7 @@ static int channel_request(ssh_channel c buffer_add_ssh_string(session->out_buffer, req) < 0 || buffer_add_u8(session->out_buffer, reply == 0 ? 0 : 1) < 0) { ssh_set_error_oom(session); + ssh_string_free(req); goto error; } ssh_string_free(req); @@ -1473,7 +1474,6 @@ static int channel_request(ssh_channel c return rc; error: buffer_reinit(session->out_buffer); - ssh_string_free(req); leave_function(); return rc; ++++++ 0009-CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch ++++++ >From 46b2eb3c147a29478809f1ab95e924e1bb7e3768 Mon Sep 17 00:00:00 2001 
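Review bot: on 0007, setting `blob = NULL` and `request = NULL` after the frees prevents the double free only if the later error paths call `ssh_string_free()` / `ssh_buffer_free()` on those NULL pointers and those functions treat NULL as a no-op; that is not visible in the hunk, so please confirm it or guard the calls. A comment at each reset naming the later path it protects would make the intent clear.

Review bot: on 0008, moving `ssh_string_free(req);` into the failing `buffer_add_*` branch and deleting it from the `error:` label is right for this site, but the label is shared by the whole function: any other `goto error` taken after `req` is allocated and before this point now leaks `req`, while any taken after the normal-path `ssh_string_free(req);` would previously have freed it twice. Please audit the remaining `goto error` sites in `channel_request()` against this change.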
From: Andreas Schneider <a...@cryptomilk.org> Date: Fri, 5 Oct 2012 14:46:36 +0200 Subject: [PATCH 09/13] CVE-2012-4559: Make sure we don't free name and longname twice on error. Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/sftp.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) Index: libssh-0.5.2/src/sftp.c =================================================================== --- libssh-0.5.2.orig/src/sftp.c +++ libssh-0.5.2/src/sftp.c @@ -1193,8 +1193,8 @@ static char *sftp_parse_longname(const c so that number of pairs equals extended_count */ static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf, int expectname) { - ssh_string longname = NULL; - ssh_string name = NULL; + ssh_string longname; + ssh_string name; sftp_attributes attr; uint32_t flags = 0; int ok = 0; @@ -1209,19 +1209,27 @@ static sftp_attributes sftp_parse_attr_3 /* This isn't really a loop, but it is like a try..catch.. */ do { if (expectname) { - if ((name = buffer_get_ssh_string(buf)) == NULL || - (attr->name = ssh_string_to_char(name)) == NULL) { - break; + name = buffer_get_ssh_string(buf); + if (name == NULL) { + break; } + attr->name = ssh_string_to_char(name); ssh_string_free(name); + if (attr->name == NULL) { + break; + } ssh_log(sftp->session, SSH_LOG_RARE, "Name: %s", attr->name); - if ((longname=buffer_get_ssh_string(buf)) == NULL || - (attr->longname=ssh_string_to_char(longname)) == NULL) { - break; + longname = buffer_get_ssh_string(buf); + if (longname == NULL) { + break; } + attr->longname = ssh_string_to_char(longname); ssh_string_free(longname); + if (attr->longname == NULL) { + break; + } /* Set owner and group if we talk to openssh and have the longname */ if (ssh_get_openssh_version(sftp->session)) { 
@@ -1326,8 +1334,6 @@ static sftp_attributes sftp_parse_attr_3 if (!ok) { /* break issued somewhere */ - ssh_string_free(name); - ssh_string_free(longname); ssh_string_free(attr->extended_type); ssh_string_free(attr->extended_data); SAFE_FREE(attr->name); ++++++ 0010-CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch ++++++ >From 455da60846d68c508f7fed5b381097b364647425 Mon Sep 17 00:00:00 2001 From: Andreas Schneider <a...@cryptomilk.org> Date: Fri, 5 Oct 2012 14:56:56 +0200 Subject: [PATCH 10/13] CVE-2012-4561: Fix error handling of try_publickey_from_file(). Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/keyfiles.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) Index: libssh-0.5.2/src/keyfiles.c =================================================================== --- libssh-0.5.2.orig/src/keyfiles.c +++ libssh-0.5.2/src/keyfiles.c @@ -1214,7 +1214,7 @@ ssh_string try_publickey_from_file(ssh_s const char *priv; const char *pub; char *new; - ssh_string pubkey=NULL; + ssh_string pubkey; pub = keytab.publickey; if (pub == NULL) { @@ -1234,13 +1234,13 @@ ssh_string try_publickey_from_file(ssh_s ssh_log(session, SSH_LOG_PACKET, "Trying to open publickey %s", pub); if (!ssh_file_readaccess_ok(pub)) { ssh_log(session, SSH_LOG_PACKET, "Failed to open publickey %s", pub); - goto error; + return NULL; } ssh_log(session, SSH_LOG_PACKET, "Trying to open privatekey %s", priv); if (!ssh_file_readaccess_ok(priv)) { ssh_log(session, SSH_LOG_PACKET, "Failed to open privatekey %s", priv); - goto error; + return NULL; } ssh_log(session, SSH_LOG_PACKET, "Success opening public and private key"); 
@@ -1255,18 +1255,18 @@ ssh_string try_publickey_from_file(ssh_s "Wasn't able to open public key file %s: %s", pub, ssh_get_error(session)); - goto error; + return NULL; } new = realloc(*privkeyfile, strlen(priv) + 1); if (new == NULL) { ssh_string_free(pubkey); - goto error; + return NULL; } strcpy(new, priv); *privkeyfile = new; -error: + return pubkey; } ++++++ 0011-CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch ++++++ >From d63f19c3000f8bc699ba99814bec9d7ddf6a5b20 Mon Sep 17 00:00:00 2001 From: Andreas Schneider <a...@cryptomilk.org> Date: Fri, 5 Oct 2012 15:07:17 +0200 Subject: [PATCH 11/13] CVE-2012-4561: Fix possible free's on invalid pointers. Signed-off-by: Andreas Schneider <a...@cryptomilk.org> --- src/keys.c | 5 +++++ 1 file changed, 5 insertions(+) Index: libssh-0.5.2/src/keys.c =================================================================== --- libssh-0.5.2.orig/src/keys.c +++ libssh-0.5.2/src/keys.c @@ -88,6 +88,7 @@ ssh_public_key publickey_make_dss(ssh_se ssh_buffer_free(buffer); return NULL; } + ZERO_STRUCTP(key); key->type = SSH_KEYTYPE_DSS; key->type_c = ssh_type_to_char(key->type); @@ -173,6 +174,7 @@ ssh_public_key publickey_make_rsa(ssh_se ssh_buffer_free(buffer); return NULL; } + ZERO_STRUCTP(key); key->type = type; key->type_c = ssh_type_to_char(key->type); @@ -897,6 +899,7 @@ SIGNATURE *signature_from_string(ssh_ses ssh_set_error(session, SSH_FATAL, "Not enough space"); return NULL; } + ZERO_STRUCTP(sign); tmpbuf = ssh_buffer_new(); if (tmpbuf == NULL) { @@ -1280,6 +1283,7 @@ ssh_string ssh_do_sign(ssh_session sessi if (sign == NULL) { return NULL; } + ZERO_STRUCTP(sign); switch(privatekey->type) { case SSH_KEYTYPE_DSS: @@ -1436,6 +1440,7 @@ ssh_string ssh_sign_session_id(ssh_sessi if (sign == NULL) { return NULL; } + ZERO_STRUCTP(sign); switch(privatekey->type) { case SSH_KEYTYPE_DSS: ++++++ remove-pedantic-errors.diff ++++++ 
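Review bot: on 0009, the restructured `sftp_parse_attr_3()` frees `name` and `longname` immediately after converting them, so deleting the two `ssh_string_free()` calls from the `if (!ok)` cleanup is correct, and dropping the `= NULL` initialisers is safe only because of that; if the cleanup block ever references them again they must be initialised. The `break` after `attr->name == NULL` leaves `attr->name` NULL, which the existing `SAFE_FREE(attr->name)` tolerates.

Review bot: on 0010, replacing `goto error` with `return NULL` removes the path where `ssh_string_free(pubkey); goto error;` fell through to `return pubkey;` and handed the caller a freed pointer, which is the invalid free in the subject. With the label gone, `pubkey` is no longer initialised to NULL; that is fine as long as every remaining return after the `pubkey` assignment returns either the assigned value or a literal NULL. On `realloc()` failure `*privkeyfile` is left untouched, which is the correct idiom.

Review bot: on 0011, `ZERO_STRUCTP()` after each `malloc()` plus NULL check works, but `calloc(1, sizeof(*key))` at the allocation site gives the same guarantee with one statement fewer; either way, a short comment that the zeroing is what makes freeing a partially initialised struct on an error path safe would explain why this CVE fix is a memset.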
From: Jan Engelhardt <jeng...@medozas.de> Date: 2012-02-06 00:00:21.707276910 +0100 The header file /usr/include/asm/sigcontext.h uses an unnamed aggregate (inside struct _fpstate), which is not permitted by ISO C99. gcc's -pedantic-errors flag causes this to be flagged. gcc has an exception that system header files are exempt from pedantic-error reporting, but somehow this fails to work in SLES 11 SP 1 and only SP1, even though - both SP0 and SP1 have gcc-4.3.4 - the unnamed aggregate is in both SP0 and SP1 Just like -Werror is a common nuisance, rip out -pedantic-errors occurrences as well. --- cmake/Modules/DefineCompilerFlags.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libssh-0.5.1/cmake/Modules/DefineCompilerFlags.cmake =================================================================== --- libssh-0.5.1.orig/cmake/Modules/DefineCompilerFlags.cmake +++ libssh-0.5.1/cmake/Modules/DefineCompilerFlags.cmake @@ -9,7 +9,7 @@ if (UNIX AND NOT WIN32) # if (${CMAKE_C_COMPILER_ID} MATCHES GNU) # add -Wconversion ? - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic -pedantic-errors") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -pedantic") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wshadow -Wmissing-prototypes -Wdeclaration-after-statement") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wunused -Wfloat-equal -Wpointer-arith -Wwrite-strings -Wformat-security") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-format-attribute")
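Review bot: on remove-pedantic-errors.diff, the change drops `-pedantic-errors` for every GNU build while the description limits the problem to SLES 11 SP1; the spec applies the patch only under `%if "%{?sles_version}" == "11"`, so the effective scope is fine, but that gating deserves a mention in the patch header so the two are not separated later. The `Index:` and `---`/`+++` paths still say `libssh-0.5.1` although the package is now 0.5.2; harmless with `-p1`, which strips the leading component, but worth refreshing when the patch is next touched.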