main/libssh2: fix for CVE-2019-17498

fixes #10883
author: Natanael Copa <ncopa@alpinelinux.org> 2019-10-17 09:15:12 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2019-10-17 11:19:06 +0200
commit: abdf2ab6d79a67fd9049354e301836e75be57fce (patch)
tree: f0bab747a764fa962ec0fb4c032b9b8b9b5d502b
parent: c7986fb0359cb021d60aa53eeb6a625812062705 (diff)
download: alpine_aports-abdf2ab6d79a67fd9049354e301836e75be57fce.tar.bz2
alpine_aports-abdf2ab6d79a67fd9049354e301836e75be57fce.tar.xz
alpine_aports-abdf2ab6d79a67fd9049354e301836e75be57fce.zip
2 files changed, 78 insertions, 2 deletions
diff --git a/main/libssh2/APKBUILD b/main/libssh2/APKBUILD
index c87aa6ae9f..6f3b458dd8 100644
--- a/main/libssh2/APKBUILD
+++ b/main/libssh2/APKBUILD
@@ -8,10 +8,13 @@ arch="all"
 license="BSD-3-Clause"
 makedepends="openssl-dev zlib-dev"
 subpackages="$pkgname-dbg $pkgname-static $pkgname-dev $pkgname-doc"
-source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz"
+source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz
+        CVE-2019-17498.patch"
 builddir="$srcdir"/libssh2-$pkgver
 # security fixes:
+#   1.9.0-r1:
+#     - CVE-2019-17498
 #   1.9.0-r0:
 #     - CVE-2019-13115
 #   1.8.1-r0:
@@ -57,4 +60,5 @@ static() {
        mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib
 }
-sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17  libssh2-1.9.0.tar.gz"
+sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17  libssh2-1.9.0.tar.gz
+fedd840ec8459409c80ef3984f3539e09c0730fb1a7ccc8034e3e03618590a5c0589b7dff132c813b148be9f5b784d3cd50830c502d419af77ce86e848297813  CVE-2019-17498.patch"
diff --git a/main/libssh2/CVE-2019-17498.patch b/main/libssh2/CVE-2019-17498.patch
new file mode 100644
index 0000000000..e858cca186
--- /dev/null
+++ b/main/libssh2/CVE-2019-17498.patch
@@ -0,0 +1,72 @@
+From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:24:22 -0700
+Subject: [PATCH] fixed type issue, updated SSH_MSG_DISCONNECT
+SSH_MSG_DISCONNECT now also uses  _libssh2_get API.
+---
+ src/packet.c | 40 +++++++++++++++-------------------------
+ 1 file changed, 15 insertions(+), 25 deletions(-)
+diff --git a/src/packet.c b/src/packet.c
+index 8908b2c5..97f0cdd4 100644
+--- a/src/packet.c
+++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                     size_t datalen, int macstate)
+ {
+     int rc = 0;
+-    char *message = NULL;
+-    char *language = NULL;
+    unsigned char *message = NULL;
+    unsigned char *language = NULL;
+     size_t message_len = 0;
+     size_t language_len = 0;
+     LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+         case SSH_MSG_DISCONNECT:
+             if(datalen >= 5) {
+-                size_t reason = _libssh2_ntohu32(data + 1);
+                uint32_t reason = 0;
+                struct string_buf buf;
+                buf.data = (unsigned char *)data;
+                buf.dataptr = buf.data;
+                buf.len = datalen;
+                buf.dataptr++; /* advance past type */
+ 
+-                if(datalen >= 9) {
+-                    message_len = _libssh2_ntohu32(data + 5);
+                _libssh2_get_u32(&buf, &reason);
+                _libssh2_get_string(&buf, &message, &message_len);
+                _libssh2_get_string(&buf, &language, &language_len);
+ 
+-                    if(message_len < datalen-13) {
+-                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
+-                        message = (char *) data + 9;
+-
+-                        language_len =
+-                            _libssh2_ntohu32(data + 9 + message_len);
+-                        language = (char *) data + 9 + message_len + 4;
+-
+-                        if(language_len > (datalen-13-message_len)) {
+-                            /* bad input, clear info */
+-                            language = message = NULL;
+-                            language_len = message_len = 0;
+-                        }
+-                    }
+-                    else
+-                        /* bad size, clear it */
+-                        message_len = 0;
+-                }
+                 if(session->ssh_msg_disconnect) {
+-                    LIBSSH2_DISCONNECT(session, reason, message,
+-                                       message_len, language, language_len);
+                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
+                                       message_len, (const char *)language,
+                                       language_len);
+                 }
+
+                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+                                "Disconnect(%d): %s(%s)", reason,
+                                message, language);
author	Natanael Copa <ncopa@alpinelinux.org>	2019-10-17 09:15:12 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2019-10-17 11:19:06 +0200
commit	abdf2ab6d79a67fd9049354e301836e75be57fce (patch)
tree	f0bab747a764fa962ec0fb4c032b9b8b9b5d502b
parent	c7986fb0359cb021d60aa53eeb6a625812062705 (diff)
download	alpine_aports-abdf2ab6d79a67fd9049354e301836e75be57fce.tar.bz2 alpine_aports-abdf2ab6d79a67fd9049354e301836e75be57fce.tar.xz alpine_aports-abdf2ab6d79a67fd9049354e301836e75be57fce.zip

diff --git a/main/libssh2/APKBUILD b/main/libssh2/APKBUILD index c87aa6ae9f..6f3b458dd8 100644 --- a/main/libssh2/APKBUILD +++ b/main/libssh2/APKBUILD
@@ -8,10 +8,13 @@ arch="all"
8	license="BSD-3-Clause"	8	license="BSD-3-Clause"
9	makedepends="openssl-dev zlib-dev"	9	makedepends="openssl-dev zlib-dev"
10	subpackages="$pkgname-dbg $pkgname-static $pkgname-dev $pkgname-doc"	10	subpackages="$pkgname-dbg $pkgname-static $pkgname-dev $pkgname-doc"
11	source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz"	11	source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz
		12	CVE-2019-17498.patch"
12	builddir="$srcdir"/libssh2-$pkgver	13	builddir="$srcdir"/libssh2-$pkgver
13		14
14	# security fixes:	15	# security fixes:
		16	# 1.9.0-r1:
		17	# - CVE-2019-17498
15	# 1.9.0-r0:	18	# 1.9.0-r0:
16	# - CVE-2019-13115	19	# - CVE-2019-13115
17	# 1.8.1-r0:	20	# 1.8.1-r0:
@@ -57,4 +60,5 @@ static() {
57	mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib	60	mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib
58	}	61	}
59		62
60	sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz"	63	sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz
		64	fedd840ec8459409c80ef3984f3539e09c0730fb1a7ccc8034e3e03618590a5c0589b7dff132c813b148be9f5b784d3cd50830c502d419af77ce86e848297813 CVE-2019-17498.patch"


diff --git a/main/libssh2/CVE-2019-17498.patch b/main/libssh2/CVE-2019-17498.patch new file mode 100644 index 0000000000..e858cca186 --- /dev/null +++ b/main/libssh2/CVE-2019-17498.patch
@@ -0,0 +1,72 @@
		1	From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001
		2	From: Will Cosgrove <will@panic.com>
		3	Date: Thu, 29 Aug 2019 15:24:22 -0700
		4	Subject: [PATCH] fixed type issue, updated SSH_MSG_DISCONNECT
		5
		6	SSH_MSG_DISCONNECT now also uses _libssh2_get API.
		7	---
		8	src/packet.c \| 40 +++++++++++++++-------------------------
		9	1 file changed, 15 insertions(+), 25 deletions(-)
		10
		11	diff --git a/src/packet.c b/src/packet.c
		12	index 8908b2c5..97f0cdd4 100644
		13	--- a/src/packet.c
		14	+++ b/src/packet.c
		15	@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
		16	size_t datalen, int macstate)
		17	{
		18	int rc = 0;
		19	- char *message = NULL;
		20	- char *language = NULL;
		21	+ unsigned char *message = NULL;
		22	+ unsigned char *language = NULL;
		23	size_t message_len = 0;
		24	size_t language_len = 0;
		25	LIBSSH2_CHANNEL *channelp = NULL;
		26	@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
		27
		28	case SSH_MSG_DISCONNECT:
		29	if(datalen >= 5) {
		30	- size_t reason = _libssh2_ntohu32(data + 1);
		31	+ uint32_t reason = 0;
		32	+ struct string_buf buf;
		33	+ buf.data = (unsigned char *)data;
		34	+ buf.dataptr = buf.data;
		35	+ buf.len = datalen;
		36	+ buf.dataptr++; /* advance past type */
		37
		38	- if(datalen >= 9) {
		39	- message_len = _libssh2_ntohu32(data + 5);
		40	+ _libssh2_get_u32(&buf, &reason);
		41	+ _libssh2_get_string(&buf, &message, &message_len);
		42	+ _libssh2_get_string(&buf, &language, &language_len);
		43
		44	- if(message_len < datalen-13) {
		45	- /* 9 = packet_type(1) + reason(4) + message_len(4) */
		46	- message = (char *) data + 9;
		47	-
		48	- language_len =
		49	- _libssh2_ntohu32(data + 9 + message_len);
		50	- language = (char *) data + 9 + message_len + 4;
		51	-
		52	- if(language_len > (datalen-13-message_len)) {
		53	- /* bad input, clear info */
		54	- language = message = NULL;
		55	- language_len = message_len = 0;
		56	- }
		57	- }
		58	- else
		59	- /* bad size, clear it */
		60	- message_len = 0;
		61	- }
		62	if(session->ssh_msg_disconnect) {
		63	- LIBSSH2_DISCONNECT(session, reason, message,
		64	- message_len, language, language_len);
		65	+ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
		66	+ message_len, (const char *)language,
		67	+ language_len);
		68	}
		69	+
		70	_libssh2_debug(session, LIBSSH2_TRACE_TRANS,
		71	"Disconnect(%d): %s(%s)", reason,
		72	message, language);