diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2019-10-17 09:15:12 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-10-17 11:19:06 +0200 |
commit | abdf2ab6d79a67fd9049354e301836e75be57fce (patch) | |
tree | f0bab747a764fa962ec0fb4c032b9b8b9b5d502b | |
parent | c7986fb0359cb021d60aa53eeb6a625812062705 (diff) | |
download | alpine_aports-abdf2ab6d79a67fd9049354e301836e75be57fce.tar.bz2 alpine_aports-abdf2ab6d79a67fd9049354e301836e75be57fce.tar.xz alpine_aports-abdf2ab6d79a67fd9049354e301836e75be57fce.zip |
main/libssh2: fix for CVE-2019-17498
fixes #10883
-rw-r--r-- | main/libssh2/APKBUILD | 8 | ||||
-rw-r--r-- | main/libssh2/CVE-2019-17498.patch | 72 |
2 files changed, 78 insertions, 2 deletions
diff --git a/main/libssh2/APKBUILD b/main/libssh2/APKBUILD index c87aa6ae9f..6f3b458dd8 100644 --- a/main/libssh2/APKBUILD +++ b/main/libssh2/APKBUILD | |||
@@ -8,10 +8,13 @@ arch="all" | |||
8 | license="BSD-3-Clause" | 8 | license="BSD-3-Clause" |
9 | makedepends="openssl-dev zlib-dev" | 9 | makedepends="openssl-dev zlib-dev" |
10 | subpackages="$pkgname-dbg $pkgname-static $pkgname-dev $pkgname-doc" | 10 | subpackages="$pkgname-dbg $pkgname-static $pkgname-dev $pkgname-doc" |
11 | source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz" | 11 | source="https://www.libssh2.org/download/libssh2-$pkgver.tar.gz |
12 | CVE-2019-17498.patch" | ||
12 | builddir="$srcdir"/libssh2-$pkgver | 13 | builddir="$srcdir"/libssh2-$pkgver |
13 | 14 | ||
14 | # security fixes: | 15 | # security fixes: |
16 | # 1.9.0-r1: | ||
17 | # - CVE-2019-17498 | ||
15 | # 1.9.0-r0: | 18 | # 1.9.0-r0: |
16 | # - CVE-2019-13115 | 19 | # - CVE-2019-13115 |
17 | # 1.8.1-r0: | 20 | # 1.8.1-r0: |
@@ -57,4 +60,5 @@ static() { | |||
57 | mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib | 60 | mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib |
58 | } | 61 | } |
59 | 62 | ||
60 | sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz" | 63 | sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz |
64 | fedd840ec8459409c80ef3984f3539e09c0730fb1a7ccc8034e3e03618590a5c0589b7dff132c813b148be9f5b784d3cd50830c502d419af77ce86e848297813 CVE-2019-17498.patch" | ||
diff --git a/main/libssh2/CVE-2019-17498.patch b/main/libssh2/CVE-2019-17498.patch new file mode 100644 index 0000000000..e858cca186 --- /dev/null +++ b/main/libssh2/CVE-2019-17498.patch | |||
@@ -0,0 +1,72 @@ | |||
1 | From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001 | ||
2 | From: Will Cosgrove <will@panic.com> | ||
3 | Date: Thu, 29 Aug 2019 15:24:22 -0700 | ||
4 | Subject: [PATCH] fixed type issue, updated SSH_MSG_DISCONNECT | ||
5 | |||
6 | SSH_MSG_DISCONNECT now also uses _libssh2_get API. | ||
7 | --- | ||
8 | src/packet.c | 40 +++++++++++++++------------------------- | ||
9 | 1 file changed, 15 insertions(+), 25 deletions(-) | ||
10 | |||
11 | diff --git a/src/packet.c b/src/packet.c | ||
12 | index 8908b2c5..97f0cdd4 100644 | ||
13 | --- a/src/packet.c | ||
14 | +++ b/src/packet.c | ||
15 | @@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, | ||
16 | size_t datalen, int macstate) | ||
17 | { | ||
18 | int rc = 0; | ||
19 | - char *message = NULL; | ||
20 | - char *language = NULL; | ||
21 | + unsigned char *message = NULL; | ||
22 | + unsigned char *language = NULL; | ||
23 | size_t message_len = 0; | ||
24 | size_t language_len = 0; | ||
25 | LIBSSH2_CHANNEL *channelp = NULL; | ||
26 | @@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, | ||
27 | |||
28 | case SSH_MSG_DISCONNECT: | ||
29 | if(datalen >= 5) { | ||
30 | - size_t reason = _libssh2_ntohu32(data + 1); | ||
31 | + uint32_t reason = 0; | ||
32 | + struct string_buf buf; | ||
33 | + buf.data = (unsigned char *)data; | ||
34 | + buf.dataptr = buf.data; | ||
35 | + buf.len = datalen; | ||
36 | + buf.dataptr++; /* advance past type */ | ||
37 | |||
38 | - if(datalen >= 9) { | ||
39 | - message_len = _libssh2_ntohu32(data + 5); | ||
40 | + _libssh2_get_u32(&buf, &reason); | ||
41 | + _libssh2_get_string(&buf, &message, &message_len); | ||
42 | + _libssh2_get_string(&buf, &language, &language_len); | ||
43 | |||
44 | - if(message_len < datalen-13) { | ||
45 | - /* 9 = packet_type(1) + reason(4) + message_len(4) */ | ||
46 | - message = (char *) data + 9; | ||
47 | - | ||
48 | - language_len = | ||
49 | - _libssh2_ntohu32(data + 9 + message_len); | ||
50 | - language = (char *) data + 9 + message_len + 4; | ||
51 | - | ||
52 | - if(language_len > (datalen-13-message_len)) { | ||
53 | - /* bad input, clear info */ | ||
54 | - language = message = NULL; | ||
55 | - language_len = message_len = 0; | ||
56 | - } | ||
57 | - } | ||
58 | - else | ||
59 | - /* bad size, clear it */ | ||
60 | - message_len = 0; | ||
61 | - } | ||
62 | if(session->ssh_msg_disconnect) { | ||
63 | - LIBSSH2_DISCONNECT(session, reason, message, | ||
64 | - message_len, language, language_len); | ||
65 | + LIBSSH2_DISCONNECT(session, reason, (const char *)message, | ||
66 | + message_len, (const char *)language, | ||
67 | + language_len); | ||
68 | } | ||
69 | + | ||
70 | _libssh2_debug(session, LIBSSH2_TRACE_TRANS, | ||
71 | "Disconnect(%d): %s(%s)", reason, | ||
72 | message, language); | ||