diff --git a/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch b/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch new file mode 100644 index 0000000000000000000000000000000000000000..383a759daa116ace423e47baca311c2572e17c80 --- /dev/null +++ b/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch @@ -0,0 +1,97 @@ +From 80d3ea5b413d269ec77aebbb0aabbe738ba31796 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove +Date: Wed, 4 Sep 2019 12:16:52 -0700 +Subject: [PATCH] packet.c: improved packet parsing in packet_queue_listener + (#404) + +* improved bounds checking in packet_queue_listener + +file: packet.c + +notes: +improved parsing packet in packet_queue_listener +--- + src/packet.c | 63 +++++++++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 43 insertions(+), 20 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 2e01bfc..c83a68d 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -85,30 +85,53 @@ packet_queue_listener(LIBSSH2_SESSION * session, unsigned char *data, + char failure_code = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED; + int rc; + +- (void) datalen; +- + if(listen_state->state == libssh2_NB_state_idle) { +- unsigned char *s = data + (sizeof("forwarded-tcpip") - 1) + 5; +- listen_state->sender_channel = _libssh2_ntohu32(s); +- s += 4; ++ unsigned long offset = (sizeof("forwarded-tcpip") - 1) + 5; ++ size_t temp_len = 0; ++ struct string_buf buf; ++ buf.data = data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ ++ if(datalen < offset) { ++ return _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, ++ "Unexpected packet size"); ++ } + +- listen_state->initial_window_size = _libssh2_ntohu32(s); +- s += 4; +- listen_state->packet_size = _libssh2_ntohu32(s); +- s += 4; ++ buf.dataptr += offset; + +- listen_state->host_len = _libssh2_ntohu32(s); +- s += 4; +- listen_state->host = s; +- s += listen_state->host_len; +- listen_state->port = _libssh2_ntohu32(s); +- s += 4; ++ if(_libssh2_get_u32(&buf, &(listen_state->sender_channel))) { ++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Data too short extracting channel"); ++ } ++ if(_libssh2_get_u32(&buf, &(listen_state->initial_window_size))) { ++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Data too short extracting window size"); ++ } ++ if(_libssh2_get_u32(&buf, &(listen_state->packet_size))) { ++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Data too short extracting packet"); ++ } ++ if(_libssh2_get_string(&buf, &(listen_state->host), &temp_len)) { ++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Data too short extracting host"); ++ } ++ listen_state->host_len = (uint32_t)temp_len; + +- listen_state->shost_len = _libssh2_ntohu32(s); +- s += 4; +- listen_state->shost = s; +- s += listen_state->shost_len; +- listen_state->sport = _libssh2_ntohu32(s); ++ if(_libssh2_get_u32(&buf, &(listen_state->port))) { ++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Data too short extracting port"); ++ } ++ if(_libssh2_get_string(&buf, &(listen_state->shost), &temp_len)) { ++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Data too short extracting shost"); ++ } ++ listen_state->shost_len = (uint32_t)temp_len; ++ ++ if(_libssh2_get_u32(&buf, &(listen_state->sport))) { ++ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, ++ "Data too short extracting sport"); ++ } + + _libssh2_debug(session, LIBSSH2_TRACE_CONN, + "Remote received connection from %s:%ld to %s:%ld", +-- +1.8.3.1 + diff --git a/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch b/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch new file mode 100644 index 0000000000000000000000000000000000000000..4c76ad3ffc72aecb2b532942bdd4a9e97e653ecf --- /dev/null +++ b/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch @@ -0,0 +1,88 @@ +From 336bd86d2ca4030b808d76e56a0387914982e289 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove +Date: Fri, 13 Sep 2019 09:45:34 -0700 +Subject: [PATCH] packet.c: improved parsing in packet_x11_open (#410) + +Use new API to parse data in packet_x11_open() for better bounds checking. +--- + src/packet.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 49 insertions(+), 14 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index c83a68d..9897f77 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -295,21 +295,56 @@ packet_x11_open(LIBSSH2_SESSION * session, unsigned char *data, + LIBSSH2_CHANNEL *channel = x11open_state->channel; + int rc; + +- (void) datalen; +- + if(x11open_state->state == libssh2_NB_state_idle) { +- unsigned char *s = data + (sizeof("x11") - 1) + 5; +- x11open_state->sender_channel = _libssh2_ntohu32(s); +- s += 4; +- x11open_state->initial_window_size = _libssh2_ntohu32(s); +- s += 4; +- x11open_state->packet_size = _libssh2_ntohu32(s); +- s += 4; +- x11open_state->shost_len = _libssh2_ntohu32(s); +- s += 4; +- x11open_state->shost = s; +- s += x11open_state->shost_len; +- x11open_state->sport = _libssh2_ntohu32(s); ++ ++ unsigned long offset = (sizeof("x11") - 1) + 5; ++ size_t temp_len = 0; ++ struct string_buf buf; ++ buf.data = data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ ++ if(datalen < offset) { ++ _libssh2_error(session, LIBSSH2_ERROR_INVAL, ++ "unexpected data length"); ++ failure_code = SSH_OPEN_CONNECT_FAILED; ++ goto x11_exit; ++ } ++ ++ buf.dataptr += offset; ++ ++ if(_libssh2_get_u32(&buf, &(x11open_state->sender_channel))) { ++ _libssh2_error(session, LIBSSH2_ERROR_INVAL, ++ "unexpected sender channel size"); ++ failure_code = SSH_OPEN_CONNECT_FAILED; ++ goto x11_exit; ++ } ++ if(_libssh2_get_u32(&buf, &(x11open_state->initial_window_size))) { ++ _libssh2_error(session, LIBSSH2_ERROR_INVAL, ++ "unexpected window size"); ++ failure_code = SSH_OPEN_CONNECT_FAILED; ++ goto x11_exit; ++ } ++ if(_libssh2_get_u32(&buf, &(x11open_state->packet_size))) { ++ _libssh2_error(session, LIBSSH2_ERROR_INVAL, ++ "unexpected window size"); ++ failure_code = SSH_OPEN_CONNECT_FAILED; ++ goto x11_exit; ++ } ++ if(_libssh2_get_string(&buf, &(x11open_state->shost), &temp_len)) { ++ _libssh2_error(session, LIBSSH2_ERROR_INVAL, ++ "unexpected host size"); ++ failure_code = SSH_OPEN_CONNECT_FAILED; ++ goto x11_exit; ++ } ++ x11open_state->shost_len = (uint32_t)temp_len; ++ ++ if(_libssh2_get_u32(&buf, &(x11open_state->sport))) { ++ _libssh2_error(session, LIBSSH2_ERROR_INVAL, ++ "unexpected port size"); ++ failure_code = SSH_OPEN_CONNECT_FAILED; ++ goto x11_exit; ++ } + + _libssh2_debug(session, LIBSSH2_TRACE_CONN, + "X11 Connection Received from %s:%ld on channel %lu", +-- +1.8.3.1 + diff --git a/libssh2.spec b/libssh2.spec index f1bd8c2882d851d9234332f43b6206e19f3b9cae..86aadf705a793500baff4a659a6c7c25f582b526 100644 --- a/libssh2.spec +++ b/libssh2.spec @@ -1,15 +1,17 @@ Name: libssh2 Version: 1.9.0 -Release: 4 +Release: 5 Summary: A library implementing the SSH2 protocol License: BSD URL: https://www.libssh2.org/ Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz -Patch9000: 0001-libssh2-CVE-2019-17498.patch -Patch9001: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch -Patch9002: fix-use-of-uninitialized-value-476-478.patch -Patch9003: fix-heap-buffer-overflow-in-kex_agree_methods.patch +Patch0: 0001-libssh2-CVE-2019-17498.patch +Patch1: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch +Patch2: fix-use-of-uninitialized-value-476-478.patch +Patch3: fix-heap-buffer-overflow-in-kex_agree_methods.patch +Patch4: 0001-packet.c-improved-parsing-in-packet_x11_open-410.patch +Patch5: 0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch BuildRequires: coreutils findutils /usr/bin/man zlib-devel BuildRequires: gcc make sed openssl-devel > 1:1.0.1 openssh-server @@ -89,6 +91,12 @@ LC_ALL=en_US.UTF-8 make -C tests check %{_mandir}/man3/libssh2_*.3* %changelog +* Thu Sep 24 2020 yuboyun - 1.9.0-5 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix heap-buffer-overflow in _libssh2_ntohu32 and wild-addr-read in _libssh2_ntohu32 + * Thu Jun 4 2020 songzifeng - 1.9.0-4 - Type:bugfix - ID:NA