diff --git a/0001-libssh2-CVE-2019-17498.patch b/0001-libssh2-CVE-2019-17498.patch
deleted file mode 100644
index 4c9170842896aeaee9880209acfc70d863627ade..0000000000000000000000000000000000000000
--- a/0001-libssh2-CVE-2019-17498.patch
+++ /dev/null
@@ -1,116 +0,0 @@ -From ae6b894e43dabed9a93c1b5e47ab564de3f00d6c Mon Sep 17 00:00:00 2001 -From: Will Cosgrove -Date: Sat, 21 Dec 2019 19:31:58 +0800 -Subject: [PATCH] packet.c: improve message parsing (#402) - ---- - src/packet.c | 66 +++++++++++++++++++++++++----------------------------------- - 1 file changed, 27 insertions(+), 39 deletions(-) - -diff --git a/src/packet.c b/src/packet.c -index 38ab629..52eed32 100644 ---- a/src/packet.c -+++ b/src/packet.c -@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - size_t datalen, int macstate) - { - int rc = 0; -- char *message = NULL; -- char *language = NULL; -+ unsigned char *message = NULL; -+ unsigned char *language = NULL; - size_t message_len = 0; - size_t language_len = 0; - LIBSSH2_CHANNEL *channelp = NULL; -@@ -472,32 +472,21 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - - case SSH_MSG_DISCONNECT: - if(datalen >= 5) { -- size_t reason = _libssh2_ntohu32(data + 1); -+ uint32_t reason = 0; -+ struct string_buf buf; -+ buf.data = (unsigned char *)data; -+ buf.dataptr = buf.data; -+ buf.len = datalen; -+ buf.dataptr++; /* advance past type */ - -- if(datalen >= 9) { -- message_len = _libssh2_ntohu32(data + 5); -+ _libssh2_get_u32(&buf, &reason); -+ _libssh2_get_string(&buf, &message, &message_len); -+ _libssh2_get_string(&buf, &language, &language_len); - -- if(message_len < datalen-13) { -- /* 9 = packet_type(1) + reason(4) + message_len(4) */ -- message = (char *) data + 9; -- -- language_len = -- _libssh2_ntohu32(data + 9 + message_len); -- language = (char *) data + 9 + message_len + 4; -- -- if(language_len > (datalen-13-message_len)) { -- /* bad input, clear info */ -- language = message = NULL; -- language_len = message_len = 0; -- } -- } -- else -- /* bad size, clear it */ -- message_len = 0; -- } - if(session->ssh_msg_disconnect) { -- LIBSSH2_DISCONNECT(session, reason, message, -- message_len, language, language_len); -+ 
LIBSSH2_DISCONNECT(session, reason, (const char *)message, -+ message_len, (const char *)language, -+ language_len); - } - _libssh2_debug(session, LIBSSH2_TRACE_TRANS, - "Disconnect(%d): %s(%s)", reason, -@@ -539,22 +528,21 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - int always_display = data[1]; - - if(datalen >= 6) { -- message_len = _libssh2_ntohu32(data + 2); -- -- if(message_len <= (datalen - 10)) { -- /* 6 = packet_type(1) + display(1) + message_len(4) */ -- message = (char *) data + 6; -- language_len = _libssh2_ntohu32(data + 6 + -- message_len); -- -- if(language_len <= (datalen - 10 - message_len)) -- language = (char *) data + 10 + message_len; -- } -+ struct string_buf buf; -+ buf.data = (unsigned char *)data; -+ buf.dataptr = buf.data; -+ buf.len = datalen; -+ buf.dataptr += 2; /* advance past type & always display */ -+ -+ _libssh2_get_string(&buf, &message, &message_len); -+ _libssh2_get_string(&buf, &language, &language_len); - } - - if(session->ssh_msg_debug) { -- LIBSSH2_DEBUG(session, always_display, message, -- message_len, language, language_len); -+ LIBSSH2_DEBUG(session, always_display, -+ (const char *)message, -+ message_len, (const char *)language, -+ language_len); - } - } - /* -@@ -579,7 +567,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, - uint32_t len = 0; - unsigned char want_reply = 0; - len = _libssh2_ntohu32(data + 1); -- if(datalen >= (6 + len)) { -+ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { - want_reply = data[5 + len]; - _libssh2_debug(session, - LIBSSH2_TRACE_CONN, --- -1.8.3.1 - diff --git a/0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch b/0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch deleted file mode 100644 index 50e5a343a155b912901316d1c4bed32ae3185b4f..0000000000000000000000000000000000000000 --- a/0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch +++ /dev/null 
@@ -1,28 +0,0 @@
-From c2304e1ed951644bbe559348030bbb2844b348de Mon Sep 17 00:00:00 2001
-From: Will Cosgrove
-Date: Sat, 21 Dec 2019 19:35:22 +0800
-Subject: [PATCH] misc.c: _libssh2_ntohu32 cast bit shifting (#401)
-
----
- src/misc.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/misc.c b/src/misc.c
-index bd084c8..b307260 100644
---- a/src/misc.c
-+++ b/src/misc.c
-@@ -196,7 +196,10 @@ _libssh2_send(libssh2_socket_t sock, const void *buffer, size_t length,
- unsigned int
- _libssh2_ntohu32(const unsigned char *buf)
- {
-- return (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
-+ return (((unsigned int)buf[0] << 24)
-+ | ((unsigned int)buf[1] << 16)
-+ | ((unsigned int)buf[2] << 8)
-+ | ((unsigned int)buf[3]));
- }
-
-
---
-1.8.3.1
-
diff --git a/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch b/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
deleted file mode 100644
index 383a759daa116ace423e47baca311c2572e17c80..0000000000000000000000000000000000000000
--- a/0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
+++ /dev/null
@@ -1,97 +0,0 @@ -From 80d3ea5b413d269ec77aebbb0aabbe738ba31796 Mon Sep 17 00:00:00 2001 -From: Will Cosgrove -Date: Wed, 4 Sep 2019 12:16:52 -0700 -Subject: [PATCH] packet.c: improved packet parsing in packet_queue_listener - (#404) - -* improved bounds checking in packet_queue_listener - -file: packet.c - -notes: -improved parsing packet in packet_queue_listener ---- - src/packet.c | 63 +++++++++++++++++++++++++++++++++++++++++------------------- - 1 file changed, 43 insertions(+), 20 deletions(-) - -diff --git a/src/packet.c b/src/packet.c -index 2e01bfc..c83a68d 100644 ---- a/src/packet.c -+++ b/src/packet.c -@@ -85,30 +85,53 @@ packet_queue_listener(LIBSSH2_SESSION * session, unsigned char *data, - char failure_code = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED; - int rc; - -- (void) datalen; -- - if(listen_state->state == libssh2_NB_state_idle) { -- unsigned char *s = data + (sizeof("forwarded-tcpip") - 1) + 5; -- listen_state->sender_channel = _libssh2_ntohu32(s); -- s += 4; -+ unsigned long offset = (sizeof("forwarded-tcpip") - 1) + 5; -+ size_t temp_len = 0; -+ struct string_buf buf; -+ buf.data = data; -+ buf.dataptr = buf.data; -+ buf.len = datalen; -+ -+ if(datalen < offset) { -+ return _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, -+ "Unexpected packet size"); -+ } - -- listen_state->initial_window_size = _libssh2_ntohu32(s); -- s += 4; -- listen_state->packet_size = _libssh2_ntohu32(s); -- s += 4; -+ buf.dataptr += offset; - -- listen_state->host_len = _libssh2_ntohu32(s); -- s += 4; -- listen_state->host = s; -- s += listen_state->host_len; -- listen_state->port = _libssh2_ntohu32(s); -- s += 4; -+ if(_libssh2_get_u32(&buf, &(listen_state->sender_channel))) { -+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, -+ "Data too short extracting channel"); -+ } -+ if(_libssh2_get_u32(&buf, &(listen_state->initial_window_size))) { -+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, -+ "Data too short extracting window size"); 
-+ } -+ if(_libssh2_get_u32(&buf, &(listen_state->packet_size))) { -+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, -+ "Data too short extracting packet"); -+ } -+ if(_libssh2_get_string(&buf, &(listen_state->host), &temp_len)) { -+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, -+ "Data too short extracting host"); -+ } -+ listen_state->host_len = (uint32_t)temp_len; - -- listen_state->shost_len = _libssh2_ntohu32(s); -- s += 4; -- listen_state->shost = s; -- s += listen_state->shost_len; -- listen_state->sport = _libssh2_ntohu32(s); -+ if(_libssh2_get_u32(&buf, &(listen_state->port))) { -+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, -+ "Data too short extracting port"); -+ } -+ if(_libssh2_get_string(&buf, &(listen_state->shost), &temp_len)) { -+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, -+ "Data too short extracting shost"); -+ } -+ listen_state->shost_len = (uint32_t)temp_len; -+ -+ if(_libssh2_get_u32(&buf, &(listen_state->sport))) { -+ return _libssh2_error(session, LIBSSH2_ERROR_BUFFER_TOO_SMALL, -+ "Data too short extracting sport"); -+ } - - _libssh2_debug(session, LIBSSH2_TRACE_CONN, - "Remote received connection from %s:%ld to %s:%ld", --- -1.8.3.1 - diff --git a/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch b/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch deleted file mode 100644 index 4c76ad3ffc72aecb2b532942bdd4a9e97e653ecf..0000000000000000000000000000000000000000 --- a/0001-packet.c-improved-parsing-in-packet_x11_open-410.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 336bd86d2ca4030b808d76e56a0387914982e289 Mon Sep 17 00:00:00 2001 -From: Will Cosgrove -Date: Fri, 13 Sep 2019 09:45:34 -0700 -Subject: [PATCH] packet.c: improved parsing in packet_x11_open (#410) - -Use new API to parse data in packet_x11_open() for better bounds checking. ---- - src/packet.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++-------------- - 1 file changed, 49 insertions(+), 14 deletions(-) - -diff --git a/src/packet.c b/src/packet.c -index c83a68d..9897f77 100644 ---- a/src/packet.c -+++ b/src/packet.c -@@ -295,21 +295,56 @@ packet_x11_open(LIBSSH2_SESSION * session, unsigned char *data, - LIBSSH2_CHANNEL *channel = x11open_state->channel; - int rc; - -- (void) datalen; -- - if(x11open_state->state == libssh2_NB_state_idle) { -- unsigned char *s = data + (sizeof("x11") - 1) + 5; -- x11open_state->sender_channel = _libssh2_ntohu32(s); -- s += 4; -- x11open_state->initial_window_size = _libssh2_ntohu32(s); -- s += 4; -- x11open_state->packet_size = _libssh2_ntohu32(s); -- s += 4; -- x11open_state->shost_len = _libssh2_ntohu32(s); -- s += 4; -- x11open_state->shost = s; -- s += x11open_state->shost_len; -- x11open_state->sport = _libssh2_ntohu32(s); -+ -+ unsigned long offset = (sizeof("x11") - 1) + 5; -+ size_t temp_len = 0; -+ struct string_buf buf; -+ buf.data = data; -+ buf.dataptr = buf.data; -+ buf.len = datalen; -+ -+ if(datalen < offset) { -+ _libssh2_error(session, LIBSSH2_ERROR_INVAL, -+ "unexpected data length"); -+ failure_code = SSH_OPEN_CONNECT_FAILED; -+ goto x11_exit; -+ } -+ -+ buf.dataptr += offset; -+ -+ if(_libssh2_get_u32(&buf, &(x11open_state->sender_channel))) { -+ _libssh2_error(session, LIBSSH2_ERROR_INVAL, -+ "unexpected sender channel size"); -+ failure_code = SSH_OPEN_CONNECT_FAILED; -+ goto x11_exit; -+ } -+ if(_libssh2_get_u32(&buf, &(x11open_state->initial_window_size))) { -+ _libssh2_error(session, LIBSSH2_ERROR_INVAL, -+ "unexpected window size"); -+ failure_code = SSH_OPEN_CONNECT_FAILED; -+ 
goto x11_exit; -+ } -+ if(_libssh2_get_u32(&buf, &(x11open_state->packet_size))) { -+ _libssh2_error(session, LIBSSH2_ERROR_INVAL, -+ "unexpected window size"); -+ failure_code = SSH_OPEN_CONNECT_FAILED; -+ goto x11_exit; -+ } -+ if(_libssh2_get_string(&buf, &(x11open_state->shost), &temp_len)) { -+ _libssh2_error(session, LIBSSH2_ERROR_INVAL, -+ "unexpected host size"); -+ failure_code = SSH_OPEN_CONNECT_FAILED; -+ goto x11_exit; -+ } -+ x11open_state->shost_len = (uint32_t)temp_len; -+ -+ if(_libssh2_get_u32(&buf, &(x11open_state->sport))) { -+ _libssh2_error(session, LIBSSH2_ERROR_INVAL, -+ "unexpected port size"); -+ failure_code = SSH_OPEN_CONNECT_FAILED; -+ goto x11_exit; -+ } - - _libssh2_debug(session, LIBSSH2_TRACE_CONN, - "X11 Connection Received from %s:%ld on channel %lu", --- -1.8.3.1 - diff --git a/fix-heap-buffer-overflow-in-kex_agree_methods.patch b/fix-heap-buffer-overflow-in-kex_agree_methods.patch deleted file mode 100644 index 47b2674c52dc203f76360bb158e36ffe97c3c4b0..0000000000000000000000000000000000000000 --- a/fix-heap-buffer-overflow-in-kex_agree_methods.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From 43f24eb152b8ec62473d2de6108d7c0b267b2419 Mon Sep 17 00:00:00 2001 -From: Will Cosgrove -Date: Tue, 27 Aug 2019 10:58:52 -0700 -Subject: [PATCH] kex.c: improve bounds checking in kex_agree_methods() (#399) - -file: kex.c - -notes: -use _libssh2_get_string instead of kex_string_pair which does additional checks ---- - src/kex.c | 65 ++++++++++++++++++++----------------------------------- - 1 file changed, 24 insertions(+), 41 deletions(-) - -diff --git a/src/kex.c b/src/kex.c -index df9a4fdd6..7b111feaa 100644 ---- a/src/kex.c -+++ b/src/kex.c -@@ -3937,35 +3937,10 @@ static int kex_agree_comp(LIBSSH2_SESSION *session, - } - - -- - /* TODO: When in server mode we need to turn this logic on its head - * The Client gets to make the final call on "agreed methods" - */ - --/* -- * kex_string_pair() extracts a string from the packet and makes sure it fits -- * within the given packet. -- */ --static int kex_string_pair(unsigned char **sp, /* parsing position */ -- unsigned char *data, /* start pointer to packet */ -- size_t data_len, /* size of total packet */ -- size_t *lenp, /* length of the string */ -- unsigned char **strp) /* pointer to string start */ --{ -- unsigned char *s = *sp; -- *lenp = _libssh2_ntohu32(s); -- -- /* the length of the string must fit within the current pointer and the -- end of the packet */ -- if(*lenp > (data_len - (s - data) -4)) -- return 1; -- *strp = s + 4; -- s += 4 + *lenp; -- -- *sp = s; -- return 0; --} -- - /* kex_agree_methods - * Decide which specific method to use of the methods offered by each party - */ -@@ -3976,40 +3951,48 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data, - *mac_cs, *mac_sc; - size_t kex_len, hostkey_len, crypt_cs_len, crypt_sc_len, comp_cs_len; - size_t comp_sc_len, mac_cs_len, mac_sc_len; -- unsigned char *s = data; -+ struct string_buf buf; - -- /* Skip packet_type, we know it already */ -- s++; -+ if(data_len < 17) -+ return -1; -+ -+ buf.data = 
(unsigned char *)data; -+ buf.len = data_len; -+ buf.dataptr = buf.data; -+ buf.dataptr++; /* advance past packet type */ - - /* Skip cookie, don't worry, it's preserved in the kexinit field */ -- s += 16; -+ buf.dataptr += 16; - - /* Locate each string */ -- if(kex_string_pair(&s, data, data_len, &kex_len, &kex)) -+ if(_libssh2_get_string(&buf, &kex, &kex_len)) - return -1; -- if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey)) -+ if(_libssh2_get_string(&buf, &hostkey, &hostkey_len)) - return -1; -- if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs)) -+ if(_libssh2_get_string(&buf, &crypt_cs, &crypt_cs_len)) - return -1; -- if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc)) -+ if(_libssh2_get_string(&buf, &crypt_sc, &crypt_sc_len)) - return -1; -- if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs)) -+ if(_libssh2_get_string(&buf, &mac_cs, &mac_cs_len)) - return -1; -- if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc)) -+ if(_libssh2_get_string(&buf, &mac_sc, &mac_sc_len)) - return -1; -- if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs)) -+ if(_libssh2_get_string(&buf, &comp_cs, &comp_cs_len)) - return -1; -- if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc)) -+ if(_libssh2_get_string(&buf, &comp_sc, &comp_sc_len)) - return -1; - - /* If the server sent an optimistic packet, assume that it guessed wrong. 
- * If the guess is determined to be right (by kex_agree_kex_hostkey) - * This flag will be reset to zero so that it's not ignored */ -- session->burn_optimistic_kexinit = *(s++); -- /* Next uint32 in packet is all zeros (reserved) */ -+ if(_libssh2_check_length(&buf, 1)) { -+ session->burn_optimistic_kexinit = *(buf.dataptr++); -+ } -+ else { -+ return -1; -+ } - -- if(data_len < (unsigned) (s - data)) -- return -1; /* short packet */ -+ /* Next uint32 in packet is all zeros (reserved) */ - - if(kex_agree_kex_hostkey(session, kex, kex_len, hostkey, hostkey_len)) { - return -1; - diff --git a/fix-use-of-uninitialized-value-476-478.patch b/fix-use-of-uninitialized-value-476-478.patch deleted file mode 100644 index 040094dbc8fb98e563022c7a542ff142784a3d30..0000000000000000000000000000000000000000 --- a/fix-use-of-uninitialized-value-476-478.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 0b44e558f311671f6e6d14c559bc1c9bda59b8df Mon Sep 17 00:00:00 2001 -From: Will Cosgrove -Date: Thu, 28 May 2020 14:20:08 -0700 -Subject: [PATCH 2/2] transport.c: moving total_num check from #476 (#478) - -file: transport.c - -notes: -moving total_num zero length check from #476 up to the prior bounds check which already includes a total_num check. Makes it slightly more readable. - -credit: -Will Cosgrove ---- - src/transport.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/transport.c b/src/transport.c -index adf96c2..11e5614 100644 ---- a/src/transport.c -+++ b/src/transport.c -@@ -465,7 +465,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) - * or less (including length, padding length, payload, - * padding, and MAC.)." - */ -- if(total_num > LIBSSH2_PACKET_MAXPAYLOAD) { -+ if(total_num > LIBSSH2_PACKET_MAXPAYLOAD || total_num == 0) { - return LIBSSH2_ERROR_OUT_OF_BOUNDARY; - } - --- -1.8.3.1 - 
diff --git a/libssh2-1.10.0.tar.gz b/libssh2-1.10.0.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..675581d990ecaf32f5c078542b66efe956255393
Binary files /dev/null and b/libssh2-1.10.0.tar.gz differ
diff --git a/libssh2-1.9.0.tar.gz b/libssh2-1.9.0.tar.gz
deleted file mode 100644
index 55c3ddff2a2d1afd4771e5b0505feb278a773f3d..0000000000000000000000000000000000000000
Binary files a/libssh2-1.9.0.tar.gz and /dev/null differ
diff --git a/libssh2.spec b/libssh2.spec
index 6bb48379117afef0a44a406f6ee59de9d9c68824..3f1e5b788a6054840ba8cc941901660cae16db1a 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,21 +1,14 @@
 Name: libssh2
-Version: 1.9.0
-Release: 6
+Version: 1.10.0
+Release: 1
 Summary: A library implementing the SSH2 protocol
 License: BSD
 URL: https://www.libssh2.org/
 Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz
 
-Patch0: 0001-libssh2-CVE-2019-17498.patch
-Patch1: 0001-libssh2-misc.c-_libssh2_ntohu32-cast-bit-shifting-40.patch
-Patch2: fix-use-of-uninitialized-value-476-478.patch
-Patch3: fix-heap-buffer-overflow-in-kex_agree_methods.patch
-Patch4: 0001-packet.c-improved-parsing-in-packet_x11_open-410.patch
-Patch5: 0001-packet.c-improved-packet-parsing-in-packet_queue_lis.patch
-
 BuildRequires: coreutils findutils /usr/bin/man zlib-devel
 BuildRequires: gcc make sed openssl-devel > 1:1.0.1 openssh-server
-BuildRequires: glibc-langpack-en
+BuildRequires: glibc-langpack-en groff
 
 %description
 libssh2 is a library implementing the SSH2 protocol as defined by
@@ -91,6 +84,12 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_mandir}/man3/libssh2_*.3*
 
 %changelog
+* Fri Dec 03 2021 gaihuiying - 1.10.0-1
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC:update libssh2 to 1.10.0
+
 * Thu Sep 24 2020 yuboyun - 1.9.0-6
 - Type:bugfix
 - ID:NA
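Review bot: The new %changelog entry says only "update libssh2 to 1.10.0", while the first hunk of libssh2.spec drops Patch0 through Patch5, among them the CVE-2019-17498 fix and the kex_agree_methods() heap-overflow fix, without recording why they are no longer needed. Presumably all six upstream commits (#399, #401, #402, #404, #410, #478) are contained in the 1.10.0 tarball, but the spec gives a future maintainer no way to tell that from a silent downgrade of hardening; the DESC line should state it, e.g. `- DESC:update libssh2 to 1.10.0, drop patches merged upstream (CVE-2019-17498, #399/#401/#402/#404/#410/#478)`. The new `groff` BuildRequires is likewise unexplained in the changelog and could be mentioned in the same line. Worth confirming each dropped patch against the 1.10.0 sources before merging, since the patch files themselves carry no version marker.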