diff --git a/backport-Add-NULL-pointer-check-for-outlen-before-use-1109.patch b/backport-Add-NULL-pointer-check-for-outlen-before-use-1109.patch
new file mode 100644
index 0000000000000000000000000000000000000000..93c12febdbcdcb25944aa5be0965e2eb10f27398
--- /dev/null
+++ b/backport-Add-NULL-pointer-check-for-outlen-before-use-1109.patch
@@ -0,0 +1,32 @@
+From 724effcb47ebb713d3ef1776684b8f6407b4b6a5 Mon Sep 17 00:00:00 2001
+From: ren mingshuai <78132473+rmsh1216@users.noreply.github.com>
+Date: Sat, 1 Jul 2023 01:34:44 +0800
+Subject: [PATCH] Add NULL pointer check for outlen before use (#1109)
+
+Before assigning a value to the outlen, we need to check whether it is NULL.
+
+Credit: Ren Mingshuai
+
+Reference:https://github.com/libssh2/libssh2/commit/724effcb47ebb713d3ef1776684b8f6407b4b6a5
+Conflict:NA
+---
+ src/misc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/misc.c b/src/misc.c
+index b386e3d6..398457d4 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -901,7 +901,8 @@ int _libssh2_copy_string(LIBSSH2_SESSION *session, struct string_buf *buf,
+ }
+ }
+ else {
+- *outlen = 0;
++ if(outlen)
++ *outlen = 0;
+ *outbuf = NULL;
+ }
+
+--
+2.27.0
+
diff --git a/backport-Add-a-new-structure-to-separate-memory-read-and-file.patch b/backport-Add-a-new-structure-to-separate-memory-read-and-file.patch
new file mode 100644
index 0000000000000000000000000000000000000000..562d3ecae910796f9a31a9286b42571f31ff2182
--- /dev/null
+++ b/backport-Add-a-new-structure-to-separate-memory-read-and-file.patch
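Review bot: The NULL guard on `outlen` covers only the empty-string branch of `_libssh2_copy_string`; the success branch earlier in the function is outside this hunk, and if it still writes `*outlen` unconditionally a caller that passes NULL simply crashes there instead. Both branches should agree, and the relaxed contract belongs on the function itself, e.g. `/* outlen may be NULL when the caller does not need the length; outbuf must not be */`. The new two-line `if(outlen)` also drops the braces the enclosing `else {` uses; `if(outlen) { *outlen = 0; }` is the safer form to edit later. The rest of `_libssh2_copy_string` is outside the hunk.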
@@ -0,0 +1,74 @@
+From 63b4c20eb031227d040a3aca3224c80189411464 Mon Sep 17 00:00:00 2001
+From: renmingshuai
+Date: Tue, 1 Aug 2023 12:36:24 +0800
+Subject: [PATCH] Add a new structure to separate memory read and file read. We
+ use different APIs when we read one private key from memory, so it is
+ improper to store the private key information in the structure that stores
+ the private key file information.
+
+Fixes https://github.com/libssh2/libssh2/issues/773
+Reported-by: mike-jumper
+
+Reference:https://github.com/libssh2/libssh2/commit/63b4c20eb031227d040a3aca3224c80189411464
+Conflict:NA
+---
+ src/userauth.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index 5ce4ccb1..c382e661 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -818,11 +818,17 @@ struct privkey_file {
+ const char *passphrase;
+ };
+
++struct privkey_mem {
++ const char *passphrase;
++ const char *data;
++ size_t data_len;
++};
++
+ static int
+ sign_frommemory(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
+ const unsigned char *data, size_t data_len, void **abstract)
+ {
+- struct privkey_file *pk_file = (struct privkey_file *) (*abstract);
++ struct privkey_mem *pk_mem = (struct privkey_mem *) (*abstract);
+ const LIBSSH2_HOSTKEY_METHOD *privkeyobj;
+ void *hostkey_abstract;
+ struct iovec datavec;
+@@ -831,9 +837,9 @@ sign_frommemory(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
+ rc = memory_read_privatekey(session, &privkeyobj, &hostkey_abstract,
+ session->userauth_pblc_method,
+ session->userauth_pblc_method_len,
+- pk_file->filename,
+- strlen(pk_file->filename),
+- pk_file->passphrase);
++ pk_mem->data,
++ pk_mem->data_len,
++ pk_mem->passphrase);
+ if(rc)
+ return rc;
+
+@@ -1835,12 +1841,13 @@ userauth_publickey_frommemory(LIBSSH2_SESSION *session,
+ {
+ unsigned char *pubkeydata = NULL;
+ size_t pubkeydata_len = 0;
+- struct privkey_file privkey_file;
+- void *abstract = &privkey_file;
++ struct privkey_mem privkey_mem;
++ void *abstract = &privkey_mem;
+ int rc;
+
+- privkey_file.filename = privatekeydata;
+- privkey_file.passphrase = passphrase;
++ privkey_mem.data = privatekeydata;
++ privkey_mem.data_len = privatekeydata_len;
++ privkey_mem.passphrase = passphrase;
+
+ if(session->userauth_pblc_state == libssh2_NB_state_idle) {
+ if(publickeydata_len && publickeydata) {
+--
+2.27.0
+
diff --git a/backport-Fix-an-out-of-bounds-read-in-_libssh2_kex_agree_inst.patch b/backport-Fix-an-out-of-bounds-read-in-_libssh2_kex_agree_inst.patch
new file mode 100644
index 0000000000000000000000000000000000000000..59e10ff8971dd449c993a3481fff8ccddb7ef3ae
--- /dev/null
+++ b/backport-Fix-an-out-of-bounds-read-in-_libssh2_kex_agree_inst.patch
@@ -0,0 +1,27 @@
+From f52ffc1ccdedcd5a885e85c2d0f0cb872b2b0a7f Mon Sep 17 00:00:00 2001
+From: Michael Buckley
+Date: Mon, 8 Jan 2024 15:04:52 -0800
+Subject: [PATCH] Fix an out-of-bounds read in _libssh2_kex_agree_instr when
+ searching for a KEX not in the server list (#1302)
+
+Reference:https://github.com/libssh2/libssh2/commit/f52ffc1ccdedcd5a885e85c2d0f0cb872b2b0a7f
+Conflict:NA
+---
+ src/kex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/kex.c b/src/kex.c
+index a7b301e1..65973297 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -3349,6 +3349,7 @@ _libssh2_kex_agree_instr(unsigned char *haystack, size_t haystack_len,
+ left = end_haystack - s;
+ if((left >= 1) && (left <= haystack_len) && (left > needle_len)) {
+ s++;
++ left--;
+ }
+ else {
+ return NULL;
+--
+2.33.0
+
diff --git a/backport-Fix-unstable-connections-over-nonblocking-sockets.patch b/backport-Fix-unstable-connections-over-nonblocking-sockets.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7a37e18aef373d7c710dd6cb0b7ceee087890e9f
--- /dev/null
+++ b/backport-Fix-unstable-connections-over-nonblocking-sockets.patch
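Review bot: `struct privkey_mem` carries no comment saying that `data` is raw key material whose length is `data_len` and that it need not be NUL-terminated, which is the whole reason it was split from `privkey_file` (the old `strlen(pk_file->filename)` could read past a key blob that has no terminator). Suggested comment above the struct: `/* Private key supplied in memory: data is data_len bytes of key material, not a NUL-terminated string. */`. In `userauth_publickey_frommemory`, `privkey_mem.data_len = privatekeydata_len;` is stored without the `len && ptr` validation the public key gets on the last visible line; unless `memory_read_privatekey` rejects a NULL or zero-length private key itself (outside this hunk), that check belongs here too. Both `sign_frommemory` and `userauth_publickey_frommemory` continue past the hunk.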
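Review bot: `left--` restores the invariant that `left` equals `end_haystack - s` after `s++`, which is what bounds the `memchr()` in the loop condition and, presumably, the comparison against `needle` that follows outside the hunk, but nothing in the code says so and the previous version lost it silently. A one-line comment would protect the fix from the next refactor: `left--; /* keep left == end_haystack - s: it bounds the following memchr()/compare */`. The enclosing loop of `_libssh2_kex_agree_instr` starts and ends outside the hunk, so it is worth confirming there is no other place where `s` advances without adjusting `left`.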
@@ -0,0 +1,47 @@
+From de0048759b871ee61bbd98619daff16be95a3e67 Mon Sep 17 00:00:00 2001
+From: rolag <10981866+rolag@users.noreply.github.com>
+Date: Fri, 27 Sep 2024 15:52:47 +0000
+Subject: [PATCH] Fix unstable connections over nonblocking sockets (#1454)
+
+ The `send_existing()` function allows partially sent packets to be sent
+ fully before any further packets are sent. Originally this returned
+ `LIBSSH2_ERROR_BAD_USE` when a different caller or thread tried to send
+ an existing packet created by a different caller or thread causing the
+ connection to disconnect. Commit 33dddd2f8ac3bc81 removed the return
+ allowing any caller to continue sending another caller's packet. This
+ caused connection instability as discussed in #1397 and confused the
+ client and server causing occasional duplicate packets to be sent and
+ giving the error `rcvd too much data` as discussed in #1431. We return
+ `LIBSSH2_ERROR_EAGAIN` instead to allow existing callers to finish
+ sending their own packets.
+
+ Fixes #1397
+ Fixes #1431
+ Related #720
+
+ Credit: klux21, rolag
+
+Conflict:NA
+Reference:https://github.com/libssh2/libssh2/commit/de0048759b871ee61bbd98619daff16be95a3e67
+
+---
+ src/transport.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/transport.c b/src/transport.c
+index 3b30ff8..bbe7f5b 100644
+--- a/src/transport.c
++++ b/src/transport.c
+@@ -782,7 +782,8 @@ send_existing(LIBSSH2_SESSION *session, const unsigned char *data,
+ make the caller really notice his/hers flaw, we return error for
+ this case */
+ _libssh2_debug((session, LIBSSH2_TRACE_SOCKET,
+- "Address is different, but will resume nonetheless"));
++ "Address is different, returning EAGAIN"));
++ return LIBSSH2_ERROR_EAGAIN;
+ }
+
+ *ret = 1; /* set to make our parent return */
+--
+2.43.0
+
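Review bot: The early `return LIBSSH2_ERROR_EAGAIN;` leaves `*ret` untouched, while the code two lines below sets `*ret = 1` before `send_existing` hands control back; if the caller (outside this hunk) consults `*ret` before checking the return code it would act on stale state, so either set `*ret = 0;` before the return or confirm the caller only reads `*ret` on success. The comment ending in `we return error for this case */` should also name the new behaviour so a reader does not expect a hard failure, e.g. `/* another caller is trying to finish someone else's packet: report EAGAIN so the owner can complete it */`. Since the foreign caller will now keep getting EAGAIN until the owner resumes, a word on that in the sending API's documentation would help users who retry in a tight loop.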
diff --git a/backport-Prevent-possible-double-free-of-hostkey.patch b/backport-Prevent-possible-double-free-of-hostkey.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cf199772fbcd13af1c65e2c3842a5cf8fcd4f152
--- /dev/null
+++ b/backport-Prevent-possible-double-free-of-hostkey.patch
@@ -0,0 +1,33 @@
+From b3465418471ffa4cf0bbe1e8f28c4d007f060f99 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove
+Date: Tue, 10 Sep 2024 09:35:26 -0700
+Subject: [PATCH] Prevent possible double free of hostkey (#1452)
+ NULL server hostkey based on fuzzer failure case.
+
+Conflict:NA
+Reference:https://github.com/libssh2/libssh2/commit/b3465418471ffa4cf0bbe1e8f28c4d007f060f99
+
+---
+ src/kex.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index 5f381ec..7053316 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -379,8 +379,11 @@ static int diffie_hellman_sha_algo(LIBSSH2_SESSION *session,
+ buf.dataptr = buf.data;
+ buf.dataptr++; /* advance past type */
+
+- if(session->server_hostkey)
++ if(session->server_hostkey) {
+ LIBSSH2_FREE(session, session->server_hostkey);
++ session->server_hostkey = NULL;
++ session->server_hostkey_len = 0;
++ }
+
+ if(_libssh2_copy_string(session, &buf, &(session->server_hostkey),
+ &host_key_len)) {
+--
+2.43.0
+
diff --git a/backport-We-should-check-whether-key_method-is-a-NULL-pointer.patch b/backport-We-should-check-whether-key_method-is-a-NULL-pointer.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7c86e25ca58141ed81057fd0f16f67dedf77a305
--- /dev/null
+++ b/backport-We-should-check-whether-key_method-is-a-NULL-pointer.patch
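Review bot: Resetting `server_hostkey` and `server_hostkey_len` fixes this site, but the same free-without-reset pattern may exist wherever else `session->server_hostkey` is released (session teardown or other KEX paths, all outside this hunk); a small static helper that frees and zeroes both fields together would stop the next double free before a fuzzer finds it. The reset also deserves a why-comment, since the `_libssh2_copy_string` call on the next line can fail and then leaves whatever the fields held: `/* drop any hostkey from an earlier, possibly failed, exchange; copy_string below may fail and must not leave a dangling pointer behind */`. `diffie_hellman_sha_algo` continues outside the hunk.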
@@ -0,0 +1,30 @@
+From bec57c409d40822a23f03d2136f33b75b01b4b58 Mon Sep 17 00:00:00 2001
+From: renmingshuai
+Date: Sat, 1 Jul 2023 10:14:48 +0800
+Subject: [PATCH] We should check whether *key_method is a NULL pointer instead
+ of key_method
+
+Signed-off-by: renmingshuai
+
+Reference:https://github.com/libssh2/libssh2/commit/bec57c409d40822a23f03d2136f33b75b01b4b58
+Conflict:NA
+---
+ src/userauth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index e7578759..5ce4ccb1 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -1410,7 +1410,7 @@ _libssh2_key_sign_algorithm(LIBSSH2_SESSION *session,
+ LIBSSH2_FREE(session, *key_method);
+
+ *key_method = LIBSSH2_ALLOC(session, match_len);
+- if(key_method) {
++ if(*key_method) {
+ memcpy(*key_method, match, match_len);
+ *key_method_len = match_len;
+ }
+--
+2.27.0
+
diff --git a/backport-buildconf-drop.patch b/backport-buildconf-drop.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ee79c06a17546cbd9d0454c9efcbcd0732959fbf
--- /dev/null
+++ b/backport-buildconf-drop.patch
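Review bot: With `if(*key_method)` the allocation-failure path now falls through silently: the old value was just released by `LIBSSH2_FREE` and `*key_method` is NULL, but `*key_method_len` keeps its previous value and no error is raised in the visible lines, so a caller can be handed a NULL method paired with a non-zero length. An else branch closes that gap, e.g. `else { *key_method_len = 0; return _libssh2_error(session, LIBSSH2_ERROR_ALLOC, "out of memory"); }`, assuming `_libssh2_key_sign_algorithm` returns an int status like its neighbours. The rest of the function is outside the hunk, so check the return type before adopting the early return.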
@@ -0,0 +1,72 @@
+From 814a850c97b0d535341868b4aefdfe76179330e9 Mon Sep 17 00:00:00 2001
+From: Viktor Szakats
+Date: Tue, 6 Aug 2024 12:55:05 +0200
+Subject: [PATCH] buildconf: drop
+ Use `autoreconf -fi` instead.
+
+Conflict:NA
+Reference:https://github.com/libssh2/libssh2/commit/814a850c97b0d535341868b4aefdfe76179330e9
+---
+ Makefile.am | 2 +-
+ Makefile.in | 2 +-
+ buildconf | 8 --------
+ tests/ossfuzz/ossfuzz.sh | 2 +-
+ 4 files changed, 3 insertions(+), 11 deletions(-)
+ delete mode 100755 buildconf
+
+diff --git a/Makefile.am b/Makefile.am
+index 677be76..9f4252e 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -38,7 +38,7 @@ OS400FILES = os400/README400 os400/initscript.sh os400/make.sh \
+ EXTRA_DIST = $(WIN32FILES) get_ver.awk \
+ maketgz RELEASE-NOTES libssh2.pc.in $(VMSFILES) config.rpath \
+ CMakeLists.txt cmake git2news.pl libssh2-style.el README.md $(OS400FILES) \
+- buildconf Makefile.mk
++ Makefile.mk
+
+ ACLOCAL_AMFLAGS = -I m4
+
+diff --git a/Makefile.in b/Makefile.in
+index ec124e2..e45cabc 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -427,7 +427,7 @@ OS400FILES = os400/README400 os400/initscript.sh os400/make.sh \
+ EXTRA_DIST = $(WIN32FILES) get_ver.awk \
+ maketgz RELEASE-NOTES libssh2.pc.in $(VMSFILES) config.rpath \
+ CMakeLists.txt cmake git2news.pl libssh2-style.el README.md $(OS400FILES) \
+- buildconf Makefile.mk
++ Makefile.mk
+
+ ACLOCAL_AMFLAGS = -I m4
+ all: all-recursive
+diff --git a/buildconf b/buildconf
+deleted file mode 100755
+index 1649f37..0000000
+--- a/buildconf
++++ /dev/null
+@@ -1,8 +0,0 @@
+-#!/bin/sh
+-
+-echo "***" >&2
+-echo "*** Do not use buildconf. Instead, use: autoreconf -fi" >&2
+-echo "*** Doing it for you now, but buildconf may disappear in the future." >&2
+-echo "***" >&2
+-
+-exec ${AUTORECONF:-autoreconf} -fi "${@}"
+diff --git a/tests/ossfuzz/ossfuzz.sh b/tests/ossfuzz/ossfuzz.sh
+index 7925fb7..032b686 100755
+--- a/tests/ossfuzz/ossfuzz.sh
++++ b/tests/ossfuzz/ossfuzz.sh
+@@ -22,7 +22,7 @@ export MAKEFLAGS
+ apt-get -y install automake libtool libssl-dev zlib1g-dev
+
+ # Compile the fuzzer.
+-./buildconf
++autoreconf -fi
+ ./configure --disable-shared \
+ --enable-ossfuzzers \
+ --disable-examples-build \
+--
+2.43.0
+
diff --git a/backport-openssl-fix-cppcheck-found-NULL-dereferences-1304.patch b/backport-openssl-fix-cppcheck-found-NULL-dereferences-1304.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7b1dd6905bd39c34331c022de4f27310a3fc1247
--- /dev/null
+++ b/backport-openssl-fix-cppcheck-found-NULL-dereferences-1304.patch
@@ -0,0 +1,170 @@
+From f2945905fbae7728869bffb9e034604cafcffb49 Mon Sep 17 00:00:00 2001
+From: Ryan Kelley
+Date: Thu, 18 Jan 2024 14:37:52 -0500
+Subject: [PATCH] openssl: fix cppcheck found NULL dereferences (#1304)
+
+* Fix NULL dereference in gen_publickey_from_rsa_evp and
+ gen_publickey_from_dsa_evp.
+* Add checks for en_publickey_from_ec_evp and en_publickey_from_ed_evp
+
+Reference:https://github.com/libssh2/libssh2/commit/f2945905fbae7728869bffb9e034604cafcffb49
+Conflict:b0ab005fe792(openssl: use non-deprecated APIs with OpenSSL3.x)
+ ed439a29bb04(Support for sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys)
+
+---
+ src/openssl.c | 83 ++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 53 insertions(+), 30 deletions(-)
+
+diff --git a/src/openssl.c b/src/openssl.c
+index 919a8d9..905af3e 100644
+--- a/src/openssl.c
++++ b/src/openssl.c
+@@ -820,10 +820,14 @@ gen_publickey_from_rsa_evp(LIBSSH2_SESSION *session,
+ RSA_free(rsa);
+
+ memcpy(method_buf, "ssh-rsa", 7);
+- *method = method_buf;
+- *method_len = 7;
+- *pubkeydata = key;
+- *pubkeydata_len = key_len;
++ *method = method_buf;
++ if(method_len) {
++ *method_len = 7;
++ }
++ *pubkeydata = key;
++ if(pubkeydata_len) {
++ *pubkeydata_len = key_len;
++ }
+ return 0;
+
+ __alloc_error:
+@@ -1219,10 +1223,14 @@ gen_publickey_from_dsa_evp(LIBSSH2_SESSION *session,
+ DSA_free(dsa);
+
+ memcpy(method_buf, "ssh-dss", 7);
+- *method = method_buf;
+- *method_len = 7;
+- *pubkeydata = key;
+- *pubkeydata_len = key_len;
++ *method = method_buf;
++ if(method_len) {
++ *method_len = 7;
++ }
++ *pubkeydata = key;
++ if(pubkeydata_len) {
++ *pubkeydata_len = key_len;
++ }
+ return 0;
+
+ __alloc_error:
+@@ -1589,10 +1597,14 @@ gen_publickey_from_ed_evp(LIBSSH2_SESSION *session,
+ goto fail;
+ }
+
+- *method = methodBuf;
+- *method_len = sizeof(methodName) - 1;
+- *pubkeydata = keyBuf;
+- *pubkeydata_len = bufLen;
++ *method = methodBuf;
++ if(method_len) {
++ *method_len = sizeof(methodName) - 1;
++ }
++ *pubkeydata = keyBuf;
++ if(pubkeydata_len) {
++ *pubkeydata_len = bufLen;
++ }
+ return 0;
+
+ fail:
+@@ -2561,6 +2573,7 @@ gen_publickey_from_ec_evp(LIBSSH2_SESSION *session,
+ unsigned char *p;
+ unsigned char *method_buf = NULL;
+ unsigned char *key;
++ size_t method_buf_len = 0;
+ size_t key_len = 0;
+ unsigned char *octal_value = NULL;
+ size_t octal_len;
+@@ -2588,24 +2601,29 @@ gen_publickey_from_ec_evp(LIBSSH2_SESSION *session,
+ type = _libssh2_ecdsa_get_curve_type(ec);
+
+ if(is_sk)
+- *method_len = 34;
++ method_buf_len = 34;
+ else
+- *method_len = 19;
++ method_buf_len = 19;
+
+- method_buf = LIBSSH2_ALLOC(session, *method_len);
++ method_buf = LIBSSH2_ALLOC(session, method_buf_len);
+ if(!method_buf) {
+ return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+ "out of memory");
+ }
+
+- if(is_sk)
+- memcpy(method_buf, "sk-ecdsa-sha2-nistp256@openssh.com", *method_len);
+- else if(type == LIBSSH2_EC_CURVE_NISTP256)
+- memcpy(method_buf, "ecdsa-sha2-nistp256", *method_len);
+- else if(type == LIBSSH2_EC_CURVE_NISTP384)
+- memcpy(method_buf, "ecdsa-sha2-nistp384", *method_len);
+- else if(type == LIBSSH2_EC_CURVE_NISTP521)
+- memcpy(method_buf, "ecdsa-sha2-nistp521", *method_len);
++ if(is_sk) {
++ memcpy(method_buf, "sk-ecdsa-sha2-nistp256@openssh.com",
++ method_buf_len);
++ }
++ else if(type == LIBSSH2_EC_CURVE_NISTP256) {
++ memcpy(method_buf, "ecdsa-sha2-nistp256", method_buf_len);
++ }
++ else if(type == LIBSSH2_EC_CURVE_NISTP384) {
++ memcpy(method_buf, "ecdsa-sha2-nistp384", method_buf_len);
++ }
++ else if(type == LIBSSH2_EC_CURVE_NISTP521) {
++ memcpy(method_buf, "ecdsa-sha2-nistp521", method_buf_len);
++ }
+ else {
+ _libssh2_debug((session,
+ LIBSSH2_TRACE_ERROR,
+@@ -2636,9 +2654,9 @@ gen_publickey_from_ec_evp(LIBSSH2_SESSION *session,
+ goto clean_exit;
+ }
+
+- /* Key form is: type_len(4) + type(method_len) + domain_len(4) + domain(8)
+- + pub_key_len(4) + pub_key(~65). */
+- key_len = 4 + *method_len + 4 + 8 + 4 + octal_len;
++ /* Key form is: type_len(4) + type(method_buf_len) + domain_len(4)
++ + domain(8) + pub_key_len(4) + pub_key(~65). */
++ key_len = 4 + method_buf_len + 4 + 8 + 4 + octal_len;
+ key = LIBSSH2_ALLOC(session, key_len);
+ if(!key) {
+ rc = -1;
+@@ -2649,7 +2667,7 @@ gen_publickey_from_ec_evp(LIBSSH2_SESSION *session,
+ p = key;
+
+ /* Key type */
+- _libssh2_store_str(&p, (const char *)method_buf, *method_len);
++ _libssh2_store_str(&p, (const char *)method_buf, method_buf_len);
+
+ /* Name domain */
+ if(is_sk) {
+@@ -2662,9 +2680,14 @@ gen_publickey_from_ec_evp(LIBSSH2_SESSION *session,
+ /* Public key */
+ _libssh2_store_str(&p, (const char *)octal_value, octal_len);
+
+- *method = method_buf;
+- *pubkeydata = key;
+- *pubkeydata_len = key_len;
++ *method = method_buf;
++ if(method_len) {
++ *method_len = method_buf_len;
++ }
++ *pubkeydata = key;
++ if(pubkeydata_len) {
++ *pubkeydata_len = key_len;
++ }
+
+ clean_exit:
+
+--
+2.33.0
+
diff --git a/backport-session-support-server-banners-up-to-8192-bytes-was-256.patch b/backport-session-support-server-banners-up-to-8192-bytes-was-256.patch
new file mode 100644
index 0000000000000000000000000000000000000000..98e6b849910a806ee5642615af2961e521e9befa
--- /dev/null
+++ b/backport-session-support-server-banners-up-to-8192-bytes-was-256.patch
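Review bot: The new guards make `method_len` and `pubkeydata_len` optional in four functions while `*method` and `*pubkeydata` are still written unconditionally, and nothing states which out-parameters may be NULL; a caller that passes NULL for `pubkeydata_len` receives an allocated blob of unknown length, which it cannot safely use or free correctly sized. Put the contract in each function's header comment, e.g. `/* method_len and pubkeydata_len may be NULL; method and pubkeydata must not be */`, and consider whether the call sites cppcheck flagged should pass real pointers instead. The same eight-line store sequence is now repeated in `gen_publickey_from_rsa_evp`, `gen_publickey_from_dsa_evp`, `gen_publickey_from_ed_evp` and `gen_publickey_from_ec_evp`; a small static helper taking the four out-pointers and the two values would keep them from drifting apart. In `gen_publickey_from_ec_evp` the `else` branch after the curve-type chain and the `clean_exit` label are both cut by the hunk boundaries, so check that `method_buf` is released on the unknown-curve path.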
@@ -0,0 +1,38 @@
+From 1a9e8811f7fa7538a52e2dd0150a094368471bf3 Mon Sep 17 00:00:00 2001
+From: Anders Borum
+Date: Tue, 8 Oct 2024 08:11:02 +0200
+Subject: [PATCH] session: support server banners up to 8192 bytes (was: 256)
+
+ If server had banner exceeding 256 bytes there wasn't enough room in
+ `_LIBSSH2_SESSION.banner_TxRx_banner`. Only the first 256 bytes would be
+ read making the first packet read fail but also dooming key exchange as
+ `session->remote.banner` didn't include everything.
+
+ This change bumps the banner buffer to 8KB to match OpenSSH.
+
+ Fixes #1442
+ Closes #1443
+
+Reference:https://github.com/libssh2/libssh2/commit/1a9e8811f7fa7538a52e2dd0150a094368471bf3
+Conflict:NA
+
+---
+ src/libssh2_priv.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
+index ee1d8b5..b1f32b1 100644
+--- a/src/libssh2_priv.h
++++ b/src/libssh2_priv.h
+@@ -742,7 +742,7 @@ struct _LIBSSH2_SESSION
+
+ /* State variables used in libssh2_banner_send() */
+ libssh2_nonblocking_states banner_TxRx_state;
+- char banner_TxRx_banner[256];
++ char banner_TxRx_banner[8192];
+ ssize_t banner_TxRx_total_send;
+
+ /* State variables used in libssh2_kexinit() */
+--
+2.43.0
+
diff --git a/backport-userauth-avoid-oob-with-huge-interactive-kbd-respons.patch b/backport-userauth-avoid-oob-with-huge-interactive-kbd-respons.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ab40fe01a334dd009a48d29cec076dc8e5b8aa7d
--- /dev/null
+++ b/backport-userauth-avoid-oob-with-huge-interactive-kbd-respons.patch
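Review bot: `8192` is now a magic number embedded in `struct _LIBSSH2_SESSION`, and the code that fills `banner_TxRx_banner` (the receive path, outside this hunk) must bound its reads with `sizeof(session->banner_TxRx_banner)` rather than a literal 256, otherwise the larger buffer is never used or, worse, the read bound and the buffer size disagree. A named constant beside the struct, e.g. `#define LIBSSH2_BANNER_TXRX_MAX 8192 /* matches the OpenSSH banner limit */` (name as the project prefers), used for both the array and the reader, would tie the two together. The session object also grows by about 8 KB, which is worth a note for applications that keep many sessions alive.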
@@ -0,0 +1,52 @@
+From a6a9093b39824a00258f96a5301a844b4d870cdc Mon Sep 17 00:00:00 2001
+From: Viktor Szakats
+Date: Thu, 28 Mar 2024 16:59:58 +0000
+Subject: [PATCH] userauth: avoid oob with huge interactive kbd response
+
+- If the length of a response is `UINT_MAX - 3` or larger, an unsigned
+ integer overflow occurs on 64-bit systems. Avoid such truncation to
+ always allocate enough memory to avoid subsequent out of boundary
+ writes.
+
+ Patch-by: Tobias Stoeckmann
+
+- also add FIXME to bump up length field to `size_t` (ABI break)
+
+Closes #1337
+
+Reference:https://github.com/libssh2/libssh2/commit/a6a9093b39824a00258f96a5301a844b4d870cdc
+Conflict:NA
+---
+ include/libssh2.h | 2 +-
+ src/userauth.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/libssh2.h b/include/libssh2.h
+index 8bc8a138..71673801 100644
+--- a/include/libssh2.h
++++ b/include/libssh2.h
+@@ -292,7 +292,7 @@ typedef struct _LIBSSH2_USERAUTH_KBDINT_PROMPT
+ typedef struct _LIBSSH2_USERAUTH_KBDINT_RESPONSE
+ {
+ char *text;
+- unsigned int length;
++ unsigned int length; /* FIXME: change type to size_t */
+ } LIBSSH2_USERAUTH_KBDINT_RESPONSE;
+
+ typedef struct _LIBSSH2_SK_SIG_INFO {
+diff --git a/src/userauth.c b/src/userauth.c
+index 60fd48e4..43df3e15 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -2188,7 +2188,7 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
+ if(session->userauth_kybd_responses[i].length <=
+ (SIZE_MAX - 4 - session->userauth_kybd_packet_len)) {
+ session->userauth_kybd_packet_len +=
+- 4 + session->userauth_kybd_responses[i].length;
++ 4 + (size_t)session->userauth_kybd_responses[i].length;
+ }
+ else {
+ _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+--
+2.33.0
+
diff --git a/libssh2.spec b/libssh2.spec
index eafd8b1e25c3dac01b350aaf03e9ac85d2947788..bf71ec392e93f8170b6041a0f64a4617cfb7ec0e 100644
--- a/libssh2.spec
+++ b/libssh2.spec
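Review bot: The `(size_t)` cast is load-bearing and deserves a comment, because `4 + length` is otherwise evaluated in `unsigned int` and wraps for lengths at or above `UINT_MAX - 3` before the result is widened for the `+=`, which is exactly the truncation the commit describes; a later cleanup could remove the cast as redundant and silently reintroduce the undersized allocation. Suggest `4 + (size_t)session->userauth_kybd_responses[i].length; /* widen first: the sum must not wrap in unsigned int */`. The guarding comparison on the two lines above is already fine as written, since `length` is promoted to `size_t` against `SIZE_MAX - 4 - packet_len`, so only the addition needed the cast. The `FIXME` on the public `length` field should mention that the fix above depends on widening until the type changes.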
@@ -1,6 +1,6 @@ Name: libssh2 Version: 1.11.0 -Release: 3 +Release: 4 Summary: A library implementing the SSH2 protocol License: BSD URL: https://www.libssh2.org/ @@ -8,6 +8,16 @@ Source0: https://libssh2.org/download/libssh2-%{version}.tar.gz Patch0: backport-src-add-strict-KEX-to-fix-CVE-2023-48795-Terrapin-At.patch Patch1: libssh2-1.11.0-strict-modes.patch +Patch2: backport-Add-NULL-pointer-check-for-outlen-before-use-1109.patch +Patch3: backport-We-should-check-whether-key_method-is-a-NULL-pointer.patch +Patch4: backport-Add-a-new-structure-to-separate-memory-read-and-file.patch +Patch5: backport-Fix-an-out-of-bounds-read-in-_libssh2_kex_agree_inst.patch +Patch6: backport-openssl-fix-cppcheck-found-NULL-dereferences-1304.patch +Patch7: backport-userauth-avoid-oob-with-huge-interactive-kbd-respons.patch +Patch8: backport-buildconf-drop.patch +Patch9: backport-Prevent-possible-double-free-of-hostkey.patch +Patch10: backport-Fix-unstable-connections-over-nonblocking-sockets.patch +Patch11: backport-session-support-server-banners-up-to-8192-bytes-was-256.patch BuildRequires: coreutils findutils /usr/bin/man zlib-devel BuildRequires: gcc make sed openssl-devel > 1:1.0.2 openssh-server @@ -87,6 +97,12 @@ LC_ALL=en_US.UTF-8 make -C tests check %{_mandir}/man3/libssh2_*.3* %changelog +* Tue Oct 29 2024 bitianyuan - 1.11.0-4 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:backport some upstream patches + * Tue Jun 04 2024 yueyuankun - 1.11.0-3 - Type:bugfix - ID:NA