From 7dfb17d3cbfbeab5f6730ce1bcfba1d79a72cd1f Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Mar 19 2019 12:20:07 +0000
Subject: Update to 1.8.1 - New upstream release 1.8.1 - Fixed possible integer overflow when reading a specially crafted packet (CVE-2019-3855) - Fixed possible integer overflow in userauth_keyboard_interactive with a number of extremely long prompt strings (CVE-2019-3863) - Fixed possible integer overflow if the server sent an extremely large number of keyboard prompts (CVE-2019-3856) - Fixed possible out of bounds read when processing a specially crafted packet (CVE-2019-3861) - Fixed possible integer overflow when receiving a specially crafted exit signal message channel packet (CVE-2019-3857) - Fixed possible out of bounds read when receiving a specially crafted exit status message channel packet (CVE-2019-3862) - Fixed possible zero byte allocation when reading a specially crafted SFTP packet (CVE-2019-3858) - Fixed possible out of bounds reads when processing specially crafted SFTP packets (CVE-2019-3860) - Fixed possible out of bounds reads in _libssh2_packet_require(v) (CVE-2019-3859) - Fix mis-applied patch in the fix of CVE-2019-3859 - https://github.com/libssh2/libssh2/issues/325 - https://github.com/libssh2/libssh2/pull/327
---
diff --git a/74ecd0e1.patch b/74ecd0e1.patch
new file mode 100644
index 0000000..9507602
--- /dev/null
+++ b/74ecd0e1.patch
@@ -0,0 +1,50 @@
+From 74ecd0e10ced2237f32d273784ef8eaf553b9c30 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove
+Date: Mon, 18 Mar 2019 17:36:04 -0700
+Subject: [PATCH] Fixed misapplied patch
+
+Fixes for user auth
+---
+ src/userauth.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index ed804629..c02d81d0 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -107,7 +107,7 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
+ LIBSSH2_FREE(session, session->userauth_list_data);
+ session->userauth_list_data = NULL;
+ 
+- if (rc || (session->userauth_list_data_len < 1)) {
++ if (rc) {
+ _libssh2_error(session, LIBSSH2_ERROR_SOCKET_SEND,
+ "Unable to send userauth-none request");
+ session->userauth_list_state = libssh2_NB_state_idle;
+@@ -127,7 +127,7 @@ static char *userauth_list(LIBSSH2_SESSION *session, const char *username,
+ _libssh2_error(session, LIBSSH2_ERROR_EAGAIN,
+ "Would block requesting userauth list");
+ return NULL;
+- } else if (rc) {
++ } else if (rc || (session->userauth_list_data_len < 1)) {
+ _libssh2_error(session, rc, "Failed getting response");
+ session->userauth_list_state = libssh2_NB_state_idle;
+ return NULL;
+@@ -1172,7 +1172,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
+ NULL, 0);
+ if (rc == LIBSSH2_ERROR_EAGAIN)
+ return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block");
+- else if (rc || (session->userauth_pblc_data_len < 1)) {
++ else if (rc) {
+ LIBSSH2_FREE(session, session->userauth_pblc_packet);
+ session->userauth_pblc_packet = NULL;
+ LIBSSH2_FREE(session, session->userauth_pblc_method);
+@@ -1195,7 +1195,7 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
+ if (rc == LIBSSH2_ERROR_EAGAIN) {
+ return _libssh2_error(session, LIBSSH2_ERROR_EAGAIN, "Would block");
+ }
+- else if (rc) {
++ else if (rc || (session->userauth_pblc_data_len < 1)) {
+ LIBSSH2_FREE(session, session->userauth_pblc_packet);
+ session->userauth_pblc_packet = NULL;
+ LIBSSH2_FREE(session, session->userauth_pblc_method);
diff --git a/libssh2.spec b/libssh2.spec
index 92b352c..36cd9ce 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,11 +1,12 @@
 Name: libssh2
-Version: 1.8.0
-Release: 10%{?dist}
+Version: 1.8.1
+Release: 1%{?dist}
 Summary: A library implementing the SSH2 protocol
 License: BSD
 URL: http://www.libssh2.org/
 Source0: http://libssh2.org/download/libssh2-%{version}.tar.gz
 Patch1: 0001-scp-do-not-NUL-terminate-the-command-for-remote-exec.patch
+Patch2: https://github.com/libssh2/libssh2/commit/74ecd0e1.patch
 
 BuildRequires: coreutils
 BuildRequires: findutils
@@ -62,6 +63,11 @@ developing applications that use libssh2.
 # https://github.com/libssh2/libssh2/pull/208
 %patch1 -p1
 
+# userauth: fix mis-applied patch in the fix of CVE-2019-3859
+# https://github.com/libssh2/libssh2/issues/325
+# https://github.com/libssh2/libssh2/pull/327
+%patch2 -p1
+
 # Replace hard wired port number in the test suite to avoid collisions
 # between 32-bit and 64-bit builds running on a single build-host
 sed -i s/4711/47%{__isa_bits}/ tests/ssh2.{c,sh}
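Review bot: In the second userauth_list hunk of the carried 74ecd0e1.patch, the relocated length check shares a branch with `_libssh2_error(session, rc, "Failed getting response")`, so a reply with rc == 0 but `userauth_list_data_len < 1` records error code 0 while the function returns NULL. A caller that inspects the session's last error after that NULL would then see "no error" for a malformed server packet. A separate branch for the length case, for example `else if (session->userauth_list_data_len < 1) { _libssh2_error(session, LIBSSH2_ERROR_PROTO, "Failed getting response"); ... }`, would keep the rejection visible; that change belongs upstream rather than in this package. Both functions continue outside the hunks, so whether the publickey branch has the same effect cannot be confirmed from here.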
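Review bot: The `Patch2:` URL in the first libssh2.spec hunk identifies the upstream commit only by the abbreviated hash `74ecd0e1`, and the `sources` change shown pins a checksum for the tarball alone, so the carried patch is tied to upstream only by that short reference. The patch's own header gives the full hash; a comment such as `# upstream commit 74ecd0e10ced2237f32d273784ef8eaf553b9c30` above `Patch2:` would let a later auditor confirm the carried file matches upstream without depending on short-hash resolution.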
@@ -131,6 +137,30 @@ LC_ALL=en_US.UTF-8 make -C tests check %{_libdir}/pkgconfig/libssh2.pc %changelog +* Tue Mar 19 2019 Paul Howarth - 1.8.1-1 +- Update to 1.8.1 + - Fixed possible integer overflow when reading a specially crafted packet + (CVE-2019-3855) + - Fixed possible integer overflow in userauth_keyboard_interactive with a + number of extremely long prompt strings (CVE-2019-3863) + - Fixed possible integer overflow if the server sent an extremely large + number of keyboard prompts (CVE-2019-3856) + - Fixed possible out of bounds read when processing a specially crafted + packet (CVE-2019-3861) + - Fixed possible integer overflow when receiving a specially crafted exit + signal message channel packet (CVE-2019-3857) + - Fixed possible out of bounds read when receiving a specially crafted exit + status message channel packet (CVE-2019-3862) + - Fixed possible zero byte allocation when reading a specially crafted SFTP + packet (CVE-2019-3858) + - Fixed possible out of bounds reads when processing specially crafted SFTP + packets (CVE-2019-3860) + - Fixed possible out of bounds reads in _libssh2_packet_require(v) + (CVE-2019-3859) +- Fix mis-applied patch in the fix of CVE-2019-3859 + - https://github.com/libssh2/libssh2/issues/325 + - https://github.com/libssh2/libssh2/pull/327 + * Mon Feb 4 2019 Paul Howarth - 1.8.0-10 - Explicitly run the test suite in the en_US.UTF-8 locale to work around flaky locale settings in mock builders diff --git a/sources b/sources index 8551b1a..d5b4033 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -3d1147cae66e2959ea5441b183de1b1c libssh2-1.8.0.tar.gz +SHA512 (libssh2-1.8.1.tar.gz) = f09ad9ed04d25305b966e7f8c210082fe06c2b236dcd5018b009bd0bd6aaff123d16559d280892a5060760ed055ffe295bc02dc6e8dd1e7b8383c6c703f09290