From 28be644ac55f27013fb426cbbbf42d74faa7d6c9 Mon Sep 17 00:00:00 2001
From: Diego Herrera
Date: Nov 28 2022 21:04:54 +0000
Subject: Backported CVE-2022-21716 fix from upstream
---
diff --git a/0002-CVE-2022-21716.patch b/0002-CVE-2022-21716.patch
new file mode 100644
index 0000000..21168f0
--- /dev/null
+++ b/0002-CVE-2022-21716.patch
@@ -0,0 +1,51 @@
+diff --git a/src/twisted/conch/ssh/transport.py b/src/twisted/conch/ssh/transport.py
+index bd76b0a..a477d27 100644
+--- a/src/twisted/conch/ssh/transport.py
++++ b/src/twisted/conch/ssh/transport.py
+@@ -677,6 +677,14 @@ class SSHTransportBase(protocol.Protocol):
+ """
+ self.buf = self.buf + data
+ if not self.gotVersion:
++ if len(self.buf) > 4096:
++ self.sendDisconnect(
++ DISCONNECT_CONNECTION_LOST,
++ b"Peer version string longer than 4KB. "
++ b"Preventing a denial of service attack.",
++ )
++ return
++
+ if self.buf.find(b'\n', self.buf.find(b'SSH-')) == -1:
+ return
+
+diff --git a/src/twisted/conch/test/test_transport.py b/src/twisted/conch/test/test_transport.py
+index 98a3515..449dd3f 100644
+--- a/src/twisted/conch/test/test_transport.py
++++ b/src/twisted/conch/test/test_transport.py
+@@ -522,6 +522,27 @@ class BaseSSHTransportTests(BaseSSHTransportBaseCase, TransportTestCase):
+ r')*$')
+ self.assertRegex(softwareVersion, softwareVersionRegex)
+
++ def test_dataReceiveVersionNotSentMemoryDOS(self):
++ """
++ When the peer is not sending its SSH version but keeps sending data,
++ the connection is disconnected after 4KB to prevent buffering too
++ much and running our of memory.
++ """
++ sut = MockTransportBase()
++ sut.makeConnection(self.transport)
++
++ # Data can be received over multiple chunks.
++ sut.dataReceived(b"SSH-2-Server-Identifier")
++ sut.dataReceived(b"1234567890" * 406)
++ sut.dataReceived(b"1235678")
++ self.assertFalse(self.transport.disconnecting)
++
++ # Here we are going over the limit.
++ sut.dataReceived(b"1234567")
++ # Once a lot of data is received without an SSH version string,
++ # the transport is disconnected.
++ self.assertTrue(self.transport.disconnecting)
++ self.assertIn(b"Preventing a denial of service attack", self.transport.value())
+
+ def test_sendPacketPlain(self):
+ """
diff --git a/python-twisted.spec b/python-twisted.spec
index f962334..dfce909 100644
--- a/python-twisted.spec
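Review bot: In the transport.py hunk the `len(self.buf) > 4096` test runs on the whole receive buffer before the newline search, so it limits everything received ahead of version parsing rather than the version string itself. A peer whose first chunk carries a short, valid `SSH-` line followed by more than 4 KB of further data would be disconnected with a message that blames the version string; whether that happens in practice depends on how peers pipeline their first packets. One option is to apply the limit only in the branch where no terminator has been found yet, or to bound the offset returned by `self.buf.find(b'\n', ...)` instead of the buffer length. `DISCONNECT_PROTOCOL_ERROR` would also describe this condition more accurately than `DISCONNECT_CONNECTION_LOST`. The body of `dataReceived` starts and continues outside the hunk, so the handling after the early `return` is not visible here.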
+++ b/python-twisted.spec @@ -7,7 +7,7 @@ and more.} Name: python-%{pypi_name} Version: 19.10.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Twisted is a networking engine written in Python License: MIT @@ -20,6 +20,9 @@ Patch1: 0001-Import-gobject-from-gi.repository-in-Python-3.patch # CVE-2020-10109 Patch2: https://github.com/twisted/twisted/commit/d2f6dd9b3766509f40c980aac67ca8475da67c6f.patch#/0001-Refactor-to-reduce-duplication.patch Patch3: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281.patch#/0001-Fix-several-request-smuggling-attacks.patch +# Backported CVE-2022-21716 fix +# https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1.patch +Patch4: 0002-CVE-2022-21716.patch %description %{common_description} @@ -134,6 +137,9 @@ PATH=%{buildroot}%{_bindir}:$PATH PYTHONPATH=%{buildroot}%{python3_sitearch} %{b %changelog +* Mon Nov 28 17:45:05 CLT 2022 Diego Herrera - 19.10.0-3 +- Backported CVE-2022-21716 fix from upstream + * Tue Mar 17 16:31:05 CET 2020 Robert-André Mauchin - 19.10.0-2 - Security fix for CVE-2020-10108 (#1813439, #1813442) - Security fix for CVE-2020-10109 (#1813447, #1813450)
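Review bot: The `Patch4:` line in the second hunk only declares the patch; the `%prep` section that applies patches is outside this diff, so it is not visible whether 0002-CVE-2022-21716.patch is actually applied at build time. If the spec uses numbered `%patch` lines rather than `%autosetup` or `%autopatch`, a matching line for patch 4 is needed, otherwise the package would ship with the fix unapplied. Patch2 and Patch3 point at upstream commit URLs while Patch4 is a local file, so if it was adapted for 19.10.0 the comment should say so, e.g. `# Backported CVE-2022-21716 fix (local backport of the upstream commit below)`.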