main/libssh: security fix (CVE-2016-0739). Fixes #5174

author: Leonardo Arena <rnalrd@alpinelinux.org> 2016-02-25 11:03:37 +0000
committer: Leonardo Arena <rnalrd@alpinelinux.org> 2016-02-25 11:22:06 +0000
commit: 8fd14512598c4438817e0c3b405cfa648fc72898 (patch)
tree: dd9b6a426a0baefe44655a7bea7deec15b7df75e /main/libssh
parent: 775b25076f747d4d008d25adbc59ec3bedd69e39 (diff)
download: aports-8fd14512598c4438817e0c3b405cfa648fc72898.tar.bz2
aports-8fd14512598c4438817e0c3b405cfa648fc72898.tar.xz
2 files changed, 72 insertions, 4 deletions
diff --git a/main/libssh/APKBUILD b/main/libssh/APKBUILD
index d16291bd7a..4af3df7f96 100644
--- a/main/libssh/APKBUILD
+++ b/main/libssh/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libssh
 pkgver=0.6.5
-pkgrel=0
+pkgrel=1
 pkgdesc="Library for accessing ssh client services through C libraries"
 url="http://www.libssh.org/"
 arch="all"
@@ -12,6 +12,7 @@ makedepends="openssl-dev cmake doxygen"
 subpackages="$pkgname-dev"
 source="https://red.libssh.org/attachments/download/121/libssh-$pkgver.tar.xz
 	fix-includes.patch
+	CVE-2016-0739.patch
 	"
 
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -44,8 +45,11 @@ package() {
 }
 
 md5sums="fdf107011ae1847d86620b39ae37d4f3  libssh-0.6.5.tar.xz
-8257f5a2a6be16b158a83d76b5eed4fd  fix-includes.patch"
+8257f5a2a6be16b158a83d76b5eed4fd  fix-includes.patch
+c7e390faeadadbef2013026b6b0df99d  CVE-2016-0739.patch"
 sha256sums="0fd52763e033d5e9b1cd55f60a74e619731c5ba630938eec95682dbe4cf7dc2c  libssh-0.6.5.tar.xz
-d1798cd15d8682464a0b1b1853a9e17e63fed2fa732849570e595347d91b160c  fix-includes.patch"
+d1798cd15d8682464a0b1b1853a9e17e63fed2fa732849570e595347d91b160c  fix-includes.patch
+7ed3eb7c5cecae5ccd2f9f319a846c0d7c00d798d289ca45d9b81473a237f183  CVE-2016-0739.patch"
 sha512sums="55d614ff311a29a20b93094ac1dd16a2ad1345368b874a0e385f0c235e8defde8816948ab04eab68ade477a0a6901b317c7884df1ba3078cf12db89dfc4169cc  libssh-0.6.5.tar.xz
-055a8f6b97c65384a5a3ab8fe00c69d94cc30092fe926093dbbc122ce301fbe9d76127aa07b5e6107d7fa9dd2aad6b165fa0958b56520253b5d64428ff42a318  fix-includes.patch"
+055a8f6b97c65384a5a3ab8fe00c69d94cc30092fe926093dbbc122ce301fbe9d76127aa07b5e6107d7fa9dd2aad6b165fa0958b56520253b5d64428ff42a318  fix-includes.patch
+0dc455d073e94e3bab3fed861e5acd7e57654b12bf7b6b90563bc1b99a17ebac580c8e32de2d91292185585deee3b477c1f19bb0e03a39e681b7fc730df46a88  CVE-2016-0739.patch"
diff --git a/main/libssh/CVE-2016-0739.patch b/main/libssh/CVE-2016-0739.patch
new file mode 100644
index 0000000000..caa39a298d
--- /dev/null
+++ b/main/libssh/CVE-2016-0739.patch
@@ -0,0 +1,64 @@
+Description: CVE-2016-0739: Truncated Diffie-Hellman secret length
+Origin: upstream, https://git.libssh.org/projects/libssh.git/commit/?id=f8d0026c65fc8a55748ae481758e2cf376c26c86
+Bug-Debian: https://bugs.debian.org/815663
+Forwarded: not-needed
+Author: Aris Adamantiadis <aris@0xbadc0de.be>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-02-22
+Applied-Upstream: 0.7.3
+
+---
+ src/dh.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/src/dh.c
++++ b/src/dh.c
+@@ -240,15 +240,21 @@ void ssh_print_bignum(const char *which,
+ }
+ 
+ int dh_generate_x(ssh_session session) {
++  int keysize;
++  if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
++    keysize = 1023;
++  } else {
++    keysize = 2047;
++  }
+   session->next_crypto->x = bignum_new();
+   if (session->next_crypto->x == NULL) {
+     return -1;
+   }
+ 
+ #ifdef HAVE_LIBGCRYPT
+-  bignum_rand(session->next_crypto->x, 128);
++  bignum_rand(session->next_crypto->x, keysize);
+ #elif defined HAVE_LIBCRYPTO
+-  bignum_rand(session->next_crypto->x, 128, 0, -1);
++  bignum_rand(session->next_crypto->x, keysize, -1, 0);
+ #endif
+ 
+   /* not harder than this */
+@@ -261,15 +267,21 @@ int dh_generate_x(ssh_session session) {
+ 
+ /* used by server */
+ int dh_generate_y(ssh_session session) {
+-    session->next_crypto->y = bignum_new();
++  int keysize;
++  if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
++    keysize = 1023;
++  } else {
++    keysize = 2047;
++  }
++  session->next_crypto->y = bignum_new();
+   if (session->next_crypto->y == NULL) {
+     return -1;
+   }
+ 
+ #ifdef HAVE_LIBGCRYPT
+-  bignum_rand(session->next_crypto->y, 128);
++  bignum_rand(session->next_crypto->y, keysize);
+ #elif defined HAVE_LIBCRYPTO
+-  bignum_rand(session->next_crypto->y, 128, 0, -1);
++  bignum_rand(session->next_crypto->y, keysize, -1, 0);
+ #endif
+ 
+   /* not harder than this */
author	Leonardo Arena <rnalrd@alpinelinux.org>	2016-02-25 11:03:37 +0000
committer	Leonardo Arena <rnalrd@alpinelinux.org>	2016-02-25 11:22:06 +0000
commit	8fd14512598c4438817e0c3b405cfa648fc72898 (patch)
tree	dd9b6a426a0baefe44655a7bea7deec15b7df75e /main/libssh
parent	775b25076f747d4d008d25adbc59ec3bedd69e39 (diff)
download	aports-8fd14512598c4438817e0c3b405cfa648fc72898.tar.bz2 aports-8fd14512598c4438817e0c3b405cfa648fc72898.tar.xz