From 6c763143a08a56997ee6f88f9329cfc17d6b56b5 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Thu, 17 Oct 2019 09:15:12 +0000 Subject: main/libssh2: fix for CVE-2019-17498 fixes #10883 --- main/libssh2/APKBUILD | 9 +++-- main/libssh2/CVE-2019-17498.patch | 72 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+), 2 deletions(-) create mode 100644 main/libssh2/CVE-2019-17498.patch diff --git a/main/libssh2/APKBUILD b/main/libssh2/APKBUILD index 1779a9cfb2..6306a875fa 100644 --- a/main/libssh2/APKBUILD +++ b/main/libssh2/APKBUILD @@ -8,9 +8,13 @@ arch="all" license="BSD-3-Clause" makedepends="openssl-dev zlib-dev" subpackages="$pkgname-dbg $pkgname-static $pkgname-dev $pkgname-doc" -source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz" +source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz + CVE-2019-17498.patch + " # security fixes: +# 1.9.0-r1: +# - CVE-2019-17498 # 1.9.0-r0: # - CVE-2019-13115 # 1.8.1-r0: @@ -56,4 +60,5 @@ static() { mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib } -sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz" +sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz +fedd840ec8459409c80ef3984f3539e09c0730fb1a7ccc8034e3e03618590a5c0589b7dff132c813b148be9f5b784d3cd50830c502d419af77ce86e848297813 CVE-2019-17498.patch" diff --git a/main/libssh2/CVE-2019-17498.patch b/main/libssh2/CVE-2019-17498.patch new file mode 100644 index 0000000000..e858cca186 --- /dev/null +++ b/main/libssh2/CVE-2019-17498.patch @@ -0,0 +1,72 @@ +From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001 +From: Will Cosgrove +Date: Thu, 29 Aug 2019 15:24:22 -0700 +Subject: [PATCH] fixed type issue, updated SSH_MSG_DISCONNECT + +SSH_MSG_DISCONNECT now also uses _libssh2_get API. +--- + src/packet.c | 40 +++++++++++++++------------------------- + 1 file changed, 15 insertions(+), 25 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 8908b2c5..97f0cdd4 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + size_t datalen, int macstate) + { + int rc = 0; +- char *message = NULL; +- char *language = NULL; ++ unsigned char *message = NULL; ++ unsigned char *language = NULL; + size_t message_len = 0; + size_t language_len = 0; + LIBSSH2_CHANNEL *channelp = NULL; +@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + case SSH_MSG_DISCONNECT: + if(datalen >= 5) { +- size_t reason = _libssh2_ntohu32(data + 1); ++ uint32_t reason = 0; ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr++; /* advance past type */ + +- if(datalen >= 9) { +- message_len = _libssh2_ntohu32(data + 5); ++ _libssh2_get_u32(&buf, &reason); ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + +- if(message_len < datalen-13) { +- /* 9 = packet_type(1) + reason(4) + message_len(4) */ +- message = (char *) data + 9; +- +- language_len = +- _libssh2_ntohu32(data + 9 + message_len); +- language = (char *) data + 9 + message_len + 4; +- +- if(language_len > (datalen-13-message_len)) { +- /* bad input, clear info */ +- language = message = NULL; +- language_len = message_len = 0; +- } +- } +- else +- /* bad size, clear it */ +- message_len = 0; +- } + if(session->ssh_msg_disconnect) { +- LIBSSH2_DISCONNECT(session, reason, message, +- message_len, language, language_len); ++ LIBSSH2_DISCONNECT(session, reason, (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } ++ + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, + "Disconnect(%d): %s(%s)", reason, + message, language); -- cgit v1.2.3