diff options
Diffstat (limited to 'external/meta-openembedded/meta-oe/recipes-support/libssh2')
3 files changed, 159 insertions, 26 deletions
diff --git a/external/meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch b/external/meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch new file mode 100644 index 00000000..00108007 --- /dev/null +++ b/external/meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch @@ -0,0 +1,131 @@ +From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Fri, 30 Aug 2019 09:57:38 -0700 +Subject: [PATCH] packet.c: improve message parsing (#402) + +* packet.c: improve parsing of packets + +file: packet.c + +notes: +Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST. + +Upstream-Status: Backport +CVE: CVE-2019-17498 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + src/packet.c | 68 ++++++++++++++++++++++------------------------------ + 1 file changed, 29 insertions(+), 39 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 38ab629..2e01bfc 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + size_t datalen, int macstate) + { + int rc = 0; +- char *message = NULL; +- char *language = NULL; ++ unsigned char *message = NULL; ++ unsigned char *language = NULL; + size_t message_len = 0; + size_t language_len = 0; + LIBSSH2_CHANNEL *channelp = NULL; +@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + case SSH_MSG_DISCONNECT: + if(datalen >= 5) { +- size_t reason = _libssh2_ntohu32(data + 1); ++ uint32_t reason = 0; ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr++; /* advance past type */ + +- if(datalen >= 9) { +- message_len = _libssh2_ntohu32(data + 5); ++ _libssh2_get_u32(&buf, &reason); ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + +- if(message_len < datalen-13) { +- /* 9 = packet_type(1) + reason(4) + message_len(4) */ +- message = (char *) data + 9; +- +- language_len = +- _libssh2_ntohu32(data + 9 + message_len); +- language = (char *) data + 9 + message_len + 4; +- +- if(language_len > (datalen-13-message_len)) { +- /* bad input, clear info */ +- language = message = NULL; +- language_len = message_len = 0; +- } +- } +- else +- /* bad size, clear it */ +- message_len = 0; +- } + if(session->ssh_msg_disconnect) { +- LIBSSH2_DISCONNECT(session, reason, message, +- message_len, language, language_len); ++ LIBSSH2_DISCONNECT(session, reason, (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } ++ + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, + "Disconnect(%d): %s(%s)", reason, + message, language); +@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + int always_display = data[1]; + + if(datalen >= 6) { +- message_len = _libssh2_ntohu32(data + 2); +- +- if(message_len <= (datalen - 10)) { +- /* 6 = packet_type(1) + display(1) + message_len(4) */ +- message = (char *) data + 6; +- language_len = _libssh2_ntohu32(data + 6 + +- message_len); +- +- if(language_len <= (datalen - 10 - message_len)) +- language = (char *) data + 10 + message_len; +- } ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr += 2; /* advance past type & always display */ ++ ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + } + + if(session->ssh_msg_debug) { +- LIBSSH2_DEBUG(session, always_display, message, +- message_len, language, language_len); ++ LIBSSH2_DEBUG(session, always_display, ++ (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } + } ++ + /* + * _libssh2_debug will actually truncate this for us so + * that it's not an inordinate about of data +@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = 0; + unsigned char want_reply = 0; + len = _libssh2_ntohu32(data + 1); +- if(datalen >= (6 + len)) { ++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { + want_reply = data[5 + len]; + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, +-- +2.17.1 + diff --git a/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.8.0.bb b/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.8.0.bb deleted file mode 100644 index 94bfb8f8..00000000 --- a/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.8.0.bb +++ /dev/null @@ -1,26 +0,0 @@ -SUMMARY = "A client-side C library implementing the SSH2 protocol" -HOMEPAGE = "http://www.libssh2.org/" -SECTION = "libs" - -DEPENDS = "zlib" - -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://COPYING;md5=c5cf34fc0acb44b082ef50ef5e4354ca" - -SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz" -SRC_URI[md5sum] = "3d1147cae66e2959ea5441b183de1b1c" -SRC_URI[sha256sum] = "39f34e2f6835f4b992cafe8625073a88e5a28ba78f83e8099610a7b3af4676d4" - -inherit autotools pkgconfig - -EXTRA_OECONF += "\ - --with-libz \ - --with-libz-prefix=${STAGING_LIBDIR} \ - " - -# only one of openssl and gcrypt could be set -PACKAGECONFIG ??= "openssl" -PACKAGECONFIG[openssl] = "--with-openssl --with-libssl-prefix=${STAGING_LIBDIR},--without-openssl,openssl" -PACKAGECONFIG[gcrypt] = "--with-libgcrypt --with-libgcrypt-prefix=${STAGING_EXECPREFIXDIR},--without-libgcrypt,libgcrypt" - -BBCLASSEXTEND = "native" diff --git a/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb b/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb new file mode 100644 index 00000000..c1f337a4 --- /dev/null +++ b/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb @@ -0,0 +1,28 @@ +SUMMARY = "A client-side C library implementing the SSH2 protocol" +HOMEPAGE = "http://www.libssh2.org/" +SECTION = "libs" + +DEPENDS = "zlib" + +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://COPYING;md5=c5cf34fc0acb44b082ef50ef5e4354ca" + +SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \ + file://CVE-2019-17498.patch \ +" +SRC_URI[md5sum] = "1beefafe8963982adc84b408b2959927" +SRC_URI[sha256sum] = "d5fb8bd563305fd1074dda90bd053fb2d29fc4bce048d182f96eaa466dfadafd" + +inherit autotools pkgconfig + +EXTRA_OECONF += "\ + --with-libz \ + --with-libz-prefix=${STAGING_LIBDIR} \ + " + +# only one of openssl and gcrypt could be set +PACKAGECONFIG ??= "openssl" +PACKAGECONFIG[openssl] = "--with-crypto=openssl --with-libssl-prefix=${STAGING_LIBDIR}, , openssl" +PACKAGECONFIG[gcrypt] = "--with-crypto=libgcrypt --with-libgcrypt-prefix=${STAGING_EXECPREFIXDIR}, , libgcrypt" + +BBCLASSEXTEND = "native nativesdk" |