summaryrefslogtreecommitdiffstats
path: root/external/meta-openembedded/meta-oe/recipes-support/libssh2
diff options
context:
space:
mode:
Diffstat (limited to 'external/meta-openembedded/meta-oe/recipes-support/libssh2')
-rw-r--r--external/meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch131
-rw-r--r--external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.8.0.bb26
-rw-r--r--external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb28
3 files changed, 159 insertions, 26 deletions
diff --git a/external/meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch b/external/meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch
new file mode 100644
index 00000000..00108007
--- /dev/null
+++ b/external/meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch
@@ -0,0 +1,131 @@
+From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+
+Upstream-Status: Backport
+CVE: CVE-2019-17498
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/packet.c | 68 ++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 39 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab629..2e01bfc 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ size_t datalen, int macstate)
+ {
+ int rc = 0;
+- char *message = NULL;
+- char *language = NULL;
++ unsigned char *message = NULL;
++ unsigned char *language = NULL;
+ size_t message_len = 0;
+ size_t language_len = 0;
+ LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ case SSH_MSG_DISCONNECT:
+ if(datalen >= 5) {
+- size_t reason = _libssh2_ntohu32(data + 1);
++ uint32_t reason = 0;
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr++; /* advance past type */
+
+- if(datalen >= 9) {
+- message_len = _libssh2_ntohu32(data + 5);
++ _libssh2_get_u32(&buf, &reason);
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+
+- if(message_len < datalen-13) {
+- /* 9 = packet_type(1) + reason(4) + message_len(4) */
+- message = (char *) data + 9;
+-
+- language_len =
+- _libssh2_ntohu32(data + 9 + message_len);
+- language = (char *) data + 9 + message_len + 4;
+-
+- if(language_len > (datalen-13-message_len)) {
+- /* bad input, clear info */
+- language = message = NULL;
+- language_len = message_len = 0;
+- }
+- }
+- else
+- /* bad size, clear it */
+- message_len = 0;
+- }
+ if(session->ssh_msg_disconnect) {
+- LIBSSH2_DISCONNECT(session, reason, message,
+- message_len, language, language_len);
++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
++
+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+ "Disconnect(%d): %s(%s)", reason,
+ message, language);
+@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ int always_display = data[1];
+
+ if(datalen >= 6) {
+- message_len = _libssh2_ntohu32(data + 2);
+-
+- if(message_len <= (datalen - 10)) {
+- /* 6 = packet_type(1) + display(1) + message_len(4) */
+- message = (char *) data + 6;
+- language_len = _libssh2_ntohu32(data + 6 +
+- message_len);
+-
+- if(language_len <= (datalen - 10 - message_len))
+- language = (char *) data + 10 + message_len;
+- }
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 2; /* advance past type & always display */
++
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+ }
+
+ if(session->ssh_msg_debug) {
+- LIBSSH2_DEBUG(session, always_display, message,
+- message_len, language, language_len);
++ LIBSSH2_DEBUG(session, always_display,
++ (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
+ }
++
+ /*
+ * _libssh2_debug will actually truncate this for us so
+ * that it's not an inordinate about of data
+@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len = 0;
+ unsigned char want_reply = 0;
+ len = _libssh2_ntohu32(data + 1);
+- if(datalen >= (6 + len)) {
++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+ want_reply = data[5 + len];
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
+--
+2.17.1
+
diff --git a/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.8.0.bb b/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.8.0.bb
deleted file mode 100644
index 94bfb8f8..00000000
--- a/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.8.0.bb
+++ /dev/null
@@ -1,26 +0,0 @@
-SUMMARY = "A client-side C library implementing the SSH2 protocol"
-HOMEPAGE = "http://www.libssh2.org/"
-SECTION = "libs"
-
-DEPENDS = "zlib"
-
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=c5cf34fc0acb44b082ef50ef5e4354ca"
-
-SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz"
-SRC_URI[md5sum] = "3d1147cae66e2959ea5441b183de1b1c"
-SRC_URI[sha256sum] = "39f34e2f6835f4b992cafe8625073a88e5a28ba78f83e8099610a7b3af4676d4"
-
-inherit autotools pkgconfig
-
-EXTRA_OECONF += "\
- --with-libz \
- --with-libz-prefix=${STAGING_LIBDIR} \
- "
-
-# only one of openssl and gcrypt could be set
-PACKAGECONFIG ??= "openssl"
-PACKAGECONFIG[openssl] = "--with-openssl --with-libssl-prefix=${STAGING_LIBDIR},--without-openssl,openssl"
-PACKAGECONFIG[gcrypt] = "--with-libgcrypt --with-libgcrypt-prefix=${STAGING_EXECPREFIXDIR},--without-libgcrypt,libgcrypt"
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb b/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb
new file mode 100644
index 00000000..c1f337a4
--- /dev/null
+++ b/external/meta-openembedded/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb
@@ -0,0 +1,28 @@
+SUMMARY = "A client-side C library implementing the SSH2 protocol"
+HOMEPAGE = "http://www.libssh2.org/"
+SECTION = "libs"
+
+DEPENDS = "zlib"
+
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=c5cf34fc0acb44b082ef50ef5e4354ca"
+
+SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
+ file://CVE-2019-17498.patch \
+"
+SRC_URI[md5sum] = "1beefafe8963982adc84b408b2959927"
+SRC_URI[sha256sum] = "d5fb8bd563305fd1074dda90bd053fb2d29fc4bce048d182f96eaa466dfadafd"
+
+inherit autotools pkgconfig
+
+EXTRA_OECONF += "\
+ --with-libz \
+ --with-libz-prefix=${STAGING_LIBDIR} \
+ "
+
+# only one of openssl and gcrypt could be set
+PACKAGECONFIG ??= "openssl"
+PACKAGECONFIG[openssl] = "--with-crypto=openssl --with-libssl-prefix=${STAGING_LIBDIR}, , openssl"
+PACKAGECONFIG[gcrypt] = "--with-crypto=libgcrypt --with-libgcrypt-prefix=${STAGING_EXECPREFIXDIR}, , libgcrypt"
+
+BBCLASSEXTEND = "native nativesdk"