Date: Monday, August 24, 2020 @ 08:09:33 Author: eworm Revision: 394633
upgpkg: libssh 0.9.4-2: security update https://bugs.libssh.org/T232 FS#67693 Added: libssh/trunk/0001-CVE-2020-16135.patch Modified: libssh/trunk/PKGBUILD ---------------------------+ 0001-CVE-2020-16135.patch | 165 ++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 11 ++ 2 files changed, 173 insertions(+), 3 deletions(-)
Added: 0001-CVE-2020-16135.patch
===================================================================
--- 0001-CVE-2020-16135.patch (rev 0)
+++ 0001-CVE-2020-16135.patch 2020-08-24 08:09:33 UTC (rev 394633)
@@ -0,0 +1,165 @@
+From 533d881b0f4b24c72b35ecc97fa35d295d063e53 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <a...@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:04:09 +0200
+Subject: [PATCH 1/4] sftpserver: Add missing NULL check for ssh_buffer_new()
+
+Thanks to Ramin Farajpour Cami for spotting this.
+
+Fixes T232
+
+Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansas...@redhat.com>
+Reviewed-by: Jakub Jelen <jje...@redhat.com>
+Signed-off-by: Christian Hesse <m...@eworm.de>
+---
+ src/sftpserver.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 5a2110e5..b639a2ce 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+
+ /* take a copy of the whole packet */
+ msg->complete_message = ssh_buffer_new();
++ if (msg->complete_message == NULL) {
++ ssh_set_error_oom(session);
++ sftp_client_message_free(msg);
++ return NULL;
++ }
++
+ ssh_buffer_add_data(msg->complete_message,
+ ssh_buffer_get(payload),
+ ssh_buffer_get_len(payload));
+
+From 2782cb0495b7450bd8fe43ce4af886b66fea6c40 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <a...@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:05:51 +0200
+Subject: [PATCH 2/4] sftpserver: Add missing return check for
+ ssh_buffer_add_data()
+
+Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansas...@redhat.com>
+Reviewed-by: Jakub Jelen <jje...@redhat.com>
+Signed-off-by: Christian Hesse <m...@eworm.de>
+---
+ src/sftpserver.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index b639a2ce..9117f155 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+ return NULL;
+ }
+
+- ssh_buffer_add_data(msg->complete_message,
+- ssh_buffer_get(payload),
+- ssh_buffer_get_len(payload));
++ rc = ssh_buffer_add_data(msg->complete_message,
++ ssh_buffer_get(payload),
++ ssh_buffer_get_len(payload));
++ if (rc < 0) {
++ ssh_set_error_oom(session);
++ sftp_client_message_free(msg);
++ return NULL;
++ }
+
+ ssh_buffer_get_u32(payload, &msg->id);
+
+
+From 10b3ebbe61a7031a3dae97f05834442220447181 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <a...@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:10:11 +0200
+Subject: [PATCH 3/4] buffer: Reformat ssh_buffer_add_data()
+
+Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansas...@redhat.com>
+Reviewed-by: Jakub Jelen <jje...@redhat.com>
+Signed-off-by: Christian Hesse <m...@eworm.de>
+---
+ src/buffer.c | 35 ++++++++++++++++++-----------------
+ 1 file changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index a2e6246a..476bc135 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
+ */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
+- buffer_verify(buffer);
++ buffer_verify(buffer);
+
+- if (data == NULL) {
+- return -1;
+- }
++ if (data == NULL) {
++ return -1;
++ }
+
+- if (buffer->used + len < len) {
+- return -1;
+- }
++ if (buffer->used + len < len) {
++ return -1;
++ }
+
+- if (buffer->allocated < (buffer->used + len)) {
+- if(buffer->pos > 0)
+- buffer_shift(buffer);
+- if (realloc_buffer(buffer, buffer->used + len) < 0) {
+- return -1;
++ if (buffer->allocated < (buffer->used + len)) {
++ if (buffer->pos > 0) {
++ buffer_shift(buffer);
++ }
++ if (realloc_buffer(buffer, buffer->used + len) < 0) {
++ return -1;
++ }
+ }
+- }
+
+- memcpy(buffer->data+buffer->used, data, len);
+- buffer->used+=len;
+- buffer_verify(buffer);
+- return 0;
++ memcpy(buffer->data + buffer->used, data, len);
++ buffer->used += len;
++ buffer_verify(buffer);
++ return 0;
+ }
+
+ /**
+
+From 245ad744b5ab0582fef7cf3905a717b791d7e08b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <a...@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:11:21 +0200
+Subject: [PATCH 4/4] buffer: Add NULL check for 'buffer' argument
+
+Signed-off-by: Andreas Schneider <a...@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansas...@redhat.com>
+Reviewed-by: Jakub Jelen <jje...@redhat.com>
+Signed-off-by: Christian Hesse <m...@eworm.de>
+---
+ src/buffer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 476bc135..ce12f491 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
+ */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
++ if (buffer == NULL) {
++ return -1;
++ }
++
+ buffer_verify(buffer);
+
+ if (data == NULL) {
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-08-24 08:00:56 UTC (rev 394632)
+++ PKGBUILD 2020-08-24 08:09:33 UTC (rev 394633)
@@ -7,7 +7,7 @@
 pkgbase=libssh
 pkgname=(libssh libssh-docs)
 pkgver=0.9.4
-pkgrel=1
+pkgrel=2
 pkgdesc="Library for accessing ssh client services through C libraries"
 url="https://www.libssh.org/"
 license=(LGPL)
@@ -14,9 +14,11 @@
 arch=(x86_64)
 depends=(zlib openssl)
 makedepends=(cmake cmocka doxygen python)
-source=(https://www.libssh.org/files/${pkgver%.*}/$pkgname-$pkgver.tar.xz{,.asc})
+source=(https://www.libssh.org/files/${pkgver%.*}/$pkgname-$pkgver.tar.xz{,.asc}
+ '0001-CVE-2020-16135.patch')
 sha256sums=('150897a569852ac05aac831dc417a7ba8e610c86ca2e0154a99c6ade2486226b'
- 'SKIP')
+ 'SKIP'
+ '5668b4fa30cea2fb998e7e8084639ac4d6a76972778ba24d477f6aa79cd84ec8')
 validpgpkeys=('8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D') # Andreas Schneider <a...@cryptomilk.org>
 prepare() {
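Review bot: In the [PATCH 2/4] hunk of src/sftpserver.c, the context line `ssh_buffer_get_u32(payload, &msg->id);` right after the new `rc < 0` check still ignores its return value, so a packet too short to carry a request id appears to be accepted with `msg->id` left at its previous contents. The error path the patch adds could be reused there, e.g. `if (ssh_buffer_get_u32(payload, &msg->id) != sizeof(uint32_t)) { sftp_client_message_free(msg); return NULL; }`, assuming the getter reports the number of bytes read; confirm against buffer.c. Separately, `ssh_set_error_oom(session)` is also reported when `ssh_buffer_add_data()` fails its `data == NULL` or length-overflow checks, which are not allocation failures. `rc` and `session` are declared outside the visible lines, and sftp_get_client_message continues past the hunk.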
@@ -26,6 +28,9 @@
 sed 's/cmocka_unit_test(torture_path_expand_tilde_unix),//' -i libssh-${pkgver}/tests/unittests/torture_misc.c
 mkdir -p build
+
+ cd "$srcdir/$pkgname-$pkgver"
+ patch -Np1 < ../0001-CVE-2020-16135.patch
 }
 build() {
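Review bot: `cd "$srcdir/$pkgname-$pkgver"` in prepare() works only because `$pkgname` expands to the first element of the `pkgname=(libssh libssh-docs)` array; `$pkgbase` states the intent directly: `cd "$srcdir/$pkgbase-$pkgver"`. Passing the patch by absolute path, `patch -Np1 -i "$srcdir/0001-CVE-2020-16135.patch"`, would also keep the step independent of the working directory. Neither changes what gets built; the patch file itself is pinned by the new sha256sums entry.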