authorHugo Vasconcelos Saldanha <hugo.saldanha@aker.com.br>2015-06-25 18:48:56 -0300
committerArmin Kuster <akuster808@gmail.com>2015-07-19 16:09:15 -0700
commitc580b62cb2226d2be7cdef77d4ff838fd4095a03 (patch)
tree9c15b53151a19d02e3e54e95f722f33dde7c743e
parente00844ed8cb964857c73acd8495ae98250c9020f (diff)
libssh2: fix CVE-2015-1782
Refer to: http://www.libssh2.org/adv_20150311.html Signed-off-by: Hugo Vasconcelos Saldanha <hugo.saldanha@aker.com.br> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch115
-rw-r--r--meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb4
2 files changed, 118 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch b/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch
new file mode 100644
index 0000000000..5f4a7c728d
--- /dev/null
+++ b/meta-oe/recipes-support/libssh2/libssh2-1.4.3/CVE-2015-1782.patch
@@ -0,0 +1,115 @@
+From c7f66cca285033da9b8c9de8eceff52d7b3c3ef3 Mon Sep 17 00:00:00 2001
+From: Mariusz Ziulek <mzet@owasp.org>
+Date: Sat, 21 Feb 2015 23:31:36 +0100
+Subject: [PATCH] kex: bail out on rubbish in the incoming packet
+
+Upstream-Status: Backport
+
+Signed-off-by: Hugo Vasconcelos Saldanha <hugo.saldanha@aker.com.br>
+
+---
+ src/kex.c | 73 +++++++++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 41 insertions(+), 32 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index fa4c4e1..ad7498a 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -1547,10 +1547,34 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+
+ /* TODO: When in server mode we need to turn this logic on its head
+ * The Client gets to make the final call on "agreed methods"
+ */
+
++/*
++ * kex_string_pair() extracts a string from the packet and makes sure it fits
++ * within the given packet.
++ */
++static int kex_string_pair(unsigned char **sp, /* parsing position */
++ unsigned char *data, /* start pointer to packet */
++ size_t data_len, /* size of total packet */
++ size_t *lenp, /* length of the string */
++ unsigned char **strp) /* pointer to string start */
++{
++ unsigned char *s = *sp;
++ *lenp = _libssh2_ntohu32(s);
++
++ /* the length of the string must fit within the current pointer and the
++ end of the packet */
++ if (*lenp > (data_len - (s - data) -4))
++ return 1;
++ *strp = s + 4;
++ s += 4 + *lenp;
++
++ *sp = s;
++ return 0;
++}
++
+ /* kex_agree_methods
+ * Decide which specific method to use of the methods offered by each party
+ */
+ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+ unsigned data_len)
+@@ -1566,42 +1590,27 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+
+ /* Skip cookie, don't worry, it's preserved in the kexinit field */
+ s += 16;
+
+ /* Locate each string */
+- kex_len = _libssh2_ntohu32(s);
+- kex = s + 4;
+- s += 4 + kex_len;
+- hostkey_len = _libssh2_ntohu32(s);
+- hostkey = s + 4;
+- s += 4 + hostkey_len;
+- crypt_cs_len = _libssh2_ntohu32(s);
+- crypt_cs = s + 4;
+- s += 4 + crypt_cs_len;
+- crypt_sc_len = _libssh2_ntohu32(s);
+- crypt_sc = s + 4;
+- s += 4 + crypt_sc_len;
+- mac_cs_len = _libssh2_ntohu32(s);
+- mac_cs = s + 4;
+- s += 4 + mac_cs_len;
+- mac_sc_len = _libssh2_ntohu32(s);
+- mac_sc = s + 4;
+- s += 4 + mac_sc_len;
+- comp_cs_len = _libssh2_ntohu32(s);
+- comp_cs = s + 4;
+- s += 4 + comp_cs_len;
+- comp_sc_len = _libssh2_ntohu32(s);
+- comp_sc = s + 4;
+-#if 0
+- s += 4 + comp_sc_len;
+- lang_cs_len = _libssh2_ntohu32(s);
+- lang_cs = s + 4;
+- s += 4 + lang_cs_len;
+- lang_sc_len = _libssh2_ntohu32(s);
+- lang_sc = s + 4;
+- s += 4 + lang_sc_len;
+-#endif
++ if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
++ return -1;
++ if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
++ return -1;
++
+ /* If the server sent an optimistic packet, assume that it guessed wrong.
+ * If the guess is determined to be right (by kex_agree_kex_hostkey)
+ * This flag will be reset to zero so that it's not ignored */
+ session->burn_optimistic_kexinit = *(s++);
+ /* Next uint32 in packet is all zeros (reserved) */
+--
+2.1.4
+
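Review bot: The new kex_string_pair helper reads the 4-byte length with `_libssh2_ntohu32(s)` before it has established that 4 bytes remain, and when `s - data + 4` already exceeds data_len the bound `data_len - (s - data) - 4` wraps around as an unsigned value, so the guard passes instead of rejecting the packet. A leading check such as `if ((size_t)(s - data) + 4 > data_len) return 1;` placed before the length read closes both the over-read and the wrap. The same unchecked pattern remains on the new side of kex_agree_methods: the cookie skip `s += 16` and the later `session->burn_optimistic_kexinit = *(s++)` are never compared against data_len, so a truncated KEXINIT can still be read past its end; kex_agree_methods' body continues beyond the hunk and whether its caller guarantees a minimum packet length is not visible here. The backport appears to reproduce the upstream fix as published, so this is a residual upstream gap rather than a transcription error, but it is worth a follow-up patch or a note in the patch header.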
diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb b/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb
index b53766333b..9af0f7fd10 100644
--- a/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb
+++ b/meta-oe/recipes-support/libssh2/libssh2_1.4.3.bb
@@ -7,7 +7,9 @@ DEPENDS = "zlib openssl"
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://COPYING;md5=d00afe44f336a79a2ca7e1681ce14509"
-SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz"
+SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
+ file://CVE-2015-1782.patch \
+"
SRC_URI[md5sum] = "071004c60c5d6f90354ad1b701013a0b"
SRC_URI[sha256sum] = "eac6f85f9df9db2e6386906a6227eb2cd7b3245739561cad7d6dc1d5d021b96d"