diff options
author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-12-02 21:05:15 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-12-02 21:05:20 +0300 |
commit | 996bc45c6b2ab1ef612fa4710088373f1f627ea9 (patch) | |
tree | 5a16fa220483d7427ab4cec7612852a3149439dc /meta-openembedded/meta-oe/recipes-support/libssh2/files | |
parent | 2eda1a371b06865fd2d4d84af3de14440e3bafa3 (diff) | |
download | openbmc-996bc45c6b2ab1ef612fa4710088373f1f627ea9.tar.xz |
meta-openembedded: subtree update:e4ac09169d..459dbf1078
Alex Kiernan (1):
leveldb: Upgrade 1.20 -> 1.22
Cengiz Can (1):
recipes-support: gperftools: RDEPENDS for pprof
Changqing Li (2):
python3-django: upgrade 1.11.14 -> 2.2.7
python-sqlparse/python3-sqlparse: move from meta-cloud-services
Christopher Larson (1):
kconfig-frontends: drop unneeded target flex/bison deps
Daniels Umanovskis (1):
gattlib: add recipe
Fabio Berton (3):
mdbus2: Add recipe
jpnevulator: Add recipe
emlog: Add recipe
Jacopo Dall'Aglio (1):
python-netifaces: add recipes
Khem Raj (8):
packagegroup-meta-oe: Drop gperftools for mips/musl as well
python-slip-dbus: Add missing rdep on six module
htop: Use python3
pidgin: Use python3
mercurial: Upgrade to 5.2 and switch to py3
a2jmidid: Upgrade to release 9
pidgin: Use python3 during build
tvheadend: Demand use of py3 during build
Lei YU (1):
googletest: Add PV and set to 1.10.0
Leon Anavi (1):
stalonetray: Add a simple stand-alone system tray
Li Zhou (1):
libssh2: Security Advisory - libssh2 - CVE-2019-17498
Michael Haener (1):
libmbim: upgrade 1.20.0 -> 1.20.2
Nicola Lunghi (2):
python-configargparse: add package (version 0.15.1)
python3-dbussy: add recipe (v1.2.1)
Qi.Chen@windriver.com (1):
python3-pid: upgrade to 2.2.5
Ross Burton (3):
glmark2: upgrade to latest HEAD
glmark2: use Python 3 to build
jack: upgrade to 1.19.14
Ulrich Ölmann (1):
python3-yarl: add missing dependencies
Zang Ruochen (6):
p910nd: upgrade 0.95 -> 0.97
links: upgrade 2.16 -> 2.20.2
links-x11: upgrade 2.16 -> 2.20.2
libmicrohttpd: upgrade 0.9.67 -> 0.9.68
gsoap: upgrade 2.8.51 -> 2.8.95
mksh: upgrade 56 -> 57
Zheng Ruoqin (1):
libsdl: Refresh patch
zhangxiao (1):
syslog-ng: Fix multilib header conflict - syslog-ng-config.h
Change-Id: I8557e00b893b61c10ee305fb3229db773b4b894f
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-openembedded/meta-oe/recipes-support/libssh2/files')
-rw-r--r-- | meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch | 131 |
1 files changed, 131 insertions, 0 deletions
diff --git a/meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch b/meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch new file mode 100644 index 000000000..001080072 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/libssh2/files/CVE-2019-17498.patch @@ -0,0 +1,131 @@ +From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001 +From: Will Cosgrove <will@panic.com> +Date: Fri, 30 Aug 2019 09:57:38 -0700 +Subject: [PATCH] packet.c: improve message parsing (#402) + +* packet.c: improve parsing of packets + +file: packet.c + +notes: +Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST. + +Upstream-Status: Backport +CVE: CVE-2019-17498 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + src/packet.c | 68 ++++++++++++++++++++++------------------------------ + 1 file changed, 29 insertions(+), 39 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index 38ab629..2e01bfc 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + size_t datalen, int macstate) + { + int rc = 0; +- char *message = NULL; +- char *language = NULL; ++ unsigned char *message = NULL; ++ unsigned char *language = NULL; + size_t message_len = 0; + size_t language_len = 0; + LIBSSH2_CHANNEL *channelp = NULL; +@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + case SSH_MSG_DISCONNECT: + if(datalen >= 5) { +- size_t reason = _libssh2_ntohu32(data + 1); ++ uint32_t reason = 0; ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr++; /* advance past type */ + +- if(datalen >= 9) { +- message_len = _libssh2_ntohu32(data + 5); ++ _libssh2_get_u32(&buf, &reason); ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + +- if(message_len < datalen-13) { +- /* 9 = packet_type(1) + reason(4) + message_len(4) */ +- message = (char *) data + 9; +- +- language_len = +- _libssh2_ntohu32(data + 9 + message_len); +- language = (char *) data + 9 + message_len + 4; +- +- if(language_len > (datalen-13-message_len)) { +- /* bad input, clear info */ +- language = message = NULL; +- language_len = message_len = 0; +- } +- } +- else +- /* bad size, clear it */ +- message_len = 0; +- } + if(session->ssh_msg_disconnect) { +- LIBSSH2_DISCONNECT(session, reason, message, +- message_len, language, language_len); ++ LIBSSH2_DISCONNECT(session, reason, (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } ++ + _libssh2_debug(session, LIBSSH2_TRACE_TRANS, + "Disconnect(%d): %s(%s)", reason, + message, language); +@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + int always_display = data[1]; + + if(datalen >= 6) { +- message_len = _libssh2_ntohu32(data + 2); +- +- if(message_len <= (datalen - 10)) { +- /* 6 = packet_type(1) + display(1) + message_len(4) */ +- message = (char *) data + 6; +- language_len = _libssh2_ntohu32(data + 6 + +- message_len); +- +- if(language_len <= (datalen - 10 - message_len)) +- language = (char *) data + 10 + message_len; +- } ++ struct string_buf buf; ++ buf.data = (unsigned char *)data; ++ buf.dataptr = buf.data; ++ buf.len = datalen; ++ buf.dataptr += 2; /* advance past type & always display */ ++ ++ _libssh2_get_string(&buf, &message, &message_len); ++ _libssh2_get_string(&buf, &language, &language_len); + } + + if(session->ssh_msg_debug) { +- LIBSSH2_DEBUG(session, always_display, message, +- message_len, language, language_len); ++ LIBSSH2_DEBUG(session, always_display, ++ (const char *)message, ++ message_len, (const char *)language, ++ language_len); + } + } ++ + /* + * _libssh2_debug will actually truncate this for us so + * that it's not an inordinate about of data +@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = 0; + unsigned char want_reply = 0; + len = _libssh2_ntohu32(data + 1); +- if(datalen >= (6 + len)) { ++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) { + want_reply = data[5 + len]; + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, +-- +2.17.1 + |