commit libssh.1120 for openSUSE:12.1:Update

Hello community, here is the log from the commit of package libssh.1120 for openSUSE:12.1:Update checked in at 2012-12-07 10:47:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update/libssh.1120 (Old) and /work/SRC/openSUSE:12.1:Update/.libssh.1120.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libssh.1120", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2012-11-30 12:21:47.308011256 +0100 +++ /work/SRC/openSUSE:12.1:Update/.libssh.1120.new/libssh.changes 2012-12-07 10:47:40.000000000 +0100 @@ -0,0 +1,323 @@ +------------------------------------------------------------------- +Tue Nov 20 15:36:29 UTC 2012 - jmcdonough@suse.com + +- Fix multiple vulernabilities (bnc#789827): + * CVE-2012-4559 – Fix multiple double free() flaws + 0007-CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch + 0008-CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch + 0009-CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch + * CVE-2012-4560 – Fix multiple buffer overflow flaws + 0005-CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch + 0006-CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch + * CVE-2012-4561 – Fix multiple invalid free() flaws + 0010-CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch + 0011-CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch + * CVE-2012-4562 – Fix multiple improper overflow checks + 0001-CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch + 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch + 0003-CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch + 0004-CVE-2012-4562-Fix-possible-string-related-integer-ov.patch + +------------------------------------------------------------------- +Tue Sep 6 03:36:48 UTC 2011 - crrodriguez@opensuse.org + +- Build with OPENSSL_LOAD_CONF so we respect user's choice + of which "openssl engine" to use for crypto (aes-ni,intel-accel) + +------------------------------------------------------------------- +Tue Aug 9 15:12:39 UTC 2011 - asn@cryptomilk.org + +- Update to version 0.5.1 + * Added checks for NULL pointers in string.c. + * Set the channel max packet size to 32768. + * Don't (de)compress empty buffers. + * Fixed ssh_scp_write so it works when doing recursive copy. + * Fixed another source of endless wait. + * Fixed an endless loop in case of a channel_open error. + * Fixed session timeout handling. + * Fixed ssh_channel_from_local() loop. + * Fixed permissions of scp example when we copy a file. + * Workaround ssh_get_user_home_dir on LDAP users. + * Added pkg-config support for libssh_threads. + * Fixed compilation without server and sftp modes. + * Fix static .lib overwriting on Windows. + +------------------------------------------------------------------- +Tue May 31 14:32:09 UTC 2011 - asn@cryptomilk.org + +- Update to version 0.5.0 + * Added ssh_ prefix to all functions. + * Added complete Windows support. + * Added improved server support. + * Added unit tests for a lot of functions. + * Added asynchronous service request. + * Added a multiplatform ssh_getpass() function. + * Added a tutorial. + * Added a lot of documentation. + * Fixed a lot of bugs. + * Fixed several memory leaks. + +------------------------------------------------------------------- +Sat Jan 15 08:58:45 UTC 2011 - asn@cryptomilk.org + +- Update to version 0.4.8 + * Fixed memory leaks in session signing. + * Fixed memory leak in ssh_print_hexa. + * Fixed problem with ssh_connect w/ timeout and fd > 1024. + * Fixed some warnings on OS/2. + * Fixed installation path for OS/2. + +------------------------------------------------------------------- +Mon Dec 27 20:12:23 CET 2010 - asn@cynapses.org + +- Update to version 0.4.7 + * Fixed a possible memory leak in ssh_get_user_home(). + * Fixed a memory leak in sftp_xstat. + * Fixed uninitialized fd->revents member. + * Fixed timout value in ssh_channel_accept(). + * Fixed length checks in ssh_analyze_banner(). + * Fixed a possible data overread and crash bug. + * Fixed setting max_fd which breaks ssh_select(). + * Fixed some pedantic build warnings. + * Fixed a memory leak with session->bindaddr. + +------------------------------------------------------------------- +Sun Sep 5 19:30:28 CEST 2010 - asn@cynapses.org + +- Update to version 0.4.6 + * Added a cleanup function to free the ws2_32 library. + * Fixed build with gcc 3.4. + * Fixed the Windows build on Vista and newer. + * Fixed the usage of WSAPoll() on Windows. + * Fixed "@deprecated" in doxygen + * Fixed some mingw warnings. + * Fixed handling of opened channels. + * Fixed keepalive problem on older openssh servers. + * Fixed testing for big endian on Windows. + * Fixed the Windows preprocessor macros and defines. + +------------------------------------------------------------------- +Tue Jul 13 10:27:13 CEST 2010 - anschneider@exsuse.de + +- Update to version 0.4.5 + * Added option to bind a client to an ip address. + * Fixed the ssh socket polling function. + * Fixed Windows related bugs in bsd_poll(). + * Fixed serveral build warnings. + +------------------------------------------------------------------- +Mon May 31 14:13:55 CEST 2010 - anschneider@exsuse.de + +- Update to version 0.4.4 + * Fixed some bugs ein path expand functions. + +------------------------------------------------------------------- +Mon May 17 23:50:11 CEST 2010 - anschneider@exsuse.de + +- Update to version 0.4.3 + * Added global/keepalive responses. + * Added runtime detection of WSAPoll(). + * Added a select(2) based poll-emulation if poll(2) is not available. + * Added a function to expand an escaped string. + * Added a function to expand the tilde from a path. + * Added a proxycommand support. + * Added ssh_privatekey_type public function + * Added the possibility to define _OPENSSL_DIR and _ZLIB_DIR. + * Fixed sftp_chown. + * Fixed sftp_rename on protocol version 3. + * Fixed a blocking bug in channel_poll. + * Fixed config parsing wich has overwritten user specified values. + * Fixed hashed [host]:port format in knownhosts + * Fixed Windows build. + * Fixed doublefree happening after a negociation error. + * Fixed aes*-ctr with <= OpenSSL 0.9.7b. + * Fixed some documentation. + * Fixed exec example which has broken read usage. + * Fixed broken algorithm choice for server. + * Fixed a typo that we don't export all symbols. + * Removed the unneeded dependency to doxygen. + * Build examples only on the Linux plattform. + +------------------------------------------------------------------- +Mon Mar 15 19:40:44 CET 2010 - anschneider@exsuse.de + +- Update to version 0.4.2 + * Added owner and group information in sftp attributes. + * Added missing SSH_OPTIONS_FD option. + * Added printout of owner and group in the sftp example. + * Added a prepend function for ssh_list. + * Added send back replies to openssh's keepalives. + * Fixed documentation in scp code + * Fixed longname parsing, this only workings with readdir. + * Fixed and added support for several identity files. + * Fixed sftp_parse_longname() on Windows. + * Fixed a race condition bug in ssh_scp_close() + * Remove config support for SSHv1 Cipher variable. + * Rename ssh_list_add to ssh_list_append. + * Rename ssh_list_get_head to ssh_list_pop_head + +------------------------------------------------------------------- +Mon Feb 15 12:41:47 CET 2010 - anschneider@exsuse.de + +- Fixed Requires. + +------------------------------------------------------------------- +Sat Feb 13 15:29:14 CET 2010 - anschneider@exsuse.de + +- Update to version 0.4.1 + * Added support for aes128-ctr, aes192-ctr and aes256-ctr encryption. + * Added an example for exec. + * Added private key type detection feature in privatekey_from_file(). + * Fixed zlib compression fallback. + * Fixed kex bug that client preference should be prioritary + * Fixed known_hosts file set by the user. + * Fixed a memleak in channel_accept(). + * Fixed underflow when leave_function() are unbalanced + * Fixed memory corruption in handle_channel_request_open(). + * Fixed closing of a file handle case of errors in privatekey_from_file(). + * Fixed ssh_get_user_home_dir() to be thread safe. + * Fixed the doxygen documentation. + +------------------------------------------------------------------- +Thu Dec 10 23:43:19 CET 2009 - anschneider@exsuse.de + +- Update to version 0.4.0 + * Added scp support. + * Added support for sending signals (RFC 4254, section 6.9). + * Added MSVC support. + * Added support for ~/.ssh/config. + * Added sftp extension support. + * Added X11 forwarding support for client. + * Added forward listening. + * Added support for openssh extensions (statvfs, fstatvfs). + * Added a cleaned up interface for setting options. + * Added a generic way to handle sockets asynchronously. + * Added logging of the sftp flags used to open a file. + * Added full poll() support and poll-emulation for win32. + * Added missing 64bit functions in sftp. ++++ 126 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.1:Update/.libssh.1120.new/libssh.changes New: ---- 0001-CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch 0003-CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch 0004-CVE-2012-4562-Fix-possible-string-related-integer-ov.patch 0005-CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch 0006-CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch 0007-CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch 0008-CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch 0009-CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch 0010-CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch 0011-CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch libssh-0.5.1.tar.bz2 libssh.changes libssh.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libssh.spec ++++++ # # spec file for package libssh # # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Url: http://www.libssh.org Name: libssh BuildRequires: cmake BuildRequires: doxygen BuildRequires: gcc-c++ BuildRequires: openssl-devel Version: 0.5.1 Release: 0 Summary: SSH library License: LGPL-2.1+ Group: System/Libraries Source0: %{name}-%{version}.tar.bz2 Patch1: 0001-CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch Patch2: 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch Patch3: 0003-CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch Patch4: 0004-CVE-2012-4562-Fix-possible-string-related-integer-ov.patch Patch5: 0005-CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch Patch6: 0006-CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch Patch7: 0007-CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch Patch8: 0008-CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch Patch9: 0009-CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch Patch10: 0010-CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch Patch11: 0011-CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires libssh4 = %{version}-%{release} %description The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl). This package provides libssh from http://www.libssh.org that should not be confused with libssh2 available from http://www.libssh2.org (libssh2 package) Authors: -------- Aris Adamantiadis Andreas Schneider Nick Zitzmann %package -n libssh4 Summary: SSH library Group: System/Libraries %description -n libssh4 The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl). This package provides libssh from http://www.libssh.org that should not be confused with libssh2 available from http://www.libssh2.org (libssh2 package) Authors: -------- Aris Adamantiadis Andreas Schneider Nick Zitzmann %package devel Summary: SSH library development headers Group: Development/Libraries/C and C++ Requires: libssh4 = %{version} %description devel Development headers for the SSH library. Authors: -------- Aris Adamantiadis Andreas Schneider Nick Zitzmann %package devel-doc Summary: SSH library api documentation Group: Development/Languages/C and C++ %description devel-doc Documentation for libssh development. Authors: -------- Aris Adamantiadis Andreas Schneider Nick Zitzmann %prep %setup -q %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %build if test ! -e "build"; then mkdir build fi pushd build cmake \ -DCMAKE_C_FLAGS:STRING="%{optflags} -DOPENSSL_LOAD_CONF" \ -DCMAKE_BUILD_TYPE=RelWithDebInfo \ -DCMAKE_SKIP_RPATH=ON \ -DCMAKE_INSTALL_PREFIX=%{_prefix} \ %if %{_lib} == lib64 -DLIB_SUFFIX=64 \ %endif %{_builddir}/%{name}-%{version} %__make %{?jobs:-j%jobs} VERBOSE=1 %__make doc popd build %install pushd build %if 0%{?suse_version} %makeinstall %else %__make DESTDIR=%{buildroot} install %endif popd build %post -n libssh4 /sbin/ldconfig %postun -n libssh4 /sbin/ldconfig %clean %{__rm} -rf %{buildroot} %files -n libssh4 %defattr(-,root,root) %doc AUTHORS README ChangeLog %{_libdir}/libssh.so.* %{_libdir}/libssh_threads.so.* %files devel %defattr(-,root,root) %{_includedir}/libssh %{_libdir}/libssh.so %{_libdir}/libssh_threads.so %{_libdir}/pkgconfig/libssh.pc %{_libdir}/pkgconfig/libssh_threads.pc %files devel-doc %defattr(-,root,root) %doc build/doc/html %changelog ++++++ 0001-CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch ++++++

From 0b6d7c05c872e5d8e348e9fe2d9fb0340446fbeb Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Fri, 25 Nov 2011 23:02:06 -0500 Subject: [PATCH 01/11] CVE-2012-4562: Fix possible integer overflow in ssh_get_hexa().

No exploit known, but it is better to check the string length. Signed-off-by: Andreas Schneider (cherry picked from commit a64247daa4ae5c82bc283907fa9ea57923ad9540) --- src/dh.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/dh.c b/src/dh.c index 30625db..e415b02 100644 --- a/src/dh.c +++ b/src/dh.c @@ -44,6 +44,7 @@ #include #include #include +#include #ifndef _WIN32 #include @@ -193,6 +194,9 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) { char *hexa = NULL; size_t i; + if (len > (UINT_MAX - 1) / 3) + return NULL; + hexa = malloc(len * 3 + 1); if (hexa == NULL) { return NULL; -- 1.7.10.4 ++++++ 0002-CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch ++++++

From 59a6f5f7338f26efff6c57dc6853c830218664e7 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Mon, 28 Nov 2011 04:42:54 -0500 Subject: [PATCH 02/11] CVE-2012-4562: Fix multiple integer overflows in buffer-related functions.

Signed-off-by: Andreas Schneider (cherry picked from commit ac1ef5d2caa8cb6e44c353ff542af09529bc94e8) --- src/buffer.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/src/buffer.c b/src/buffer.c index 27d2592..9e93a4a 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -21,6 +21,7 @@ * MA 02111-1307, USA. */ +#include #include #include @@ -180,6 +181,10 @@ int buffer_reinit(struct ssh_buffer_struct *buffer) { */ int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) { buffer_verify(buffer); + + if (buffer->used + len < len) + return -1; + if (buffer->allocated < (buffer->used + len)) { if(buffer->pos > 0) buffer_shift(buffer); @@ -318,6 +323,8 @@ int buffer_prepend_data(struct ssh_buffer_struct *buffer, const void *data, return 0; } /* pos isn't high enough */ + if (buffer->used - buffer->pos + len < len) + return -1; if (buffer->allocated < (buffer->used - buffer->pos + len)) { if (realloc_buffer(buffer, buffer->used - buffer->pos + len) < 0) { return -1; @@ -429,7 +436,7 @@ uint32_t buffer_get_rest_len(struct ssh_buffer_struct *buffer){ */ uint32_t buffer_pass_bytes(struct ssh_buffer_struct *buffer, uint32_t len){ buffer_verify(buffer); - if(buffer->used < buffer->pos+len) + if (buffer->pos + len < len || buffer->used < buffer->pos + len) return 0; buffer->pos+=len; /* if the buffer is empty after having passed the whole bytes into it, we can clean it */ @@ -454,8 +461,11 @@ uint32_t buffer_pass_bytes(struct ssh_buffer_struct *buffer, uint32_t len){ */ uint32_t buffer_pass_bytes_end(struct ssh_buffer_struct *buffer, uint32_t len){ buffer_verify(buffer); - if(buffer->used < buffer->pos + len) - return 0; + + if (buffer->used < len) { + return 0; + } + buffer->used-=len; buffer_verify(buffer); return len; @@ -548,7 +558,7 @@ struct ssh_string_struct *buffer_get_ssh_string(struct ssh_buffer_struct *buffer } hostlen = ntohl(stringlen); /* verify if there is enough space in buffer to get it */ - if ((buffer->pos + hostlen) > buffer->used) { + if (buffer->pos + hostlen < hostlen || buffer->pos + hostlen > buffer->used) { return NULL; /* it is indeed */ } str = ssh_string_new(hostlen); @@ -585,7 +595,7 @@ struct ssh_string_struct *buffer_get_mpint(struct ssh_buffer_struct *buffer) { } bits = ntohs(bits); len = (bits + 7) / 8; - if ((buffer->pos + len) > buffer->used) { + if (buffer->pos + len < len || buffer->pos + len > buffer->used) { return NULL; } str = ssh_string_new(len); -- 1.7.10.4 ++++++ 0003-CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch ++++++

From 66c524db6fd3063e806d14239a98048a4c63337a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 12 Oct 2012 11:35:20 +0200 Subject: [PATCH 03/11] CVE-2012-4562: Fix a possible infinite loop in buffer_reinit().

If needed is bigger than the highest power of two or a which fits in an integer we will loop forever. Signed-off-by: Andreas Schneider (cherry picked from commit fd09523c19be8dcdf7f83387d1f2f80f1bb0730d) --- src/buffer.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/buffer.c b/src/buffer.c index 9e93a4a..79f81f5 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -110,13 +110,18 @@ void ssh_buffer_free(struct ssh_buffer_struct *buffer) { SAFE_FREE(buffer); } -static int realloc_buffer(struct ssh_buffer_struct *buffer, int needed) { - int smallest = 1; - char *new = NULL; +static int realloc_buffer(struct ssh_buffer_struct *buffer, size_t needed) { + size_t smallest = 1; + char *new; + buffer_verify(buffer); + /* Find the smallest power of two which is greater or equal to needed */ while(smallest <= needed) { - smallest <<= 1; + if (smallest == 0) { + return -1; + } + smallest <<= 1; } needed = smallest; new = realloc(buffer->data, needed); -- 1.7.10.4 ++++++ 0004-CVE-2012-4562-Fix-possible-string-related-integer-ov.patch ++++++

From ba42ece534e50bb35b25a0d7bf4341500e728ba8 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Fri, 25 Nov 2011 23:02:57 -0500 Subject: [PATCH 04/11] CVE-2012-4562: Fix possible string related integer overflows.

Signed-off-by: Andreas Schneider (cherry picked from commit 743ace04331aa3e15fed4c972a884a2d2d3cab47) --- src/string.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/src/string.c b/src/string.c index 6be7c2a..f43c826 100644 --- a/src/string.c +++ b/src/string.c @@ -22,6 +22,7 @@ */ #include +#include #include #include @@ -51,7 +52,11 @@ struct ssh_string_struct *ssh_string_new(size_t size) { struct ssh_string_struct *str = NULL; - str = malloc(size + 4); + if (size > UINT_MAX - sizeof(struct ssh_string_struct)) { + return NULL; + } + + str = malloc(sizeof(struct ssh_string_struct) + size); if (str == NULL) { return NULL; } @@ -141,16 +146,22 @@ size_t ssh_string_len(struct ssh_string_struct *s) { char *ssh_string_to_char(struct ssh_string_struct *s) { size_t len; char *new; - if(s==NULL || s->string == NULL) - return NULL; - len = ntohl(s->size) + 1; - new = malloc(len); + if (s == NULL || s->string == NULL) { + return NULL; + } + len = ssh_string_len(s); + if (len + 1 < len) { + return NULL; + } + + new = malloc(len + 1); if (new == NULL) { return NULL; } - memcpy(new, s->string, len - 1); - new[len - 1] = '\0'; + memcpy(new, s->string, len); + new[len] = '\0'; + return new; } -- 1.7.10.4 ++++++ 0005-CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch ++++++

From 5d15e5a268f74f661168c4ff4afe213327d6105e Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 5 Oct 2012 11:37:09 +0200 Subject: [PATCH 05/11] CVE-2012-4560: Fix a write one past the end of the 'u' buffer.

Signed-off-by: Andreas Schneider (cherry picked from commit 1daa4057144aec1f52686ce4a5c347fd0d42599c) --- src/misc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/misc.c b/src/misc.c index 361fc2d..9dfe414 100644 --- a/src/misc.c +++ b/src/misc.c @@ -643,7 +643,7 @@ char *ssh_path_expand_tilde(const char *d) { size_t s = p - d; char u[128]; - if (s > sizeof(u)) { + if (s >= sizeof(u)) { return NULL; } memcpy(u, d, s); -- 1.7.10.4 ++++++ 0006-CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch ++++++

From 1caf97b289727ca5af00a4f8acc07d084889080f Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 5 Oct 2012 11:39:47 +0200 Subject: [PATCH 06/11] CVE-2012-4560: Fix a write one past the end of 'buf'.

Signed-off-by: Andreas Schneider (cherry picked from commit aaffc79d585b3fc1a10525fd3d3b1a7e5e23286d) --- src/misc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/misc.c b/src/misc.c index 9dfe414..fe3eaa4 100644 --- a/src/misc.c +++ b/src/misc.c @@ -707,7 +707,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) { if (*p != '%') { buf[i] = *p; i++; - if (i > MAX_BUF_SIZE) { + if (i >= MAX_BUF_SIZE) { + free(r); return NULL; } buf[i] = '\0'; @@ -757,7 +758,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) { } i += strlen(x); - if (i > MAX_BUF_SIZE) { + if (i >= MAX_BUF_SIZE) { ssh_set_error(session, SSH_FATAL, "String too long"); return NULL; -- 1.7.10.4 ++++++ 0007-CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch ++++++

From cdddfd1947f9bccd8a1e2a1c13e135a42dfcfe3a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 5 Oct 2012 14:33:29 +0200 Subject: [PATCH 07/11] CVE-2012-4559: Ensure we don't free blob or request twice.

Signed-off-by: Andreas Schneider (cherry picked from commit 84049cf4640f525aebefad351083ebcdd7e03fb6) --- src/agent.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/agent.c b/src/agent.c index a457d5e..0af2f15 100644 --- a/src/agent.c +++ b/src/agent.c @@ -438,6 +438,7 @@ ssh_string agent_sign_data(struct ssh_session_struct *session, } ssh_string_free(blob); + blob = NULL; reply = ssh_buffer_new(); if (reply == NULL) { @@ -450,6 +451,7 @@ ssh_string agent_sign_data(struct ssh_session_struct *session, return NULL; } ssh_buffer_free(request); + request = NULL; /* check if reply is valid */ if (buffer_get_u8(reply, (uint8_t *) &type) != sizeof(uint8_t)) { -- 1.7.10.4 ++++++ 0008-CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch ++++++

From d8b03cfe3869a57e4a6367b4a03681715d38102e Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 5 Oct 2012 14:39:51 +0200 Subject: [PATCH 08/11] CVE-2012-4559: Ensure that we don't free req twice.

Signed-off-by: Andreas Schneider (cherry picked from commit b9e249a396f4f0f135817e59f4d8323b58231e97) --- src/channels.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/channels.c b/src/channels.c index b6ad996..0d63fe7 100644 --- a/src/channels.c +++ b/src/channels.c @@ -1400,6 +1400,7 @@ static int channel_request(ssh_channel channel, const char *request, buffer_add_ssh_string(session->out_buffer, req) < 0 || buffer_add_u8(session->out_buffer, reply == 0 ? 0 : 1) < 0) { ssh_set_error_oom(session); + ssh_string_free(req); goto error; } ssh_string_free(req); @@ -1459,7 +1460,6 @@ static int channel_request(ssh_channel channel, const char *request, return rc; error: buffer_reinit(session->out_buffer); - ssh_string_free(req); leave_function(); return rc; -- 1.7.10.4 ++++++ 0009-CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch ++++++

From f12bf9ee2f05af398d341c6836f157cc6598f564 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 5 Oct 2012 14:46:36 +0200 Subject: [PATCH 09/11] CVE-2012-4559: Make sure we don't free name and longname twice on error.

From 1164c4ade5d39213a90e329042ae76d9a7f98f74 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 5 Oct 2012 14:56:56 +0200 Subject: [PATCH 10/11] CVE-2012-4561: Fix error handling of

From 8f2305c18c27ea8e2309bb897eef64e0351b170a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 5 Oct 2012 15:07:17 +0200 Subject: [PATCH 11/11] CVE-2012-4561: Fix possible free's on invalid

Signed-off-by: Andreas Schneider (cherry picked from commit f6e6f3e5e5c5242df1e0bf7d9311eba6e8ba376a) --- src/sftp.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/src/sftp.c b/src/sftp.c index 99798e7..127d062 100644 --- a/src/sftp.c +++ b/src/sftp.c @@ -1193,8 +1193,8 @@ static char *sftp_parse_longname(const char *longname, so that number of pairs equals extended_count */ static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf, int expectname) { - ssh_string longname = NULL; - ssh_string name = NULL; + ssh_string longname; + ssh_string name; sftp_attributes attr; uint32_t flags = 0; int ok = 0; @@ -1209,19 +1209,27 @@ static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf, /* This isn't really a loop, but it is like a try..catch.. */ do { if (expectname) { - if ((name = buffer_get_ssh_string(buf)) == NULL || - (attr->name = ssh_string_to_char(name)) == NULL) { - break; + name = buffer_get_ssh_string(buf); + if (name == NULL) { + break; } + attr->name = ssh_string_to_char(name); ssh_string_free(name); + if (attr->name == NULL) { + break; + } ssh_log(sftp->session, SSH_LOG_RARE, "Name: %s", attr->name); - if ((longname=buffer_get_ssh_string(buf)) == NULL || - (attr->longname=ssh_string_to_char(longname)) == NULL) { - break; + longname = buffer_get_ssh_string(buf); + if (longname == NULL) { + break; } + attr->longname = ssh_string_to_char(longname); ssh_string_free(longname); + if (attr->longname == NULL) { + break; + } /* Set owner and group if we talk to openssh and have the longname */ if (ssh_get_openssh_version(sftp->session)) { @@ -1326,8 +1334,6 @@ static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf, if (!ok) { /* break issued somewhere */ - ssh_string_free(name); - ssh_string_free(longname); ssh_string_free(attr->extended_type); ssh_string_free(attr->extended_data); SAFE_FREE(attr->name); -- 1.7.10.4 ++++++ 0010-CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch ++++++ try_publickey_from_file(). Signed-off-by: Andreas Schneider (cherry picked from commit a7e3f34c1e0e29ddedb47716e9dd7b1188b53305) --- src/keyfiles.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/keyfiles.c b/src/keyfiles.c index e160f71..584f60c 100644 --- a/src/keyfiles.c +++ b/src/keyfiles.c @@ -1214,7 +1214,7 @@ ssh_string try_publickey_from_file(ssh_session session, struct ssh_keys_struct k const char *priv; const char *pub; char *new; - ssh_string pubkey=NULL; + ssh_string pubkey; pub = keytab.publickey; if (pub == NULL) { @@ -1234,13 +1234,13 @@ ssh_string try_publickey_from_file(ssh_session session, struct ssh_keys_struct k ssh_log(session, SSH_LOG_PACKET, "Trying to open publickey %s", pub); if (!ssh_file_readaccess_ok(pub)) { ssh_log(session, SSH_LOG_PACKET, "Failed to open publickey %s", pub); - goto error; + return NULL; } ssh_log(session, SSH_LOG_PACKET, "Trying to open privatekey %s", priv); if (!ssh_file_readaccess_ok(priv)) { ssh_log(session, SSH_LOG_PACKET, "Failed to open privatekey %s", priv); - goto error; + return NULL; } ssh_log(session, SSH_LOG_PACKET, "Success opening public and private key"); @@ -1255,18 +1255,18 @@ ssh_string try_publickey_from_file(ssh_session session, struct ssh_keys_struct k "Wasn't able to open public key file %s: %s", pub, ssh_get_error(session)); - goto error; + return NULL; } new = realloc(*privkeyfile, strlen(priv) + 1); if (new == NULL) { ssh_string_free(pubkey); - goto error; + return NULL; } strcpy(new, priv); *privkeyfile = new; -error: + return pubkey; } -- 1.7.10.4 ++++++ 0011-CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch ++++++ pointers. Signed-off-by: Andreas Schneider (cherry picked from commit a211a6ee1a6aee251a5b45890c6cf870178b5ea4) --- src/keys.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/keys.c b/src/keys.c index de6b8f2..9ae25a3 100644 --- a/src/keys.c +++ b/src/keys.c @@ -88,6 +88,7 @@ ssh_public_key publickey_make_dss(ssh_session session, ssh_buffer buffer) { ssh_buffer_free(buffer); return NULL; } + ZERO_STRUCTP(key); key->type = SSH_KEYTYPE_DSS; key->type_c = ssh_type_to_char(key->type); @@ -173,6 +174,7 @@ ssh_public_key publickey_make_rsa(ssh_session session, ssh_buffer buffer, ssh_buffer_free(buffer); return NULL; } + ZERO_STRUCTP(key); key->type = type; key->type_c = ssh_type_to_char(key->type); @@ -897,6 +899,7 @@ SIGNATURE *signature_from_string(ssh_session session, ssh_string signature, ssh_set_error(session, SSH_FATAL, "Not enough space"); return NULL; } + ZERO_STRUCTP(sign); tmpbuf = ssh_buffer_new(); if (tmpbuf == NULL) { @@ -1280,6 +1283,7 @@ ssh_string ssh_do_sign(ssh_session session, ssh_buffer sigbuf, if (sign == NULL) { return NULL; } + ZERO_STRUCTP(sign); switch(privatekey->type) { case SSH_KEYTYPE_DSS: @@ -1436,6 +1440,7 @@ ssh_string ssh_sign_session_id(ssh_session session, ssh_private_key privatekey) if (sign == NULL) { return NULL; } + ZERO_STRUCTP(sign); switch(privatekey->type) { case SSH_KEYTYPE_DSS: -- 1.7.10.4 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org