forked from rpms/openssh
Minor cleanups from upstream
Fix one-byte overflow in SSH banner processing Resolves: rhbz#2138345 Fix double free() in error path Resolves: rhbz#2138347
This commit is contained in:
parent
b0f3205a21
commit
6f747825fa
57
openssh-9.1p1-sshbanner.patch
Normal file
57
openssh-9.1p1-sshbanner.patch
Normal file
@ -0,0 +1,57 @@
|
||||
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
|
||||
index d29a03b4..d7283136 100644
|
||||
--- a/ssh-keyscan.c
|
||||
+++ b/ssh-keyscan.c
|
||||
@@ -490,6 +490,15 @@ congreet(int s)
|
||||
return;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Read the server banner as per RFC4253 section 4.2. The "SSH-"
|
||||
+ * protocol identification string may be preceeded by an arbitarily
|
||||
+ * large banner which we must read and ignore. Loop while reading
|
||||
+ * newline-terminated lines until we have one starting with "SSH-".
|
||||
+ * The ID string cannot be longer than 255 characters although the
|
||||
+ * preceeding banner lines may (in which case they'll be discarded
|
||||
+ * in multiple iterations of the outer loop).
|
||||
+ */
|
||||
for (;;) {
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
bufsiz = sizeof(buf);
|
||||
@@ -517,6 +526,11 @@ congreet(int s)
|
||||
conrecycle(s);
|
||||
return;
|
||||
}
|
||||
+ if (cp >= buf + sizeof(buf)) {
|
||||
+ error("%s: greeting exceeds allowable length", c->c_name);
|
||||
+ confree(s);
|
||||
+ return;
|
||||
+ }
|
||||
if (*cp != '\n' && *cp != '\r') {
|
||||
error("%s: bad greeting", c->c_name);
|
||||
confree(s);
|
||||
diff --git a/sshsig.c b/sshsig.c
|
||||
index 1e3b6398..eb2a931e 100644
|
||||
--- a/sshsig.c
|
||||
+++ b/sshsig.c
|
||||
@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
|
||||
{
|
||||
char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
|
||||
ssize_t n, total = 0;
|
||||
- struct ssh_digest_ctx *ctx;
|
||||
+ struct ssh_digest_ctx *ctx = NULL;
|
||||
int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
|
||||
struct sshbuf *b = NULL;
|
||||
|
||||
@@ -549,9 +548,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
|
||||
/* success */
|
||||
r = 0;
|
||||
out:
|
||||
+ oerrno = errno;
|
||||
sshbuf_free(b);
|
||||
ssh_digest_free(ctx);
|
||||
explicit_bzero(hash, sizeof(hash));
|
||||
+ errno = oerrno;
|
||||
return r;
|
||||
}
|
||||
|
11
openssh.spec
11
openssh.spec
@ -51,7 +51,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 8.7p1
|
||||
%global openssh_rel 25
|
||||
%global openssh_rel 26
|
||||
%global pam_ssh_agent_ver 0.10.4
|
||||
%global pam_ssh_agent_rel 5
|
||||
|
||||
@ -221,6 +221,8 @@ Patch983: openssh-8.7p1-evpgenkey.patch
|
||||
# downstream only, IBMCA tentative fix
|
||||
# From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14
|
||||
Patch984: openssh-8.7p1-ibmca.patch
|
||||
# Upstream ff89b1bed80721295555bd083b173247a9c0484e, 5062ad48814b06162511c4f5924a33d97b6b2566
|
||||
Patch986: openssh-9.1p1-sshbanner.patch
|
||||
|
||||
# Minimize the use of SHA1 as a proof of possession for RSA key (#2031868)
|
||||
# upstream commits:
|
||||
@ -442,6 +444,7 @@ popd
|
||||
%patch982 -p1 -b .minrsabits
|
||||
%patch983 -p1 -b .evpgenrsa
|
||||
%patch984 -p1 -b .ibmca
|
||||
%patch986 -p1 -b .91cleanup
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
@ -734,6 +737,12 @@ test -f %{sysconfig_anaconda} && \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jan 06 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-26
|
||||
- Fix one-byte overflow in SSH banner processing
|
||||
Resolves: rhbz#2138345
|
||||
- Fix double free() in error path
|
||||
Resolves: rhbz#2138347
|
||||
|
||||
* Fri Dec 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-25
|
||||
- Build fix after OpenSSL rebase
|
||||
Resolves: rhbz#2153626
|
||||
|
Loading…
Reference in New Issue
Block a user