From 55575567a740c972a0b813823ec9d70513e41d65 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 14 Jul 2020 01:34:17 +0000 Subject: [PATCH] import libssh-0.9.4-2.el8 --- ...libssh-0.9.4-add-cve-2019-14889-test.patch | 125 ++++++++++++++++++ ...9.4-do-not-parse-config-during-tests.patch | 58 ++++++++ ...t-return-error-server-closed-channel.patch | 43 ++++++ SPECS/libssh.spec | 10 +- 4 files changed, 235 insertions(+), 1 deletion(-) create mode 100644 SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch create mode 100644 SOURCES/libssh-0.9.4-do-not-parse-config-during-tests.patch create mode 100644 SOURCES/libssh-0.9.4-do-not-return-error-server-closed-channel.patch diff --git a/SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch b/SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch new file mode 100644 index 0000000..ce149b4 --- /dev/null +++ b/SOURCES/libssh-0.9.4-add-cve-2019-14889-test.patch @@ -0,0 +1,125 @@ +From 1694606e12d8950b003ff86248883732ef05e00c Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Fri, 19 Jun 2020 11:59:33 +0200 +Subject: [PATCH] tests: Add test for CVE-2019-14889 + +The test checks if a command appended to the file path is not executed. + +Signed-off-by: Anderson Toshiyuki Sasaki +Reviewed-by: Andreas Schneider +--- + tests/client/torture_scp.c | 84 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 84 insertions(+) + +diff --git a/tests/client/torture_scp.c b/tests/client/torture_scp.c +index 8f080af3..59a00bae 100644 +--- a/tests/client/torture_scp.c ++++ b/tests/client/torture_scp.c +@@ -37,6 +37,7 @@ + #define BUF_SIZE 1024 + + #define TEMPLATE BINARYDIR "/tests/home/alice/temp_dir_XXXXXX" ++#define ALICE_HOME BINARYDIR "/tests/home/alice" + + struct scp_st { + struct torture_state *s; +@@ -540,6 +541,86 @@ static void torture_scp_upload_newline(void **state) + fclose(file); + } + ++static void torture_scp_upload_appended_command(void **state) ++{ ++ struct scp_st *ts = NULL; ++ struct torture_state *s = NULL; ++ ++ ssh_session session = NULL; ++ ssh_scp scp = NULL; ++ ++ FILE *file = NULL; ++ ++ char buf[1024]; ++ char *rs = NULL; ++ int rc; ++ ++ assert_non_null(state); ++ ts = *state; ++ ++ assert_non_null(ts->s); ++ s = ts->s; ++ ++ session = s->ssh.session; ++ assert_non_null(session); ++ ++ assert_non_null(ts->tmp_dir_basename); ++ assert_non_null(ts->tmp_dir); ++ ++ /* Upload a file path with a command appended */ ++ ++ /* Append a command to the file path */ ++ snprintf(buf, BUF_SIZE, "%s" ++ "/;touch hack", ++ ts->tmp_dir); ++ ++ /* When writing the file_name must be the directory name */ ++ scp = ssh_scp_new(session, SSH_SCP_WRITE | SSH_SCP_RECURSIVE, ++ buf); ++ assert_non_null(scp); ++ ++ rc = ssh_scp_init(scp); ++ assert_ssh_return_code(session, rc); ++ ++ /* Push directory where the new file will be copied */ ++ rc = ssh_scp_push_directory(scp, ";touch hack", 0755); ++ assert_ssh_return_code(session, rc); ++ ++ /* Try to push file */ ++ rc = ssh_scp_push_file(scp, "original", 8, 0644); ++ assert_ssh_return_code(session, rc); ++ ++ rc = ssh_scp_write(scp, "original", 8); ++ assert_ssh_return_code(session, rc); ++ ++ /* Leave the directory */ ++ rc = ssh_scp_leave_directory(scp); ++ assert_ssh_return_code(session, rc); ++ ++ /* Cleanup */ ++ ssh_scp_close(scp); ++ ssh_scp_free(scp); ++ ++ /* Make sure the command was not executed */ ++ snprintf(buf, BUF_SIZE, ALICE_HOME "/hack"); ++ file = fopen(buf, "r"); ++ assert_null(file); ++ ++ /* Open the file and check content */ ++ snprintf(buf, BUF_SIZE, "%s" ++ "/;touch hack/original", ++ ts->tmp_dir); ++ ++ file = fopen(buf, "r"); ++ assert_non_null(file); ++ ++ rs = fgets(buf, 1024, file); ++ assert_non_null(rs); ++ assert_string_equal(buf, "original"); ++ ++ fclose(file); ++} ++ + int torture_run_tests(void) + { + int rc; +@@ -559,6 +640,9 @@ int torture_run_tests(void) + cmocka_unit_test_setup_teardown(torture_scp_upload_newline, + session_setup, + session_teardown), ++ cmocka_unit_test_setup_teardown(torture_scp_upload_appended_command, ++ session_setup, ++ session_teardown), + }; + + ssh_init(); +-- +2.26.2 + diff --git a/SOURCES/libssh-0.9.4-do-not-parse-config-during-tests.patch b/SOURCES/libssh-0.9.4-do-not-parse-config-during-tests.patch new file mode 100644 index 0000000..ac5ee0d --- /dev/null +++ b/SOURCES/libssh-0.9.4-do-not-parse-config-during-tests.patch @@ -0,0 +1,58 @@ +From f10d80047c660e33f5c365bf3cf436a0c2a300f1 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Tue, 23 Jun 2020 18:31:47 +0200 +Subject: [PATCH] tests: Do not parse configuration file in torture_knownhosts + +The test might fail if there is a local configuration file that changes +the location of the known_hosts file. The test should not be affected +by configuration files present in the testing environment. + +Signed-off-by: Anderson Toshiyuki Sasaki +Reviewed-by: Jakub Jelen +--- + tests/client/torture_knownhosts.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/tests/client/torture_knownhosts.c b/tests/client/torture_knownhosts.c +index fcc54846..55aee217 100644 +--- a/tests/client/torture_knownhosts.c ++++ b/tests/client/torture_knownhosts.c +@@ -307,6 +307,7 @@ static void torture_knownhosts_other_auto(void **state) { + char tmp_file[1024] = {0}; + char *known_hosts_file = NULL; + int rc; ++ bool process_config = false; + + snprintf(tmp_file, + sizeof(tmp_file), +@@ -344,6 +345,9 @@ static void torture_knownhosts_other_auto(void **state) { + + s->ssh.session = session; + ++ rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &process_config); ++ assert_ssh_return_code(session, rc); ++ + rc = ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER); + assert_ssh_return_code(session, rc); + +@@ -368,6 +372,7 @@ static void torture_knownhosts_conflict(void **state) { + char *known_hosts_file = NULL; + FILE *file; + int rc; ++ bool process_config = false; + + snprintf(tmp_file, + sizeof(tmp_file), +@@ -411,6 +416,9 @@ static void torture_knownhosts_conflict(void **state) { + + s->ssh.session = session; + ++ rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &process_config); ++ assert_ssh_return_code(session, rc); ++ + ssh_options_set(session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER); + ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, known_hosts_file); + rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, "rsa-sha2-256"); +-- +2.26.2 + diff --git a/SOURCES/libssh-0.9.4-do-not-return-error-server-closed-channel.patch b/SOURCES/libssh-0.9.4-do-not-return-error-server-closed-channel.patch new file mode 100644 index 0000000..387b9c0 --- /dev/null +++ b/SOURCES/libssh-0.9.4-do-not-return-error-server-closed-channel.patch @@ -0,0 +1,43 @@ +From 750e4f3f9d3ec879929801d65a500ec3ad84ff67 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Thu, 18 Jun 2020 19:08:54 +0200 +Subject: [PATCH] channel: Do not return error if the server closed the channel + +If the server properly closed the channel, the client should not return +error if it finds the channel closed. + +Fixes T231 + +Signed-off-by: Anderson Toshiyuki Sasaki +Reviewed-by: Jakub Jelen +--- + src/channels.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/channels.c b/src/channels.c +index 9fe309d0..607bd568 100644 +--- a/src/channels.c ++++ b/src/channels.c +@@ -2932,15 +2932,16 @@ int ssh_channel_read_timeout(ssh_channel channel, + if (session->session_state == SSH_SESSION_STATE_ERROR) { + return SSH_ERROR; + } ++ /* If the server closed the channel properly, there is nothing to do */ ++ if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) { ++ return 0; ++ } + if (channel->state == SSH_CHANNEL_STATE_CLOSED) { + ssh_set_error(session, + SSH_FATAL, + "Remote channel is closed."); + return SSH_ERROR; + } +- if (channel->remote_eof && ssh_buffer_get_len(stdbuf) == 0) { +- return 0; +- } + len = ssh_buffer_get_len(stdbuf); + /* Read count bytes if len is greater, everything otherwise */ + len = (len > count ? count : len); +-- +2.26.2 + diff --git a/SPECS/libssh.spec b/SPECS/libssh.spec index fa5ea10..c61df8b 100644 --- a/SPECS/libssh.spec +++ b/SPECS/libssh.spec @@ -1,6 +1,6 @@ Name: libssh Version: 0.9.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH protocol License: LGPLv2+ URL: http://www.libssh.org @@ -13,6 +13,9 @@ Source4: libssh_server.config Patch0: libssh-0.9.4-enable-sshd-sha1-algorithms.patch Patch1: libssh-0.9.4-fix-version.patch +Patch2: libssh-0.9.4-do-not-return-error-server-closed-channel.patch +Patch3: libssh-0.9.4-add-cve-2019-14889-test.patch +Patch4: libssh-0.9.4-do-not-parse-config-during-tests.patch BuildRequires: cmake BuildRequires: doxygen @@ -132,6 +135,11 @@ popd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config %changelog +* Wed Jun 24 2020 Anderson Sasaki - 0.9.4-2 +- Do not return error when server properly closed the channel (#1849071) +- Add a test for CVE-2019-14889 +- Do not parse configuration file in torture_knownhosts test + * Tue May 26 2020 Anderson Sasaki - 0.9.4-1 - Update to version 0.9.4 https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/