import libssh-0.9.4-3.el8

2021-10-06 07:14:43 -04:00 · 2021-10-06 07:14:43 -04:00 · 6442aaae0e
commit 6442aaae0e
parent 4f9d93effb
2 changed files with 47 additions and 1 deletions
--- a/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch
+++ b/SOURCES/libssh-0.9.4-fix-cve-2020-16135.patch
@ -0,0 +1,41 @@
+diff -up libssh-0.9.4/src/buffer.c.fix-cve-2020-16135 libssh-0.9.4/src/buffer.c
+--- libssh-0.9.4/src/buffer.c.fix-cve-2020-16135	2021-04-21 10:27:53.562473773 +0200
+++ libssh-0.9.4/src/buffer.c	2021-04-21 10:29:21.768165663 +0200
+@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_
+  */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
+  if (buffer == NULL) {
+      return -1;
+  }
+
+   buffer_verify(buffer);
+ 
+   if (data == NULL) {
+diff -up libssh-0.9.4/src/sftpserver.c.fix-cve-2020-16135 libssh-0.9.4/src/sftpserver.c
+--- libssh-0.9.4/src/sftpserver.c.fix-cve-2020-16135	2021-04-21 10:30:43.864796642 +0200
+++ libssh-0.9.4/src/sftpserver.c	2021-04-21 10:41:52.166933113 +0200
+@@ -67,9 +67,20 @@ sftp_client_message sftp_get_client_mess
+ 
+   /* take a copy of the whole packet */
+   msg->complete_message = ssh_buffer_new();
+-  ssh_buffer_add_data(msg->complete_message,
+-                      ssh_buffer_get(payload),
+-                      ssh_buffer_get_len(payload));
+  if (msg->complete_message == NULL) {
+      ssh_set_error_oom(session);
+      sftp_client_message_free(msg);
+      return NULL;
+  }
+
+  rc = ssh_buffer_add_data(msg->complete_message,
+                           ssh_buffer_get(payload),
+                           ssh_buffer_get_len(payload));
+  if (rc < 0) {
+      ssh_set_error_oom(session);
+      sftp_client_message_free(msg);
+      return NULL;
+  }
+ 
+   ssh_buffer_get_u32(payload, &msg->id);
+ 
--- a/SPECS/libssh.spec
+++ b/SPECS/libssh.spec
@ -1,6 +1,6 @@
 Name:           libssh
 Version:        0.9.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
@ -16,6 +16,7 @@ Patch1:         libssh-0.9.4-fix-version.patch
 Patch2:         libssh-0.9.4-do-not-return-error-server-closed-channel.patch
 Patch3:         libssh-0.9.4-add-cve-2019-14889-test.patch
 Patch4:         libssh-0.9.4-do-not-parse-config-during-tests.patch
+Patch5:         libssh-0.9.4-fix-cve-2020-16135.patch

 BuildRequires:  cmake
 BuildRequires:  doxygen
@ -135,6 +136,10 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config

 %changelog
+* Wed Apr 21 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-3
+- Fix CVE-2020-16135 NULL pointer dereference in sftpserver.c if
+  ssh_buffer_new returns NULL (#1862646)
+
 * Wed Jun 24 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.9.4-2
 - Do not return error when server properly closed the channel (#1849071)
 - Add a test for CVE-2019-14889