rpms/libssh
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2023-1667 and CVE-2023-2283

Browse Source 
- Fix CVEs and fix issues found by cosvcan after the change

Resolves: rhbz#2182252, rhbz#2189740

Signed-off-by: Norbert Pocs <npocs@redhat.com>
This commit is contained in:
Norbert Pocs 2023-05-15 11:36:03 +02:00
parent 037a76b81c
commit e3ddbe6a80
5 changed files with 2202 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
auth_bypass.patch Normal file
View File

@ -0,0 +1,82 @@
diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
--- ../libssh-0.10.4/src/pki_crypto.c 2023-04-27 13:24:03.105744519 +0200
+++ ./src/pki_crypto.c 2023-04-27 13:30:24.016756496 +0200
@@ -3186,8 +3186,12 @@
unsigned char *raw_sig_data = NULL;
unsigned int raw_sig_len;
+ /* Function return code
+ * Do not change this variable throughout the function until the signature
+ * is successfully verified!
+ */
int rc = SSH_ERROR;
- int evp_rc;
+ int ok;
if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
signature == NULL || (signature->raw_sig == NULL
@@ -3202,8 +3206,8 @@
}
/* Check if public key and hash type are compatible */
- rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);
- if (rc != SSH_OK) {
+ ok = pki_key_check_hash_compatible(pubkey, signature->hash_type);
+ if (ok != SSH_OK) {
return SSH_ERROR;
}
@@ -3248,8 +3252,8 @@
}
/* Verify the signature */
- evp_rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
- if (evp_rc != 1){
+ ok = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+ if (ok != 1){
SSH_LOG(SSH_LOG_TRACE,
"EVP_DigestVerifyInit() failed: %s",
ERR_error_string(ERR_get_error(), NULL));
@@ -3257,32 +3261,30 @@
}
#ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
- evp_rc = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
+ ok = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
#else
- evp_rc = EVP_DigestVerifyUpdate(ctx, input, input_len);
- if (evp_rc != 1) {
+ ok = EVP_DigestVerifyUpdate(ctx, input, input_len);
+ if (ok != 1) {
SSH_LOG(SSH_LOG_TRACE,
"EVP_DigestVerifyUpdate() failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto out;
}
- evp_rc = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
+ ok = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
#endif
- if (evp_rc == 1) {
- SSH_LOG(SSH_LOG_TRACE, "Signature valid");
- rc = SSH_OK;
- } else {
+ if (ok != 1) {
SSH_LOG(SSH_LOG_TRACE,
"Signature invalid: %s",
ERR_error_string(ERR_get_error(), NULL));
- rc = SSH_ERROR;
+ goto out;
}
+ SSH_LOG(SSH_LOG_TRACE, "Signature valid");
+ rc = SSH_OK;
+
out:
- if (ctx != NULL) {
- EVP_MD_CTX_free(ctx);
- }
+ EVP_MD_CTX_free(ctx);
EVP_PKEY_free(pkey);
return rc;
}

228
covscan23.patch Normal file
View File

@ -0,0 +1,228 @@
diff --color -ru ../libssh-0.10.4/src/buffer.c ./src/buffer.c
--- ../libssh-0.10.4/src/buffer.c 2023-05-03 12:22:40.304114511 +0200
+++ ./src/buffer.c 2023-05-03 12:24:11.578110236 +0200
@@ -747,7 +747,8 @@
*/
int ssh_buffer_validate_length(struct ssh_buffer_struct *buffer, size_t len)
{
- if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+ if (buffer == NULL || buffer->pos + len < len ||
+ buffer->pos + len > buffer->used) {
return SSH_ERROR;
}
diff --color -ru ../libssh-0.10.4/src/gssapi.c ./src/gssapi.c
--- ../libssh-0.10.4/src/gssapi.c 2023-05-03 12:22:40.356115078 +0200
+++ ./src/gssapi.c 2023-05-03 12:24:11.566110105 +0200
@@ -444,11 +444,18 @@
hexa = ssh_get_hexa(output_token.value, output_token.length);
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
SAFE_FREE(hexa);
- ssh_buffer_pack(session->out_buffer,
- "bdP",
- SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
- output_token.length,
- (size_t)output_token.length, output_token.value);
+ rc = ssh_buffer_pack(session->out_buffer,
+ "bdP",
+ SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+ output_token.length,
+ (size_t)output_token.length, output_token.value);
+ if (rc != SSH_OK) {
+ ssh_set_error_oom(session);
+ ssh_auth_reply_default(session, 0);
+ ssh_gssapi_free(session);
+ session->gssapi = NULL;
+ return SSH_PACKET_USED;
+ }
ssh_packet_send(session);
}
@@ -857,6 +864,7 @@
}
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
+ int rc;
ssh_string oid_s;
gss_uint32 maj_stat, min_stat;
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
@@ -908,11 +916,15 @@
hexa = ssh_get_hexa(output_token.value, output_token.length);
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s", hexa);
SAFE_FREE(hexa);
- ssh_buffer_pack(session->out_buffer,
- "bdP",
- SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
- output_token.length,
- (size_t)output_token.length, output_token.value);
+ rc = ssh_buffer_pack(session->out_buffer,
+ "bdP",
+ SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+ output_token.length,
+ (size_t)output_token.length, output_token.value);
+ if (rc != SSH_OK) {
+ ssh_set_error_oom(session);
+ goto error;
+ }
ssh_packet_send(session);
session->auth.state = SSH_AUTH_STATE_GSSAPI_TOKEN;
}
@@ -975,6 +987,7 @@
}
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){
+ int rc;
ssh_string token;
char *hexa;
OM_uint32 maj_stat, min_stat;
@@ -1027,11 +1040,15 @@
hexa = ssh_get_hexa(output_token.value, output_token.length);
SSH_LOG(SSH_LOG_PACKET, "GSSAPI: sending token %s",hexa);
SAFE_FREE(hexa);
- ssh_buffer_pack(session->out_buffer,
- "bdP",
- SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
- output_token.length,
- (size_t)output_token.length, output_token.value);
+ rc = ssh_buffer_pack(session->out_buffer,
+ "bdP",
+ SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
+ output_token.length,
+ (size_t)output_token.length, output_token.value);
+ if (rc != SSH_OK) {
+ ssh_set_error_oom(session);
+ goto error;
+ }
ssh_packet_send(session);
}
diff --color -ru ../libssh-0.10.4/src/options.c ./src/options.c
--- ../libssh-0.10.4/src/options.c 2023-05-03 12:22:40.342114926 +0200
+++ ./src/options.c 2023-05-03 12:24:11.582110280 +0200
@@ -614,7 +614,9 @@
}
i = strtol(q, &p, 10);
if (q == p) {
+ SSH_LOG(SSH_LOG_DEBUG, "No port number was parsed");
SAFE_FREE(q);
+ return -1;
}
SAFE_FREE(q);
if (i <= 0) {
@@ -816,7 +818,9 @@
}
i = strtol(q, &p, 10);
if (q == p) {
+ SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
SAFE_FREE(q);
+ return -1;
}
SAFE_FREE(q);
if (i < 0) {
@@ -2035,7 +2039,9 @@
}
i = strtol(q, &p, 10);
if (q == p) {
- SAFE_FREE(q);
+ SSH_LOG(SSH_LOG_DEBUG, "No bind port was parsed");
+ SAFE_FREE(q);
+ return -1;
}
SAFE_FREE(q);
@@ -2062,7 +2068,9 @@
}
i = strtol(q, &p, 10);
if (q == p) {
- SAFE_FREE(q);
+ SSH_LOG(SSH_LOG_DEBUG, "No log verbositiy was parsed");
+ SAFE_FREE(q);
+ return -1;
}
SAFE_FREE(q);
diff --color -ru ../libssh-0.10.4/src/pki_container_openssh.c ./src/pki_container_openssh.c
--- ../libssh-0.10.4/src/pki_container_openssh.c 2023-05-03 12:22:40.314114620 +0200
+++ ./src/pki_container_openssh.c 2023-05-03 12:24:11.566110105 +0200
@@ -630,7 +630,11 @@
goto error;
}
- ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
+ rc = ssh_buffer_pack(kdf_buf, "Sd", salt, rounds);
+ if (rc != SSH_OK) {
+ SSH_BUFFER_FREE(kdf_buf);
+ goto error;
+ }
kdf_options = ssh_string_new(ssh_buffer_get_len(kdf_buf));
if (kdf_options == NULL){
SSH_BUFFER_FREE(kdf_buf);
diff --color -ru ../libssh-0.10.4/tests/unittests/torture_options.c ./tests/unittests/torture_options.c
--- ../libssh-0.10.4/tests/unittests/torture_options.c 2023-05-03 12:22:40.343114937 +0200
+++ ./tests/unittests/torture_options.c 2023-05-03 12:24:11.587110335 +0200
@@ -319,6 +319,7 @@
rc = ssh_options_set(session, SSH_OPTIONS_PORT_STR, "five");
assert_true(rc == -1);
+ assert_int_not_equal(session->opts.port, 0);
rc = ssh_options_set(session, SSH_OPTIONS_PORT, NULL);
assert_true(rc == -1);
@@ -1496,6 +1497,26 @@
ssh_list_free(awaited_list);
}
+static void torture_options_set_verbosity (void **state)
+{
+ ssh_session session = *state;
+ int rc, new_level;
+
+ rc = ssh_options_set(session,
+ SSH_OPTIONS_LOG_VERBOSITY_STR,
+ "3");
+ assert_int_equal(rc, SSH_OK);
+ new_level = ssh_get_log_level();
+ assert_int_equal(new_level, SSH_LOG_PACKET);
+
+ rc = ssh_options_set(session,
+ SSH_OPTIONS_LOG_VERBOSITY_STR,
+ "datsun");
+ assert_int_equal(rc, -1);
+ new_level = ssh_get_log_level();
+ assert_int_not_equal(new_level, 0);
+}
+
#ifdef WITH_SERVER
const char template[] = "temp_dir_XXXXXX";
@@ -1750,6 +1771,10 @@
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "23");
assert_int_equal(rc, 0);
assert_int_equal(bind->bindport, 23);
+
+ rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_BINDPORT_STR, "twentythree");
+ assert_int_equal(rc, -1);
+ assert_int_not_equal(bind->bindport, 0);
}
static void torture_bind_options_log_verbosity(void **state)
@@ -1799,6 +1824,11 @@
new_level = ssh_get_log_level();
assert_int_equal(new_level, SSH_LOG_PACKET);
+ rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, "verbosity");
+ assert_int_equal(rc, -1);
+ new_level = ssh_get_log_level();
+ assert_int_not_equal(new_level, 0);
+
rc = ssh_set_log_level(previous_level);
assert_int_equal(rc, SSH_OK);
}
@@ -2297,6 +2327,7 @@
cmocka_unit_test_setup_teardown(torture_options_caret_sign,
setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_apply, setup, teardown),
+ cmocka_unit_test_setup_teardown(torture_options_set_verbosity, setup, teardown),
};
#ifdef WITH_SERVER

11
libssh.spec
View File

@ -1,6 +1,6 @@
Name: libssh
Version: 0.10.4
Release: 8%{?dist}
Release: 9%{?dist}
Summary: A library implementing the SSH protocol
License: LGPLv2+
URL: http://www.libssh.org
@ -46,6 +46,10 @@ Patch4: plus_sign.patch
Patch5: memory_leak.patch
Patch6: options_apply.patch
Patch7: enable_sk_keys_by_config.patch
Patch8: null_dereference_rekey.patch
Patch9: auth_bypass.patch
Patch10: covscan23.patch
Patch11: rekey_test_fixup.patch
%description
The ssh library was designed to be used by programmers needing a working SSH
@ -138,6 +142,11 @@ popd
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
%changelog
* Wed May 10 2023 Norbert Pocs <npocs@redhat.com> - 0.10.4-9
- Fix CVE-2023-1667 and CVE-2023-2283
- Fix issues found by cosvcan
- Resolves: rhbz#2182252, rhbz#2189740
* Mon Jan 23 2023 Stanislav Zidek <szidek@redhat.com> - 0.10.4-8
+ libssh-0.10.4-8
- Extended CI to run internal tests in RHEL

1861
null_dereference_rekey.patch Normal file
View File

File diff suppressed because it is too large Load Diff

21
rekey_test_fixup.patch Normal file
View File

@ -0,0 +1,21 @@
diff --color -ru ../libssh-0.10.4/tests/client/torture_rekey.c ./tests/client/torture_rekey.c
--- ../libssh-0.10.4/tests/client/torture_rekey.c 2023-05-17 10:55:23.384684129 +0200
+++ ./tests/client/torture_rekey.c 2023-05-17 10:56:29.819334665 +0200
@@ -504,7 +504,7 @@
memset(data, 'A', 128);
for (i = 0; i < KEX_RETRY; i++) {
ssh_send_ignore(s->ssh.session, data);
- ssh_handle_packets(s->ssh.session, 100);
+ ssh_handle_packets(s->ssh.session, 1000);
c = s->ssh.session->current_crypto;
/* SHA256 len */
@@ -582,7 +582,7 @@
memset(data, 'A', 128);
for (i = 0; i < KEX_RETRY; i++) {
ssh_send_ignore(s->ssh.session, data);
- ssh_handle_packets(s->ssh.session, 100);
+ ssh_handle_packets(s->ssh.session, 1000);
c = s->ssh.session->current_crypto;
/* SHA256 len */