048ffad847
Resolves: RHEL-150661 Resolves: CVE-2025-4877 Resolves: CVE-2025-4878 Resolves: CVE-2025-5351 Resolves: CVE-2025-8114 Resolves: CVE-2025-8277 Resolves: CVE-2026-0964 Resolves: CVE-2026-0965 Resolves: CVE-2026-0966 Resolves: CVE-2026-0967 Resolves: CVE-2026-0968
101 lines
2.9 KiB
Diff
101 lines
2.9 KiB
Diff
From e868036a8e496e36cf986e000e050974cc30a0ae Mon Sep 17 00:00:00 2001
|
|
From: Jakub Jelen <jjelen@redhat.com>
|
|
Date: Thu, 8 Jan 2026 12:09:50 +0100
|
|
Subject: [PATCH 1/2] CVE-2026-0966 misc: Avoid heap buffer underflow in
|
|
ssh_get_hexa
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
|
|
(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401)
|
|
---
|
|
src/misc.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/misc.c b/src/misc.c
|
|
index 6607775e..0cca373a 100644
|
|
--- a/src/misc.c
|
|
+++ b/src/misc.c
|
|
@@ -452,7 +452,7 @@ char *ssh_get_hexa(const unsigned char *what, size_t len)
|
|
size_t i;
|
|
size_t hlen = len * 3;
|
|
|
|
- if (len > (UINT_MAX - 1) / 3) {
|
|
+ if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) {
|
|
return NULL;
|
|
}
|
|
|
|
--
|
|
2.53.0
|
|
|
|
|
|
From c112289ce14ef29f173d87b6cc507f066d6ca751 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Jelen <jjelen@redhat.com>
|
|
Date: Thu, 8 Jan 2026 12:10:16 +0100
|
|
Subject: [PATCH 2/2] CVE-2026-0966 tests: Test coverage for ssh_get_hexa
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
|
Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
|
|
(cherry picked from commit 9be83584a56580da5a2f41e47137056dc0249b52)
|
|
---
|
|
tests/unittests/torture_misc.c | 31 +++++++++++++++++++++++++++++++
|
|
1 file changed, 31 insertions(+)
|
|
|
|
diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c
|
|
index 77166759..4470c358 100644
|
|
--- a/tests/unittests/torture_misc.c
|
|
+++ b/tests/unittests/torture_misc.c
|
|
@@ -877,6 +877,36 @@ static void torture_ssh_is_ipaddr(void **state) {
|
|
assert_int_equal(rc, 0);
|
|
}
|
|
|
|
+static void torture_ssh_get_hexa(void **state)
|
|
+{
|
|
+ const unsigned char *bin = NULL;
|
|
+ char *hex = NULL;
|
|
+
|
|
+ (void)state;
|
|
+
|
|
+ /* Null pointer should not crash */
|
|
+ bin = NULL;
|
|
+ hex = ssh_get_hexa(bin, 0);
|
|
+ assert_null(hex);
|
|
+
|
|
+ /* Null pointer should not crash regardless the length */
|
|
+ bin = NULL;
|
|
+ hex = ssh_get_hexa(bin, 99);
|
|
+ assert_null(hex);
|
|
+
|
|
+ /* Zero length input is not much useful. Just expect NULL too */
|
|
+ bin = (const unsigned char *)"";
|
|
+ hex = ssh_get_hexa(bin, 0);
|
|
+ assert_null(hex);
|
|
+
|
|
+ /* Valid inputs */
|
|
+ bin = (const unsigned char *)"\x00\xFF";
|
|
+ hex = ssh_get_hexa(bin, 2);
|
|
+ assert_non_null(hex);
|
|
+ assert_string_equal(hex, "00:ff");
|
|
+ ssh_string_free_char(hex);
|
|
+}
|
|
+
|
|
int torture_run_tests(void) {
|
|
int rc;
|
|
struct CMUnitTest tests[] = {
|
|
@@ -903,6 +933,7 @@ int torture_run_tests(void) {
|
|
cmocka_unit_test(torture_ssh_strerror),
|
|
cmocka_unit_test(torture_ssh_check_hostname_syntax),
|
|
cmocka_unit_test(torture_ssh_is_ipaddr),
|
|
+ cmocka_unit_test(torture_ssh_get_hexa),
|
|
};
|
|
|
|
ssh_init();
|
|
--
|
|
2.53.0
|
|
|