Minor cleanups from upstream

Fix one-byte overflow in SSH banner processing Resolves: rhbz#2138345 Fix double free() in error path Resolves: rhbz#2138347
2023-01-06 11:57:27 +01:00 · 2023-01-06 11:57:27 +01:00 · 6f747825fa
commit 6f747825fa
parent b0f3205a21
2 changed files with 67 additions and 1 deletions
--- a/openssh-9.1p1-sshbanner.patch
+++ b/openssh-9.1p1-sshbanner.patch
@ -0,0 +1,57 @@
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index d29a03b4..d7283136 100644
+--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
+@@ -490,6 +490,15 @@ congreet(int s)
+ 		return;
+ 	}
+ 
+	/*
+	 * Read the server banner as per RFC4253 section 4.2.  The "SSH-"
+	 * protocol identification string may be preceeded by an arbitarily
+	 * large banner which we must read and ignore.  Loop while reading
+	 * newline-terminated lines until we have one starting with "SSH-".
+	 * The ID string cannot be longer than 255 characters although the
+	 * preceeding banner lines may (in which case they'll be discarded
+	 * in multiple iterations of the outer loop).
+	 */
+ 	for (;;) {
+ 		memset(buf, '\0', sizeof(buf));
+ 		bufsiz = sizeof(buf);
+@@ -517,6 +526,11 @@ congreet(int s)
+ 		conrecycle(s);
+ 		return;
+ 	}
+	if (cp >= buf + sizeof(buf)) {
+		error("%s: greeting exceeds allowable length", c->c_name);
+		confree(s);
+		return;
+	}
+ 	if (*cp != '\n' && *cp != '\r') {
+ 		error("%s: bad greeting", c->c_name);
+ 		confree(s);
+diff --git a/sshsig.c b/sshsig.c
+index 1e3b6398..eb2a931e 100644
+--- a/sshsig.c
+++ b/sshsig.c
+@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
+ {
+ 	char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
+ 	ssize_t n, total = 0;
+-	struct ssh_digest_ctx *ctx;
+	struct ssh_digest_ctx *ctx = NULL;
+ 	int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
+ 	struct sshbuf *b = NULL;
+ 
+@@ -549,9 +548,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
+ 	/* success */
+ 	r = 0;
+  out:
+	oerrno = errno;
+ 	sshbuf_free(b);
+ 	ssh_digest_free(ctx);
+ 	explicit_bzero(hash, sizeof(hash));
+	errno = oerrno;
+ 	return r;
+ }
+ 
--- a/openssh.spec
+++ b/openssh.spec
@ -51,7 +51,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 25
+%global openssh_rel 26
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5

@ -221,6 +221,8 @@ Patch983: openssh-8.7p1-evpgenkey.patch
 # downstream only, IBMCA tentative fix
 # From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14
 Patch984: openssh-8.7p1-ibmca.patch
+# Upstream ff89b1bed80721295555bd083b173247a9c0484e, 5062ad48814b06162511c4f5924a33d97b6b2566
+Patch986: openssh-9.1p1-sshbanner.patch

 # Minimize the use of SHA1 as a proof of possession for RSA key (#2031868)
 # upstream commits:
@ -442,6 +444,7 @@ popd
 %patch982 -p1 -b .minrsabits
 %patch983 -p1 -b .evpgenrsa
 %patch984 -p1 -b .ibmca
+%patch986 -p1 -b .91cleanup

 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@ -734,6 +737,12 @@ test -f %{sysconfig_anaconda} && \
 %endif

 %changelog
+* Fri Jan 06 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-26
+- Fix one-byte overflow in SSH banner processing
+  Resolves: rhbz#2138345
+- Fix double free() in error path
+  Resolves: rhbz#2138347
+
 * Fri Dec 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-25
 - Build fix after OpenSSL rebase
  Resolves: rhbz#2153626