Minor cleanups from upstream

Fix one-byte overflow in SSH banner processing
Resolves: rhbz#2138345
Fix double free() in error path
Resolves: rhbz#2138347
Dmitry Belyavskiy 2023-01-06 11:57:27 +01:00
parent b0f3205a21
commit 6f747825fa
2 changed files with 67 additions and 1 deletions


@ -0,0 +1,57 @@
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index d29a03b4..d7283136 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -490,6 +490,15 @@ congreet(int s)
return;
}
+ /*
+ * Read the server banner as per RFC4253 section 4.2. The "SSH-"
+ * protocol identification string may be preceeded by an arbitarily
+ * large banner which we must read and ignore. Loop while reading
+ * newline-terminated lines until we have one starting with "SSH-".
+ * The ID string cannot be longer than 255 characters although the
+ * preceeding banner lines may (in which case they'll be discarded
+ * in multiple iterations of the outer loop).
+ */
for (;;) {
memset(buf, '\0', sizeof(buf));
bufsiz = sizeof(buf);
@@ -517,6 +526,11 @@ congreet(int s)
conrecycle(s);
return;
}
+ if (cp >= buf + sizeof(buf)) {
+ error("%s: greeting exceeds allowable length", c->c_name);
+ confree(s);
+ return;
+ }
if (*cp != '\n' && *cp != '\r') {
error("%s: bad greeting", c->c_name);
confree(s);
diff --git a/sshsig.c b/sshsig.c
index 1e3b6398..eb2a931e 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
{
char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
ssize_t n, total = 0;
- struct ssh_digest_ctx *ctx;
+ struct ssh_digest_ctx *ctx = NULL;
int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
@@ -549,9 +548,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
/* success */
r = 0;
out:
+ oerrno = errno;
sshbuf_free(b);
ssh_digest_free(ctx);
explicit_bzero(hash, sizeof(hash));
+ errno = oerrno;
return r;
}
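Review bot: The sshsig.c part of this patch does not remove any free() call, so the double free named in the changelog looks unaddressed: the two `hash_file` hunks only initialize `ctx` to NULL and save/restore errno around the cleanup, and `ssh_digest_free(ctx)` at `out:` still runs after any earlier free of the same context, since freeing does not reset the caller's pointer. The last hunk header `@@ -549,9 +548,11 @@` starts one line earlier on the new side than the count-neutral first hunk (`-491,7 +491,7`) can account for, which suggests a middle hunk that deletes one line was dropped when the patch was carried downstream; if memory of upstream 5062ad48 is right, that hunk removes the inline `ssh_digest_free(ctx);` from the `read()` error path, which is the actual double free. Please diff this file against the two upstream commits cited in the spec and add the missing hunk, or confirm that 8.7p1's `hash_file` never frees `ctx` before `goto out`. Both `congreet` and `hash_file` start and end outside the shown hunks, so this is inferred from the hunk headers rather than from the visible code.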


@ -51,7 +51,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1 %global openssh_ver 8.7p1
%global openssh_rel 25 %global openssh_rel 26
%global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 5 %global pam_ssh_agent_rel 5
@ -221,6 +221,8 @@ Patch983: openssh-8.7p1-evpgenkey.patch
# downstream only, IBMCA tentative fix # downstream only, IBMCA tentative fix
# From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14 # From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14
Patch984: openssh-8.7p1-ibmca.patch Patch984: openssh-8.7p1-ibmca.patch
# Upstream ff89b1bed80721295555bd083b173247a9c0484e, 5062ad48814b06162511c4f5924a33d97b6b2566
Patch986: openssh-9.1p1-sshbanner.patch
# Minimize the use of SHA1 as a proof of possession for RSA key (#2031868) # Minimize the use of SHA1 as a proof of possession for RSA key (#2031868)
# upstream commits: # upstream commits:
@ -442,6 +444,7 @@ popd
%patch982 -p1 -b .minrsabits %patch982 -p1 -b .minrsabits
%patch983 -p1 -b .evpgenrsa %patch983 -p1 -b .evpgenrsa
%patch984 -p1 -b .ibmca %patch984 -p1 -b .ibmca
%patch986 -p1 -b .91cleanup
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
@ -734,6 +737,12 @@ test -f %{sysconfig_anaconda} && \
%endif %endif
%changelog %changelog
* Fri Jan 06 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-26
- Fix one-byte overflow in SSH banner processing
Resolves: rhbz#2138345
- Fix double free() in error path
Resolves: rhbz#2138347
* Fri Dec 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-25 * Fri Dec 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-25
- Build fix after OpenSSL rebase - Build fix after OpenSSL rebase
Resolves: rhbz#2153626 Resolves: rhbz#2153626