asn pushed to libssh (el6). "Security fix for CVE-2015-3146 (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Mon May 4 15:32:38 UTC 2015
>From 56cb424c4014d731ad240e6d357839a21e0bf293 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at cryptomilk.org>
Date: Mon, 4 May 2015 16:10:29 +0200
Subject: Security fix for CVE-2015-3146
resolves: #1213775
resolves: #1218077
diff --git a/CVE-2015-3146-libssh-0.5.5.patch b/CVE-2015-3146-libssh-0.5.5.patch
new file mode 100644
index 0000000..e3232b8
--- /dev/null
+++ b/CVE-2015-3146-libssh-0.5.5.patch
@@ -0,0 +1,98 @@
+From cadc76a8b450f4e2181009c8faa2c4dace9bcc2c Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris at 0xbadc0de.be>
+Date: Wed, 15 Apr 2015 16:08:37 +0200
+Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers
+
+The state validation in the packet handlers for SSH_MSG_NEWKEYS and
+SSH_MSG_KEXDH_REPLY had a bug which did not raise an error.
+
+The issue has been found and reported by Mariusz Ziule.
+
+Signed-off-by: Aris Adamantiadis <aris at 0xbadc0de.be>
+Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
+---
+ src/client.c | 4 ++--
+ src/server.c | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/client.c b/src/client.c
+index 0e50497..6919e7a 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -186,7 +186,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){
+ (void)type;
+ (void)user;
+ ssh_log(session,SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY");
+- if(session->session_state!= SSH_SESSION_STATE_DH &&
++ if(session->session_state!= SSH_SESSION_STATE_DH ||
+ session->dh_handshake_state != DH_STATE_INIT_SENT){
+ ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d",
+ session->session_state,session->dh_handshake_state);
+@@ -246,7 +246,7 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
+ (void)user;
+ (void)type;
+ ssh_log(session, SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS");
+- if(session->session_state!= SSH_SESSION_STATE_DH &&
++ if (session->session_state != SSH_SESSION_STATE_DH ||
+ session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){
+ ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d",
+ session->session_state,session->dh_handshake_state);
+diff --git a/src/server.c b/src/server.c
+index 9a611c1..c07dd8a 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -133,6 +133,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
+ ssh_log(session,SSH_LOG_PACKET,"Received SSH_MSG_KEXDH_INIT");
+ if(session->dh_handshake_state != DH_STATE_INIT){
+ ssh_log(session,SSH_LOG_RARE,"Invalid state for SSH_MSG_KEXDH_INIT");
++ session->session_state=SSH_SESSION_STATE_ERROR;
+ goto error;
+ }
+ e = buffer_get_ssh_string(packet);
+--
+2.3.5
+
+
+From ac683699201a3233b3659baa5f22c96ddab83cd4 Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris at 0xbadc0de.be>
+Date: Wed, 15 Apr 2015 16:25:29 +0200
+Subject: [PATCH 2/2] buffers: Fix a possible null pointer dereference
+
+This is an addition to CVE-2015-3146 to fix the null pointer
+dereference. The patch is not required to fix the CVE but prevents
+issues in future.
+
+Signed-off-by: Aris Adamantiadis <aris at 0xbadc0de.be>
+Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
+(cherry picked from commit 59b316623ee723a5b6d4c980d0617bbaff4094c6)
+---
+ src/buffer.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index aef7e44..9808399 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -188,6 +188,9 @@ int buffer_reinit(struct ssh_buffer_struct *buffer) {
+ int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) {
+ buffer_verify(buffer);
+
++ if (data == NULL){
++ return -1;
++ }
+ if (buffer->used + len < len)
+ return -1;
+
+@@ -220,6 +223,9 @@ int buffer_add_ssh_string(struct ssh_buffer_struct *buffer,
+ struct ssh_string_struct *string) {
+ uint32_t len = 0;
+
++ if (string == NULL){
++ return -1;
++ }
+ len = ssh_string_len(string);
+ if (buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) {
+ return -1;
+--
+2.3.5
+
diff --git a/libssh.spec b/libssh.spec
index ce67adf..f55a260 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,6 +1,6 @@
Name: libssh
Version: 0.5.5
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: A library implementing the SSH2 protocol (0xbadc0de version)
License: LGPLv2+
URL: http://www.libssh.org/
@@ -13,6 +13,7 @@ Patch0: libssh-0.5.4-disable-latex-documentation.patch
Patch1: libssh-0.5.4-fix-html-doc-generation.patch
Patch2: libssh-0.5.5-CVE-2014-0017.patch
Patch3: CVE-2014-8132-libssh-0.5.5.patch
+Patch4: CVE-2015-3146-libssh-0.5.5.patch
BuildRequires: cmake
BuildRequires: doxygen
@@ -42,6 +43,7 @@ applications that use %{name}.
%patch1 -p1 -b .fix-html-doc-generation
%patch2 -p1 -b .libssh-0.5.5-CVE-2014-0017.patch
%patch3 -p1 -b .CVE-2014-8132-libssh-0.5.5.patch
+%patch4 -p1 -b .CVE-2015-3146-libssh-0.5.5.patch
# Remove examples, they are not packaged and do not build on EPEL 5
sed -i -e 's|add_subdirectory(examples)||g' CMakeLists.txt
@@ -91,6 +93,10 @@ rm -rf %{buildroot}
%{_libdir}/libssh_threads.so
%changelog
+* Thu Apr 30 2015 Andreas Schneider <asn at redhat.com> - 0.5.5-4
+- resolves: #1213775 - Security fix for CVE-2015-3146
+- resolves: #1218077 - Security fix for CVE-2015-3146
+
* Fri Dec 19 2014 - Andreas Schneider <asn at redhat.com> - 0.5.5-3
- Security fix for CVE-2014-8132.
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/libssh.git/commit/?h=el6&id=56cb424c4014d731ad240e6d357839a21e0bf293
More information about the scm-commits
mailing list