Browse Source

libssh: bump to 0.7.6 CVE-2018-10933 fix

Bump from 0.7.5 to 0.7.6.  Upstream changelog:

Fixed CVE-2018-10933
Added support for OpenSSL 1.1
Added SHA256 support for ssh_get_publickey_hash()
Fixed config parsing
Fixed random memory corruption when importing pubkeys

Backported upstream patches since 0.7.6 to fix interactive
authentication issues amongst other things:

9d5cf209 libcrypto: Fix memory leak in evp_final()
10397321 gssapi: Set correct state after sending GSSAPI_RESPONSE (select mechanism OID)
7ad80ba1 server: Fix compile error
acb0e4f4 examples: Explicitly track auth state in samplesshd-kbdint
3fe7510b messages: Check that the requested service is 'ssh-connection'
734e3ce6 server: Set correct state after sending INFO_REQUEST (Kbd Interactive)
e4c6d591 packet: Add missing break in ssh_packet_incoming_filter()
f81ca616 misc: Add strndup implementation if not provides by the OS

Refresh patches.
Remove local backport for OpenSSL 1.1 support as is now in release
Remove PKG_INSTALL & CMAKE vars that are defaulted anyway
Add PKG_CPE_ID:=cpe:/a:libssh:libssh for CVE tracking
Remove BROKEN tag as is no longer broken

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
lilik-openwrt-22.03
Kevin Darbyshire-Bryant 6 years ago
parent
commit
72096874d0
11 changed files with 318 additions and 1168 deletions
  1. +7
    -8
      libs/libssh/Makefile
  2. +83
    -0
      libs/libssh/patches/0001-misc-Add-strndup-implementation-if-not-provides-by-t.patch
  3. +24
    -0
      libs/libssh/patches/0002-packet-Add-missing-break-in-ssh_packet_incoming_filt.patch
  4. +24
    -0
      libs/libssh/patches/0003-server-Set-correct-state-after-sending-INFO_REQUEST-.patch
  5. +37
    -0
      libs/libssh/patches/0004-messages-Check-that-the-requested-service-is-ssh-con.patch
  6. +72
    -0
      libs/libssh/patches/0005-examples-Explicitly-track-auth-state-in-samplesshd-k.patch
  7. +22
    -0
      libs/libssh/patches/0006-server-Fix-compile-error.patch
  8. +24
    -0
      libs/libssh/patches/0007-gssapi-Set-correct-state-after-sending-GSSAPI_RESPON.patch
  9. +24
    -0
      libs/libssh/patches/0008-libcrypto-Fix-memory-leak-in-evp_final.patch
  10. +1
    -1
      libs/libssh/patches/001-compile.patch
  11. +0
    -1159
      libs/libssh/patches/005-openssl-1.1.patch

+ 7
- 8
libs/libssh/Makefile View File

@ -11,17 +11,18 @@ PKG_LICENSE:=LGPL-2.1+ BSD-2-Clause
PKG_MAINTAINER:=Mislav Novakovic <mislav.novakovic@sartura.hr>
PKG_NAME:=libssh
PKG_VERSION:=0.7.5
PKG_RELEASE:=2
PKG_VERSION:=0.7.6
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://red.libssh.org/attachments/download/218/
PKG_HASH:=54e86dd5dc20e5367e58f3caab337ce37675f863f80df85b6b1614966a337095
PKG_SOURCE_URL:=https://www.libssh.org/files/0.7/
PKG_HASH:=1d607d3859274f755942324afb0f887ee22edd157f9596a2e69e3a28ec6d1092
PKG_CPE_ID:=cpe:/a:libssh:libssh
CMAKE_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_INSTALL:=1
PKG_USE_MIPS16:=0
include $(INCLUDE_DIR)/package.mk
@ -32,7 +33,7 @@ define Package/libssh
CATEGORY:=Libraries
URL:=$(PKG_SOURCE_URL)
TITLE:=SSH library
DEPENDS:=+libpthread +librt +zlib +libopenssl @BROKEN
DEPENDS:=+libpthread +librt +zlib +libopenssl
endef
define Package/libssh/description
@ -41,8 +42,6 @@ define Package/libssh/description
endef
CMAKE_OPTIONS = \
-DCMAKE_INSTALL_PREFIX:PATH=/usr \
-DCMAKE_BUILD_TYPE:STRING=Release \
-DHAVE_STRTOULL=1 \
-DHAVE_GETADDRINFO=1 \
-DHAVE_TERMIOS_H=1 \


+ 83
- 0
libs/libssh/patches/0001-misc-Add-strndup-implementation-if-not-provides-by-t.patch View File

@ -0,0 +1,83 @@
From f81ca6161223e3566ce78a427571235fb6848fe9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 29 Aug 2018 18:41:15 +0200
Subject: [PATCH 1/8] misc: Add strndup implementation if not provides by the
OS
Fixes T112
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 247983e9820fd264cb5a59c14cc12846c028bd08)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
ConfigureChecks.cmake | 1 +
config.h.cmake | 3 +++
include/libssh/priv.h | 4 ++++
src/misc.c | 21 +++++++++++++++++++++
4 files changed, 29 insertions(+)
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -115,6 +115,7 @@ endif (NOT WITH_GCRYPT)
check_function_exists(isblank HAVE_ISBLANK)
check_function_exists(strncpy HAVE_STRNCPY)
+check_function_exists(strndup HAVE_STRNDUP)
check_function_exists(strtoull HAVE_STRTOULL)
if (NOT WIN32)
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -103,6 +103,9 @@
/* Define to 1 if you have the `strncpy' function. */
#cmakedefine HAVE_STRNCPY 1
+/* Define to 1 if you have the `strndup' function. */
+#cmakedefine HAVE_STRNDUP 1
+
/* Define to 1 if you have the `cfmakeraw' function. */
#cmakedefine HAVE_CFMAKERAW 1
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@@ -43,6 +43,10 @@
# endif
#endif /* !defined(HAVE_STRTOULL) */
+#if !defined(HAVE_STRNDUP)
+char *strndup(const char *s, size_t n);
+#endif /* ! HAVE_STRNDUP */
+
#ifdef HAVE_BYTESWAP_H
#include <byteswap.h>
#endif
--- a/src/misc.c
+++ b/src/misc.c
@@ -1028,6 +1028,27 @@ int ssh_match_group(const char *group, c
return 0;
}
+#if !defined(HAVE_STRNDUP)
+char *strndup(const char *s, size_t n)
+{
+ char *x = NULL;
+
+ if (n + 1 < n) {
+ return NULL;
+ }
+
+ x = malloc(n + 1);
+ if (x == NULL) {
+ return NULL;
+ }
+
+ memcpy(x, s, n);
+ x[n] = '\0';
+
+ return x;
+}
+#endif /* ! HAVE_STRNDUP */
+
/** @} */
/* vim: set ts=4 sw=4 et cindent: */

+ 24
- 0
libs/libssh/patches/0002-packet-Add-missing-break-in-ssh_packet_incoming_filt.patch View File

@ -0,0 +1,24 @@
From e4c6d591df6a9c34c1ff3ec9f367c7257122bef3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 17 Oct 2018 07:23:10 +0200
Subject: [PATCH 2/8] packet: Add missing break in ssh_packet_incoming_filter()
CID 1396239
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit fe618a35dc4be3e73ddf29d0c4a96b98d3b9c48f)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/packet.c | 1 +
1 file changed, 1 insertion(+)
--- a/src/packet.c
+++ b/src/packet.c
@@ -285,6 +285,7 @@ static enum ssh_packet_filter_result_e s
(session->dh_handshake_state != DH_STATE_FINISHED))
{
rc = SSH_PACKET_DENIED;
+ break;
}
rc = SSH_PACKET_ALLOWED;

+ 24
- 0
libs/libssh/patches/0003-server-Set-correct-state-after-sending-INFO_REQUEST-.patch View File

@ -0,0 +1,24 @@
From 734e3ce6747a5ed120b93a1ff253b3fde5f20024 Mon Sep 17 00:00:00 2001
From: Meng Tan <mtan@wallix.com>
Date: Wed, 17 Oct 2018 14:50:08 +0200
Subject: [PATCH 3/8] server: Set correct state after sending INFO_REQUEST (Kbd
Interactive)
Signed-off-by: Meng Tan <mtan@wallix.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 4ea46eecce9f4e676150fe27fec34e1570b70ace)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/server.c | 1 +
1 file changed, 1 insertion(+)
--- a/src/server.c
+++ b/src/server.c
@@ -976,6 +976,7 @@ int ssh_message_auth_interactive_request
msg->session->kbdint->prompts = NULL;
msg->session->kbdint->echo = NULL;
}
+ msg->session->auth.state = SSH_AUTH_STATE_INFO;
return rc;
}

+ 37
- 0
libs/libssh/patches/0004-messages-Check-that-the-requested-service-is-ssh-con.patch View File

@ -0,0 +1,37 @@
From 3fe7510b261098e3937ab5417935916a46e6727b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Fri, 19 Oct 2018 11:40:44 +0200
Subject: [PATCH 4/8] messages: Check that the requested service is
'ssh-connection'
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 9c200d3ef4f62d724d3bae2563b81c38cc31e215)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/messages.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/src/messages.c
+++ b/src/messages.c
@@ -649,6 +649,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_
ssh_message msg = NULL;
char *service = NULL;
char *method = NULL;
+ int cmp;
int rc;
(void)user;
@@ -675,6 +676,13 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_
service, method,
msg->auth_request.username);
+ cmp = strcmp(service, "ssh-connection");
+ if (cmp != 0) {
+ SSH_LOG(SSH_LOG_WARNING,
+ "Invalid service request: %s",
+ service);
+ goto end;
+ }
if (strcmp(method, "none") == 0) {
msg->auth_request.method = SSH_AUTH_METHOD_NONE;

+ 72
- 0
libs/libssh/patches/0005-examples-Explicitly-track-auth-state-in-samplesshd-k.patch View File

@ -0,0 +1,72 @@
From acb0e4f401440ca325e441064d2cb4b896fb9a3d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 17 Oct 2018 17:32:54 +0200
Subject: [PATCH 5/8] examples: Explicitly track auth state in
samplesshd-kbdint
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 0ff566b6dde5cd27653aa35280feceefad5d5224)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
examples/samplesshd-kbdint.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/examples/samplesshd-kbdint.c
+++ b/examples/samplesshd-kbdint.c
@@ -23,6 +23,7 @@ clients must be made or how a client sho
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
+#include <stdbool.h>
#define SSHD_USER "libssh"
#define SSHD_PASSWORD "libssh"
@@ -36,6 +37,7 @@ clients must be made or how a client sho
#endif
static int port = 22;
+static bool authenticated = false;
#ifdef WITH_PCAP
static const char *pcap_file = "debug.server.pcap";
@@ -61,11 +63,20 @@ static void cleanup_pcap(void) {
#endif
-static int auth_password(const char *user, const char *password){
- if(strcmp(user, SSHD_USER))
+static int auth_password(const char *user, const char *password)
+{
+ int cmp;
+
+ cmp = strcmp(user, SSHD_USER);
+ if (cmp != 0) {
return 0;
- if(strcmp(password, SSHD_PASSWORD))
+ }
+ cmp = strcmp(password, SSHD_PASSWORD);
+ if (cmp != 0) {
return 0;
+ }
+
+ authenticated = true;
return 1; // authenticated
}
#ifdef HAVE_ARGP_H
@@ -200,6 +211,7 @@ static int kbdint_check_response(ssh_ses
return 0;
}
+ authenticated = true;
return 1;
}
@@ -328,7 +340,7 @@ int main(int argc, char **argv){
/* proceed to authentication */
auth = authenticate(session);
- if(!auth){
+ if (!auth || !authenticated) {
printf("Authentication error: %s\n", ssh_get_error(session));
ssh_disconnect(session);
return 1;

+ 22
- 0
libs/libssh/patches/0006-server-Fix-compile-error.patch View File

@ -0,0 +1,22 @@
From 7ad80ba1cc48f7af1f192692d100a6255d97b843 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 24 Oct 2018 19:57:17 +0200
Subject: [PATCH 6/8] server: Fix compile error
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/server.c
+++ b/src/server.c
@@ -976,7 +976,7 @@ int ssh_message_auth_interactive_request
msg->session->kbdint->prompts = NULL;
msg->session->kbdint->echo = NULL;
}
- msg->session->auth.state = SSH_AUTH_STATE_INFO;
+ msg->session->auth_state = SSH_AUTH_STATE_INFO;
return rc;
}

+ 24
- 0
libs/libssh/patches/0007-gssapi-Set-correct-state-after-sending-GSSAPI_RESPON.patch View File

@ -0,0 +1,24 @@
From 103973215443f6e02e010114a3f7ac19eb6f3c8c Mon Sep 17 00:00:00 2001
From: Meng Tan <mtan@wallix.com>
Date: Thu, 25 Oct 2018 17:06:06 +0200
Subject: [PATCH 7/8] gssapi: Set correct state after sending GSSAPI_RESPONSE
(select mechanism OID)
Signed-off-by: Meng Tan <mtan@wallix.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit bce8d567053232debd6ec490af5a7d27e1160f39)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/gssapi.c | 1 +
1 file changed, 1 insertion(+)
--- a/src/gssapi.c
+++ b/src/gssapi.c
@@ -120,6 +120,7 @@ static int ssh_gssapi_send_response(ssh_
ssh_set_error_oom(session);
return SSH_ERROR;
}
+ session->auth_state = SSH_AUTH_STATE_GSSAPI_TOKEN;
packet_send(session);
SSH_LOG(SSH_LOG_PACKET,

+ 24
- 0
libs/libssh/patches/0008-libcrypto-Fix-memory-leak-in-evp_final.patch View File

@ -0,0 +1,24 @@
From 9d5cf209df4c260546e1468cc15fbbbfba3097c6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Sat, 27 Oct 2018 22:15:56 +0200
Subject: [PATCH 8/8] libcrypto: Fix memory leak in evp_final()
Fixes T116
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit a2807474621e51b386ea26ce2a01d2b1aa295c7b)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
src/libcrypto.c | 1 +
1 file changed, 1 insertion(+)
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -165,6 +165,7 @@ void evp_update(EVPCTX ctx, const void *
void evp_final(EVPCTX ctx, unsigned char *md, unsigned int *mdlen)
{
EVP_DigestFinal(ctx, md, mdlen);
+ EVP_MD_CTX_free(ctx);
}
#endif

+ 1
- 1
libs/libssh/patches/001-compile.patch View File

@ -21,7 +21,7 @@
set(PACKAGE ${APPLICATION_NAME})
set(VERSION ${APPLICATION_VERSION})
@@ -270,6 +269,8 @@ if (WITH_GSSAPI AND NOT GSSAPI_FOUND)
@@ -272,6 +271,8 @@ if (WITH_GSSAPI AND NOT GSSAPI_FOUND)
endif (WITH_GSSAPI AND NOT GSSAPI_FOUND)
# ENDIAN


+ 0
- 1159
libs/libssh/patches/005-openssl-1.1.patch
File diff suppressed because it is too large
View File


Loading…
Cancel
Save