summaryrefslogtreecommitdiffstats
path: root/0008-libssh2-1.8.0-CVE-2019-3862.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2022-06-26 17:42:09 +0200
committerRemi Collet <remi@php.net>2022-06-26 17:42:09 +0200
commit20e61c0a1471086c99fd346cfd200b865b30bf57 (patch)
tree629172d26f48a80e34e3b06866f7db5c19d2a2d2 /0008-libssh2-1.8.0-CVE-2019-3862.patch
parent6c2df6054475dd31fa2ce3f5ebeef77bc4537f4a (diff)
rename to remi-libssh2 for EL-7 and EL-8HEADmaster
update to 1.10.0
Diffstat (limited to '0008-libssh2-1.8.0-CVE-2019-3862.patch')
-rw-r--r--0008-libssh2-1.8.0-CVE-2019-3862.patch75
1 files changed, 0 insertions, 75 deletions
diff --git a/0008-libssh2-1.8.0-CVE-2019-3862.patch b/0008-libssh2-1.8.0-CVE-2019-3862.patch
deleted file mode 100644
index f1632a5..0000000
--- a/0008-libssh2-1.8.0-CVE-2019-3862.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Tue, 19 Mar 2019 13:45:22 +0100
-Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison
-
-... with specially crafted message channel request
-
-Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
----
- src/packet.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/packet.c b/src/packet.c
-index aa10633..c950b5d 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- uint32_t len = _libssh2_ntohu32(data + 5);
- unsigned char want_reply = 1;
-
-- if(len < (datalen - 10))
-- want_reply = data[9 + len];
-+ if((len + 9) < datalen)
-+ want_reply = data[len + 9];
-
- _libssh2_debug(session,
- LIBSSH2_TRACE_CONN,
-@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- channel, len, data + 9, want_reply);
-
- if (len == sizeof("exit-status") - 1
-+ && (sizeof("exit-status") - 1 + 9) <= datalen
- && !memcmp("exit-status", data + 9,
- sizeof("exit-status") - 1)) {
-
-@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- channelp =
- _libssh2_channel_locate(session, channel);
-
-- if (channelp) {
-+ if (channelp && (sizeof("exit-status") + 13) <= datalen) {
- channelp->exit_status =
- _libssh2_ntohu32(data + 9 + sizeof("exit-status"));
- _libssh2_debug(session, LIBSSH2_TRACE_CONN,
-@@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-
- }
- else if (len == sizeof("exit-signal") - 1
-+ && (sizeof("exit-signal") - 1 + 9) <= datalen
- && !memcmp("exit-signal", data + 9,
- sizeof("exit-signal") - 1)) {
- /* command terminated due to signal */
- if(datalen >= 20)
- channelp = _libssh2_channel_locate(session, channel);
-
-- if (channelp) {
-+ if (channelp && (sizeof("exit-signal") + 13) <= datalen) {
- /* set signal name (without SIG prefix) */
- uint32_t namelen =
- _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
-@@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- if (!channelp->exit_signal)
- rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
- "memory for signal name");
-- else {
-+ else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) {
- memcpy(channelp->exit_signal,
-- data + 13 + sizeof("exit_signal"), namelen);
-+ data + 13 + sizeof("exit-signal"), namelen);
- channelp->exit_signal[namelen] = '\0';
- /* TODO: save error message and language tag */
- _libssh2_debug(session, LIBSSH2_TRACE_CONN,
---
-2.17.2
-