author | Remi Collet <remi@remirepo.net> | 2022-06-26 17:42:09 +0200 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2022-06-26 17:42:09 +0200 |
commit | 20e61c0a1471086c99fd346cfd200b865b30bf57 (patch) | |
tree | 629172d26f48a80e34e3b06866f7db5c19d2a2d2 /0008-libssh2-1.8.0-CVE-2019-3862.patch | |
parent | 6c2df6054475dd31fa2ce3f5ebeef77bc4537f4a (diff) |
update to 1.10.0
Diffstat (limited to '0008-libssh2-1.8.0-CVE-2019-3862.patch')
-rw-r--r-- | 0008-libssh2-1.8.0-CVE-2019-3862.patch | 75 |
1 files changed, 0 insertions, 75 deletions
diff --git a/0008-libssh2-1.8.0-CVE-2019-3862.patch b/0008-libssh2-1.8.0-CVE-2019-3862.patch
deleted file mode 100644
index f1632a5..0000000
--- a/0008-libssh2-1.8.0-CVE-2019-3862.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Tue, 19 Mar 2019 13:45:22 +0100
-Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison
-
-... with specially crafted message channel request
-
-Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
----
- src/packet.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/packet.c b/src/packet.c
-index aa10633..c950b5d 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -775,8 +775,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- uint32_t len = _libssh2_ntohu32(data + 5);
- unsigned char want_reply = 1;
-
-- if(len < (datalen - 10))
-- want_reply = data[9 + len];
-+ if((len + 9) < datalen)
-+ want_reply = data[len + 9];
-
- _libssh2_debug(session,
- LIBSSH2_TRACE_CONN,
-@@ -784,6 +784,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- channel, len, data + 9, want_reply);
-
- if (len == sizeof("exit-status") - 1
-+ && (sizeof("exit-status") - 1 + 9) <= datalen
- && !memcmp("exit-status", data + 9,
- sizeof("exit-status") - 1)) {
-
-@@ -792,7 +793,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- channelp =
- _libssh2_channel_locate(session, channel);
-
-- if (channelp) {
-+ if (channelp && (sizeof("exit-status") + 13) <= datalen) {
- channelp->exit_status =
- _libssh2_ntohu32(data + 9 + sizeof("exit-status"));
- _libssh2_debug(session, LIBSSH2_TRACE_CONN,
-@@ -805,13 +806,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-
- }
- else if (len == sizeof("exit-signal") - 1
-+ && (sizeof("exit-signal") - 1 + 9) <= datalen
- && !memcmp("exit-signal", data + 9,
- sizeof("exit-signal") - 1)) {
- /* command terminated due to signal */
- if(datalen >= 20)
- channelp = _libssh2_channel_locate(session, channel);
-
-- if (channelp) {
-+ if (channelp && (sizeof("exit-signal") + 13) <= datalen) {
- /* set signal name (without SIG prefix) */
- uint32_t namelen =
- _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
-@@ -827,9 +829,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- if (!channelp->exit_signal)
- rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
- "memory for signal name");
-- else {
-+ else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) {
- memcpy(channelp->exit_signal,
-- data + 13 + sizeof("exit_signal"), namelen);
-+ data + 13 + sizeof("exit-signal"), namelen);
- channelp->exit_signal[namelen] = '\0';
- /* TODO: save error message and language tag */
- _libssh2_debug(session, LIBSSH2_TRACE_CONN,
---- 
-2.17.2
- |