author | Thomas Deutschmann <whissi@gentoo.org> | 2019-10-09 18:17:12 +0200 |
---|---|---|
committer | Thomas Deutschmann <whissi@gentoo.org> | 2019-10-09 18:17:29 +0200 |
commit | 0148cb4b99350b09cc7eaa229ad42d4b6009d0e9 (patch) | |
tree | c6ffe0e6b3c981308a45054f8b8fd95646ef9bb3 /net-misc/openssh/files | |
parent | media-plugins/kodi-visualization-projectm: 2.3.2 version bump (diff) | |
net-misc/openssh: fix integer overflows
- Fix integer overflow in XMSS private key parsing
- Fix an unreachable integer overflow similar to the XMSS case
- Fix putty tests
Closes: https://bugs.gentoo.org/493866
Bug: https://bugs.gentoo.org/697046
Package-Manager: Portage-2.3.76, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Diffstat (limited to 'net-misc/openssh/files')
3 files changed, 147 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch
new file mode 100644
index 000000000000..bffc591ef667
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch
@@ -0,0 +1,76 @@
+https://github.com/openssh/openssh-portable/commit/29e0ecd9b4eb3b9f305e2240351f0c59cad9ef81
+
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -3209,6 +3209,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
+ if ((r = sshkey_froms(buf, &k)) != 0 ||
+ (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
+ goto out;
++ if (k->type != type) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
+ if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+@@ -3252,6 +3256,11 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
+ if ((r = sshkey_froms(buf, &k)) != 0 ||
+ (r = sshbuf_get_bignum2(buf, &exponent)) != 0)
+ goto out;
++ if (k->type != type ||
++ k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
+ if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+@@ -3296,6 +3305,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
+ (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
+ (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
+ goto out;
++ if (k->type != type) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
+ if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+@@ -3333,13 +3346,17 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
+ (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
+ (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
+ goto out;
++ if (k->type != type) {
++ r = SSH_ERR_INVALID_FORMAT;
++ goto out;
++ }
+ if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+ k->ed25519_pk = ed25519_pk;
+ k->ed25519_sk = ed25519_sk;
+- ed25519_pk = ed25519_sk = NULL;
++ ed25519_pk = ed25519_sk = NULL; /* transferred */
+ break;
+ #ifdef WITH_XMSS
+ case KEY_XMSS:
+@@ -3370,7 +3387,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
+ (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
+ (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
+ goto out;
+- if (strcmp(xmss_name, k->xmss_name)) {
++ if (k->type != type || strcmp(xmss_name, k->xmss_name) != 0) {
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+@@ -3877,7 +3894,8 @@ sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
+ }
+
+ /* check that an appropriate amount of auth data is present */
+- if (sshbuf_len(decoded) < encrypted_len + authlen) {
++ if (sshbuf_len(decoded) < authlen ||
++ sshbuf_len(decoded) - authlen < encrypted_len) {
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch
new file mode 100644
index 000000000000..ba0bd02371d4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch
@@ -0,0 +1,14 @@
+https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a
+
+--- a/sshkey-xmss.c
++++ b/sshkey-xmss.c
+@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
+ goto out;
+ }
+ /* check that an appropriate amount of auth data is present */
+- if (sshbuf_len(encoded) < encrypted_len + authlen) {
++ if (sshbuf_len(encoded) < authlen ||
++ sshbuf_len(encoded) - authlen < encrypted_len) {
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
new file mode 100644
index 000000000000..4310aa123fc8
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
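Review bot: The rewritten length check in `sshkey_parse_private2` (last hunk of the sshkey.c patch) keeps the old comment and does not say why the comparison is now split in two, so a later cleanup could fold it back into the `encrypted_len + authlen` form the commit removes. A comment above the new condition would record the reason, for example `/* subtract instead of adding: encrypted_len + authlen can wrap and let a short buffer pass */`. The same applies to the identical check in `sshkey_xmss_decrypt_state` in the sshkey-xmss.c patch. Both functions start and end outside the hunks, so the declared types of the two lengths are not visible here. The sshkey.c patch header also carries only the upstream URL, although most of its hunks add `k->type != type` checks rather than the overflow fix named in the file name, so one descriptive line would help whoever maintains the patch later.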
@@ -0,0 +1,57 @@
+Make sure that host keys are already accepted before
+running tests.
+
+https://bugs.gentoo.org/493866
+
+--- a/regress/putty-ciphers.sh
++++ b/regress/putty-ciphers.sh
+@@ -10,11 +10,17 @@ fi
+
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
+ verbose "$tid: cipher $c"
++ rm -f ${COPY}
+ cp ${OBJ}/.putty/sessions/localhost_proxy \
+ ${OBJ}/.putty/sessions/cipher_$c
+ echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+
+- rm -f ${COPY}
++ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
++ -i ${OBJ}/putty.rsa2 "exit"
++ if [ $? -ne 0 ]; then
++ fail "failed to pre-cache host key"
++ fi
++
+ env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
+ cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
+--- a/regress/putty-kex.sh
++++ b/regress/putty-kex.sh
+@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
+ ${OBJ}/.putty/sessions/kex_$k
+ echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+
++ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
++ -i ${OBJ}/putty.rsa2 "exit"
++ if [ $? -ne 0 ]; then
++ fail "failed to pre-cache host key"
++ fi
++
+ env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
+ if [ $? -ne 0 ]; then
+ fail "KEX $k failed"
+--- a/regress/putty-transfer.sh
++++ b/regress/putty-transfer.sh
+@@ -14,6 +14,13 @@ for c in 0 1 ; do
+ cp ${OBJ}/.putty/sessions/localhost_proxy \
+ ${OBJ}/.putty/sessions/compression_$c
+ echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
++
++ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
++ -i ${OBJ}/putty.rsa2 "exit"
++ if [ $? -ne 0 ]; then
++ fail "failed to pre-cache host key"
++ fi
++
+ env HOME=$PWD ${PLINK} -load compression_$c -batch \
+ -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
|
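Review bot: In the added pre-cache command of the putty-ciphers.sh hunk, `env HOME=$PWD` applies to `echo` on the left of the pipe, not to `${PLINK}`, so plink runs with the caller's HOME while the `-batch` invocation that follows runs with `HOME=$PWD`. If plink resolves its session and host-key store relative to HOME, as the `${OBJ}/.putty/sessions` paths suggest, the key is accepted into a different store from the one the test then reads, and the invoking user's real configuration directory is modified. Moving the assignment to the right of the pipe keeps both calls in the same environment: `echo "y" | env HOME=$PWD ${PLINK} -load cipher_$c \`. The same line appears in the putty-kex.sh and putty-transfer.sh hunks, and all three loops continue outside the hunks.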