Sync from SUSE:SLFO:Main libssh2_org revision 5fdf95a62f5a1bbcf006c3fe3d7cb40c

This commit is contained in:
Adrian Schröter 2024-06-07 18:40:12 +02:00
parent 55f86e1efd
commit d2f8d9d13e
4 changed files with 113 additions and 0 deletions

View File

@ -0,0 +1,65 @@
From 59786b186d4de8fd6cd5aeebedbce2362a849566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20=C4=8Cejka?= <jcejka@suse.cz>
Date: Tue, 6 Feb 2024 15:14:29 +0100
Subject: [PATCH] Always add extension indicators to kex_algorithms
KEX pseudo-methods "ext-info-c" and "kex-strict-c-v00@openssh.com"
are in default kex method list but they were lost
after configuring custom kex method list in libssh2_session_method_pref().
---
src/kex.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/kex.c b/src/kex.c
index 8c65a0fe..1d1dadfa 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -4027,13 +4027,25 @@ libssh2_session_method_pref(LIBSSH2_SESSION * session, int method_type,
const char *prefs)
{
char **prefvar, *s, *newprefs;
+ char *tmpprefs = NULL;
size_t prefs_len = strlen(prefs);
const LIBSSH2_COMMON_METHOD **mlist;
+ const char *kex_extensions = "ext-info-c,kex-strict-c-v00@openssh.com,";
+ size_t kex_extensions_len = strlen(kex_extensions);
switch(method_type) {
case LIBSSH2_METHOD_KEX:
prefvar = &session->kex_prefs;
mlist = (const LIBSSH2_COMMON_METHOD **)libssh2_kex_methods;
+ tmpprefs = LIBSSH2_ALLOC(session, kex_extensions_len + prefs_len + 1);
+ if(!tmpprefs) {
+ return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+ "Error allocated space for kex method preferences");
+ }
+ memcpy(tmpprefs, kex_extensions, kex_extensions_len);
+ memcpy(tmpprefs + kex_extensions_len, prefs, prefs_len + 1);
+ prefs = tmpprefs;
+ prefs_len = strlen(prefs);
break;
case LIBSSH2_METHOD_HOSTKEY:
@@ -4093,6 +4105,9 @@ libssh2_session_method_pref(LIBSSH2_SESSION * session, int method_type,
s = newprefs = LIBSSH2_ALLOC(session, prefs_len + 1);
if(!newprefs) {
+ if (tmpprefs) {
+ LIBSSH2_FREE(session, tmpprefs);
+ }
return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
"Error allocated space for method preferences");
}
@@ -4121,6 +4136,10 @@ libssh2_session_method_pref(LIBSSH2_SESSION * session, int method_type,
}
}
+ if (tmpprefs) {
+ LIBSSH2_FREE(session, tmpprefs);
+ }
+
if(!*newprefs) {
LIBSSH2_FREE(session, newprefs);
return _libssh2_error(session, LIBSSH2_ERROR_METHOD_NOT_SUPPORTED,
--
2.26.2

View File

@ -0,0 +1,26 @@
From bde10825f1271769d56a0e99793da61d37abc23c Mon Sep 17 00:00:00 2001
From: Josef Cejka <jcejka@suse.com>
Date: Thu, 28 Mar 2024 23:38:47 +0100
Subject: [PATCH] transport: check ETM on remote end when receiving (#1332)
We should check if encrypt-then-MAC feature is enabled in remote end's
configuration.
Fixes #1331
---
src/transport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/transport.c b/src/transport.c
index 531f5aa15a..af175d3fa1 100644
--- a/src/transport.c
+++ b/src/transport.c
@@ -425,7 +425,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
make the checks below work fine still */
}
- etm = encrypted && session->local.mac ? session->local.mac->etm : 0;
+ etm = encrypted && session->remote.mac ? session->remote.mac->etm : 0;
/* read/use a whole big chunk into a temporary area stored in
the LIBSSH2_SESSION struct. We will decrypt data from that

View File

@ -1,3 +1,21 @@
-------------------------------------------------------------------
Tue Apr 2 16:48:26 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Fix an issue with Encrypt-then-MAC family. [bsc#1221622]
* Test the ETM feature in the remote end's configuration when
receiving data. Upstream issue: #1331.
* Add libssh2_org-ETM-remote.patch
-------------------------------------------------------------------
Fri Feb 9 14:55:47 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Always add the KEX pseudo-methods "ext-info-c" and "kex-strict-c-v00@openssh.com"
when configuring custom method list. [bsc#1218971, CVE-2023-48795]
* The strict-kex extension is announced in the list of available
KEX methods. However, when the default KEX method list is modified
or replaced, the extension is not added back automatically.
* Add libssh2_org-CVE-2023-48795-ext.patch
-------------------------------------------------------------------
Tue Dec 19 11:25:35 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>

View File

@ -31,6 +31,10 @@ Source3: libssh2_org.keyring
Patch0: libssh2-ocloexec.patch
# PATCH-FIX-UPSTREAM bsc#1218127 CVE-2023-48795: Add 'strict KEX' to fix Terrapin Attack
Patch1: libssh2_org-CVE-2023-48795.patch
# PATCH-FIX-SUSE bsc#1218971 Always add extension indicators to kex_algorithms
Patch2: libssh2_org-CVE-2023-48795-ext.patch
# PATCH-FIX-UPSTREAM bsc#1221622 Test ETM feature in remote end's config when receiving data
Patch3: libssh2_org-ETM-remote.patch
BuildRequires: libtool
BuildRequires: openssl-devel
BuildRequires: pkgconfig