From 194c4edcf2b4cb361a705d2b72fe517ad8b999f371444408ef1fa2ed9f1bf9a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= <tchvatal@suse.com>
Date: Wed, 23 Oct 2019 19:01:44 +0000
Subject: [PATCH] Accepting request 742231 from
 home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Security fix: [bsc#1154862, CVE-2019-17498]
  * The SSH_MSG_DISCONNECT:packet.c logic has an integer overflow in
    a bounds check that might lead to disclose sensitive information
    or cause a denial of service
  * Add patch libssh2_org-CVE-2019-17498.patch

OBS-URL: https://build.opensuse.org/request/show/742231
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libssh2_org?expand=0&rev=67
---
 libssh2_org-CVE-2019-17498.patch | 124 +++++++++++++++++++++++++++++++
 libssh2_org.changes              |   9 +++
 libssh2_org.spec                 |   3 +
 3 files changed, 136 insertions(+)
 create mode 100644 libssh2_org-CVE-2019-17498.patch

diff --git a/libssh2_org-CVE-2019-17498.patch b/libssh2_org-CVE-2019-17498.patch
new file mode 100644
index 0000000..eb998c9
--- /dev/null
+++ b/libssh2_org-CVE-2019-17498.patch
@@ -0,0 +1,124 @@
+From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+---
+ src/packet.c | 68 ++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 39 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab6294..2e01bfc5 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                     size_t datalen, int macstate)
+ {
+     int rc = 0;
+-    char *message = NULL;
+-    char *language = NULL;
++    unsigned char *message = NULL;
++    unsigned char *language = NULL;
+     size_t message_len = 0;
+     size_t language_len = 0;
+     LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+         case SSH_MSG_DISCONNECT:
+             if(datalen >= 5) {
+-                size_t reason = _libssh2_ntohu32(data + 1);
++                uint32_t reason = 0;
++                struct string_buf buf;
++                buf.data = (unsigned char *)data;
++                buf.dataptr = buf.data;
++                buf.len = datalen;
++                buf.dataptr++; /* advance past type */
+ 
+-                if(datalen >= 9) {
+-                    message_len = _libssh2_ntohu32(data + 5);
++                _libssh2_get_u32(&buf, &reason);
++                _libssh2_get_string(&buf, &message, &message_len);
++                _libssh2_get_string(&buf, &language, &language_len);
+ 
+-                    if(message_len < datalen-13) {
+-                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
+-                        message = (char *) data + 9;
+-
+-                        language_len =
+-                            _libssh2_ntohu32(data + 9 + message_len);
+-                        language = (char *) data + 9 + message_len + 4;
+-
+-                        if(language_len > (datalen-13-message_len)) {
+-                            /* bad input, clear info */
+-                            language = message = NULL;
+-                            language_len = message_len = 0;
+-                        }
+-                    }
+-                    else
+-                        /* bad size, clear it */
+-                        message_len = 0;
+-                }
+                 if(session->ssh_msg_disconnect) {
+-                    LIBSSH2_DISCONNECT(session, reason, message,
+-                                       message_len, language, language_len);
++                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++                                       message_len, (const char *)language,
++                                       language_len);
+                 }
++
+                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+                                "Disconnect(%d): %s(%s)", reason,
+                                message, language);
+@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 int always_display = data[1];
+ 
+                 if(datalen >= 6) {
+-                    message_len = _libssh2_ntohu32(data + 2);
+-
+-                    if(message_len <= (datalen - 10)) {
+-                        /* 6 = packet_type(1) + display(1) + message_len(4) */
+-                        message = (char *) data + 6;
+-                        language_len = _libssh2_ntohu32(data + 6 +
+-                                                        message_len);
+-
+-                        if(language_len <= (datalen - 10 - message_len))
+-                            language = (char *) data + 10 + message_len;
+-                    }
++                    struct string_buf buf;
++                    buf.data = (unsigned char *)data;
++                    buf.dataptr = buf.data;
++                    buf.len = datalen;
++                    buf.dataptr += 2; /* advance past type & always display */
++
++                    _libssh2_get_string(&buf, &message, &message_len);
++                    _libssh2_get_string(&buf, &language, &language_len);
+                 }
+ 
+                 if(session->ssh_msg_debug) {
+-                    LIBSSH2_DEBUG(session, always_display, message,
+-                                  message_len, language, language_len);
++                    LIBSSH2_DEBUG(session, always_display,
++                                  (const char *)message,
++                                  message_len, (const char *)language,
++                                  language_len);
+                 }
+             }
++
+             /*
+              * _libssh2_debug will actually truncate this for us so
+              * that it's not an inordinate about of data
+@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(datalen >= (6 + len)) {
++                if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
diff --git a/libssh2_org.changes b/libssh2_org.changes
index d12ae1b..1be3f98 100644
--- a/libssh2_org.changes
+++ b/libssh2_org.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Oct 23 13:53:38 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Security fix: [bsc#1154862, CVE-2019-17498]
+  * The SSH_MSG_DISCONNECT:packet.c logic has an integer overflow in
+    a bounds check that might lead to disclose sensitive information
+    or cause a denial of service
+  * Add patch libssh2_org-CVE-2019-17498.patch
+
 -------------------------------------------------------------------
 Thu Jun 20 11:07:36 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 
diff --git a/libssh2_org.spec b/libssh2_org.spec
index bf0ef4e..4186da6 100644
--- a/libssh2_org.spec
+++ b/libssh2_org.spec
@@ -29,6 +29,8 @@ Source1:        https://www.libssh2.org/download/%{pkg_name}-%{version}.tar.gz.a
 Source2:        baselibs.conf
 Source3:        libssh2_org.keyring
 Patch0:         libssh2-ocloexec.patch
+# PATCH-FIX-UPSTREAM bsc#1154862 CVE-2019-17498
+Patch1:         libssh2_org-CVE-2019-17498.patch
 BuildRequires:  groff
 BuildRequires:  libtool
 BuildRequires:  man
@@ -69,6 +71,7 @@ SECSH-PUBLICKEY.
 %prep
 %setup -q -n %{pkg_name}-%{version}
 %patch0 -p1
+%patch1 -p1
 
 %build
 sed -i -e 's@AM_CONFIG_HEADER@AC_CONFIG_HEADERS@g' configure.ac