gnu: libssh: Update to 0.7.3 [fixes CVE-2016-0739].

* gnu/packages/patches/libssh-CVE-2014-0017.patch: Delete file.
* gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch: New file.
* gnu-system.am (dist_patch_DATA): Adjust accordingly.
* gnu/packages/ssh.scm (libssh): Update to 0.7.3.
  (libssh-0.5): Rename to...
  (libssh-0.6): ... this.  Update to 0.6.5.
  [source]: Add patch for CVE-2016-0739.
  (guile-ssh)[inputs]: Use libssh-0.6.

Modified-By: Mark H Weaver <mhw@netris.org>
This commit is contained in:
Leo Famulari 2016-02-24 15:57:31 -05:00 committed by Mark H Weaver
parent 78d80c5c6a
commit 85267efb2a
4 changed files with 90 additions and 100 deletions

View file

@ -566,12 +566,12 @@ dist_patch_DATA = \
gnu/packages/patches/libmad-armv7-thumb-pt2.patch \
gnu/packages/patches/libmad-frame-length.patch \
gnu/packages/patches/libmad-mips-newgcc.patch \
gnu/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \
gnu/packages/patches/libtheora-config-guess.patch \
gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
gnu/packages/patches/libtiff-oob-accesses-in-decode.patch \
gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch \
gnu/packages/patches/libtool-skip-tests2.patch \
gnu/packages/patches/libssh-CVE-2014-0017.patch \
gnu/packages/patches/libunwind-CVE-2015-3239.patch \
gnu/packages/patches/libwmf-CAN-2004-0941.patch \
gnu/packages/patches/libwmf-CVE-2006-3376.patch \

View file

@ -0,0 +1,77 @@
Fix CVE-2016-0739 (Weak Diffie-Hellman secret generation in
dh_generate_x() and dh_generate_y()).
"Due to a byte/bit confusion, the DH secret was too short. This file was
completely reworked and will be commited in a future version."
Source:
https://git.libssh.org/projects/libssh.git/commit/?id=f8d0026c65fc8a55748ae481758e2cf376c26c86
This patch was created by upstream for libssh-0.7.3, but applied without
modification to libssh-0.6.3 by Debian. In Guix, we apply it without
modification to libssh-0.6.5.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739
https://security-tracker.debian.org/tracker/CVE-2016-0739
---
src/dh.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/dh.c b/src/dh.c
index e489a1d..d27b66e 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -227,15 +227,21 @@ void ssh_crypto_finalize(void) {
}
int dh_generate_x(ssh_session session) {
+ int keysize;
+ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
+ keysize = 1023;
+ } else {
+ keysize = 2047;
+ }
session->next_crypto->x = bignum_new();
if (session->next_crypto->x == NULL) {
return -1;
}
#ifdef HAVE_LIBGCRYPT
- bignum_rand(session->next_crypto->x, 128);
+ bignum_rand(session->next_crypto->x, keysize);
#elif defined HAVE_LIBCRYPTO
- bignum_rand(session->next_crypto->x, 128, 0, -1);
+ bignum_rand(session->next_crypto->x, keysize, -1, 0);
#endif
/* not harder than this */
@@ -248,15 +254,21 @@ int dh_generate_x(ssh_session session) {
/* used by server */
int dh_generate_y(ssh_session session) {
- session->next_crypto->y = bignum_new();
+ int keysize;
+ if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) {
+ keysize = 1023;
+ } else {
+ keysize = 2047;
+ }
+ session->next_crypto->y = bignum_new();
if (session->next_crypto->y == NULL) {
return -1;
}
#ifdef HAVE_LIBGCRYPT
- bignum_rand(session->next_crypto->y, 128);
+ bignum_rand(session->next_crypto->y, keysize);
#elif defined HAVE_LIBCRYPTO
- bignum_rand(session->next_crypto->y, 128, 0, -1);
+ bignum_rand(session->next_crypto->y, keysize, -1, 0);
#endif
/* not harder than this */
--
cgit v0.12

View file

@ -1,89 +0,0 @@
Patch from libssh 0.6, with bind.c hunk adjusted for 0.5.5.
From e99246246b4061f7e71463f8806b9dcad65affa0 Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Wed, 05 Feb 2014 20:24:12 +0000
Subject: security: fix for vulnerability CVE-2014-0017
When accepting a new connection, a forking server based on libssh forks
and the child process handles the request. The RAND_bytes() function of
openssl doesn't reset its state after the fork, but simply adds the
current process id (getpid) to the PRNG state, which is not guaranteed
to be unique.
This can cause several children to end up with same PRNG state which is
a security issue.
---
diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h
index 7374a88..e8ff32c 100644
--- a/include/libssh/wrapper.h
+++ b/include/libssh/wrapper.h
@@ -70,5 +70,6 @@ int crypt_set_algorithms_server(ssh_session session);
struct ssh_crypto_struct *crypto_new(void);
void crypto_free(struct ssh_crypto_struct *crypto);
+void ssh_reseed(void);
#endif /* WRAPPER_H_ */
diff --git a/src/bind.c b/src/bind.c
index 8d82d0d..03d3403 100644
--- a/src/bind.c
+++ b/src/bind.c
@@ -375,6 +375,8 @@ int ssh_bind_accept(ssh_bind sshbind, ss
session->dsa_key = dsa;
session->rsa_key = rsa;
+ /* force PRNG to change state in case we fork after ssh_bind_accept */
+ ssh_reseed();
return SSH_OK;
}
diff --git a/src/libcrypto.c b/src/libcrypto.c
index bb1d96a..d8cc795 100644
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -23,6 +23,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
+#include <sys/time.h>
#include "libssh/priv.h"
#include "libssh/session.h"
@@ -38,6 +39,8 @@
#include <openssl/rsa.h>
#include <openssl/hmac.h>
#include <openssl/opensslv.h>
+#include <openssl/rand.h>
+
#ifdef HAVE_OPENSSL_AES_H
#define HAS_AES
#include <openssl/aes.h>
@@ -74,6 +77,12 @@ static int alloc_key(struct ssh_cipher_struct *cipher) {
return 0;
}
+void ssh_reseed(void){
+ struct timeval tv;
+ gettimeofday(&tv, NULL);
+ RAND_add(&tv, sizeof(tv), 0.0);
+}
+
SHACTX sha1_init(void) {
SHACTX c = malloc(sizeof(*c));
if (c == NULL) {
diff --git a/src/libgcrypt.c b/src/libgcrypt.c
index 899bccd..4617901 100644
--- a/src/libgcrypt.c
+++ b/src/libgcrypt.c
@@ -45,6 +45,9 @@ static int alloc_key(struct ssh_cipher_struct *cipher) {
return 0;
}
+void ssh_reseed(void){
+ }
+
SHACTX sha1_init(void) {
SHACTX ctx = NULL;
gcry_md_open(&ctx, GCRY_MD_SHA1, 0);
--
cgit v0.9.1

View file

@ -45,15 +45,15 @@ (define-module (gnu packages ssh)
(define-public libssh
(package
(name "libssh")
(version "0.6.5")
(version "0.7.3")
(source (origin
(method url-fetch)
(uri (string-append
"https://red.libssh.org/attachments/download/121/libssh-"
"https://red.libssh.org/attachments/download/195/libssh-"
version ".tar.xz"))
(sha256
(base32
"0b6wyx6bwbb8jpn8x4rhlrdiqwqrwrs0mxjmrnqykm9kw1ijgm8g"))))
"165g49i4kmm3bfsjm0n8hm21kadv79g9yjqyq09138jxanz4dvr6"))))
(build-system cmake-build-system)
(arguments
'(#:configure-flags '("-DWITH_GCRYPT=ON")
@ -71,17 +71,19 @@ (define-public libssh
(home-page "http://www.libssh.org")
(license license:lgpl2.1+)))
(define libssh-0.5 ; kept private
(define libssh-0.6 ; kept private for use in guile-ssh
(package (inherit libssh)
(version "0.5.5")
(version "0.6.5")
(source (origin
(method url-fetch)
(uri (string-append "https://red.libssh.org/attachments/download/51/libssh-"
version ".tar.gz"))
(uri (string-append "https://red.libssh.org/attachments/"
"download/121/libssh-"
version ".tar.xz"))
(sha256
(base32
"17cfdff4hc0ijzrr15biq29fiabafz0bw621zlkbwbc1zh2hzpy0"))
(patches (list (search-patch "libssh-CVE-2014-0017.patch")))))))
"0b6wyx6bwbb8jpn8x4rhlrdiqwqrwrs0mxjmrnqykm9kw1ijgm8g"))
(patches (list
(search-patch "libssh-0.6.5-CVE-2016-0739.patch")))))))
(define-public libssh2
(package
@ -255,7 +257,7 @@ (define-public guile-ssh
("pkg-config" ,pkg-config)
("which" ,which)))
(inputs `(("guile" ,guile-2.0)
("libssh" ,libssh)
("libssh" ,libssh-0.6)
("libgcrypt" ,libgcrypt)))
(synopsis "Guile bindings to libssh")
(description