mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 05:18:07 -05:00
gnu: guile-ssh: Use libssh 0.5.5 patched for CVE-2014-0017.
* gnu/packages/patches/libssh-CVE-2014-0017.patch: New file. * gnu-system.am (dist_patch_DATA): Add it. * gnu/packages/ssh.scm (libssh-0.5): New variable. (guile-ssh): Use it.
This commit is contained in:
parent
bde8c0e6d9
commit
9c333da6f1
3 changed files with 104 additions and 1 deletions
|
@ -302,6 +302,7 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/libtheora-config-guess.patch \
|
||||
gnu/packages/patches/libtool-skip-tests.patch \
|
||||
gnu/packages/patches/libtool-skip-tests-for-mips.patch \
|
||||
gnu/packages/patches/libssh-CVE-2014-0017.patch \
|
||||
gnu/packages/patches/luit-posix.patch \
|
||||
gnu/packages/patches/m4-gets-undeclared.patch \
|
||||
gnu/packages/patches/m4-readlink-EINVAL.patch \
|
||||
|
|
89
gnu/packages/patches/libssh-CVE-2014-0017.patch
Normal file
89
gnu/packages/patches/libssh-CVE-2014-0017.patch
Normal file
|
@ -0,0 +1,89 @@
|
|||
Patch from libssh 0.6, with bind.c hunk adjusted for 0.5.5.
|
||||
|
||||
From e99246246b4061f7e71463f8806b9dcad65affa0 Mon Sep 17 00:00:00 2001
|
||||
From: Aris Adamantiadis <aris@0xbadc0de.be>
|
||||
Date: Wed, 05 Feb 2014 20:24:12 +0000
|
||||
Subject: security: fix for vulnerability CVE-2014-0017
|
||||
|
||||
When accepting a new connection, a forking server based on libssh forks
|
||||
and the child process handles the request. The RAND_bytes() function of
|
||||
openssl doesn't reset its state after the fork, but simply adds the
|
||||
current process id (getpid) to the PRNG state, which is not guaranteed
|
||||
to be unique.
|
||||
This can cause several children to end up with same PRNG state which is
|
||||
a security issue.
|
||||
---
|
||||
diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h
|
||||
index 7374a88..e8ff32c 100644
|
||||
--- a/include/libssh/wrapper.h
|
||||
+++ b/include/libssh/wrapper.h
|
||||
@@ -70,5 +70,6 @@ int crypt_set_algorithms_server(ssh_session session);
|
||||
struct ssh_crypto_struct *crypto_new(void);
|
||||
void crypto_free(struct ssh_crypto_struct *crypto);
|
||||
|
||||
+void ssh_reseed(void);
|
||||
|
||||
#endif /* WRAPPER_H_ */
|
||||
diff --git a/src/bind.c b/src/bind.c
|
||||
index 8d82d0d..03d3403 100644
|
||||
--- a/src/bind.c
|
||||
+++ b/src/bind.c
|
||||
@@ -375,6 +375,8 @@ int ssh_bind_accept(ssh_bind sshbind, ss
|
||||
session->dsa_key = dsa;
|
||||
session->rsa_key = rsa;
|
||||
|
||||
+ /* force PRNG to change state in case we fork after ssh_bind_accept */
|
||||
+ ssh_reseed();
|
||||
return SSH_OK;
|
||||
}
|
||||
|
||||
diff --git a/src/libcrypto.c b/src/libcrypto.c
|
||||
index bb1d96a..d8cc795 100644
|
||||
--- a/src/libcrypto.c
|
||||
+++ b/src/libcrypto.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
+#include <sys/time.h>
|
||||
|
||||
#include "libssh/priv.h"
|
||||
#include "libssh/session.h"
|
||||
@@ -38,6 +39,8 @@
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/opensslv.h>
|
||||
+#include <openssl/rand.h>
|
||||
+
|
||||
#ifdef HAVE_OPENSSL_AES_H
|
||||
#define HAS_AES
|
||||
#include <openssl/aes.h>
|
||||
@@ -74,6 +77,12 @@ static int alloc_key(struct ssh_cipher_struct *cipher) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
+void ssh_reseed(void){
|
||||
+ struct timeval tv;
|
||||
+ gettimeofday(&tv, NULL);
|
||||
+ RAND_add(&tv, sizeof(tv), 0.0);
|
||||
+}
|
||||
+
|
||||
SHACTX sha1_init(void) {
|
||||
SHACTX c = malloc(sizeof(*c));
|
||||
if (c == NULL) {
|
||||
diff --git a/src/libgcrypt.c b/src/libgcrypt.c
|
||||
index 899bccd..4617901 100644
|
||||
--- a/src/libgcrypt.c
|
||||
+++ b/src/libgcrypt.c
|
||||
@@ -45,6 +45,9 @@ static int alloc_key(struct ssh_cipher_struct *cipher) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
+void ssh_reseed(void){
|
||||
+ }
|
||||
+
|
||||
SHACTX sha1_init(void) {
|
||||
SHACTX ctx = NULL;
|
||||
gcry_md_open(&ctx, GCRY_MD_SHA1, 0);
|
||||
--
|
||||
cgit v0.9.1
|
|
@ -30,6 +30,7 @@ (define-module (gnu packages ssh)
|
|||
#:use-module (gnu packages autotools)
|
||||
#:use-module (gnu packages texinfo)
|
||||
#:use-module (gnu packages which)
|
||||
#:use-module (gnu packages)
|
||||
#:use-module (guix packages)
|
||||
#:use-module (guix download)
|
||||
#:use-module (guix build-system gnu)
|
||||
|
@ -96,6 +97,18 @@ (define (dereference file)
|
|||
(home-page "http://www.libssh.org")
|
||||
(license license:lgpl2.1+)))
|
||||
|
||||
(define libssh-0.5 ; kept private
|
||||
(package (inherit libssh)
|
||||
(version "0.5.5")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "https://red.libssh.org/attachments/download/51/libssh-"
|
||||
version ".tar.gz"))
|
||||
(sha256
|
||||
(base32
|
||||
"17cfdff4hc0ijzrr15biq29fiabafz0bw621zlkbwbc1zh2hzpy0"))
|
||||
(patches (list (search-patch "libssh-CVE-2014-0017.patch")))))))
|
||||
|
||||
(define-public libssh2
|
||||
(package
|
||||
(name "libssh2")
|
||||
|
@ -238,7 +251,7 @@ (define-public guile-ssh
|
|||
("pkg-config" ,pkg-config)
|
||||
("which" ,which)))
|
||||
(inputs `(("guile" ,guile-2.0)
|
||||
("libssh" ,libssh)))
|
||||
("libssh" ,libssh-0.5)))
|
||||
(synopsis "Guile bindings to libssh")
|
||||
(description
|
||||
"Guile-SSH is a library that provides access to the SSH protocol for
|
||||
|
|
Loading…
Reference in a new issue