From 3abcdd0f8ffcd088b34fe0c51bb685462dadbb74 Mon Sep 17 00:00:00 2001
From: renmingshuai
Date: Wed, 7 Feb 2024 03:45:50 +0000
Subject: [PATCH] Fix regression in IPv6 addresses in hostname parsing

(cherry picked from commit 04d34ecc59e16daf5d89bc7a7265e7deec64e6c0)
---
 ...n-IPv6-addresses-in-hostname-parsing.patch | 137 ++++++++++++++++++
 libssh.spec | 9 +-
 2 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-regression-in-IPv6-addresses-in-hostname-parsing.patch

diff --git a/backport-Fix-regression-in-IPv6-addresses-in-hostname-parsing.patch b/backport-Fix-regression-in-IPv6-addresses-in-hostname-parsing.patch
new file mode 100644
index 0000000..dac411b
--- /dev/null
+++ b/backport-Fix-regression-in-IPv6-addresses-in-hostname-parsing.patch
@@ -0,0 +1,137 @@
+From 4f997aee7c7d7ea346b3e8ba505da0b7601ff318 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Fri, 22 Dec 2023 10:32:40 +0100
+Subject: [PATCH] Fix regression in IPv6 addresses in hostname parsing
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+
+Reference:
+https://git.libssh.org/projects/libssh.git/patch/?id=4f997aee7c7d7
+---
+ include/libssh/config_parser.h | 11 ++++++++---
+ src/config.c | 4 ++--
+ src/config_parser.c | 16 +++++++++++-----
+ src/options.c | 10 ++--------
+ 4 files changed, 23 insertions(+), 18 deletions(-)
+
+diff --git a/include/libssh/config_parser.h b/include/libssh/config_parser.h
+index e974917..ee647bf 100644
+--- a/include/libssh/config_parser.h
++++ b/include/libssh/config_parser.h
+@@ -26,6 +26,8 @@
+ #ifndef CONFIG_PARSER_H_
+ #define CONFIG_PARSER_H_
+
++#include
++
+ char *ssh_config_get_cmd(char **str);
+
+ char *ssh_config_get_token(char **str);
+@@ -45,13 +47,16 @@ int ssh_config_get_yesno(char **str, int notfound);
+ * be stored or NULL if we do not care about the result.
+ * @param[out] port Pointer to the location, where the new port will
+ * be stored or NULL if we do not care about the result.
++ * @param[in] ignore_port Set to true if the we should not attempt to parse
++ * port number.
+ *
+ * @returns SSH_OK if the provided string is in format of SSH URI,
+ * SSH_ERROR on failure
+ */
+ int ssh_config_parse_uri(const char *tok,
+- char **username,
+- char **hostname,
+- char **port);
++ char **username,
++ char **hostname,
++ char **port,
++ bool ignore_port);
+
+ #endif /* LIBSSH_CONFIG_H_ */
+diff --git a/src/config.c b/src/config.c
+index 54a1a6e..cb0890b 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -324,7 +324,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
+ }
+ if (parse_entry) {
+ /* We actually care only about the first item */
+- rv = ssh_config_parse_uri(cp, &username, &hostname, &port);
++ rv = ssh_config_parse_uri(cp, &username, &hostname, &port, false);
+ /* The rest of the list needs to be passed on */
+ if (endp != NULL) {
+ next = strdup(endp + 1);
+@@ -335,7 +335,7 @@ ssh_config_parse_proxy_jump(ssh_session session, const char *s, bool do_parsing)
+ }
+ }
+ } else {
+ /* The rest is just sanity-checked to avoid failures later */
+- rv = ssh_config_parse_uri(cp, NULL, NULL, NULL);
++ rv = ssh_config_parse_uri(cp, NULL, NULL, NULL, false);
+ }
+ if (rv != SSH_OK) {
+ goto out;
+diff --git a/src/config_parser.c b/src/config_parser.c
+index 87bac5d..a2da0a6 100644
+--- a/src/config_parser.c
++++ b/src/config_parser.c
+@@ -134,9 +134,10 @@ int ssh_config_get_yesno(char **str, int notfound)
+ }
+
+ int ssh_config_parse_uri(const char *tok,
+- char **username,
+- char **hostname,
+- char **port)
++ char **username,
++ char **hostname,
++ char **port,
++ bool ignore_port)
+ {
+ char *endp = NULL;
+ long port_n;
+@@ -182,12 +183,17 @@ int ssh_config_parse_uri(const char *tok,
+ if (endp == NULL) {
+ goto error;
+ }
+- } else {
+- /* Hostnames or aliases expand to the last colon or to the end */
++ } else if (!ignore_port) {
++ /* Hostnames or aliases expand to the last colon (if port is requested)
++ * or to the end */
+ endp = strrchr(tok, ':');
+ if (endp == NULL) {
+ endp = strchr(tok, '\0');
+ }
++ } else {
++ /* If no port is requested, expand to the end of line
++ * (to accommodate the IPv6 addresses) */
++ endp = strchr(tok, '\0');
+ }
+ if (tok == endp) {
+ /* Zero-length hostnames are not valid */
+diff --git a/src/options.c b/src/options.c
+index 7c03e7a..0890ff2 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -491,17 +491,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
+ ssh_set_error_invalid(session);
+ return -1;
+ } else {
+- char *username = NULL, *hostname = NULL, *port = NULL;
+- rc = ssh_config_parse_uri(value, &username, &hostname, &port);
++ char *username = NULL, *hostname = NULL;
++ rc = ssh_config_parse_uri(value, &username, &hostname, NULL, true);
+ if (rc != SSH_OK) {
+ return -1;
+ }
+- if (port != NULL) {
+- SAFE_FREE(username);
+- SAFE_FREE(hostname);
+- SAFE_FREE(port);
+- return -1;
+- }
+ if (username != NULL) {
+ SAFE_FREE(session->opts.username);
+ session->opts.username = username;
+--
+2.33.0
+
diff --git a/libssh.spec b/libssh.spec
index 1c10b46..c367c35 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,6 +1,6 @@
 Name: libssh
 Version: 0.9.6
-Release: 8
+Release: 9
 Summary: A library implementing the SSH protocol
 License: LGPLv2+
 URL: http://www.libssh.org
@@ -58,6 +58,7 @@ Patch45: backport-0002-CVE-2023-6918-Remove-unused-evp-functions-and-type
 Patch46: backport-0003-CVE-2023-6918-Systematically-check-return-values-whe.patch
 Patch47: backport-0004-CVE-2023-6918-kdf-Detect-context-init-failures.patch
 Patch48: backport-0010-CVE-2023-6004-torture_config-Allow-multiple-in-usern.patch
+Patch49: backport-Fix-regression-in-IPv6-addresses-in-hostname-parsing.patch
 
 BuildRequires: cmake gcc-c++ gnupg2 openssl-devel pkgconfig zlib-devel
 BuildRequires: krb5-devel libcmocka-devel openssh-clients openssh-server
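Review bot: The `ssh_options_set` hunk in the embedded `src/options.c` diff removes the `if (port != NULL) { ... return -1; }` rejection and passes `ignore_port = true`, so in the non-bracketed branch of `ssh_config_parse_uri` the hostname now runs to the end of the string (`endp = strchr(tok, '\0')`) and a value like `host:22` is no longer refused at this call site. That restores bare IPv6 literals, but it leaves any hostname syntax check later in `ssh_config_parse_uri` as the only filter on the hostname returned to `ssh_options_set`, and that part of the function lies outside the hunk; since this package also carries the CVE-2023-6004 backports (Patch48 and the 0.9.6-8 changelog entry), it is worth confirming the check sees the whole, longer string. I would document the new contract at the call, e.g. `/* ignore_port: a trailing ":port" is kept as part of the host, not split off or rejected */`, and carry a regression test alongside the backport that covers an IPv6 literal and a `host:port` value, as the patch as packaged touches no test file. Both `ssh_options_set` and `ssh_config_parse_uri` begin and end outside the hunks shown.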
@@ -143,6 +144,12 @@ popd
 %doc ChangeLog README
 
 %changelog
+* Wed Feb 7 2024 renmingshuai - 0.9.6-9
+- Type:bugfix
+- Id:
+- SUG:NA
+- DESC:Fix regression in IPv6 addresses in hostname parsing
+
 * Thu Dec 28 2023 renmingshuai - 0.9.6-8
 - Type:CVE
 - Id:CVE-2023-6004,CVE-2023-6918,CVE-2023-48795
-- Gitee