| -rw-r--r-- | gnu-system.am | 1 | ||||
| -rw-r--r-- | gnu/packages/patches/libssh-CVE-2014-0017.patch | 89 | ||||
| -rw-r--r-- | gnu/packages/ssh.scm | 15 | 
3 files changed, 104 insertions, 1 deletions
|
diff --git a/gnu-system.am b/gnu-system.am
index 315b661eaf..5d817cc03e 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -302,6 +302,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/libtheora-config-guess.patch		\
   gnu/packages/patches/libtool-skip-tests.patch			\
   gnu/packages/patches/libtool-skip-tests-for-mips.patch	\
+  gnu/packages/patches/libssh-CVE-2014-0017.patch		\
   gnu/packages/patches/luit-posix.patch				\
   gnu/packages/patches/m4-gets-undeclared.patch			\
   gnu/packages/patches/m4-readlink-EINVAL.patch			\
diff --git a/gnu/packages/patches/libssh-CVE-2014-0017.patch b/gnu/packages/patches/libssh-CVE-2014-0017.patch
new file mode 100644
index 0000000000..94d8cc33d2
--- /dev/null
+++ b/gnu/packages/patches/libssh-CVE-2014-0017.patch
@@ -0,0 +1,89 @@
+Patch from libssh 0.6, with bind.c hunk adjusted for 0.5.5.
+
+From e99246246b4061f7e71463f8806b9dcad65affa0 Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris@0xbadc0de.be>
+Date: Wed, 05 Feb 2014 20:24:12 +0000
+Subject: security: fix for vulnerability CVE-2014-0017
+
+When accepting a new connection, a forking server based on libssh forks
+and the child process handles the request. The RAND_bytes() function of
+openssl doesn't reset its state after the fork, but simply adds the
+current process id (getpid) to the PRNG state, which is not guaranteed
+to be unique.
+This can cause several children to end up with same PRNG state which is
+a security issue.
+---
+diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h
+index 7374a88..e8ff32c 100644
+--- a/include/libssh/wrapper.h
++++ b/include/libssh/wrapper.h
+@@ -70,5 +70,6 @@ int crypt_set_algorithms_server(ssh_session session);
+ struct ssh_crypto_struct *crypto_new(void);
+ void crypto_free(struct ssh_crypto_struct *crypto);
+ 
++void ssh_reseed(void);
+ 
+ #endif /* WRAPPER_H_ */
+diff --git a/src/bind.c b/src/bind.c
+index 8d82d0d..03d3403 100644
+--- a/src/bind.c
++++ b/src/bind.c
+@@ -375,6 +375,8 @@ int ssh_bind_accept(ssh_bind sshbind, ss
+   session->dsa_key = dsa;
+   session->rsa_key = rsa;
+ 
++  /* force PRNG to change state in case we fork after ssh_bind_accept */
++  ssh_reseed();
+   return SSH_OK;
+ }
+ 
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index bb1d96a..d8cc795 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -23,6 +23,7 @@
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
++#include <sys/time.h>
+ 
+ #include "libssh/priv.h"
+ #include "libssh/session.h"
+@@ -38,6 +39,8 @@
+ #include <openssl/rsa.h>
+ #include <openssl/hmac.h>
+ #include <openssl/opensslv.h>
++#include <openssl/rand.h>
++
+ #ifdef HAVE_OPENSSL_AES_H
+ #define HAS_AES
+ #include <openssl/aes.h>
+@@ -74,6 +77,12 @@ static int alloc_key(struct ssh_cipher_struct *cipher) {
+     return 0;
+ }
+ 
++void ssh_reseed(void){
++    struct timeval tv;
++    gettimeofday(&tv, NULL);
++    RAND_add(&tv, sizeof(tv), 0.0);
++}
++
+ SHACTX sha1_init(void) {
+   SHACTX c = malloc(sizeof(*c));
+   if (c == NULL) {
+diff --git a/src/libgcrypt.c b/src/libgcrypt.c
+index 899bccd..4617901 100644
+--- a/src/libgcrypt.c
++++ b/src/libgcrypt.c
+@@ -45,6 +45,9 @@ static int alloc_key(struct ssh_cipher_struct *cipher) {
+     return 0;
+ }
+ 
++void ssh_reseed(void){
++	}
++
+ SHACTX sha1_init(void) {
+   SHACTX ctx = NULL;
+   gcry_md_open(&ctx, GCRY_MD_SHA1, 0);
+--
+cgit v0.9.1
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index a6441709f3..a952890b29 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -30,6 +30,7 @@
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages texinfo)
   #:use-module (gnu packages which)
+  #:use-module (gnu packages)
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
@@ -96,6 +97,18 @@ remote applications.")
     (home-page "http://www.libssh.org")
     (license license:lgpl2.1+)))
+(define libssh-0.5                                ; kept private
+  (package (inherit libssh)
+    (version "0.5.5")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://red.libssh.org/attachments/download/51/libssh-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "17cfdff4hc0ijzrr15biq29fiabafz0bw621zlkbwbc1zh2hzpy0"))
+              (patches (list (search-patch "libssh-CVE-2014-0017.patch")))))))
+
 (define-public libssh2
   (package
    (name "libssh2")
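Review bot: In the embedded libssh patch, the libgcrypt variant of `ssh_reseed()` (src/libgcrypt.c) is an empty body with no comment, so a reader cannot tell whether that backend is deliberately left alone or still exposed to the shared-state problem the commit message describes; it should carry a comment such as `/* no-op: libgcrypt is assumed to handle fork itself — confirm */`. The libcrypto variant ignores the return value of `gettimeofday()`, so on failure an indeterminate `tv` is mixed in; initialising with `struct timeval tv = {0};` costs nothing. The reseed runs once per `ssh_bind_accept()` (whose body starts outside the hunk) in the accepting process, so it only separates children forked after different accepts, and the new `ssh_reseed` prototype in wrapper.h should document that limit. Passing `0.0` as the entropy estimate to `RAND_add` is right, since a timestamp should not be credited as entropy.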
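Review bot: The `libssh-0.5` definition in gnu/packages/ssh.scm carries only the comment `; kept private`, which records neither why an old 0.5.5 is retained nor that it is only acceptable together with the CVE-2014-0017 patch. A comment above the definition such as `;; libssh 0.5.5 with the CVE-2014-0017 fix backported; input of Guile-SSH only` would keep a later editor from dropping the `patches` field or exporting the package. The download URI hard-codes the attachment id `51` while interpolating `version`, so a version bump would point at a wrong or missing file; the `sha256` would catch that, but the coupling deserves a remark. Whether the inherited `libssh` package already contains the fix is not visible in this hunk and should be confirmed.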
@@ -238,7 +251,7 @@ Additionally, various channel-specific options can be negotiated.")
                      ("pkg-config" ,pkg-config)
                      ("which" ,which)))
     (inputs `(("guile" ,guile-2.0)
-              ("libssh" ,libssh)))
+              ("libssh" ,libssh-0.5)))
     (synopsis "Guile bindings to libssh")
     (description
      "Guile-SSH is a library that provides access to the SSH protocol for
|
