debian/0000755000000000000000000000000013377263024007175 5ustar debian/libssh-4.symbols0000644000000000000000000002754712277131412012244 0ustar libssh.so.4 libssh-4 #MINVER# _ssh_log@Base 0.6.1 buffer_free@Base 0.3.4 buffer_get@Base 0.3.4 buffer_get_len@Base 0.3.4 buffer_new@Base 0.3.4 channel_accept_x11@Base 0.3.91 channel_change_pty_size@Base 0.3.4 channel_close@Base 0.3.4 channel_forward_accept@Base 0.3.91 channel_forward_cancel@Base 0.3.91 channel_forward_listen@Base 0.3.91 channel_free@Base 0.3.4 channel_get_exit_status@Base 0.3.4 channel_get_session@Base 0.3.4 channel_is_closed@Base 0.3.4 channel_is_eof@Base 0.3.4 channel_is_open@Base 0.3.4 channel_new@Base 0.3.4 channel_open_forward@Base 0.3.4 channel_open_session@Base 0.3.4 channel_poll@Base 0.3.4 channel_read@Base 0.3.4 channel_read_buffer@Base 0.3.4 channel_read_nonblocking@Base 0.3.4 channel_request_env@Base 0.3.4 channel_request_exec@Base 0.3.4 channel_request_pty@Base 0.3.4 channel_request_pty_size@Base 0.3.4 channel_request_send_signal@Base 0.3.91 channel_request_sftp@Base 0.3.4 channel_request_shell@Base 0.3.4 channel_request_subsystem@Base 0.3.4 channel_request_x11@Base 0.3.91 channel_select@Base 0.3.4 channel_send_eof@Base 0.3.4 channel_set_blocking@Base 0.3.4 channel_write@Base 0.3.4 channel_write_stderr@Base 0.3.91 privatekey_free@Base 0.3.4 privatekey_from_file@Base 0.3.4 publickey_free@Base 0.3.4 publickey_from_file@Base 0.3.4 publickey_from_privatekey@Base 0.3.4 publickey_to_string@Base 0.3.4 sftp_async_read@Base 0.3.4 sftp_async_read_begin@Base 0.3.4 sftp_attributes_free@Base 0.3.4 sftp_canonicalize_path@Base 0.3.4 sftp_chmod@Base 0.3.4 sftp_chown@Base 0.3.4 sftp_client_message_free@Base 0.6.1 sftp_client_message_get_data@Base 0.6.1 sftp_client_message_get_filename@Base 0.6.1 sftp_client_message_get_flags@Base 0.6.1 sftp_client_message_get_type@Base 0.6.1 sftp_client_message_set_filename@Base 0.6.1 sftp_close@Base 0.3.4 sftp_closedir@Base 0.3.4 sftp_dir_eof@Base 0.3.4 
sftp_extension_supported@Base 0.3.91 sftp_extensions_get_count@Base 0.3.91 sftp_extensions_get_data@Base 0.3.91 sftp_extensions_get_name@Base 0.3.91 sftp_file_set_blocking@Base 0.3.4 sftp_file_set_nonblocking@Base 0.3.4 sftp_free@Base 0.3.4 sftp_fstat@Base 0.3.4 sftp_fstatvfs@Base 0.3.91 sftp_get_client_message@Base 0.6.1 sftp_get_error@Base 0.3.4 sftp_init@Base 0.3.4 sftp_lstat@Base 0.3.4 sftp_mkdir@Base 0.3.4 sftp_new@Base 0.3.4 sftp_new_channel@Base 0.6.1 sftp_open@Base 0.3.4 sftp_opendir@Base 0.3.4 sftp_read@Base 0.3.4 sftp_readdir@Base 0.3.4 sftp_readlink@Base 0.3.4 sftp_rename@Base 0.3.4 sftp_rewind@Base 0.3.4 sftp_rmdir@Base 0.3.4 sftp_seek64@Base 0.3.4 sftp_seek@Base 0.3.4 sftp_send_client_message@Base 0.6.1 sftp_server_init@Base 0.3.4 sftp_server_new@Base 0.3.4 sftp_server_version@Base 0.3.4 sftp_setstat@Base 0.3.4 sftp_stat@Base 0.3.4 sftp_statvfs@Base 0.3.91 sftp_statvfs_free@Base 0.3.91 sftp_symlink@Base 0.3.4 sftp_tell64@Base 0.3.4 sftp_tell@Base 0.3.4 sftp_unlink@Base 0.3.4 sftp_utimes@Base 0.3.4 sftp_write@Base 0.3.4 ssh_accept@Base 0.3.4 ssh_auth_list@Base 0.3.4 ssh_basename@Base 0.3.4 ssh_bind_accept@Base 0.3.4 ssh_bind_accept_fd@Base 0.6.1 ssh_bind_fd_toaccept@Base 0.3.4 ssh_bind_free@Base 0.3.4 ssh_bind_get_fd@Base 0.3.4 ssh_bind_listen@Base 0.3.4 ssh_bind_new@Base 0.3.4 ssh_bind_options_set@Base 0.3.91 ssh_bind_set_blocking@Base 0.3.4 ssh_bind_set_callbacks@Base 0.5.0 ssh_bind_set_fd@Base 0.3.4 ssh_blocking_flush@Base 0.5.0 ssh_buffer_free@Base 0.5.0 ssh_buffer_get_begin@Base 0.5.0 ssh_buffer_get_len@Base 0.5.0 ssh_buffer_new@Base 0.5.0 ssh_channel_accept_forward@Base 0.6.1 ssh_channel_accept_x11@Base 0.5.0 ssh_channel_change_pty_size@Base 0.5.0 ssh_channel_close@Base 0.5.0 ssh_channel_free@Base 0.5.0 ssh_channel_get_exit_status@Base 0.5.0 ssh_channel_get_session@Base 0.5.0 ssh_channel_is_closed@Base 0.5.0 ssh_channel_is_eof@Base 0.5.0 ssh_channel_is_open@Base 0.5.0 ssh_channel_new@Base 0.5.0 ssh_channel_open_auth_agent@Base 0.6.1 
ssh_channel_open_forward@Base 0.5.0 ssh_channel_open_reverse_forward@Base 0.5.0 ssh_channel_open_session@Base 0.5.0 ssh_channel_open_x11@Base 0.6.1 ssh_channel_poll@Base 0.5.0 ssh_channel_poll_timeout@Base 0.6.1 ssh_channel_read@Base 0.5.0 ssh_channel_read_nonblocking@Base 0.5.0 ssh_channel_read_timeout@Base 0.6.1 ssh_channel_request_env@Base 0.5.0 ssh_channel_request_exec@Base 0.5.0 ssh_channel_request_pty@Base 0.5.0 ssh_channel_request_pty_size@Base 0.5.0 ssh_channel_request_send_exit_signal@Base 0.5.0 ssh_channel_request_send_exit_status@Base 0.5.0 ssh_channel_request_send_signal@Base 0.5.0 ssh_channel_request_sftp@Base 0.5.0 ssh_channel_request_shell@Base 0.5.0 ssh_channel_request_subsystem@Base 0.5.0 ssh_channel_request_x11@Base 0.5.0 ssh_channel_select@Base 0.5.0 ssh_channel_send_eof@Base 0.5.0 ssh_channel_set_blocking@Base 0.5.0 ssh_channel_window_size@Base 0.5.0 ssh_channel_write@Base 0.5.0 ssh_channel_write_stderr@Base 0.5.0 ssh_clean_pubkey_hash@Base 0.3.91 ssh_connect@Base 0.3.4 ssh_copyright@Base 0.3.4 ssh_dirname@Base 0.3.4 ssh_disconnect@Base 0.3.4 ssh_event_add_fd@Base 0.6.1 ssh_event_add_session@Base 0.6.1 ssh_event_dopoll@Base 0.6.1 ssh_event_free@Base 0.6.1 ssh_event_new@Base 0.6.1 ssh_event_remove_fd@Base 0.6.1 ssh_event_remove_session@Base 0.6.1 ssh_execute_message_callbacks@Base 0.5.0 ssh_finalize@Base 0.3.4 ssh_forward_accept@Base 0.5.0 ssh_forward_cancel@Base 0.5.0 ssh_forward_listen@Base 0.5.0 ssh_free@Base 0.3.91 ssh_get_cipher_in@Base 0.6.1 ssh_get_cipher_out@Base 0.6.1 ssh_get_clientbanner@Base 0.6.1 ssh_get_disconnect_message@Base 0.3.4 ssh_get_error@Base 0.3.4 ssh_get_error_code@Base 0.3.4 ssh_get_fd@Base 0.3.4 ssh_get_hexa@Base 0.3.4 ssh_get_issue_banner@Base 0.3.4 ssh_get_log_callback@Base 0.6.1 ssh_get_log_level@Base 0.6.1 ssh_get_log_userdata@Base 0.6.1 ssh_get_openssh_version@Base 0.3.4 ssh_get_poll_flags@Base 0.6.1 ssh_get_pubkey@Base 0.3.4 ssh_get_pubkey_hash@Base 0.3.4 ssh_get_publickey@Base 0.6.1 ssh_get_publickey_hash@Base 
0.6.1 ssh_get_random@Base 0.3.4 ssh_get_serverbanner@Base 0.6.1 ssh_get_status@Base 0.3.4 ssh_get_version@Base 0.3.4 ssh_getpass@Base 0.5.0 ssh_handle_key_exchange@Base 0.5.0 ssh_init@Base 0.3.4 ssh_is_blocking@Base 0.5.0 ssh_is_connected@Base 0.5.0 ssh_is_server_known@Base 0.3.4 ssh_key_cmp@Base 0.6.1 ssh_key_free@Base 0.6.1 ssh_key_is_private@Base 0.6.1 ssh_key_is_public@Base 0.6.1 ssh_key_new@Base 0.6.1 ssh_key_type@Base 0.6.1 ssh_key_type_from_name@Base 0.6.1 ssh_key_type_to_char@Base 0.6.1 ssh_log@Base 0.3.4 ssh_message_auth_interactive_request@Base 0.6.1 ssh_message_auth_kbdint_is_response@Base 0.6.1 ssh_message_auth_password@Base 0.3.4 ssh_message_auth_pubkey@Base 0.6.1 ssh_message_auth_publickey@Base 0.3.91 ssh_message_auth_publickey_state@Base 0.5.0 ssh_message_auth_reply_pk_ok@Base 0.3.91 ssh_message_auth_reply_pk_ok_simple@Base 0.5.0 ssh_message_auth_reply_success@Base 0.3.4 ssh_message_auth_set_methods@Base 0.3.4 ssh_message_auth_user@Base 0.3.4 ssh_message_channel_request_channel@Base 0.3.91 ssh_message_channel_request_command@Base 0.3.91 ssh_message_channel_request_env_name@Base 0.3.91 ssh_message_channel_request_env_value@Base 0.3.91 ssh_message_channel_request_open_destination@Base 0.3.91 ssh_message_channel_request_open_destination_port@Base 0.3.91 ssh_message_channel_request_open_originator@Base 0.3.91 ssh_message_channel_request_open_originator_port@Base 0.3.91 ssh_message_channel_request_open_reply_accept@Base 0.3.4 ssh_message_channel_request_pty_height@Base 0.3.91 ssh_message_channel_request_pty_pxheight@Base 0.3.91 ssh_message_channel_request_pty_pxwidth@Base 0.3.91 ssh_message_channel_request_pty_term@Base 0.3.91 ssh_message_channel_request_pty_width@Base 0.3.91 ssh_message_channel_request_reply_success@Base 0.3.4 ssh_message_channel_request_subsystem@Base 0.3.4 ssh_message_channel_request_x11_auth_cookie@Base 0.6.1 ssh_message_channel_request_x11_auth_protocol@Base 0.6.1 ssh_message_channel_request_x11_screen_number@Base 0.6.1 
ssh_message_channel_request_x11_single_connection@Base 0.6.1 ssh_message_free@Base 0.3.4 ssh_message_get@Base 0.3.4 ssh_message_global_request_address@Base 0.5.0 ssh_message_global_request_port@Base 0.5.0 ssh_message_global_request_reply_success@Base 0.5.0 ssh_message_reply_default@Base 0.3.4 ssh_message_retrieve@Base 0.3.91 ssh_message_service_reply_success@Base 0.3.91 ssh_message_service_service@Base 0.3.91 ssh_message_subtype@Base 0.3.4 ssh_message_type@Base 0.3.4 ssh_mkdir@Base 0.3.4 ssh_new@Base 0.3.4 ssh_options_copy@Base 0.3.4 ssh_options_get@Base 0.6.1 ssh_options_get_port@Base 0.6.1 ssh_options_getopt@Base 0.3.4 ssh_options_parse_config@Base 0.3.91 ssh_options_set@Base 0.3.91 ssh_pcap_file_close@Base 0.5.0 ssh_pcap_file_free@Base 0.5.0 ssh_pcap_file_new@Base 0.5.0 ssh_pcap_file_open@Base 0.5.0 ssh_pki_export_privkey_file@Base 0.6.1 ssh_pki_export_privkey_to_pubkey@Base 0.6.1 ssh_pki_export_pubkey_base64@Base 0.6.1 ssh_pki_export_pubkey_file@Base 0.6.1 ssh_pki_generate@Base 0.6.1 ssh_pki_import_privkey_base64@Base 0.6.1 ssh_pki_import_privkey_file@Base 0.6.1 ssh_pki_import_pubkey_base64@Base 0.6.1 ssh_pki_import_pubkey_file@Base 0.6.1 ssh_print_hexa@Base 0.3.4 ssh_privatekey_type@Base 0.4.3 ssh_publickey_to_file@Base 0.4.2 ssh_scp_accept_request@Base 0.3.91 ssh_scp_close@Base 0.3.91 ssh_scp_deny_request@Base 0.3.91 ssh_scp_free@Base 0.3.91 ssh_scp_init@Base 0.3.91 ssh_scp_leave_directory@Base 0.3.91 ssh_scp_new@Base 0.3.91 ssh_scp_pull_request@Base 0.3.91 ssh_scp_push_directory@Base 0.3.91 ssh_scp_push_file64@Base 0.6.1 ssh_scp_push_file@Base 0.3.91 ssh_scp_read@Base 0.3.91 ssh_scp_request_get_filename@Base 0.3.91 ssh_scp_request_get_permissions@Base 0.3.91 ssh_scp_request_get_size64@Base 0.6.1 ssh_scp_request_get_size@Base 0.3.91 ssh_scp_request_get_warning@Base 0.3.91 ssh_scp_write@Base 0.3.91 ssh_select@Base 0.3.4 ssh_send_debug@Base 0.6.1 ssh_send_ignore@Base 0.6.1 ssh_send_keepalive@Base 0.6.1 ssh_service_request@Base 0.3.4 ssh_set_agent_channel@Base 
0.6.1 ssh_set_auth_methods@Base 0.6.1 ssh_set_blocking@Base 0.3.4 ssh_set_callbacks@Base 0.3.91 ssh_set_channel_callbacks@Base 0.5.0 ssh_set_fd_except@Base 0.3.4 ssh_set_fd_toread@Base 0.3.4 ssh_set_fd_towrite@Base 0.3.4 ssh_set_log_callback@Base 0.6.1 ssh_set_log_level@Base 0.6.1 ssh_set_log_userdata@Base 0.6.1 ssh_set_message_callback@Base 0.3.91 ssh_set_pcap_file@Base 0.5.0 ssh_set_server_callbacks@Base 0.6.1 ssh_silent_disconnect@Base 0.3.4 ssh_string_burn@Base 0.5.0 ssh_string_copy@Base 0.5.0 ssh_string_data@Base 0.5.0 ssh_string_fill@Base 0.5.0 ssh_string_free@Base 0.5.0 ssh_string_free_char@Base 0.5.0 ssh_string_from_char@Base 0.5.0 ssh_string_get_char@Base 0.6.1 ssh_string_len@Base 0.5.0 ssh_string_new@Base 0.5.0 ssh_string_to_char@Base 0.5.0 ssh_threads_get_noop@Base 0.5.0 ssh_threads_set_callbacks@Base 0.5.0 ssh_try_publickey_from_file@Base 0.4.2 ssh_userauth_agent@Base 0.6.1 ssh_userauth_agent_pubkey@Base 0.3.4 ssh_userauth_autopubkey@Base 0.3.4 ssh_userauth_gssapi@Base 0.6.1 ssh_userauth_kbdint@Base 0.3.4 ssh_userauth_kbdint_getanswer@Base 0.6.1 ssh_userauth_kbdint_getinstruction@Base 0.3.4 ssh_userauth_kbdint_getname@Base 0.3.4 ssh_userauth_kbdint_getnanswers@Base 0.6.1 ssh_userauth_kbdint_getnprompts@Base 0.3.4 ssh_userauth_kbdint_getprompt@Base 0.3.4 ssh_userauth_kbdint_setanswer@Base 0.3.4 ssh_userauth_list@Base 0.3.4 ssh_userauth_none@Base 0.3.4 ssh_userauth_offer_pubkey@Base 0.3.4 ssh_userauth_password@Base 0.3.4 ssh_userauth_privatekey_file@Base 0.5.0 ssh_userauth_pubkey@Base 0.3.4 ssh_userauth_publickey@Base 0.6.1 ssh_userauth_publickey_auto@Base 0.6.1 ssh_userauth_try_publickey@Base 0.6.1 ssh_version@Base 0.3.4 ssh_write_knownhost@Base 0.3.4 string_burn@Base 0.3.4 string_copy@Base 0.3.4 string_data@Base 0.3.4 string_fill@Base 0.3.4 string_free@Base 0.3.4 string_from_char@Base 0.3.4 string_len@Base 0.3.4 string_new@Base 0.3.4 string_to_char@Base 0.3.4 libssh_threads.so.4 libssh-4 #MINVER# ssh_threads_get_pthread@Base 0.5.0 
debian/README.Debian0000644000000000000000000000040012104047131011212 0ustar libssh for Debian ---------------------- This is a package for the library libssh with the soname 4. There are some other projects which have nearly the same name, so be careful. -- Laurent Bigonville Sun, 22 Nov 2009 20:16:08 +0100 debian/rules0000755000000000000000000000071712104047131010244 0ustar #!/usr/bin/make -f DEB_AUTO_CLEANUP_RCS := yes DEB_CMAKE_EXTRA_FLAGS := -DWITH_STATIC_LIB=ON -DLIB_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) include /usr/share/cdbs/1/class/cmake.mk include /usr/share/cdbs/1/rules/debhelper.mk DEB_DBG_PACKAGE_libssh-4 = libssh-dbg # List any files which are not installed include /usr/share/cdbs/1/rules/utils.mk common-binary-post-install-arch:: list-missing build/libssh-doc:: $(MAKE) -C $(DEB_BUILDDIR) doc debian/libssh-doc.examples0000644000000000000000000000005312104047131012744 0ustar debian/tmp/usr/share/doc/libssh/examples/* debian/libssh-dev.install0000644000000000000000000000045712277127555012641 0ustar debian/tmp/usr/include/libssh/ debian/tmp/usr/lib/*/libssh.so debian/tmp/usr/lib/*/libssh.a debian/tmp/usr/lib/*/libssh_threads.so debian/tmp/usr/lib/*/libssh_threads.a debian/tmp/usr/lib/*/pkgconfig/ debian/tmp/usr/lib/*/cmake/libssh-config.cmake debian/tmp/usr/lib/*/cmake/libssh-config-version.cmake debian/control0000644000000000000000000000557112277127105010605 0ustar Source: libssh Section: libs Priority: optional Maintainer: Kubuntu Developers XSBC-Original-Maintainer: Laurent Bigonville Build-Depends: cdbs (>= 0.4.93~), debhelper (>= 8.1.3~), cmake (>= 2.6), libssl-dev, libz-dev Build-Depends-Indep: doxygen Standards-Version: 3.9.2 Vcs-Git: git://git.debian.org/git/collab-maint/libssh.git Vcs-Browser: http://git.debian.org/?p=collab-maint/libssh.git Homepage: http://www.libssh.org/ Package: libssh-4 Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Pre-Depends: ${misc:Pre-Depends} Multi-Arch: same Description: tiny C SSH library The 
ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its SFTP implementation, you can play with remote files easily. Package: libssh-dev Section: libdevel Architecture: any Depends: libssh-4 (= ${binary:Version}), ${misc:Depends}, libssl-dev, zlib1g-dev Suggests: libssh-doc Conflicts: libssh-2-dev Replaces: libssh-2-dev Description: tiny C SSH library. Development files The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its SFTP implementation, you can play with remote files easily. . This package contains development files. Package: libssh-dbg Priority: extra Section: debug Architecture: any Depends: libssh-4 (= ${binary:Version}), ${misc:Depends} Multi-Arch: same Description: tiny C SSH library. Debug symbols The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its SFTP implementation, you can play with remote files easily. . This package contains debug symbols. Package: libssh-doc Section: doc Architecture: all Suggests: doc-base Depends: ${misc:Depends} Conflicts: libssh-2-doc Replaces: libssh-2-doc Description: tiny C SSH library. Documentation files The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. 
The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote programs. With its SFTP implementation, you can play with remote files easily. . This package contains documentation files. debian/watch0000644000000000000000000000015312276740377010235 0ustar version=3 https://red.libssh.org/projects/libssh/files \ /attachments/download/\d+/libssh-(.*)\.tar.xz debian/gbp.conf0000644000000000000000000000023312104047131010574 0ustar [DEFAULT] debian-branch = debian upstream-branch = upstream pristine-tar = True [git-buildpackage] tarball-dir = ../tarballs/ export-dir = ../build-area/ debian/patches/0000755000000000000000000000000013377263004010622 5ustar debian/patches/CVE-2018-10933-8.patch0000644000000000000000000004101213361437024013466 0ustar Backport of: From 7030df59f04a5a59f008db8f0c9946ceb90cd89b Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 19 Sep 2018 16:37:13 +0200 Subject: [PATCH 8/8] CVE-2018-10933: Add tests for packet filtering Created the test torture_packet_filter.c which tests if packets are being correctly filtered. Fixes T101 Signed-off-by: Anderson Toshiyuki Sasaki --- tests/unittests/CMakeLists.txt | 2 + tests/unittests/torture_packet_filter.c | 500 ++++++++++++++++++++++++ 2 files changed, 502 insertions(+) create mode 100644 tests/unittests/torture_packet_filter.c Index: libssh-0.6.3/tests/unittests/CMakeLists.txt =================================================================== --- libssh-0.6.3.orig/tests/unittests/CMakeLists.txt 2018-10-16 15:29:52.265265202 -0400 +++ libssh-0.6.3/tests/unittests/CMakeLists.txt 2018-10-16 15:29:52.261265203 -0400 
@@ -7,6 +7,7 @@ add_cmocka_test(torture_list torture_lis add_cmocka_test(torture_misc torture_misc.c ${TORTURE_LIBRARY}) add_cmocka_test(torture_options torture_options.c ${TORTURE_LIBRARY}) add_cmocka_test(torture_isipaddr torture_isipaddr.c ${TORTURE_LIBRARY}) +add_cmocka_test(torture_packet_filter torture_packet_filter.c ${TORTURE_LIBRARY}) if (UNIX AND NOT WIN32) # requires ssh-keygen add_cmocka_test(torture_keyfiles torture_keyfiles.c ${TORTURE_LIBRARY}) Index: libssh-0.6.3/tests/unittests/torture_packet_filter.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ libssh-0.6.3/tests/unittests/torture_packet_filter.c 2018-10-16 15:30:46.901259769 -0400 
@@ -0,0 +1,499 @@ +/* + * This file is part of the SSH Library + * + * Copyright (c) 2018 by Anderson Toshiyuki Sasaki + * + * The SSH Library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at your + * option) any later version. + * + * The SSH Library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with the SSH Library; see the file COPYING. If not, write to + * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/* + * This test checks if the messages accepted by the packet filter were intented + * to be accepted. + * + * The process consists in 2 steps: + * - Try the filter with a message type in an arbitrary state + * - If the message is accepted by the filter, check if the message is in the + * set of accepted states. + * + * Only the values selected by the flag (COMPARE_*) are considered. 
+ * */ + +#include "config.h" + +#define LIBSSH_STATIC + +#include "torture.h" +#include "libssh/priv.h" +#include "libssh/libssh.h" +#include "libssh/session.h" +#include "libssh/auth.h" +#include "libssh/ssh2.h" +#include "libssh/packet.h" + +#include "packet.c" + +#define COMPARE_SESSION_STATE 1 +#define COMPARE_ROLE (1 << 1) +#define COMPARE_DH_STATE (1 << 2) +#define COMPARE_AUTH_STATE (1 << 3) +#define COMPARE_GLOBAL_REQ_STATE (1 << 4) + +#define SESSION_STATE_COUNT 11 +#define DH_STATE_COUNT 4 +#define AUTH_STATE_COUNT 14 +#define GLOBAL_REQ_STATE_COUNT 5 +#define MESSAGE_COUNT 100 // from 1 to 100 + +#define ROLE_CLIENT 0 +#define ROLE_SERVER 1 + +/* + * This is the list of currently unfiltered message types. + * Only unrecognized types should be in this list. + * */ +static uint8_t unfiltered[] = { + 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, + 22, 23, 24, 25, 26, 27, 28, 29, + 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, + 54, 55, 56, 57, 58, 59, + 62, + 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, + 83, 84, 85, 86, 87, 88, 89, +}; + +typedef struct global_state_st { + /* If the bit in this flag is zero, the corresponding state is not + * considered, working as a wildcard (meaning any value is accepted) */ + uint32_t flags; + uint8_t role; + enum ssh_session_state_e session; + enum ssh_dh_state_e dh; + enum ssh_auth_state_e auth; + enum ssh_channel_request_state_e global_req; +} global_state; + +static int cmp_state(const void *e1, const void *e2) +{ + global_state *s1 = (global_state *) e1; + global_state *s2 = (global_state *) e2; + + /* Compare role (client == 0 or server == 1)*/ + if (s1->role < s2->role) { + return -1; + } + else if (s1->role > s2->role) { + return 1; + } + + /* Compare session state */ + if (s1->session < s2->session) { + return -1; + } + else if (s1->session > s2->session) { + return 1; + } + + /* Compare DH state */ + if (s1->dh < s2->dh) { + return -1; + } + else if (s1->dh > s2->dh) { + return 1; + } 
+ + /* Compare auth */ + if (s1->auth < s2->auth) { + return -1; + } + else if (s1->auth > s2->auth) { + return 1; + } + + /* Compare global_req */ + if (s1->global_req < s2->global_req) { + return -1; + } + else if (s1->global_req > s2->global_req) { + return 1; + } + + /* If all equal, they are equal */ + return 0; +} + +static int cmp_state_search(const void *key, const void *array_element) +{ + global_state *s1 = (global_state *) key; + global_state *s2 = (global_state *) array_element; + + int result = 0; + + if (s2->flags & COMPARE_ROLE) { + /* Compare role (client == 0 or server == 1)*/ + if (s1->role < s2->role) { + return -1; + } + else if (s1->role > s2->role) { + return 1; + } + } + + if (s2->flags & COMPARE_SESSION_STATE) { + /* Compare session state */ + if (s1->session < s2->session) { + result = -1; + goto end; + } + else if (s1->session > s2->session) { + result = 1; + goto end; + } + } + + if (s2->flags & COMPARE_DH_STATE) { + /* Compare DH state */ + if (s1->dh < s2->dh) { + result = -1; + goto end; + } + else if (s1->dh > s2->dh) { + result = 1; + goto end; + } + } + + if (s2->flags & COMPARE_AUTH_STATE) { + /* Compare auth */ + if (s1->auth < s2->auth) { + result = -1; + goto end; + } + else if (s1->auth > s2->auth) { + result = 1; + goto end; + } + } + + if (s2->flags & COMPARE_GLOBAL_REQ_STATE) { + /* Compare global_req */ + if (s1->global_req < s2->global_req) { + result = -1; + goto end; + } + else if (s1->global_req > s2->global_req) { + result = 1; + goto end; + } + } + +end: + return result; +} + +static int is_state_accepted(global_state *tested, global_state *accepted, + int accepted_len) +{ + global_state *found = NULL; + + found = bsearch(tested, accepted, accepted_len, sizeof(global_state), + cmp_state_search); + + if (found != NULL) { + return 1; + } + + return 0; +} + +static int cmp_uint8(const void *i, const void *j) +{ + uint8_t e1 = *((uint8_t *)i); + uint8_t e2 = *((uint8_t *)j); + + if (e1 < e2) { + return -1; + } + else if 
(e1 > e2) { + return 1; + } + + return 0; +} + +static int check_unfiltered(uint8_t msg_type) +{ + uint8_t *found; + + found = bsearch(&msg_type, unfiltered, sizeof(unfiltered)/sizeof(uint8_t), + sizeof(uint8_t), cmp_uint8); + + if (found != NULL) { + return 1; + } + + return 0; +} + +static void torture_packet_filter_check_unfiltered(void **state) +{ + ssh_session session; + + int role_c; + int auth_c; + int session_c; + int dh_c; + int global_req_c; + + uint8_t msg_type; + + enum ssh_packet_filter_result_e rc; + int in_unfiltered; + + session = ssh_new(); + + for (msg_type = 1; msg_type <= MESSAGE_COUNT; msg_type++) { + session->in_packet.type = msg_type; + for (role_c = 0; role_c < 2; role_c++) { + session->server = role_c; + for (session_c = 0; session_c < SESSION_STATE_COUNT; session_c++) { + session->session_state = session_c; + for (dh_c = 0; dh_c < DH_STATE_COUNT; dh_c++) { + session->dh_handshake_state = dh_c; + for (auth_c = 0; auth_c < AUTH_STATE_COUNT; auth_c++) { + session->auth_state = auth_c; + for (global_req_c = 0; + global_req_c < GLOBAL_REQ_STATE_COUNT; + global_req_c++) + { + session->global_req_state = global_req_c; + + rc = ssh_packet_incoming_filter(session); + + if (rc == SSH_PACKET_UNKNOWN) { + in_unfiltered = check_unfiltered(msg_type); + + if (!in_unfiltered) { + fprintf(stderr, "Message type %d UNFILTERED " + "in state: role %d, session %d, dh %d, auth %d\n", + msg_type, role_c, session_c, dh_c, auth_c); + } + assert_int_equal(in_unfiltered, 1); + } + else { + in_unfiltered = check_unfiltered(msg_type); + + if (in_unfiltered) { + fprintf(stderr, "Message type %d NOT UNFILTERED " + "in state: role %d, session %d, dh %d, auth %d\n", + msg_type, role_c, session_c, dh_c, auth_c); + } + assert_int_equal(in_unfiltered, 0); + } + } + } + } + } + } + } + ssh_free(session); +} + +static int check_message_in_all_states(global_state accepted[], + int accepted_count, uint8_t msg_type) +{ + ssh_session session; + + int role_c; + int auth_c; + int 
session_c; + int dh_c; + int global_req_c; + + enum ssh_packet_filter_result_e rc; + int in_accepted; + + global_state key; + + session = ssh_new(); + + /* Sort the accepted array so that the elements can be searched using + * bsearch */ + qsort(accepted, accepted_count, sizeof(global_state), cmp_state); + + session->in_packet.type = msg_type; + + for (role_c = 0; role_c < 2; role_c++) { + session->server = role_c; + key.role = role_c; + for (session_c = 0; session_c < SESSION_STATE_COUNT; session_c++) { + session->session_state = session_c; + key.session = session_c; + for (dh_c = 0; dh_c < DH_STATE_COUNT; dh_c++) { + session->dh_handshake_state = dh_c; + key.dh = dh_c; + for (auth_c = 0; auth_c < AUTH_STATE_COUNT; auth_c++) { + session->auth_state = auth_c; + key.auth = auth_c; + for (global_req_c = 0; + global_req_c < GLOBAL_REQ_STATE_COUNT; + global_req_c++) + { + session->global_req_state = global_req_c; + key.global_req = global_req_c; + + rc = ssh_packet_incoming_filter(session); + + if (rc == SSH_PACKET_ALLOWED) { + in_accepted = is_state_accepted(&key, accepted, + accepted_count); + + if (!in_accepted) { + fprintf(stderr, "Message type %d ALLOWED " + "in state: role %d, session %d, dh %d, auth %d\n", + msg_type, role_c, session_c, dh_c, auth_c); + } + assert_int_equal(in_accepted, 1); + } + else if (rc == SSH_PACKET_DENIED) { + in_accepted = is_state_accepted(&key, accepted, accepted_count); + + if (in_accepted) { + fprintf(stderr, "Message type %d DENIED " + "in state: role %d, session %d, dh %d, auth %d\n", + msg_type, role_c, session_c, dh_c, auth_c); + } + assert_int_equal(in_accepted, 0); + } + else { + fprintf(stderr, "Message type %d UNFILTERED " + "in state: role %d, session %d, dh %d, auth %d\n", + msg_type, role_c, session_c, dh_c, auth_c); + } + } + } + } + } + } + + ssh_free(session); + return 0; +} + +static void torture_packet_filter_check_auth_success(void **state) +{ + int rc; + + global_state accepted[] = { + { + .flags = 
(COMPARE_SESSION_STATE | + COMPARE_ROLE | + COMPARE_AUTH_STATE | + COMPARE_DH_STATE), + .role = ROLE_CLIENT, + .session = SSH_SESSION_STATE_AUTHENTICATING, + .dh = DH_STATE_FINISHED, + .auth = SSH_AUTH_STATE_PUBKEY_AUTH_SENT, + }, + { + .flags = (COMPARE_SESSION_STATE | + COMPARE_ROLE | + COMPARE_AUTH_STATE | + COMPARE_DH_STATE), + .role = ROLE_CLIENT, + .session = SSH_SESSION_STATE_AUTHENTICATING, + .dh = DH_STATE_FINISHED, + .auth = SSH_AUTH_STATE_PASSWORD_AUTH_SENT, + }, + { + .flags = (COMPARE_SESSION_STATE | + COMPARE_ROLE | + COMPARE_AUTH_STATE | + COMPARE_DH_STATE), + .role = ROLE_CLIENT, + .session = SSH_SESSION_STATE_AUTHENTICATING, + .dh = DH_STATE_FINISHED, + .auth = SSH_AUTH_STATE_GSSAPI_MIC_SENT, + }, + { + .flags = (COMPARE_SESSION_STATE | + COMPARE_ROLE | + COMPARE_AUTH_STATE | + COMPARE_DH_STATE), + .role = ROLE_CLIENT, + .session = SSH_SESSION_STATE_AUTHENTICATING, + .dh = DH_STATE_FINISHED, + .auth = SSH_AUTH_STATE_KBDINT_SENT, + }, + { + .flags = (COMPARE_SESSION_STATE | + COMPARE_ROLE | + COMPARE_AUTH_STATE | + COMPARE_DH_STATE), + .role = ROLE_CLIENT, + .session = SSH_SESSION_STATE_AUTHENTICATING, + .dh = DH_STATE_FINISHED, + .auth = SSH_AUTH_STATE_AUTH_NONE_SENT, + } + }; + + int accepted_count = 5; + + /* Unused */ + (void) state; + + rc = check_message_in_all_states(accepted, accepted_count, + SSH2_MSG_USERAUTH_SUCCESS); + + assert_int_equal(rc, 0); +} + +static void torture_packet_filter_check_channel_open(void **state) +{ + int rc; + + /* The only condition to accept a CHANNEL_OPEN is to be authenticated */ + global_state accepted[] = { + { + .flags = COMPARE_SESSION_STATE, + .session = SSH_SESSION_STATE_AUTHENTICATED, + } + }; + + int accepted_count = 1; + + /* Unused */ + (void) state; + + rc = check_message_in_all_states(accepted, accepted_count, + SSH2_MSG_CHANNEL_OPEN); + + assert_int_equal(rc, 0); +} + +int torture_run_tests(void) +{ + int rc; + UnitTest tests[] = { + unit_test(torture_packet_filter_check_auth_success), + 
unit_test(torture_packet_filter_check_channel_open), + unit_test(torture_packet_filter_check_unfiltered), + }; + + ssh_init(); + rc = run_tests(tests); + ssh_finalize(); + return rc; +} debian/patches/series0000644000000000000000000000061513377263004012041 0ustar 0002-fix-html-doc-generation.patch CVE-2014-0017.patch CVE-2014-8132.patch CVE-2016-0739.patch CVE-2015-3146.patch CVE-2018-10933-1.patch CVE-2018-10933-2.patch CVE-2018-10933-3.patch CVE-2018-10933-4.patch CVE-2018-10933-5.patch CVE-2018-10933-6.patch CVE-2018-10933-7.patch CVE-2018-10933-8.patch CVE-2018-10933-regression.patch CVE-2018-10933-regression2.patch CVE-2018-10933-regression3.patch debian/patches/CVE-2018-10933-2.patch0000644000000000000000000000407213361436775013501 0ustar From e9729e647cf24bf26b48b04c008a1f2825b74336 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 19 Sep 2018 14:12:56 +0200 Subject: [PATCH 2/8] CVE-2018-10933: Introduce SSH_AUTH_STATE_PASSWORD_AUTH_SENT The introduced auth state allows to identify when authentication using password was tried. Fixes T101 Signed-off-by: Anderson Toshiyuki Sasaki --- include/libssh/auth.h | 2 ++ src/auth.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/libssh/auth.h b/include/libssh/auth.h index 05754460..1fc00e20 100644 --- a/include/libssh/auth.h +++ b/include/libssh/auth.h @@ -94,6 +94,8 @@ enum ssh_auth_state_e { SSH_AUTH_STATE_PUBKEY_OFFER_SENT, /** We have sent pubkey and signature expecting to be authenticated */ SSH_AUTH_STATE_PUBKEY_AUTH_SENT, + /** We have sent a password expecting to be authenticated */ + SSH_AUTH_STATE_PASSWORD_AUTH_SENT, }; /** @internal diff --git a/src/auth.c b/src/auth.c index f5ab4a97..4c7a8e30 100644 --- a/src/auth.c +++ b/src/auth.c 
@@ -87,6 +87,7 @@ static int ssh_auth_response_termination(void *user){ case SSH_AUTH_STATE_GSSAPI_MIC_SENT: case SSH_AUTH_STATE_PUBKEY_AUTH_SENT: case SSH_AUTH_STATE_PUBKEY_OFFER_SENT: + case SSH_AUTH_STATE_PASSWORD_AUTH_SENT: return 0; default: return 1; @@ -141,6 +142,7 @@ static int ssh_userauth_get_response(ssh_session session) { case SSH_AUTH_STATE_GSSAPI_MIC_SENT: case SSH_AUTH_STATE_PUBKEY_OFFER_SENT: case SSH_AUTH_STATE_PUBKEY_AUTH_SENT: + case SSH_AUTH_STATE_PASSWORD_AUTH_SENT: case SSH_AUTH_STATE_NONE: /* not reached */ rc = SSH_AUTH_ERROR; @@ -1409,7 +1411,7 @@ int ssh_userauth_password(ssh_session session, goto fail; } - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth_state = SSH_AUTH_STATE_PASSWORD_AUTH_SENT; session->pending_call_state = SSH_PENDING_CALL_AUTH_OFFER_PUBKEY; rc = packet_send(session); if (rc == SSH_ERROR) { -- 2.19.0 debian/patches/CVE-2018-10933-regression2.patch0000644000000000000000000000157613377263000015572 0ustar From 09e4f3d33197a5aeef33a7150602e3c95e6efa02 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 17 Oct 2018 07:23:10 +0200 Subject: packet: Add missing break in ssh_packet_incoming_filter() CID 1396239 Signed-off-by: Andreas Schneider (cherry picked from commit fe618a35dc4be3e73ddf29d0c4a96b98d3b9c48f) --- src/packet.c | 1 + 1 file changed, 1 insertion(+) Index: libssh-0.6.3/src/packet.c =================================================================== --- libssh-0.6.3.orig/src/packet.c 2018-11-27 10:37:47.714377480 -0500 +++ libssh-0.6.3/src/packet.c 2018-11-27 10:37:47.714377480 -0500 @@ -287,6 +287,7 @@ static enum ssh_packet_filter_result_e s (session->dh_handshake_state != DH_STATE_FINISHED)) { rc = SSH_PACKET_DENIED; + break; } rc = SSH_PACKET_ALLOWED; debian/patches/CVE-2018-10933-4.patch0000644000000000000000000000216413361437005013466 0ustar From b5b9ae012501dbc4fc64442714e5612eed5e8841 Mon Sep 17 00:00:00 2001 
From: Anderson Toshiyuki Sasaki Date: Wed, 19 Sep 2018 14:23:35 +0200 Subject: [PATCH 4/8] CVE-2018-10933: Set correct state after sending MIC After sending the client token, the auth state is set as SSH_AUTH_STATE_GSSAPI_MIC_SENT. Then this can be expected to be the state when a USERAUTH_FAILURE or USERAUTH_SUCCESS arrives. Fixes T101 Signed-off-by: Anderson Toshiyuki Sasaki --- src/gssapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libssh-0.6.3/src/gssapi.c =================================================================== --- libssh-0.6.3.orig/src/gssapi.c 2018-10-16 15:04:52.412197665 -0400 +++ libssh-0.6.3/src/gssapi.c 2018-10-16 15:04:52.412197665 -0400 @@ -953,8 +953,8 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_ ssh_string_free(token); } if(maj_stat == GSS_S_COMPLETE){ - session->auth_state = SSH_AUTH_STATE_NONE; ssh_gssapi_send_mic(session); + session->auth_state = SSH_AUTH_STATE_GSSAPI_MIC_SENT; } return SSH_PACKET_USED; } debian/patches/CVE-2015-3146.patch0000644000000000000000000000707612663050764013256 0ustar From 94f6955fbaee6fda9385a23e505497efe21f5b4f Mon Sep 17 00:00:00 2001 From: Aris Adamantiadis Date: Wed, 15 Apr 2015 16:08:37 +0200 Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers The state validation in the packet handlers for SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY had a bug which did not raise an error. The issue has been found and reported by Mariusz Ziule. Signed-off-by: Aris Adamantiadis Reviewed-by: Andreas Schneider (cherry picked from commit bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe) --- src/packet_cb.c | 16 ++++++++++------ src/server.c | 8 +++++--- 2 files changed, 15 insertions(+), 9 deletions(-) Index: libssh-0.6.3/src/packet_cb.c =================================================================== --- libssh-0.6.3.orig/src/packet_cb.c 2016-02-23 07:30:54.584144611 -0500 +++ libssh-0.6.3/src/packet_cb.c 2016-02-23 07:30:54.580144582 -0500 
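Review bot: in the src/gssapi.c hunk of CVE-2018-10933-4.patch, session->auth_state = SSH_AUTH_STATE_GSSAPI_MIC_SENT is set after ssh_gssapi_send_mic(session) without looking at that call's result. If sending the MIC can fail, the session is left in a state that accepts USERAUTH_SUCCESS although nothing was sent. Suggest checking the return value and moving to an error state on failure, setting MIC_SENT only when the send succeeded.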
@@ -88,7 +88,7 @@ (void)type; (void)user; SSH_LOG(SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY"); - if(session->session_state!= SSH_SESSION_STATE_DH && + if (session->session_state != SSH_SESSION_STATE_DH || session->dh_handshake_state != DH_STATE_INIT_SENT){ ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d", session->session_state,session->dh_handshake_state); @@ -129,12 +129,16 @@ (void)user; (void)type; SSH_LOG(SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS"); - if(session->session_state!= SSH_SESSION_STATE_DH && - session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){ - ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d", - session->session_state,session->dh_handshake_state); - goto error; + + if (session->session_state != SSH_SESSION_STATE_DH || + session->dh_handshake_state != DH_STATE_NEWKEYS_SENT) { + ssh_set_error(session, + SSH_FATAL, + "ssh_packet_newkeys called in wrong state : %d:%d", + session->session_state,session->dh_handshake_state); + goto error; } + if(session->server){ /* server things are done in server.c */ session->dh_handshake_state=DH_STATE_FINISHED; Index: libssh-0.6.3/src/server.c =================================================================== --- libssh-0.6.3.orig/src/server.c 2016-02-23 07:30:54.584144611 -0500 +++ libssh-0.6.3/src/server.c 2016-02-23 07:30:54.580144582 -0500 @@ -165,7 +165,7 @@ } SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){ - int rc; + int rc = SSH_ERROR; (void)type; (void)user; 
@@ -193,9 +193,11 @@ ssh_set_error(session,SSH_FATAL,"Wrong kex type in ssh_packet_kexdh_init"); rc = SSH_ERROR; } - if (rc == SSH_ERROR) + +error: + if (rc == SSH_ERROR) { session->session_state = SSH_SESSION_STATE_ERROR; - error: + } return SSH_PACKET_USED; } Index: libssh-0.6.3/src/buffer.c =================================================================== --- libssh-0.6.3.orig/src/buffer.c 2016-02-23 07:30:54.584144611 -0500 +++ libssh-0.6.3/src/buffer.c 2016-02-23 07:30:54.580144582 -0500 @@ -188,6 +188,10 @@ int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) { buffer_verify(buffer); + if (data == NULL) { + return -1; + } + if (buffer->used + len < len) { return -1; } @@ -221,6 +225,10 @@ struct ssh_string_struct *string) { uint32_t len = 0; + if (string == NULL) { + return -1; + } + len = ssh_string_len(string); if (buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) { return -1; debian/patches/CVE-2018-10933-1.patch0000644000000000000000000001113013361436771013465 0ustar From 92feb6b859473bdd909ff618c89ce4c89a6a867d Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 19 Sep 2018 14:08:28 +0200 Subject: [PATCH 1/8] CVE-2018-10933: Introduced new auth states Introduced the states SSH_AUTH_STATE_PUBKEY_OFFER_SENT and SSH_AUTH_STATE_PUBKEY_AUTH_SENT to know when SSH2_MSG_USERAUTH_PK_OK and SSH2_MSG_USERAUTH_SUCCESS should be expected. Fixes T101 Signed-off-by: Anderson Toshiyuki Sasaki --- include/libssh/auth.h | 4 ++++ src/auth.c | 32 +++++++++++++++++++++----------- 2 files changed, 25 insertions(+), 11 deletions(-) diff --git a/include/libssh/auth.h b/include/libssh/auth.h index 2c0012b0..05754460 100644 --- a/include/libssh/auth.h +++ b/include/libssh/auth.h 
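Review bot: the two src/buffer.c hunks at the end of CVE-2015-3146.patch (NULL checks in buffer_add_data() and in the ssh_string variant) are not covered by the commit message or by the diffstat, which lists only src/packet_cb.c and src/server.c with "2 files changed". Please record in the patch header that these checks were added in the backport and which caller can pass NULL, so the next rebase does not drop them as unrelated. In the src/server.c hunk, the move of the error: label above the rc == SSH_ERROR test depends on the new initialiser int rc = SSH_ERROR; a short comment there would keep the two from being separated later.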
@@ -90,6 +90,10 @@ enum ssh_auth_state_e { SSH_AUTH_STATE_GSSAPI_TOKEN, /** We have sent the MIC and expecting to be authenticated */ SSH_AUTH_STATE_GSSAPI_MIC_SENT, + /** We have offered a pubkey to check if it is supported */ + SSH_AUTH_STATE_PUBKEY_OFFER_SENT, + /** We have sent pubkey and signature expecting to be authenticated */ + SSH_AUTH_STATE_PUBKEY_AUTH_SENT, }; /** @internal diff --git a/src/auth.c b/src/auth.c index 9731efd4..f5ab4a97 100644 --- a/src/auth.c +++ b/src/auth.c @@ -85,6 +85,8 @@ static int ssh_auth_response_termination(void *user){ case SSH_AUTH_STATE_GSSAPI_REQUEST_SENT: case SSH_AUTH_STATE_GSSAPI_TOKEN: case SSH_AUTH_STATE_GSSAPI_MIC_SENT: + case SSH_AUTH_STATE_PUBKEY_AUTH_SENT: + case SSH_AUTH_STATE_PUBKEY_OFFER_SENT: return 0; default: return 1; @@ -137,6 +139,8 @@ static int ssh_userauth_get_response(ssh_session session) { case SSH_AUTH_STATE_GSSAPI_REQUEST_SENT: case SSH_AUTH_STATE_GSSAPI_TOKEN: case SSH_AUTH_STATE_GSSAPI_MIC_SENT: + case SSH_AUTH_STATE_PUBKEY_OFFER_SENT: + case SSH_AUTH_STATE_PUBKEY_AUTH_SENT: case SSH_AUTH_STATE_NONE: /* not reached */ rc = SSH_AUTH_ERROR; 
@@ -282,21 +286,27 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_success){ SSH_PACKET_CALLBACK(ssh_packet_userauth_pk_ok){ int rc; - SSH_LOG(SSH_LOG_TRACE, "Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE"); + SSH_LOG(SSH_LOG_TRACE, + "Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE"); - if(session->auth_state==SSH_AUTH_STATE_KBDINT_SENT){ + if (session->auth_state == SSH_AUTH_STATE_KBDINT_SENT) { /* Assuming we are in keyboard-interactive context */ SSH_LOG(SSH_LOG_TRACE, - "keyboard-interactive context, assuming SSH_USERAUTH_INFO_REQUEST"); - rc=ssh_packet_userauth_info_request(session,type,packet,user); + "keyboard-interactive context, " + "assuming SSH_USERAUTH_INFO_REQUEST"); + rc = ssh_packet_userauth_info_request(session, type, packet, user); #ifdef WITH_GSSAPI - } else if (session->auth_state == SSH_AUTH_STATE_GSSAPI_REQUEST_SENT){ + } else if (session->auth_state == SSH_AUTH_STATE_GSSAPI_REQUEST_SENT) { rc = ssh_packet_userauth_gssapi_response(session, type, packet, user); #endif + } else if (session->auth_state == SSH_AUTH_STATE_PUBKEY_OFFER_SENT) { + session->auth_state = SSH_AUTH_STATE_PK_OK; + SSH_LOG(SSH_LOG_TRACE, "Assuming SSH_USERAUTH_PK_OK"); + rc = SSH_PACKET_USED; } else { - session->auth_state=SSH_AUTH_STATE_PK_OK; - SSH_LOG(SSH_LOG_TRACE, "Assuming SSH_USERAUTH_PK_OK"); - rc=SSH_PACKET_USED; + session->auth_state = SSH_AUTH_STATE_ERROR; + SSH_LOG(SSH_LOG_TRACE, "SSH_USERAUTH_PK_OK received in wrong state"); + rc = SSH_PACKET_USED; } return rc; @@ -598,7 +608,7 @@ int ssh_userauth_try_publickey(ssh_session session, goto fail; } - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth_state = SSH_AUTH_STATE_PUBKEY_OFFER_SENT; session->pending_call_state = SSH_PENDING_CALL_AUTH_OFFER_PUBKEY; rc = packet_send(session); if (rc == SSH_ERROR) { 
@@ -772,7 +782,7 @@ int ssh_userauth_publickey(ssh_session session, goto fail; } - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth_state = SSH_AUTH_STATE_PUBKEY_AUTH_SENT; session->pending_call_state = SSH_PENDING_CALL_AUTH_PUBKEY; rc = packet_send(session); if (rc == SSH_ERROR) { @@ -908,7 +918,7 @@ static int ssh_userauth_agent_publickey(ssh_session session, goto fail; } - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth_state = SSH_AUTH_STATE_PUBKEY_AUTH_SENT; session->pending_call_state = SSH_PENDING_CALL_AUTH_AGENT; rc = packet_send(session); if (rc == SSH_ERROR) { -- 2.19.0 debian/patches/CVE-2018-10933-5.patch0000644000000000000000000000230113361437011013455 0ustar From 0acc250ad094d9bfef04543ed87bd21de0931c55 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 19 Sep 2018 14:30:33 +0200 Subject: [PATCH 5/8] CVE-2018-10933: Check channel state when OPEN_CONFIRMATION arrives When a SSH2_MSG_OPEN_CONFIRMATION arrives, the channel state is checked to be in SSH_CHANNEL_STATE_OPENING. Fixes T101 Signed-off-by: Anderson Toshiyuki Sasaki --- src/channels.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/channels.c b/src/channels.c index ced9697a..2aa08322 100644 --- a/src/channels.c +++ b/src/channels.c @@ -171,6 +171,15 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){ "Received a CHANNEL_OPEN_CONFIRMATION for channel %d:%d", channel->local_channel, channel->remote_channel); + + if (channel->state != SSH_CHANNEL_STATE_OPENING) { + SSH_LOG(SSH_LOG_RARE, + "SSH2_MSG_CHANNEL_OPEN_CONFIRMATION received in incorrect " + "channel state %d", + channel->state); + goto error; + } + SSH_LOG(SSH_LOG_PROTOCOL, "Remote window : %lu, maxpacket : %lu", (long unsigned int) channel->remote_window, -- 2.19.0 debian/patches/0003-fix-typo.patch0000644000000000000000000000064212104047131013770 0ustar Subject: Fix typo From: Laurent Bigonville --- a/src/server.c +++ b/src/server.c 
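Review bot: in the ssh_packet_userauth_pk_ok() hunk of CVE-2018-10933-1.patch (src/auth.c), the new else branch for a message received in the wrong state only logs at SSH_LOG_TRACE and sets SSH_AUTH_STATE_ERROR, without calling ssh_set_error(). An out-of-state authentication message is the security-relevant case of this series, so it should be visible at a default log level and leave an error string for the caller, for example ssh_set_error(session, SSH_FATAL, ...) as the channel handlers in patches 5/8 and 6/8 do.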
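Review bot: the state check added to ssh_packet_channel_open_conf() in CVE-2018-10933-5.patch (src/channels.c) ends in goto error, but no error: label is visible in this hunk, and patch 6/8 replaces that goto with ssh_set_error() plus return SSH_PACKET_USED under the remark "fix build for 0.6". Please fold that replacement into this patch so that each patch in debian/patches/series builds on its own and the series stays bisectable.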
@@ -186,7 +186,7 @@ static int dh_handshake_server(ssh_sessi default: ssh_set_error(session, SSH_FATAL, - "Could determine the specified hostkey"); + "Could not determine the specified hostkey"); ssh_string_free(f); return -1; } debian/patches/0002-fix-html-doc-generation.patch0000644000000000000000000000145012276742325016653 0ustar Description: Do not exclude "*/build/*" directory as buildd use that path Author: Laurent Bigonville Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/821437 Index: libssh-0.6.1/doc/doxy.config.in =================================================================== --- libssh-0.6.1.orig/doc/doxy.config.in 2014-02-12 11:00:37.500190171 -0800 +++ libssh-0.6.1/doc/doxy.config.in 2014-02-12 11:00:37.500190171 -0800 @@ -720,8 +720,7 @@ EXCLUDE_PATTERNS = */.git/* \ */.svn/* \ - */cmake/* \ - */build/* + */cmake/* # The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names # (namespaces, classes, functions, etc.) that should be excluded from the debian/patches/CVE-2018-10933-6.patch0000644000000000000000000000335513361437015013474 0ustar From 69e505bb8deb375486623117b9d1187e20e2e088 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 19 Sep 2018 14:37:40 +0200 Subject: [PATCH 6/8] CVE-2018-10933: Check channel state when OPEN_FAILURE arrives When a SSH2_MSG_OPEN_FAILURE arrives, the channel state is checked to be in SSH_CHANNEL_STATE_OPENING. Fixes T101 Signed-off-by: Anderson Toshiyuki Sasaki fix build for 0.6 --- src/channels.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/channels.c b/src/channels.c index 2aa08322..34207911 100644 --- a/src/channels.c +++ b/src/channels.c @@ -177,7 +177,8 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){ "SSH2_MSG_CHANNEL_OPEN_CONFIRMATION received in incorrect " "channel state %d", channel->state); - goto error; + ssh_set_error(session, SSH_FATAL, "Invalid packet"); + return SSH_PACKET_USED; } SSH_LOG(SSH_LOG_PROTOCOL, 
@@ -220,6 +221,14 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){ return SSH_PACKET_USED; } + if (channel->state != SSH_CHANNEL_STATE_OPENING) { + SSH_LOG(SSH_LOG_RARE, + "SSH2_MSG_CHANNEL_OPEN_FAILURE received in incorrect channel " + "state %d", + channel->state); + goto error; + } + ssh_set_error(session, SSH_REQUEST_DENIED, "Channel opening failure: channel %u error (%lu) %s", channel->local_channel, @@ -227,6 +236,9 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){ error); SAFE_FREE(error); channel->state=SSH_CHANNEL_STATE_OPEN_DENIED; + +error: + ssh_set_error(session, SSH_FATAL, "Invalid packet"); return SSH_PACKET_USED; } -- 2.19.0 debian/patches/CVE-2016-0739.patch0000644000000000000000000000314512662643342013254 0ustar Description: fix weakness in diffie-hellman secret key generation Origin: provided by the libssh team Index: libssh-0.6.3/src/dh.c =================================================================== --- libssh-0.6.3.orig/src/dh.c 2014-03-04 05:14:20.000000000 -0500 +++ libssh-0.6.3/src/dh.c 2016-02-22 12:07:16.223439049 -0500 @@ -240,15 +240,23 @@ } int dh_generate_x(ssh_session session) { + int keysize; + + if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) { + keysize = 1023; + } else { + keysize = 2047; + } + session->next_crypto->x = bignum_new(); if (session->next_crypto->x == NULL) { return -1; } #ifdef HAVE_LIBGCRYPT - bignum_rand(session->next_crypto->x, 128); + bignum_rand(session->next_crypto->x, keysize); #elif defined HAVE_LIBCRYPTO - bignum_rand(session->next_crypto->x, 128, 0, -1); + bignum_rand(session->next_crypto->x, keysize, -1, 0); #endif /* not harder than this */ 
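Review bot: in the last hunk of CVE-2018-10933-6.patch (ssh_packet_channel_open_fail() in src/channels.c), the new error: label sits directly after channel->state=SSH_CHANNEL_STATE_OPEN_DENIED, so the normal path falls through into ssh_set_error(session, SSH_FATAL, "Invalid packet") and overwrites the SSH_REQUEST_DENIED "Channel opening failure" message set a few lines earlier. The goto error path from the new state check also jumps past SAFE_FREE(error); if that string is already allocated at the point of the check, it is leaked. Suggest returning SSH_PACKET_USED before the label on the normal path and freeing error on the error path.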
@@ -261,15 +269,23 @@ /* used by server */ int dh_generate_y(ssh_session session) { - session->next_crypto->y = bignum_new(); + int keysize; + + if (session->next_crypto->kex_type == SSH_KEX_DH_GROUP1_SHA1) { + keysize = 1023; + } else { + keysize = 2047; + } + + session->next_crypto->y = bignum_new(); if (session->next_crypto->y == NULL) { return -1; } #ifdef HAVE_LIBGCRYPT - bignum_rand(session->next_crypto->y, 128); + bignum_rand(session->next_crypto->y, keysize); #elif defined HAVE_LIBCRYPTO - bignum_rand(session->next_crypto->y, 128, 0, -1); + bignum_rand(session->next_crypto->y, keysize, -1, 0); #endif /* not harder than this */ debian/patches/CVE-2014-8132.patch0000644000000000000000000000237412453263340013242 0ustar Backport of: From c2aed4ca78030d9014a890cb4370e6dc8264823f Mon Sep 17 00:00:00 2001 From: Jon Simons Date: Sun, 19 Oct 2014 06:23:26 +0000 Subject: CVE-2014-8132: Fixup error path in ssh_packet_kexinit() Before this change, dangling pointers can be unintentionally left in the respective next_crypto kex methods slots. Ensure to set all slots to NULL in the error-out path. Signed-off-by: Jon Simons Reviewed-by: Andreas Schneider --- Index: libssh-0.6.3/src/kex.c =================================================================== --- libssh-0.6.3.orig/src/kex.c 2015-01-07 11:59:20.072822104 -0500 +++ libssh-0.6.3/src/kex.c 2015-01-07 12:00:30.825361625 -0500 @@ -315,7 +315,7 @@ for (i = 0; i < KEX_METHODS_SIZE; i++) { str = buffer_get_ssh_string(packet); if (str == NULL) { - break; + goto error; } if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) { @@ -350,6 +350,11 @@ error: ssh_string_free(str); for (i = 0; i < SSH_KEX_METHODS; i++) { + if (server_kex) { + session->next_crypto->client_kex.methods[i] = NULL; + } else { /* client */ + session->next_crypto->server_kex.methods[i] = NULL; + } SAFE_FREE(strings[i]); } debian/patches/CVE-2018-10933-3.patch0000644000000000000000000000410513361437001013456 0ustar 
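Review bot: CVE-2016-0739.patch (src/dh.c) changes more than its one-line Description explains. In both dh_generate_x() and dh_generate_y() the bit count goes from 128 to 1023 or 2047, and in the HAVE_LIBCRYPTO branch the last two bignum_rand() arguments change from 0, -1 to -1, 0. Please document in the header why these sizes were chosen and what the argument swap fixes. Every kex type other than SSH_KEX_DH_GROUP1_SHA1 takes the 2047 branch, which deserves a comment, and the duplicated keysize block would be better as one helper used by both functions.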
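Review bot: in CVE-2014-8132.patch (src/kex.c), the read loop in the first hunk runs to KEX_METHODS_SIZE while the cleanup loop in the error: path, which now clears the methods[] slots, runs to SSH_KEX_METHODS. Please confirm the two constants are equal, or use the same one in both loops, so that every slot filled before the failure is reset to NULL. A comment on why server_kex clears client_kex.methods[] and the client case clears server_kex.methods[] would also help, since the naming reads inverted at first sight.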
From d42cf1bc656db3e335ed8e16b1252e7d51c3d6fc Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 19 Sep 2018 15:55:43 +0200 Subject: [PATCH 3/8] CVE-2018-10933: Introduce SSH_AUTH_STATE_AUTH_NONE_SENT The introduced auth state allows to identify when a request without authentication information was sent. Fixes T101 Signed-off-by: Anderson Toshiyuki Sasaki --- include/libssh/auth.h | 2 ++ src/auth.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/libssh/auth.h b/include/libssh/auth.h index 1fc00e20..75bc7546 100644 --- a/include/libssh/auth.h +++ b/include/libssh/auth.h @@ -96,6 +96,8 @@ enum ssh_auth_state_e { SSH_AUTH_STATE_PUBKEY_AUTH_SENT, /** We have sent a password expecting to be authenticated */ SSH_AUTH_STATE_PASSWORD_AUTH_SENT, + /** We have sent a request without auth information (method 'none') */ + SSH_AUTH_STATE_AUTH_NONE_SENT, }; /** @internal diff --git a/src/auth.c b/src/auth.c index 4c7a8e30..375c2c85 100644 --- a/src/auth.c +++ b/src/auth.c @@ -88,6 +88,7 @@ static int ssh_auth_response_termination(void *user){ case SSH_AUTH_STATE_PUBKEY_AUTH_SENT: case SSH_AUTH_STATE_PUBKEY_OFFER_SENT: case SSH_AUTH_STATE_PASSWORD_AUTH_SENT: + case SSH_AUTH_STATE_AUTH_NONE_SENT: return 0; default: return 1; @@ -143,6 +144,7 @@ static int ssh_userauth_get_response(ssh_session session) { case SSH_AUTH_STATE_PUBKEY_OFFER_SENT: case SSH_AUTH_STATE_PUBKEY_AUTH_SENT: case SSH_AUTH_STATE_PASSWORD_AUTH_SENT: + case SSH_AUTH_STATE_AUTH_NONE_SENT: case SSH_AUTH_STATE_NONE: /* not reached */ rc = SSH_AUTH_ERROR; @@ -444,7 +446,7 @@ int ssh_userauth_none(ssh_session session, const char *username) { goto fail; } - session->auth_state = SSH_AUTH_STATE_NONE; + session->auth_state = SSH_AUTH_STATE_AUTH_NONE_SENT; session->pending_call_state = SSH_PENDING_CALL_AUTH_NONE; rc = packet_send(session); if (rc == SSH_ERROR) { -- 2.19.0 debian/patches/CVE-2014-0017.patch0000644000000000000000000000464712307341133013234 0ustar 
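Review bot: with CVE-2018-10933-3.patch, both switch statements in src/auth.c (ssh_auth_response_termination() and ssh_userauth_get_response()) carry the same hand-maintained list of "request sent" states, and patches 1/8 to 3/8 each had to extend both. A state added to the enum but missed in ssh_auth_response_termination() silently takes the default: return 1 branch. Consider one helper predicate shared by both switches, or at least a comment next to enum ssh_auth_state_e in include/libssh/auth.h saying that every new *_SENT state must be added in both places.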
From e99246246b4061f7e71463f8806b9dcad65affa0 Mon Sep 17 00:00:00 2001 From: Aris Adamantiadis Date: Wed, 05 Feb 2014 20:24:12 +0000 Subject: security: fix for vulnerability CVE-2014-0017 When accepting a new connection, a forking server based on libssh forks and the child process handles the request. The RAND_bytes() function of openssl doesn't reset its state after the fork, but simply adds the current process id (getpid) to the PRNG state, which is not guaranteed to be unique. This can cause several children to end up with same PRNG state which is a security issue. --- diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h index 7374a88..e8ff32c 100644 --- a/include/libssh/wrapper.h +++ b/include/libssh/wrapper.h @@ -70,5 +70,6 @@ int crypt_set_algorithms_server(ssh_session session); struct ssh_crypto_struct *crypto_new(void); void crypto_free(struct ssh_crypto_struct *crypto); +void ssh_reseed(void); #endif /* WRAPPER_H_ */ diff --git a/src/bind.c b/src/bind.c index 8d82d0d..03d3403 100644 --- a/src/bind.c +++ b/src/bind.c @@ -458,6 +458,8 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd){ return SSH_ERROR; } } + /* force PRNG to change state in case we fork after ssh_bind_accept */ + ssh_reseed(); return SSH_OK; } diff --git a/src/libcrypto.c b/src/libcrypto.c index bb1d96a..d8cc795 100644 --- a/src/libcrypto.c +++ b/src/libcrypto.c @@ -23,6 +23,7 @@ #include #include #include +#include #include "libssh/priv.h" #include "libssh/session.h" @@ -38,6 +39,8 @@ #include #include #include +#include + #ifdef HAVE_OPENSSL_AES_H #define HAS_AES #include @@ -74,6 +77,12 @@ static int alloc_key(struct ssh_cipher_struct *cipher) { return 0; } +void ssh_reseed(void){ + struct timeval tv; + gettimeofday(&tv, NULL); + RAND_add(&tv, sizeof(tv), 0.0); +} + SHACTX sha1_init(void) { SHACTX c = malloc(sizeof(*c)); if (c == NULL) { diff --git a/src/libgcrypt.c b/src/libgcrypt.c index 899bccd..4617901 100644 --- a/src/libgcrypt.c 
+++ b/src/libgcrypt.c @@ -45,6 +45,9 @@ static int alloc_key(struct ssh_cipher_struct *cipher) { return 0; } +void ssh_reseed(void){ + } + SHACTX sha1_init(void) { SHACTX ctx = NULL; gcry_md_open(&ctx, GCRY_MD_SHA1, 0); -- cgit v0.9.1 debian/patches/CVE-2018-10933-regression.patch0000644000000000000000000000215313377260203015502 0ustar Backport of: From 4ea46eecce9f4e676150fe27fec34e1570b70ace Mon Sep 17 00:00:00 2001 From: Meng Tan Date: Wed, 17 Oct 2018 14:50:08 +0200 Subject: server: Set correct state after sending INFO_REQUEST (Kbd Interactive) Signed-off-by: Meng Tan Reviewed-by: Andreas Schneider --- src/server.c | 1 + 1 file changed, 1 insertion(+) Index: libssh-0.6.3/src/server.c =================================================================== --- libssh-0.6.3.orig/src/server.c 2018-11-27 10:01:40.703994571 -0500 +++ libssh-0.6.3/src/server.c 2018-11-27 10:04:11.408460679 -0500 @@ -985,7 +985,6 @@ int ssh_message_auth_interactive_request msg->session->kbdint = NULL; return SSH_PACKET_USED; } - msg->session->kbdint->nprompts = num_prompts; if(num_prompts > 0) { msg->session->kbdint->prompts = malloc(num_prompts * sizeof(char *)); @@ -1018,6 +1017,7 @@ int ssh_message_auth_interactive_request msg->session->kbdint->prompts = NULL; msg->session->kbdint->echo = NULL; } + msg->session->auth_state = SSH_AUTH_STATE_INFO; return r; } debian/patches/CVE-2018-10933-7.patch0000644000000000000000000006546213361437021013501 0ustar From 50cba69159e1c7f4b85f2e267d5f9e8c741ca964 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Wed, 19 Sep 2018 15:04:31 +0200 Subject: [PATCH 7/8] CVE-2018-10933: Introduced packet filtering The packet filter checks required states for the incoming packets and reject them if they arrived in the wrong state. Fixes T101 Signed-off-by: Anderson Toshiyuki Sasaki --- include/libssh/packet.h | 6 + src/packet.c | 787 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 791 insertions(+), 2 deletions(-) 
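Review bot: in CVE-2014-0017.patch, the src/libgcrypt.c hunk adds ssh_reseed() as an empty function with no comment, while the src/libcrypto.c version mixes a gettimeofday() value into the PRNG with RAND_add(). The commit message only discusses RAND_bytes() of openssl. Please add a comment in the libgcrypt stub stating why no reseed is needed for that backend, and a doc comment on the new prototype in include/libssh/wrapper.h saying it must be called per accepted connection before a fork, as the call in ssh_bind_accept_fd() does.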
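Review bot: in CVE-2018-10933-regression.patch (src/server.c), msg->session->auth_state = SSH_AUTH_STATE_INFO is assigned immediately before return r without looking at r. If r can carry a failure from sending the INFO_REQUEST, the server then accepts an INFO_RESPONSE for a request that never went out. Suggest setting the state only when r indicates success. The diffstat also reports a single insertion, although the first hunk removes a blank line as well.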
diff --git a/include/libssh/packet.h b/include/libssh/packet.h index 513eaa81..80217f84 100644 --- a/include/libssh/packet.h +++ b/include/libssh/packet.h @@ -41,6 +41,12 @@ enum ssh_packet_state_e { PACKET_STATE_PROCESSING }; +enum ssh_packet_filter_result_e { + SSH_PACKET_UNKNOWN, + SSH_PACKET_ALLOWED, + SSH_PACKET_DENIED +}; + int packet_send(ssh_session session); #ifdef WITH_SSH1 diff --git a/src/packet.c b/src/packet.c index 535b6d55..4d6f4878 100644 --- a/src/packet.c +++ b/src/packet.c 
@@ -129,6 +129,775 @@ static ssh_packet_callback default_packet_handlers[]= { ssh_packet_channel_failure, // SSH2_MSG_CHANNEL_FAILURE 100 }; +/** @internal + * @brief check if the received packet is allowed for the current session state + * @param session current ssh_session + * @returns SSH_PACKET_ALLOWED if the packet is allowed; SSH_PACKET_DENIED + * if the packet arrived in wrong state; SSH_PACKET_UNKNOWN if the packet type + * is unknown + */ +static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session session) +{ + enum ssh_packet_filter_result_e rc; + +#ifdef DEBUG_PACKET + SSH_LOG(SSH_LOG_PACKET, "Filtering packet type %d", + session->in_packet.type); +#endif + + switch(session->in_packet.type) { + case SSH2_MSG_DISCONNECT: // 1 + /* + * States required: + * - None + * + * Transitions: + * - session->socket->state = SSH_SOCKET_CLOSED + * - session->session_state = SSH_SESSION_STATE_ERROR + * */ + + /* Always allowed */ + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_IGNORE: // 2 + /* + * States required: + * - None + * + * Transitions: + * - None + * */ + + /* Always allowed */ + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_UNIMPLEMENTED: // 3 + /* + * States required: + * - None + * + * Transitions: + * - None + * */ + + /* Always allowed */ + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_DEBUG: // 4 + /* + * States required: + * - None + * + * Transitions: + * - None + * */ + + /* Always allowed */ + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_SERVICE_REQUEST: // 5 + /* Server only */ + + /* + * States required: + * - session->session_state == SSH_SESSION_STATE_AUTHENTICATING + * or session->session_state == SSH_SESSION_STATE_AUTHENTICATED + * - session->dh_handshake_state == DH_STATE_FINISHED + * + * Transitions: + * - None + * */ + + /* If this is a client, reject the message */ + if (session->client) { + rc = SSH_PACKET_DENIED; + break; + } + + if ((session->session_state != SSH_SESSION_STATE_AUTHENTICATING) && + 
(session->session_state != SSH_SESSION_STATE_AUTHENTICATED)) + { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->dh_handshake_state != DH_STATE_FINISHED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_SERVICE_ACCEPT: // 6 + /* + * States required: + * - session->session_state == SSH_SESSION_STATE_AUTHENTICATING + * or session->session_state == SSH_SESSION_STATE_AUTHENTICATED + * - session->dh_handshake_state == DH_STATE_FINISHED + * - session->auth_service_state == SSH_AUTH_SERVICE_SENT + * + * Transitions: + * - auth_service_state = SSH_AUTH_SERVICE_ACCEPTED + * */ + + if ((session->session_state != SSH_SESSION_STATE_AUTHENTICATING) && + (session->session_state != SSH_SESSION_STATE_AUTHENTICATED)) + { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->dh_handshake_state != DH_STATE_FINISHED) { + rc = SSH_PACKET_DENIED; + break; + } + + /* TODO check if only auth service can be requested */ + if (session->auth_service_state != SSH_AUTH_SERVICE_SENT) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_KEXINIT: // 20 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * or session_state == SSH_SESSION_STATE_INITIAL_KEX + * - dh_handshake_state == DH_STATE_INIT + * or dh_handshake_state == DH_STATE_FINISHED (re-exchange) + * + * Transitions: + * - session->dh_handshake_state = DH_STATE_INIT + * - session->session_state = SSH_SESSION_STATE_KEXINIT_RECEIVED + * + * On server: + * - session->session_state = SSH_SESSION_STATE_DH + * */ + + if ((session->session_state != SSH_SESSION_STATE_AUTHENTICATED) && + (session->session_state != SSH_SESSION_STATE_INITIAL_KEX)) + { + rc = SSH_PACKET_DENIED; + break; + } + + if ((session->dh_handshake_state != DH_STATE_INIT) && + (session->dh_handshake_state != DH_STATE_FINISHED)) + { + rc = SSH_PACKET_DENIED; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_NEWKEYS: // 21 + /* + * States 
required: + * - session_state == SSH_SESSION_STATE_DH + * - dh_handshake_state == DH_STATE_NEWKEYS_SENT + * + * Transitions: + * - session->dh_handshake_state = DH_STATE_FINISHED + * - session->session_state = SSH_SESSION_STATE_AUTHENTICATING + * if session->flags & SSH_SESSION_FLAG_AUTHENTICATED + * - session->session_state = SSH_SESSION_STATE_AUTHENTICATED + * */ + + /* If DH has not been started, reject message */ + if (session->session_state != SSH_SESSION_STATE_DH) { + rc = SSH_PACKET_DENIED; + break; + } + + /* Only allowed if dh_handshake_state is in NEWKEYS_SENT state */ + if (session->dh_handshake_state != DH_STATE_NEWKEYS_SENT) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_KEXDH_INIT: // 30 + // SSH2_MSG_KEX_ECDH_INIT: // 30 + // SSH2_MSG_ECMQV_INIT: // 30 + // SSH2_MSG_KEX_DH_GEX_REQUEST_OLD: // 30 + + /* Server only */ + + /* + * States required: + * - session_state == SSH_SESSION_STATE_DH + * - dh_handshake_state == DH_STATE_INIT + * + * Transitions: + * - session->dh_handshake_state = DH_STATE_INIT_SENT + * then calls dh_handshake_server which triggers: + * - session->dh_handhsake_state = DH_STATE_NEWKEYS_SENT + * */ + + if (session->session_state != SSH_SESSION_STATE_DH) { + rc = SSH_PACKET_DENIED; + break; + } + + /* Only allowed if dh_handshake_state is in initial state */ + if (session->dh_handshake_state != DH_STATE_INIT) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_KEXDH_REPLY: // 31 + // SSH2_MSG_KEX_ECDH_REPLY: // 31 + // SSH2_MSG_ECMQV_REPLY: // 31 + // SSH2_MSG_KEX_DH_GEX_GROUP: // 31 + + /* + * States required: + * - session_state == SSH_SESSION_STATE_DH + * - dh_handshake_state == DH_STATE_INIT_SENT + * + * Transitions: + * - session->dh_handhsake_state = DH_STATE_NEWKEYS_SENT + * */ + + if (session->session_state != SSH_SESSION_STATE_DH) { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->dh_handshake_state != DH_STATE_INIT_SENT) { + 
rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_KEX_DH_GEX_INIT: // 32 + /* TODO Not filtered */ + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_KEX_DH_GEX_REPLY: // 33 + /* TODO Not filtered */ + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_KEX_DH_GEX_REQUEST: // 34 + /* TODO Not filtered */ + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_USERAUTH_REQUEST: // 50 + /* Server only */ + + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATING + * - dh_hanshake_state == DH_STATE_FINISHED + * + * Transitions: + * - if authentication was successful: + * - session_state = SSH_SESSION_STATE_AUTHENTICATED + * */ + + /* If this is a client, reject the message */ + if (session->client) { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->dh_handshake_state != DH_STATE_FINISHED) { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_USERAUTH_FAILURE: // 51 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATING + * - dh_hanshake_state == DH_STATE_FINISHED + * - session->auth_state == SSH_AUTH_STATE_KBDINT_SENT + * or session->auth_state == SSH_AUTH_STATE_PUBKEY_OFFER_SENT + * or session->auth_state == SSH_AUTH_STATE_PUBKEY_AUTH_SENT + * or session->auth_state == SSH_AUTH_STATE_PASSWORD_AUTH_SENT + * or session->auth_state == SSH_AUTH_STATE_GSSAPI_MIC_SENT + * + * Transitions: + * - if unpacking failed: + * - session->auth_state = SSH_AUTH_ERROR + * - if failure was partial: + * - session->auth_state = SSH_AUTH_PARTIAL + * - else: + * - session->auth_state = SSH_AUTH_STATE_FAILED + * */ + + /* If this is a server, reject the message */ + if (session->server) { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->dh_handshake_state != DH_STATE_FINISHED) { + rc = SSH_PACKET_DENIED; + break; + } + + if 
(session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_USERAUTH_SUCCESS: // 52 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATING + * - dh_hanshake_state == DH_STATE_FINISHED + * - session->auth_state == SSH_AUTH_STATE_KBDINT_SENT + * or session->auth_state == SSH_AUTH_STATE_PUBKEY_AUTH_SENT + * or session->auth_state == SSH_AUTH_STATE_PASSWORD_AUTH_SENT + * or session->auth_state == SSH_AUTH_STATE_GSSAPI_MIC_SENT + * or session->auth_state == SSH_AUTH_STATE_AUTH_NONE_SENT + * + * Transitions: + * - session->auth_state = SSH_AUTH_STATE_SUCCESS + * - session->session_state = SSH_SESSION_STATE_AUTHENTICATED + * - session->flags |= SSH_SESSION_FLAG_AUTHENTICATED + * - sessions->auth.current_method = SSH_AUTH_METHOD_UNKNOWN + * */ + + /* If this is a server, reject the message */ + if (session->server) { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->dh_handshake_state != DH_STATE_FINISHED) { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { + rc = SSH_PACKET_DENIED; + break; + } + + if ((session->auth_state != SSH_AUTH_STATE_KBDINT_SENT) && + (session->auth_state != SSH_AUTH_STATE_PUBKEY_AUTH_SENT) && + (session->auth_state != SSH_AUTH_STATE_PASSWORD_AUTH_SENT) && + (session->auth_state != SSH_AUTH_STATE_GSSAPI_MIC_SENT) && + (session->auth_state != SSH_AUTH_STATE_AUTH_NONE_SENT)) + { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_USERAUTH_BANNER: // 53 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATING + * + * Transitions: + * - None + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_USERAUTH_PK_OK: // 60 + // SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ: // 60 + // 
SSH2_MSG_USERAUTH_INFO_REQUEST: // 60 + // SSH2_MSG_USERAUTH_GSSAPI_RESPONSE: // 60 + + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATING + * - session->auth_state == SSH_AUTH_STATE_KBDINT_SENT + * or + * session->auth_state == SSH_AUTH_STATE_GSSAPI_REQUEST_SENT + * or + * session->auth_state == SSH_AUTH_STATE_PUBKEY_OFFER_SENT + * + * Transitions: + * Depending on the current state, the message is treated + * differently: + * - session->auth_state == SSH_AUTH_STATE_KBDINT_SENT + * - session->auth_state = SSH_AUTH_STATE_INFO + * - session->auth_state == SSH_AUTH_STATE_GSSAPI_REQUEST_SENT + * - session->auth_state = SSH_AUTH_STATE_GSSAPI_TOKEN + * - session->auth_state == SSH_AUTH_STATE_PUBKEY_OFFER_SENT + * - session->auth_state = SSH_AUTH_STATE_PK_OK + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { + rc = SSH_PACKET_DENIED; + break; + } + + if ((session->auth_state != SSH_AUTH_STATE_KBDINT_SENT) && + (session->auth_state != SSH_AUTH_STATE_PUBKEY_OFFER_SENT) && + (session->auth_state != SSH_AUTH_STATE_GSSAPI_REQUEST_SENT)) + { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_USERAUTH_INFO_RESPONSE: // 61 + // SSH2_MSG_USERAUTH_GSSAPI_TOKEN: // 61 + + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATING + * - session_state->auth_state == SSH_SESSION_STATE_GSSAPI_TOKEN + * or + * session_state->auth_state == SSH_SESSION_STATE_INFO + * + * Transitions: + * - None + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { + rc = SSH_PACKET_DENIED; + break; + } + + if ((session->auth_state != SSH_AUTH_STATE_INFO) && + (session->auth_state != SSH_AUTH_STATE_GSSAPI_TOKEN)) + { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE: // 63 + /* TODO Not filtered */ + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_USERAUTH_GSSAPI_ERROR: // 64 + /* TODO Not 
filtered */ + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_USERAUTH_GSSAPI_ERRTOK: // 65 + /* TODO Not filtered */ + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_USERAUTH_GSSAPI_MIC: // 66 + /* Server only */ + + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATING + * - session->gssapi->state == SSH_GSSAPI_STATE_RCV_MIC + * + * Transitions: + * Depending on the result of the verification, the states are + * changed: + * - SSH_AUTH_SUCCESS: + * - session->session_state = SSH_SESSION_STATE_AUTHENTICATED + * - session->flags != SSH_SESSION_FLAG_AUTHENTICATED + * - SSH_AUTH_PARTIAL: + * - None + * - any other case: + * - None + * */ + + /* If this is a client, reject the message */ + if (session->client) { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->dh_handshake_state != DH_STATE_FINISHED) { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_GLOBAL_REQUEST: // 80 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * + * Transitions: + * - None + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_REQUEST_SUCCESS: // 81 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * - session->global_req_state == SSH_CHANNEL_REQ_STATE_PENDING + * + * Transitions: + * - session->global_req_state == SSH_CHANNEL_REQ_STATE_ACCEPTED + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->global_req_state != SSH_CHANNEL_REQ_STATE_PENDING) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_REQUEST_FAILURE: // 82 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * - 
session->global_req_state == SSH_CHANNEL_REQ_STATE_PENDING + * + * Transitions: + * - session->global_req_state == SSH_CHANNEL_REQ_STATE_DENIED + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + if (session->global_req_state != SSH_CHANNEL_REQ_STATE_PENDING) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_OPEN: // 90 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * + * Transitions: + * - None + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: // 91 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * + * Transitions: + * - channel->state = SSH_CHANNEL_STATE_OPEN + * - channel->flags &= ~SSH_CHANNEL_FLAG_NOT_BOUND + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_OPEN_FAILURE: // 92 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * + * Transitions: + * - channel->state = SSH_CHANNEL_STATE_OPEN_DENIED + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_WINDOW_ADJUST: // 93 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * + * Transitions: + * - None + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_DATA: // 94 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * + * Transitions: + * - None + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + 
rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_EXTENDED_DATA: // 95 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * + * Transitions: + * - None + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_EOF: // 96 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * + * Transitions: + * - None + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_CLOSE: // 97 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * + * Transitions: + * - channel->state = SSH_CHANNEL_STATE_CLOSED + * - channel->flags |= SSH_CHANNEL_FLAG_CLOSED_REMOTE + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_REQUEST: // 98 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * + * Transitions: + * - Depends on the request + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_SUCCESS: // 99 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * - channel->request_state == SSH_CHANNEL_REQ_STATE_PENDING + * + * Transitions: + * - channel->request_state = SSH_CHANNEL_REQ_STATE_ACCEPTED + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + case SSH2_MSG_CHANNEL_FAILURE: // 100 + /* + * States required: + * - session_state == SSH_SESSION_STATE_AUTHENTICATED + * - channel->request_state == 
SSH_CHANNEL_REQ_STATE_PENDING + * + * Transitions: + * - channel->request_state = SSH_CHANNEL_REQ_STATE_DENIED + * */ + + if (session->session_state != SSH_SESSION_STATE_AUTHENTICATED) { + rc = SSH_PACKET_DENIED; + break; + } + + rc = SSH_PACKET_ALLOWED; + break; + default: + /* Unknown message, do not filter */ + rc = SSH_PACKET_UNKNOWN; + goto end; + } + +end: +#ifdef DEBUG_PACKET + if (rc == SSH_PACKET_DENIED) { + SSH_LOG(SSH_LOG_PACKET, "REJECTED packet type %d: ", + session->in_packet.type); + } + + if (rc == SSH_PACKET_UNKNOWN) { + SSH_LOG(SSH_LOG_PACKET, "UNKNOWN packet type %d", + session->in_packet.type); + } +#endif + + return rc; +} + /* in nonblocking mode, socket_read will read as much as it can, and return */ /* SSH_OK if it has read at least len bytes, otherwise, SSH_AGAIN. */ /* in blocking mode, it will read at least len bytes and will block until it's ok. */ @@ -155,6 +924,7 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user) uint32_t len, compsize, payloadsize; uint8_t padding; size_t processed = 0; /* number of byte processed from the callback */ + enum ssh_packet_filter_result_e filter_result; if (data == NULL) { goto error; 
@@ -322,8 +1092,21 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user) "packet: read type %hhd [len=%d,padding=%hhd,comp=%d,payload=%d]", session->in_packet.type, len, padding, compsize, payloadsize); - /* Execute callbacks */ - ssh_packet_process(session, session->in_packet.type); + /* Check if the packet is expected */ + filter_result = ssh_packet_incoming_filter(session); + + switch(filter_result) { + case SSH_PACKET_ALLOWED: + /* Execute callbacks */ + ssh_packet_process(session, session->in_packet.type); + break; + case SSH_PACKET_DENIED: + goto error; + case SSH_PACKET_UNKNOWN: + ssh_packet_send_unimplemented(session, session->recv_seq - 1); + break; + } + session->packet_state = PACKET_STATE_INIT; if (processed < receivedlen) { /* Handle a potential packet left in socket buffer */ -- 2.19.0 debian/patches/0001-disable-latex-documentation.patch0000644000000000000000000000106312104047131017572 0ustar Description: Be sure we never build LaTeX documentation Author: Laurent Bigonville Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622108 --- a/doc/doxy.config.in +++ b/doc/doxy.config.in @@ -1014,7 +1014,7 @@ # If the GENERATE_LATEX tag is set to YES (the default) Doxygen will # generate Latex output. -GENERATE_LATEX = @DOXYFILE_LATEX@ +GENERATE_LATEX = NO # The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. # If a relative path is entered the value of OUTPUT_DIRECTORY will be debian/patches/CVE-2018-10933-regression3.patch0000644000000000000000000000166613377263004015577 0ustar Backport of: From bea6393de046bfc7f3d5aaea1d863dbe88f68b52 Mon Sep 17 00:00:00 2001 From: Meng Tan Date: Thu, 25 Oct 2018 17:06:06 +0200 Subject: gssapi: Set correct state after sending GSSAPI_RESPONSE (select mechanism OID) 
Signed-off-by: Meng Tan Reviewed-by: Andreas Schneider (cherry picked from commit bce8d567053232debd6ec490af5a7d27e1160f39) --- src/gssapi.c | 1 + 1 file changed, 1 insertion(+) Index: libssh-0.6.3/src/gssapi.c =================================================================== --- libssh-0.6.3.orig/src/gssapi.c 2018-11-27 10:37:54.678398470 -0500 +++ libssh-0.6.3/src/gssapi.c 2018-11-27 10:37:54.678398470 -0500 
@@ -120,6 +120,7 @@ static int ssh_gssapi_send_response(ssh_ ssh_set_error_oom(session); return SSH_ERROR; } + session->auth_state = SSH_AUTH_STATE_GSSAPI_TOKEN; packet_send(session); SSH_LOG(SSH_LOG_PACKET, debian/libssh-4.lintian-overrides0000644000000000000000000000020512104047131014161 0ustar # We use libssh-4 name to avoid name clash with libssh2 package. libssh-4: package-name-doesnt-match-sonames libssh4 libssh-threads4 debian/compat0000644000000000000000000000000212104047131010355 0ustar 8 debian/copyright0000644000000000000000000001075312104047131011120 0ustar This package was debianized by Laurent Bigonville on Thu, 16 Nov 2006 20:34:01 +0100. It was downloaded from http://www.libssh.org/ Upstream Author: Aris Adamantiadis (aka spacewalker) Andreas Schneider Nick Zitzmann Norbert Kiesel Jean-Philippe Garcia Ballester Files: * Copyright: Copyright © 2003-2008 Aris Adamantiadis Copyright © 2008-2009 Andreas Schneider License: LGPL-2.1+ with OpenSSL exemption In addition, as a special exception, the author of this program gives permission to link the code of its release with the OpenSSL project's "OpenSSL" library (or with modified versions of it that use the same license as the "OpenSSL" library), and distribute the linked executables. You must obey the GNU General Public License in all respects for all of the code used other than "OpenSSL". If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. Files: libssh/match.c Copyright: Copyright © 2000 Markus Friedl License: BSD-C2 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
 Redistributions in binary form must reproduce the above copyright notice,
 this list of conditions and the following disclaimer in the documentation
 and/or other materials provided with the distribution.
 .
 THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Files: cmake/Modules/FindGCrypt.cmake,
 cmake/Modules/FindOpenSSL.cmake,
 cmake/Modules/FindZLIB.cmake,
 cmake/Modules/MacroAddCompileFlags.cmake,
 cmake/Modules/MacroAddLinkFlags.cmake,
 cmake/Modules/MacroAddPlugin.cmake,
 cmake/Modules/MacroCopyFile.cmake,
 cmake/Modules/MacroEnsureOutOfSourceBuild.cmake
Copyright: Copyright © 2009 Andreas Schneider
 Copyright © 2006, Oswald Buddenhagen
 Copyright © 2006, Alexander Neundorf
 Copyright © 2006, Laurent Montel
 Copyright © 2006-2007 Wengo
License: BSD-C3
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 1. Redistributions of source code must retain the copyright notice,
 this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the copyright notice,
 this list of conditions and the following disclaimer in the
 documentation and/or other materials provided with the distribution.
 3. The name of the author may not be used to endorse or promote products
 derived from this software without specific prior written permission.
 .
 THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Files: debian/*
Copyright: Copyright © 2005-2006, Jean-Philippe Garcia Ballester,
 Copyright © 2006-2009, Laurent Bigonville and
License: GPL-2+
 On Debian systems, the complete text of the GPL can be found in
 /usr/share/common-licenses/GPL.

debian/libssh-doc.manpages0000644000000000000000000000002712104047131012722 0ustar
doxygen/man/man3/ssh_*

debian/source/0000755000000000000000000000000012104047131010459 5ustar
debian/source/format0000644000000000000000000000001412104047131011665 0ustar
3.0 (quilt)

debian/libssh-doc.doc-base0000644000000000000000000000041612104047131012606 0ustar
Document: libssh
Title: libssh public API Manual
Author: Aris Adamantiadis
Abstract: This manual describes libssh API.
Section: Programming/C

Format: HTML
Index: /usr/share/doc/libssh-doc/html/index.html
Files: /usr/share/doc/libssh-doc/html/*.html

debian/.directory0000644000000000000000000000012112276722414011174 0ustar
[Dolphin]
Timestamp=2014,2,12,8,45,0
Version=3

[Settings]
HiddenFilesShown=true

debian/libssh-doc.docs0000644000000000000000000000001612104047131012055 0ustar
obj*/doc/html

debian/libssh-4.install0000644000000000000000000000011212104047131012166 0ustar
debian/tmp/usr/lib/*/libssh.so.*
debian/tmp/usr/lib/*/libssh_threads.so.*

debian/changelog0000644000000000000000000002465313377263024011061 0ustar
libssh (0.6.1-0ubuntu3.5) trusty-security; urgency=medium

  * SECURITY REGRESSION: fix multiple regressions (LP: #1805348)
    - debian/patches/CVE-2018-10933-regression.patch: set correct state
      after sending INFO_REQUEST in src/server.c.
    - debian/patches/CVE-2018-10933-regression2.patch: add missing break in
      src/packet.c.
    - debian/patches/CVE-2018-10933-regression3.patch: set correct state
      after sending GSSAPI_RESPONSE in src/gssapi.c.

 -- Marc Deslauriers  Tue, 27 Nov 2018 10:05:25 -0500

libssh (0.6.1-0ubuntu3.4) trusty-security; urgency=medium

  * SECURITY UPDATE: authentication bypass vulnerability
    - debian/patches/CVE-2018-10933-*.patch: add upstream patches to
      correct the issue.
    - CVE-2018-10933

 -- Marc Deslauriers  Tue, 16 Oct 2018 15:38:00 -0400

libssh (0.6.1-0ubuntu3.3) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via incorrect SSH_MSG_NEWKEYS and
    KEXDH_REPLY packet handling
    - debian/patches/CVE-2015-3146.patch: fix state validation in
      src/packet_cb.c, src/server.c, src/buffer.c.
    - CVE-2015-3146
  * SECURITY UPDATE: weakness in diffie-hellman secret key generation
    - debian/patches/CVE-2016-0739.patch: fix bits/bytes confusion bug in
      src/dh.c.
    - CVE-2016-0739

 -- Marc Deslauriers  Tue, 23 Feb 2016 07:35:04 -0500

libssh (0.6.1-0ubuntu3.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted kexinit packet
    - debian/patches/CVE-2014-8132.patch: properly set slots to NULL in
      src/kex.c.
    - CVE-2014-8132

 -- Marc Deslauriers  Wed, 07 Jan 2015 12:03:32 -0500

libssh (0.6.1-0ubuntu3) trusty; urgency=medium

  * SECURITY UPDATE: PRNG state reuse on forking servers
    - debian/patches/CVE-2014-0017.patch: force reseed after fork in
      include/libssh/wrapper.h, src/bind.c, src/libcrypto.c,
      src/libgcrypt.c.
    - CVE-2014-0017

 -- Marc Deslauriers  Mon, 10 Mar 2014 09:47:11 -0400

libssh (0.6.1-0ubuntu2) trusty; urgency=medium

  * Fix .symbols file

 -- Jonathan Riddell  Thu, 13 Feb 2014 11:57:02 +0000

libssh (0.6.1-0ubuntu1) trusty; urgency=low

  * New upstream release.

 -- Scarlett Clark  Wed, 12 Feb 2014 10:49:46 -0800

libssh (0.5.4-1) unstable; urgency=low

  * New upstream security release
    - Fix NULL dereference leads to denial of service
      (Closes: #698963, CVE-2013-0176)
  * debian/patches/0003-fix-typo.patch: Fix typo in error message

 -- Laurent Bigonville  Tue, 05 Feb 2013 01:06:40 +0100

libssh (0.5.3-1) unstable; urgency=high

  * New upstream security release
    - Fixes CVE-2012-4559, CVE-2012-4560, CVE-2012-4561, CVE-2012-4562
    - Fix regression in pre-connected socket setting (Closes: #688700)

 -- Laurent Bigonville  Wed, 21 Nov 2012 13:53:14 +0100

libssh (0.5.2-1) unstable; urgency=low

  * New upstream release
    - Fix bug with ssh_channel_write (Closes: #631950)
  * debian/watch: Use new tarball location

 -- Laurent Bigonville  Mon, 19 Sep 2011 12:01:26 +0200

libssh (0.5.1-1) unstable; urgency=low

  * New upstream release (Closes: #637445)
  * debian/patches/0001-rename-threads-static.patch,
    debian/patches/0002-Check-for-NULL-pointers-in-string-c.patch: Dropped
  * debian/rules:
    - Adjust rule that builds documentation
  * debian/patches/0001-disable-latex-documentation.patch: Disable LaTeX
    documentation generation (Closes: #622108)
  * debian/control: Drop texlive-fonts-recommended build-dependency
  * debian/patches/0002-fix-html-doc-generation.patch: Fix HTML doc
    generation (LP: #821437)
  * debian/libssh-doc.doc-base: Refine Title and Files glob

 -- Laurent Bigonville  Fri, 19 Aug 2011 00:46:48 +0200

libssh (0.5.0-2) unstable; urgency=low

  * debian/patches/0002-Check-for-NULL-pointers-in-string-c.patch:
    Consolidate patch (Should fix previous REJECT)
  * Support multiarch spec

 -- Laurent Bigonville  Wed, 15 Jun 2011 15:48:07 +0200

libssh (0.5.0-1) unstable; urgency=low

  * New upstream release
  * debian/control:
    - Bump Standards-Version to 3.9.2 (no further changes)
    - Fix short description to please lintian
  * debian/libssh-dev.install:
    - Remove "static" from the static library name
    - Install pkg-config file
  * debian/libssh-4.symbols: Add new symbols to .symbols file
  * debian/patch/0001-rename-threads-static.patch: Rename
    libssh_threads_static.so to libssh_threads.so
  * debian/libssh-4.install, debian/libssh-dev.install,
    debian/libssh-4.symbols, debian/libssh-4.lintian-overrides: Install
    libssh_threads library
  * debian/patches/0002-Check-for-NULL-pointers-in-string-c.patch: Check if
    string is NULL.

 -- Laurent Bigonville  Fri, 10 Jun 2011 22:47:54 +0200

libssh (0.4.8-2) unstable; urgency=low

  * Upload to unstable
  * debian/control: Add texlive-fonts-recommended to Build-Depends-Indep
    (Closes: #608319)

 -- Laurent Bigonville  Sun, 13 Mar 2011 22:06:00 +0100

libssh (0.4.8-1) experimental; urgency=low

  * New upstream release
  * Bump debhelper compatibility to 8

 -- Laurent Bigonville  Mon, 17 Jan 2011 19:31:47 +0100

libssh (0.4.7-1) experimental; urgency=low

  * New upstream release
    - Drop all patches, applied upstream
  * debian/watch: Fix URL regex

 -- Laurent Bigonville  Tue, 04 Jan 2011 21:24:34 +0100

libssh (0.4.6-1) experimental; urgency=low

  * New upstream release

 -- Laurent Bigonville  Mon, 13 Dec 2010 23:30:03 +0100

libssh (0.4.5-3) unstable; urgency=low

  * d/p/0002-socket-Fixed-uninitialized-fd-revents-member.patch: Fix
    uninitialized memory use (Closes: #606347)

 -- Laurent Bigonville  Sat, 11 Dec 2010 01:33:45 +0100

libssh (0.4.5-2) unstable; urgency=low

  * Add d/p/0001-socket.c-Fixed-setting-max_fd-which-breaks-ssh_selec.patch:
    Fix slow response in Remmina SSH (Closes: #599687, LP: #663777)
  * debian/control: Bump Standards-Version to 3.9.1 (no further changes)
  * debian/copyright: Update copyright file to please lintian

 -- Laurent Bigonville  Wed, 20 Oct 2010 20:45:48 +0200

libssh (0.4.5-1) unstable; urgency=low

  * New upstream release
  * Bump Standards-Version to 3.9.0 (no further changes)
  * Move doxygen to Build-Depends-Indep

 -- Laurent Bigonville  Sun, 18 Jul 2010 22:48:10 +0200

libssh (0.4.4-1) unstable; urgency=low

  * New upstream release
    - Should fix ~/.ssh directory access (Closes: #582461)

 -- Laurent Bigonville  Mon, 31 May 2010 20:10:56 +0200

libssh (0.4.3-1) unstable; urgency=low

  * New upstream release
    - Drop 0001-Fix-symbols-visibility.patch, applied upstream
    - Update debian/libssh-4.symbols: Add new symbol

 -- Laurent Bigonville  Tue, 18 May 2010 21:06:33 +0200

libssh (0.4.2-1) unstable; urgency=low

  * New upstream release
    - 0001-Fix-symbols-visibility.patch: Only export needed symbols
    - debian/libssh-4.symbols: Update symbols file

 -- Laurent Bigonville  Thu, 25 Mar 2010 13:38:35 +0100

libssh (0.4.1-1) unstable; urgency=low

  * New upstream release
  * debian/control: Bump Standards-Version (no further changes)
  * Use new source package format '3.0 (quilt)'

 -- Laurent Bigonville  Sat, 13 Feb 2010 20:18:18 +0100

libssh (0.4.0-1) unstable; urgency=low

  * New upstream release.
    - Bump soname
    - Adjust .symbols file
  * Readd static library in -dev package
  * Let dh_lintian install override file
  * debian/README.Debian: Update file
  * debian/rules: Add list-missing rule

 -- Laurent Bigonville  Sat, 12 Dec 2009 14:29:12 +0100

libssh (0.3.4-3) unstable; urgency=low

  * Add correct Conflicts/Replaces for -dev and -doc packages
    (Closes: #550996)

 -- Laurent Bigonville  Thu, 15 Oct 2009 09:59:57 +0200

libssh (0.3.4-2) unstable; urgency=low

  * debian/watch: Update the URL
  * debian/copyright: Add missing licence for some cmake/Modules files

 -- Laurent Bigonville  Mon, 12 Oct 2009 09:37:03 +0200

libssh (0.3.4-1) unstable; urgency=low

  * New upstream release (Closes: #467284).
    - Adjust build-deps and use cmake
    - Bump soname and adjust .symbols file
  * debian/control:
    - Use my debian.org address in Uploaders and take over the package
      with Jean-Philippe's permission
    - Use now official Vcs-* field
    - Use new Homepage field instead of old pseudo-field
    - Bump Standards-Version to 3.8.3 (no further changes)
    - Use debug section for -dbg package
    - Add ${misc:Depends} to please lintian
    - Remove duplicate section to please lintian
  * debian/libssh-2-doc.doc-base: Fix doc-base-uses-applications-section
  * Bump debhelper version to 7
  * debian/libssh-dev.install: do not install .la file and static library
    anymore
  * debian/libssh-3.lintian-overrides: Update override
  * debian/copyright: Update copyright file
  * debian/libssh-3.symbols: Add initial symbols file

 -- Laurent Bigonville  Fri, 09 Oct 2009 21:21:16 +0200

libssh (0.2+svn20070321-4) unstable; urgency=low

  * debian/control:
    - Add XS-Vcs-Svn and XS-Vcs-Browser fields.
    - Change to ${binary:Version} for versionized dependencies.
  * Add debian/README.Debian to disambiguate the package name

 -- Laurent Bigonville  Fri, 27 Jul 2007 15:00:06 +0200

libssh (0.2+svn20070321-3) unstable; urgency=low

  * Fix wrong versionized Replaces for -doc package

 -- Laurent Bigonville  Thu, 5 Apr 2007 17:58:27 +0200

libssh (0.2+svn20070321-2) unstable; urgency=low

  * Split devel package into devel and documentation packages

 -- Laurent Bigonville  Mon, 26 Mar 2007 15:29:51 +0200

libssh (0.2+svn20070321-1) unstable; urgency=low

  * New svn snapshot:
    - Fix broken include in include/libssh/server.h (Closes: #410020)
    - Fix nasty bug in server side code

 -- Laurent Bigonville  Mon, 26 Mar 2007 15:06:40 +0200

libssh (0.2-1) unstable; urgency=low

  * New upstream release.

 -- Laurent Bigonville  Fri, 29 Dec 2006 07:40:20 +0100

libssh (0.2~rc-1) unstable; urgency=low

  * Initial release (Closes: #316872)

 -- Jean-Philippe Garcia Ballester  Wed, 20 Dec 2006 23:56:50 +0100
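
Review bot: in the hunk that adds ssh_packet_incoming_filter(), the SSH2_MSG_USERAUTH_FAILURE case documents a required session->auth_state (one of the *_SENT values) but the code only tests the role, dh_handshake_state and session_state, while the SSH2_MSG_USERAUTH_SUCCESS case right after it does enforce its documented auth_state list. The same comment-versus-code gap shows in SSH2_MSG_USERAUTH_GSSAPI_MIC (session->gssapi->state == SSH_GSSAPI_STATE_RCV_MIC is listed, not checked) and in SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE (channel->request_state == SSH_CHANNEL_REQ_STATE_PENDING is listed, not checked). Either add the checks or state in each comment that the condition is left to the message handler. The six "TODO Not filtered" cases (KEX_DH_GEX_INIT/REPLY/REQUEST and USERAUTH_GSSAPI_EXCHANGE_COMPLETE/ERROR/ERRTOK) return SSH_PACKET_ALLOWED in any state and should be tracked as open items. Comment nits: "dh_hanshake_state" should be dh_handshake_state; the GSSAPI_MIC transition "session->flags != SSH_SESSION_FLAG_AUTHENTICATED" should use |=; the REQUEST_SUCCESS and REQUEST_FAILURE transitions use == where an assignment is meant; the INFO_RESPONSE comment names session_state->auth_state and SSH_SESSION_STATE_GSSAPI_TOKEN / SSH_SESSION_STATE_INFO while the code tests session->auth_state against SSH_AUTH_STATE_GSSAPI_TOKEN / SSH_AUTH_STATE_INFO.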
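
Review bot: in the "@@ -322,8 +1092,21 @@" hunk of ssh_packet_socket_callback(), the switch on filter_result has no default arm and the SSH_PACKET_DENIED arm does "goto error" without recording which packet type was refused. The only message for a denied packet is the SSH_LOG call inside "#ifdef DEBUG_PACKET" in ssh_packet_incoming_filter(), so a build without DEBUG_PACKET drops the session with no trace of the out-of-state message; logging the rejected session->in_packet.type unconditionally (or setting a session error before the goto) would make these events visible to operators. Also, the return value of ssh_packet_send_unimplemented() is ignored in the SSH_PACKET_UNKNOWN arm, and a short comment on why "session->recv_seq - 1" is the right sequence number would help the next reader.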
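
Review bot: in the src/gssapi.c hunk, ssh_gssapi_send_response() sets session->auth_state = SSH_AUTH_STATE_GSSAPI_TOKEN before packet_send(session), and the visible context does not check packet_send()'s return value, so a failed send still leaves the session in the state that the incoming filter accepts for message 61. Consider assigning the state only after a successful send, or handling the failure explicitly. A one-line comment tying the assignment to the filter's SSH2_MSG_USERAUTH_INFO_RESPONSE / SSH2_MSG_USERAUTH_GSSAPI_TOKEN check (which requires SSH_AUTH_STATE_INFO or SSH_AUTH_STATE_GSSAPI_TOKEN) would explain why the line is needed, since the commit message only says "Set correct state".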