From: Jakub Witczak Date: Fri, 21 Mar 2025 12:17:07 +0100 Subject: [PATCH] ssh: ignore too long names origin: backport, https://github.com/erlang/otp/commit/655e20a49ef80431e86ffb6c7f366d01fd4b64c3 bug: https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101713 [backport] Drop CVE-2025-30211-1.patch from bookworm that does not apply and is cosmetic
---
 lib/ssh/src/ssh_message.erl | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/lib/ssh/src/ssh_message.erl b/lib/ssh/src/ssh_message.erl
index fab9c50..b78d755 100644
--- a/lib/ssh/src/ssh_message.erl
+++ b/lib/ssh/src/ssh_message.erl
@@ -24,6 +24,7 @@ -module(ssh_message). -include_lib("public_key/include/public_key.hrl"). +-include_lib("kernel/include/logger.hrl"). -include("ssh.hrl"). -include("ssh_connect.hrl").
@@ -37,6 +38,7 @@ -behaviour(ssh_dbg). -export([ssh_dbg_trace_points/0, ssh_dbg_flags/1, ssh_dbg_on/1, ssh_dbg_off/1, ssh_dbg_format/2]). +-define(ALG_NAME_LIMIT, 64). ucl(B) ->
@@ -727,8 +729,22 @@ decode_kex_init(<>, Acc, 0) -> X = 0, list_to_tuple(lists:reverse([X, erl_boolean(Bool) | Acc])); decode_kex_init(<>, Acc, N) ->
- Names = string:tokens(?unicode_list(Data), ","),
- decode_kex_init(Rest, [Names | Acc], N -1).
+ BinParts = binary:split(Data, <<$,>>, [global]),
+ Process =
+ fun(<<>>, PAcc) ->
+ PAcc;
+ (Part, PAcc) ->
+ case byte_size(Part) > ?ALG_NAME_LIMIT of
+ true ->
+ ?LOG_DEBUG("Ignoring too long name", []),
+ PAcc;
+ false ->
+ Name = binary:bin_to_list(Part),
+ [Name | PAcc]
+ end
+ end,
+ Names = lists:foldr(Process, [], BinParts),
+ decode_kex_init(Rest, [Names | Acc], N - 1).
 %%%================================================================
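Review bot: In the new `decode_kex_init/3` clause the `?ALG_NAME_LIMIT` check bounds the length of each name but not how many names a list may hold, and `binary:split(Data, <<$,>>, [global])` still builds every part before any is dropped, so memory per name-list is bounded only by whatever caps `Data` before it reaches this decoder, which is outside the hunk. If nothing upstream limits the KEXINIT payload before authentication, consider also capping the number of accepted names per list, or say in a comment which layer enforces the size. Dropped names are reported only through `?LOG_DEBUG("Ignoring too long name", [])`, with no indication of which list was affected or how many names were discarded, so at default log levels an operator sees nothing; one summary event per message would serve detection better than one event per name. The `-define(ALG_NAME_LIMIT, 64).` in the second hunk would also benefit from a comment giving the source of the value, for example `%% RFC 4251, section 6: names MUST NOT be longer than 64 characters`.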