1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
From: Jakub Witczak <kuba@erlang.org>
Date: Fri, 21 Mar 2025 12:17:07 +0100
Subject: [PATCH] ssh: ignore too long names
origin: backport, https://github.com/erlang/otp/commit/655e20a49ef80431e86ffb6c7f366d01fd4b64c3
bug: https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101713
[backport]
Drop CVE-2025-30211-1.patch from bookworm that does not apply and is cosmetic
---
lib/ssh/src/ssh_message.erl | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/lib/ssh/src/ssh_message.erl b/lib/ssh/src/ssh_message.erl
index fab9c50..b78d755 100644
--- a/lib/ssh/src/ssh_message.erl
+++ b/lib/ssh/src/ssh_message.erl
@@ -24,6 +24,7 @@
-module(ssh_message).
-include_lib("public_key/include/public_key.hrl").
+-include_lib("kernel/include/logger.hrl").
-include("ssh.hrl").
-include("ssh_connect.hrl").
@@ -37,6 +38,7 @@
-behaviour(ssh_dbg).
-export([ssh_dbg_trace_points/0, ssh_dbg_flags/1, ssh_dbg_on/1, ssh_dbg_off/1, ssh_dbg_format/2]).
+-define(ALG_NAME_LIMIT, 64).
ucl(B) ->
@@ -727,8 +729,22 @@ decode_kex_init(<<?BYTE(Bool)>>, Acc, 0) ->
X = 0,
list_to_tuple(lists:reverse([X, erl_boolean(Bool) | Acc]));
decode_kex_init(<<?DEC_BIN(Data,__0), Rest/binary>>, Acc, N) ->
- Names = string:tokens(?unicode_list(Data), ","),
- decode_kex_init(Rest, [Names | Acc], N -1).
+ BinParts = binary:split(Data, <<$,>>, [global]),
+ Process =
+ fun(<<>>, PAcc) ->
+ PAcc;
+ (Part, PAcc) ->
+ case byte_size(Part) > ?ALG_NAME_LIMIT of
+ true ->
+ ?LOG_DEBUG("Ignoring too long name", []),
+ PAcc;
+ false ->
+ Name = binary:bin_to_list(Part),
+ [Name | PAcc]
+ end
+ end,
+ Names = lists:foldr(Process, [], BinParts),
+ decode_kex_init(Rest, [Names | Acc], N - 1).
%%%================================================================
|
