[AUTO-CHERRYPICK] gh: patch CVE-2021-43565 - branch main (#9969)

CBL-Mariner-Bot · arc9693 · web-flow · commit 21b41f2cceb8 · 2024-07-29T23:35:55.000-04:00
Co-authored-by: Archana Choudhary &lt;36061892+arc9693@users.noreply.github.com&gt;
diff --git a/SPECS/gh/CVE-2021-43565.patch b/SPECS/gh/CVE-2021-43565.patch
@@ -0,0 +1,56 @@
+From 5770296d904e90f15f38f77dfc2e43fdf5efc083 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 9 Nov 2021 11:45:57 -0800
+Subject: [PATCH] ssh: don't assume packet plaintext size
+
+When reading GCM and ChaChaPoly1305 packets, don't make assumptions
+about the size of the enciphered plaintext. This fixes two panics
+caused by standards non-compliant malformed packets.
+
+Thanks to Rod Hynes, Psiphon Inc. for reporting this issue.
+
+Fixes golang/go#49932
+Fixes CVE-2021-43565
+
+Change-Id: I660cff39d197e0d04ec44d11d792b22d954df2ef
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1262659
+Reviewed-by: Katie Hockman <katiehockman@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/368814
+Trust: Roland Shoemaker <roland@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Julie Qiu <julie@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+---
+ ssh/cipher.go      |   8 ++++
+ ssh/cipher_test.go | 100 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 108 insertions(+)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
+index bddbde5dbd..f8bdf4984c 100644
+--- a/vendor/golang.org/x/crypto/ssh/cipher.go
++++ b/vendor/golang.org/x/crypto/ssh/cipher.go
+@@ -394,6 +394,10 @@ func (c *gcmCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error)
+ 	}
+ 	c.incIV()
+ 
++	if len(plain) == 0 {
++		return nil, errors.New("ssh: empty packet")
++	}
++
+ 	padding := plain[0]
+ 	if padding < 4 {
+ 		// padding is a byte, so it automatically satisfies
+@@ -710,6 +714,10 @@ func (c *chacha20Poly1305Cipher) readCipherPacket(seqNum uint32, r io.Reader) ([
+ 	plain := c.buf[4:contentEnd]
+ 	s.XORKeyStream(plain, plain)
+ 
++	if len(plain) == 0 {
++		return nil, errors.New("ssh: empty packet")
++	}
++
+ 	padding := plain[0]
+ 	if padding < 4 {
+ 		// padding is a byte, so it automatically satisfies
diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec
@@ -29,6 +29,7 @@ Source0:        https://github.com/cli/cli/archive/refs/tags/v%{version}.tar.gz#
 Source1:        %{name}-%{version}-vendor.tar.gz
 # Available upstream in 2.16.0
 Patch0:         fix-relative-time-search-tests.patch
+Patch1:         CVE-2021-43565.patch
 
 BuildRequires:  golang
 BuildRequires:  git
@@ -40,10 +41,12 @@ Requires:       git
 GitHub official command line tool.
 
 %prep
-%autosetup -p1 -n cli-%{version}
+%setup -q -n cli-%{version}
+%patch0 -p1
+tar --no-same-owner -xf %{SOURCE1}
+%patch1 -p1
 
 %build
-tar --no-same-owner -xf %{SOURCE1}
 export GOPATH=%{our_gopath}
 # No mod download use vednor cache locally
 export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external"
@@ -72,8 +75,13 @@ make test
 %{_datadir}/zsh/site-functions/_gh
 
 %changelog
+<<<<<<< HEAD
 * Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 2.13.0-19
 - Drop requirement on a specific version of golang
+=======
+* Fri Jul 19 2024 Archana Choudhary <archana1@microsoft.com> - 2.13.0-19
+- Patch for CVE-2021-43565
+>>>>>>> 9b583d8ff (gh: patch CVE-2021-43565 (#9894))
 
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.13.0-18
 - Bump release to rebuild with go 1.21.11
