Merge pull request #90 from rapier1/dev_minor

rapier1 · web-flow · commit 52bc5fd19cb5 · 2024-07-02T16:06:08.000-04:00
Resolve CVE aka regreSSHion bug.
diff --git a/clientloop.c b/clientloop.c
@@ -616,8 +616,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
 		if (timespeccmp(&now, &chaff_until, >=)) {
 			/* Stop if there have been no keystrokes for a while */
 			stop_reason = "chaff time expired";
-		} else if (timespeccmp(&now, &next_interval, >=)) {
-			/* Otherwise if we were due to send, then send chaff */
+		} else if (timespeccmp(&now, &next_interval, >=) &&
+		    !ssh_packet_have_data_to_write(ssh)) {
+			/* If due to send but have no data, then send chaff */
 			if (send_chaff(ssh))
 				nchaff++;
 		}
diff --git a/log.c b/log.c
@@ -458,12 +458,13 @@ void
 sshsigdie(const char *file, const char *func, int line, int showfunc,
     LogLevel level, const char *suffix, const char *fmt, ...)
 {
+#ifdef SYSLOG_R_SAFE_IN_SIGHAND
 	va_list args;
-
 	va_start(args, fmt);
 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
 	    suffix, fmt, args);
 	va_end(args);
+#endif
 	_exit(1);
 }
 
diff --git a/version.h b/version.h
@@ -3,5 +3,5 @@
 #define SSH_VERSION	"OpenSSH_9.7"
 
 #define SSH_PORTABLE	"p1"
-#define SSH_HPN         "-hpn18.4.1"
+#define SSH_HPN         "-hpn18.4.2"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN

Original file line number	Diff line number	Diff line change
`@@ -458,12 +458,13 @@ void`
`458`	`458`	`sshsigdie(const char file, const char func, int line, int showfunc,`
`459`	`459`	`LogLevel level, const char suffix, const char fmt, ...)`
`460`	`460`	`{`
	`461`	`+#ifdef SYSLOG_R_SAFE_IN_SIGHAND`
`461`	`462`	`va_list args;`
`462`		`-`
`463`	`463`	`va_start(args, fmt);`
`464`	`464`	`sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,`
`465`	`465`	`suffix, fmt, args);`
`466`	`466`	`va_end(args);`
	`467`	`+#endif`
`467`	`468`	`_exit(1);`
`468`	`469`	`}`
`469`	`470`