Bug 1489736 - libssh2 sends null terminating char over SCP in SSH_MSG_CHANNEL_REQUEST
Summary: libssh2 sends null terminating char over SCP in SSH_MSG_CHANNEL_REQUEST
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libssh2
Version: 26
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1489733
 
Reported: 2017-09-08 09:02 UTC by Stepan Broz
Modified: 2017-10-02 02:49 UTC (History)

Fixed In Version: libssh2-1.8.0-5.fc27 libssh2-1.8.0-5.fc25 libssh2-1.8.0-5.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1489733
Environment:
Last Closed: 2017-09-30 06:24:57 UTC
Type: Bug
Embargoed:



Description Stepan Broz 2017-09-08 09:02:05 UTC
+++ This bug was initially created as a clone of Bug #1489733 +++

Description of the problem:

When doing SCP transfers using a libssh2 client (e.g. curl), libssh2 generates a command to be sent in SSH_MSG_CHANNEL_REQUEST (exec request) based on the path received as user input, adds quotes around the path, and prepends the scp command and its options. However, the memory used for the command string was not initialized, and uninitialized memory is sent over the secure channel. This may potentially leak some private information to the SCP/SSH remote server, and the unexpected bytes after the terminating quote 

There is an upstream fix for that in libssh2-1.8.0, libssh2 github commits: 

https://github.com/libssh2/libssh2/commit/b99204f2896b0cdafa3ecc0736f0252ce44c32c7#diff-692a9f59c318be98d982afb140caade9

and 

https://github.com/libssh2/libssh2/commit/1e7988cb0d8dae32148b04dd93e919a770599f30#diff-692a9f59c318be98d982afb140caade9

There is also an upstream fix improving the command length calculation, it seems: 

https://github.com/libssh2/libssh2/commit/3d3347c0625ce29b5581a0aa45e6e3be580769f1#diff-692a9f59c318be98d982afb140caade9

However, none of the above patches actually fixes the unexpected bytes in the command itself completely. The libssh2 library now appends a null terminating character at the end and some SCP/SSH server implementations (e.g. BrickFTP) fail on that and libssh2 clients cannot be used to do SCP transfers with them.

According to the RFC 4251 definition of a string, null terminating characters are not used:

https://tools.ietf.org/html/rfc4251#section-9.5

I suggest a patch where the command length will not be increased by 1 after appending a terminating char, and therefore the terminating null char will not be transferred. Please consider the necessity of the terminating null in general.


Version-Release number of selected component (if applicable):

Detected in libssh2-1.4.3-10.el7_2.1 (uninitialized memory)
Not fixed completely in libssh2-1.8.0-2.fc26 (null terminating char)

How reproducible:

The uninitialized memory and null terminating chars are visible when doing scp transfers using libssh2 built with --enable-debug, and a version of curl that uses the libssh2 debug function (commented out define in ssh.c).

Steps to Reproduce:

1. Build libssh2 with --enable-debug, build curl and libcurl with the line "#define CURL_LIBSSH2_DEBUG" uncommented in lib/ssh.c.
2. Use "curl --insecure -v -u user -T hello.txt scp://serverhostname/~/hello2.txt" to do an SCP upload.
3. Inspect the debug output.

Actual results:

Look for the exec request before encrypting:

[libssh2] 0.754346 Conn: starting request(exec) on channel 0/0, message=scp -t 'hello2.txt'
=> libssh2_transport_write plain (18 bytes)
0000: 62 00 00 00 00 00 00 00  04 65 78 65 63 01 00 00 : b........exec...
0010: 00 28                                            : .(
=> libssh2_transport_write plain2 (40 bytes)
0000: 73 63 70 20 2D 74 20 27  68 65 6C 6C 6F 32 2E 74 : scp -t 'hello2.t
0010: 78 74 27 00 6E 65 63 74  69 6F 6E 00 00 00 04 00 : xt'.nection.....
0020: 30 00 00 00 00 00 00 00                          : 0.......
[libssh2] 0.754375 Socket: Sent 100/100 bytes at 0xcc68c0

See the remains of a previous string appended after the scp -t 'hello2.txt' command?

Expected results:

The last byte of the command shall be the terminating single quote, not even a null byte.

Additional info:

To verify the upload/download functionality with e.g. the BrickFTP service, you can set up a 30-day trial account. The BrickFTP SCP/SFTP server fails on SCP download/upload with curl/libssh2.

Fedora 26 and latest git have only the "null termination char" part of this bug.
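As an added example (not libssh2's own code, nor part of the report), the following C encodes the exec-request command as an RFC 4251 string whose length counts only the command bytes, and checks a captured payload for bytes sent beyond the closing quote. The 40 sample bytes are copied from the plain2 dump above; the "scp -t"/"scp -f" flags and the simple single-quote wrapping are assumptions that stand in for libssh2's real quoting.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the 40 payload bytes of the exec-request string from the
 * "plain2" dump in the report. The command itself is only 19 bytes long. */
static const unsigned char SAMPLE_PAYLOAD[40] = {
    0x73,0x63,0x70,0x20,0x2D,0x74,0x20,0x27, 0x68,0x65,0x6C,0x6C,0x6F,0x32,0x2E,0x74,
    0x78,0x74,0x27,0x00,0x6E,0x65,0x63,0x74, 0x69,0x6F,0x6E,0x00,0x00,0x00,0x04,0x00,
    0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };

/* On-the-wire length of "scp -t '<path>'" or "scp -f '<path>'":
 * "scp -t '" (8 bytes) + path + closing quote (1). No terminator is counted. */
size_t expected_scp_cmd_len(const char *path)
{
    return 8 + strlen(path) + 1;
}

/* Encode the command as an RFC 4251 string (uint32 big-endian length + bytes).
 * Returns bytes written to out, or 0 if out is too small or the path cannot be
 * quoted safely (assumption: paths containing a single quote are rejected, not escaped). */
size_t build_scp_exec_string(const char *path, int upload, unsigned char *out, size_t cap)
{
    char cmd[512];
    if (strchr(path, '\'') != NULL) return 0;
    int n = snprintf(cmd, sizeof cmd, "scp %s '%s'", upload ? "-t" : "-f", path);
    if (n < 0 || (size_t)n >= sizeof cmd || (size_t)n + 4 > cap) return 0;
    uint32_t len = (uint32_t)n;                  /* the command's byte count, not n + 1 */
    out[0] = (unsigned char)(len >> 24); out[1] = (unsigned char)(len >> 16);
    out[2] = (unsigned char)(len >> 8);  out[3] = (unsigned char)len;
    memcpy(out + 4, cmd, len);                    /* exactly len bytes: the NUL stays local */
    return 4 + len;
}

/* Check for a captured exec request: bytes declared beyond the closing quote.
 * 0 is correct, 1 is the stray NUL terminator, more means leaked uninitialized memory.
 * Returns SIZE_MAX when the payload does not have the expected "scp ... '<path>'" shape. */
size_t excess_cmd_bytes(const unsigned char *payload, size_t declared_len, const char *path)
{
    size_t want = expected_scp_cmd_len(path);
    if (declared_len < want || payload[want - 1] != '\'') return SIZE_MAX;
    return declared_len - want;
}

int main(void)
{
    unsigned char buf[64];
    size_t n = build_scp_exec_string("hello2.txt", 1, buf, sizeof buf);
    printf("encoded %zu bytes, declared string length %u\n", n, (unsigned)buf[3]);
    printf("sample dump carries %zu excess bytes after the closing quote\n",
           excess_cmd_bytes(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, "hello2.txt"));
    return 0;
}
```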

Comment 1 Paul Howarth 2017-09-08 11:17:53 UTC
Kamil, is there an upstream issue/commit for this?

Comment 2 Kamil Dudka 2017-09-08 13:29:53 UTC
I have just created one (sorry for the delay):

https://github.com/libssh2/libssh2/pull/208

Comment 3 Kamil Dudka 2017-09-12 08:17:20 UTC
upstream commit:

https://github.com/libssh2/libssh2/commit/819ef4f2

Comment 4 Fedora Update System 2017-09-12 12:24:11 UTC
libssh2-1.8.0-5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-2365eadd39

Comment 5 Fedora Update System 2017-09-12 12:24:20 UTC
libssh2-1.8.0-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-148849f8bd

Comment 6 Fedora Update System 2017-09-12 12:24:27 UTC
libssh2-1.8.0-5.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d41fab42fc

Comment 7 Fedora Update System 2017-09-12 19:57:12 UTC
libssh2-1.8.0-5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-2365eadd39

Comment 8 Fedora Update System 2017-09-13 06:21:18 UTC
libssh2-1.8.0-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-148849f8bd

Comment 9 Fedora Update System 2017-09-13 07:24:09 UTC
libssh2-1.8.0-5.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d41fab42fc

Comment 10 Fedora Update System 2017-09-30 06:24:57 UTC
libssh2-1.8.0-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2017-10-01 23:20:21 UTC
libssh2-1.8.0-5.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2017-10-02 02:49:34 UTC
libssh2-1.8.0-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

