diff --git a/CVE-2025-26618.patch b/CVE-2025-26618.patch new file mode 100644 index 0000000..1735498 --- /dev/null +++ b/CVE-2025-26618.patch @@ -0,0 +1,89 @@ +From 0ed2573cbd55c92e9125c9dc70fa1ca7fed82872 Mon Sep 17 00:00:00 2001 +From: Jakub Witczak +Date: Thu, 6 Feb 2025 19:00:44 +0100 +Subject: [PATCH] ssh: sftp reject packets exceeding limit + +origin: https://github.com/erlang/otp/commit/0ed2573cbd55c92e9125c9dc70fa1ca7fed82872 +--- + lib/ssh/src/ssh_sftpd.erl | 47 ++++++++++++++++++++++++++------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +diff --git a/lib/ssh/src/ssh_sftpd.erl b/lib/ssh/src/ssh_sftpd.erl +index c86ed2cb8199..6bcad0d056e7 100644 +--- a/lib/ssh/src/ssh_sftpd.erl ++++ b/lib/ssh/src/ssh_sftpd.erl +@@ -27,7 +27,7 @@ + -behaviour(ssh_server_channel). + + -include_lib("kernel/include/file.hrl"). +- ++-include_lib("kernel/include/logger.hrl"). + -include("ssh.hrl"). + -include("ssh_xfer.hrl"). + -include("ssh_connect.hrl"). %% For ?DEFAULT_PACKET_SIZE and ?DEFAULT_WINDOW_SIZE +@@ -128,9 +128,8 @@ init(Options) -> + %% Description: Handles channel messages + %%-------------------------------------------------------------------- + handle_ssh_msg({ssh_cm, _ConnectionManager, +- {data, _ChannelId, Type, Data}}, State) -> +- State1 = handle_data(Type, Data, State), +- {ok, State1}; ++ {data, ChannelId, Type, Data}}, State) -> ++ handle_data(Type, ChannelId, Data, State); + + handle_ssh_msg({ssh_cm, _, {eof, ChannelId}}, State) -> + {stop, ChannelId, State}; +@@ -187,24 +186,42 @@ terminate(_, #state{handles=Handles, file_handler=FileMod, file_state=FS}) -> + %%-------------------------------------------------------------------- + %%% Internal functions + %%-------------------------------------------------------------------- +-handle_data(0, <>, ++handle_data(0, ChannelId, <>, + State = #state{pending = <<>>}) -> + <> = Msg, + NewState = handle_op(Op, ReqId, Data, State), + case Rest of + <<>> -> +- NewState; ++ {ok, NewState}; + _ -> +- handle_data(0, Rest, NewState) ++ handle_data(0, ChannelId, Rest, NewState) + end; +- +-handle_data(0, Data, State = #state{pending = <<>>}) -> +- State#state{pending = Data}; +- +-handle_data(Type, Data, State = #state{pending = Pending}) -> +- handle_data(Type, <>, +- State#state{pending = <<>>}). +- ++handle_data(0, _ChannelId, Data, State = #state{pending = <<>>}) -> ++ {ok, State#state{pending = Data}}; ++handle_data(Type, ChannelId, Data0, State = #state{pending = Pending}) -> ++ Data = <>, ++ Size = byte_size(Data), ++ case Size > ?SSH_MAX_PACKET_SIZE of ++ true -> ++ ReportFun = ++ fun([S]) -> ++ Report = ++ #{label => {error_logger, error_report}, ++ report => ++ io_lib:format("SFTP packet size (~B) exceeds the limit!", ++ [S])}, ++ Meta = ++ #{error_logger => ++ #{tag => error_report,type => std_error}, ++ report_cb => fun(#{report := Msg}) -> {Msg, []} end}, ++ {Report, Meta} ++ end, ++ ?LOG_ERROR(ReportFun, [Size]), ++ {stop, ChannelId, State}; ++ _ -> ++ handle_data(Type, ChannelId, Data, State#state{pending = <<>>}) ++ end. ++ + handle_op(?SSH_FXP_INIT, Version, B, State) when is_binary(B) -> + XF = State#state.xf, + Vsn = lists:min([XF#ssh_xfer.vsn, Version]), diff --git a/erlang.spec b/erlang.spec index 80e8eaa..7fa24ef 100644 --- a/erlang.spec +++ b/erlang.spec @@ -11,7 +11,7 @@ %global __with_wxwidgets 1 Name: erlang Version: 21.3.3 -Release: 4 +Release: 5 Summary: General-purpose programming language and runtime environment License: Apache-2.0 URL: https://www.erlang.org @@ -32,6 +32,7 @@ Patch8: otp-0008-Avoid-forking-sed-to-get-basename.patch Patch9: otp-0009-Load-man-pages-from-system-wide-directory.patch Patch10: otp-0010-Improve-nodes-querying.patch Patch11: CVE-2023-48795-erlang21.patch +Patch12: CVE-2025-26618.patch BuildRequires: gcc gcc-c++ flex %if %{with doc} %if 0%{?need_bootstrap} < 1 @@ -1725,6 +1726,9 @@ useradd -r -g epmd -d /dev/null -s /sbin/nologin \ %endif %changelog +* Mon Feb 24 2025 yaoxin <1024769339@qq.com> - 21.3.3-5 +- Fix CVE-2025-26618 + * Thu Jan 25 2024 wangkai <13474090681@163.com> - 21.3.3-4 - Fix CVE-2023-48795