gh: patch CVE-2021-43565

SPECS/gh/CVE-2021-43565.patch

@@ -0,0 +1,56 @@
+From 5770296d904e90f15f38f77dfc2e43fdf5efc083 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <[email protected]>
+Date: Tue, 9 Nov 2021 11:45:57 -0800
+Subject: [PATCH] ssh: don't assume packet plaintext size
+
+When reading GCM and ChaChaPoly1305 packets, don't make assumptions
+about the size of the enciphered plaintext. This fixes two panics
+caused by standards non-compliant malformed packets.
+
+Thanks to Rod Hynes, Psiphon Inc. for reporting this issue.
+
+Fixes golang/go#49932
+Fixes CVE-2021-43565
+
+Change-Id: I660cff39d197e0d04ec44d11d792b22d954df2ef
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1262659
+Reviewed-by: Katie Hockman <[email protected]>
+Reviewed-by: Julie Qiu <[email protected]>
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/368814
+Trust: Roland Shoemaker <[email protected]>
+Trust: Katie Hockman <[email protected]>
+Run-TryBot: Roland Shoemaker <[email protected]>
+TryBot-Result: Gopher Robot <[email protected]>
+Reviewed-by: Julie Qiu <[email protected]>
+Reviewed-by: Katie Hockman <[email protected]>
+---
+ ssh/cipher.go | 8 ++++
+ ssh/cipher_test.go | 100 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 108 insertions(+)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
+index bddbde5dbd..f8bdf4984c 100644
+--- a/vendor/golang.org/x/crypto/ssh/cipher.go
++++ b/vendor/golang.org/x/crypto/ssh/cipher.go
+@@ -394,6 +394,10 @@ func (c *gcmCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error)
+ }
+ c.incIV()
+
++ if len(plain) == 0 {
++ return nil, errors.New("ssh: empty packet")
++ }
++
+ padding := plain[0]
+ if padding < 4 {
+ // padding is a byte, so it automatically satisfies
+@@ -710,6 +714,10 @@ func (c *chacha20Poly1305Cipher) readCipherPacket(seqNum uint32, r io.Reader) ([
+ plain := c.buf[4:contentEnd]
+ s.XORKeyStream(plain, plain)
+
++ if len(plain) == 0 {
++ return nil, errors.New("ssh: empty packet")
++ }
++
+ padding := plain[0]
+ if padding < 4 {
+ // padding is a byte, so it automatically satisfies

SPECS/gh/gh.spec

@@ -1,7 +1,7 @@
 Summary: GitHub official command line tool
 Name: gh
 Version: 2.13.0
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -29,6 +29,7 @@ Source0: https://github.com/cli/cli/archive/refs/tags/v%{version}.tar.gz#
 Source1: %{name}-%{version}-vendor.tar.gz
 # Available upstream in 2.16.0
 Patch0: fix-relative-time-search-tests.patch
+Patch1: CVE-2021-43565.patch
 
 BuildRequires: golang >= 1.17.1
 BuildRequires: git
@@ -40,10 +41,12 @@ Requires: git
 GitHub official command line tool.
 
 %prep
-%autosetup -p1 -n cli-%{version}
+%setup -q -n cli-%{version}
+%patch0 -p1
+tar --no-same-owner -xf %{SOURCE1}
+%patch1 -p1
 
 %build
-tar --no-same-owner -xf %{SOURCE1}
 export GOPATH=%{our_gopath}
 # No mod download use vednor cache locally
 export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external"
@@ -72,6 +75,9 @@ make test
 %{_datadir}/zsh/site-functions/_gh
 
 %changelog
+* Fri Jul 19 2024 Archana Choudhary <[email protected]> - 2.13.0-19
+- Patch for CVE-2021-43565
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <[email protected]> - 2.13.0-18
 - Bump release to rebuild with go 1.21.11