File openssh-7.2p2-out_of_seq_newkeys.patch of Package openssh.37539

From da169e7988c19452c3204b7095ac64169418a35f Mon Sep 17 00:00:00 2001
From: Old openssh patches <pcerny@suse.com>
Date: Wed, 26 Oct 2022 09:59:10 +0200
Subject: [PATCH] openssh-7.2p2-out_of_seq_newkeys

# HG changeset patch
# Parent  1330feee0866ef695507f4ed46ad0d34dea185e7
CVE-2016-10708
bsc#1076957

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of
service (NULL pointer dereference and daemon crash) via an out-of-sequence
NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

upstream commit 28652bca29046f62c7045e933e6b931de1d16737
---
 kex.c    | 2 ++
 packet.c | 4 +---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/kex.c b/kex.c
index 29dd6e97..bda07f1d 100644
--- a/kex.c
+++ b/kex.c
@@ -478,6 +478,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
 	if ((r = sshpkt_get_end(ssh)) != 0)
 		return r;
+	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
+		return r;
 	kex->done = 1;
 	sshbuf_reset(kex->peer);
 	/* sshbuf_reset(kex->my); */
diff --git a/packet.c b/packet.c
index 90797ddd..6bd283f2 100644
--- a/packet.c
+++ b/packet.c
@@ -1798,9 +1798,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
 			return r;
 		return SSH_ERR_PROTOCOL_ERROR;
 	}
-	if (*typep == SSH2_MSG_NEWKEYS)
-		r = ssh_set_newkeys(ssh, MODE_IN);
-	else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+	if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
 		r = ssh_packet_enable_delayed_compress(ssh);
 	else
 		r = 0;
-- 
2.38.0