Your message dated Thu, 03 Jan 2019 21:47:19 +0000
with message-id <[email protected]>
and subject line Bug#914501: fixed in ssh-agent-filter 0.4.2-1+deb9u1
has caused the Debian Bug report #914501,
regarding base64_encode(): two-byte out-of-bounds stack write
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
914501: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914501
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ssh-agent-filter
Version: 0.2-1
Severity: important
Tags: upstream fixed-upstream pending jessie stretch buster sid

A two-byte out-of-bounds stack write has been found in base64_encode(). Quoting relevant parts of the conversation with the security team:

21.11.18 20:21 Timo Weingärtner:
> while developing a new feature for ssh-agent-filter I noticed an error
> interpreting nettle's API documentation I made when I first wrote an
> adjacent function (right in the beginning; every version in Debian is
> affected).
>
> The problem is BASE64_ENCODE_LENGTH() returning the size of the encoded
> string without the padding added in the finalization step. If the
> programmer forgets to take BASE64_ENCODE_FINAL_LENGTH into account this can
> result in up to two bytes with value '=' being written past the end of the
> buffer.
>
> I was not able to crash ssh-agent-filter on my amd64 machine, so I guess the
> bug is hidden by alignment on the stack.

23.11.18 15:00 Timo Weingärtner:
> The strings to be base64-encoded (there is no decoding) are from the user's
> ssh-agent and — if confirmation is used — strings from a remote attacker
> (the same user or root on a machine the user connected to via (af)ssh) might
> get encoded. Encoded strings are compared against, output to terminal in
> debug mode or to the user via ssh-askpass in confirmation mode.
>
> Incoming connections are handled in threads, so the entire filter process
> might crash, resulting in DoS.
>
> The data written past the end of the buffer is always the same ('='); the
> attacker can only influence the number of extra bytes written (string length
> % 3). I don't really know about the exact stack layout and alignment on
> neither amd64 nor other archs, but if the stack grows downward these bytes
> would get written into the base64_ctx, unused space because of alignment,
> or the canary.

23.11.18 20:15 Moritz Mühlenhoff:
> Thanks for the summary. This sounds all quite limited impact-wise and sounds
> like a perfect candidate for a targeted fix via stable-proposed-updates. Do
> you agree? If so, let's open a a in the BTS which can then be closed with
> the upload to unstable (and also serves as a good reference for the stable
> update).
--- End Message ---
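The sizing mistake the report describes, as an added example (this is not code from ssh-agent-filter or nettle). The two length macros are reproduced from nettle's base64.h so the block builds without linking nettle; the encoder is a minimal stand-in for nettle's base64_encode_update()/base64_encode_final() pair, written here only to show where the padding bytes come from and how a capacity check prevents the overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Length macros as in nettle's base64.h, reproduced so this builds without
 * nettle. BASE64_ENCODE_LENGTH only bounds what base64_encode_update() emits;
 * the '=' padding written by base64_encode_final() is covered separately by
 * BASE64_ENCODE_FINAL_LENGTH. Forgetting the second term is the bug. */
#define BASE64_ENCODE_LENGTH(length) (((length) * 8 + 4) / 6)
#define BASE64_ENCODE_FINAL_LENGTH 3

/* Buffer sizing as in the buggy code (update bytes only) and as fixed. */
size_t buggy_buffer_size(size_t n) { return BASE64_ENCODE_LENGTH(n); }
size_t fixed_buffer_size(size_t n) {
    return BASE64_ENCODE_LENGTH(n) + BASE64_ENCODE_FINAL_LENGTH;
}

/* Exact output length including padding: 4 characters per 3 input bytes. */
size_t encoded_length(size_t n) { return ((n + 2) / 3) * 4; }

/* Number of '=' bytes that land past the end of a buggy-sized buffer;
 * depends only on n % 3, as the report says (2 for n%3==1, 1 for n%3==2). */
size_t overflow_bytes(size_t n) {
    size_t need = encoded_length(n), have = buggy_buffer_size(n);
    return need > have ? need - have : 0;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Stand-in encoder with the same update/final split nettle uses: whole 3-byte
 * groups first, then the leftover bytes plus padding. It checks the capacity
 * up front and returns bytes written, or 0 if the output would not fit. */
size_t encode_checked(const uint8_t *in, size_t n, char *out, size_t cap) {
    if (encoded_length(n) > cap) return 0;       /* refuse, do not overflow */
    size_t i = 0, o = 0;
    for (; i + 3 <= n; i += 3) {                 /* "update" step */
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 63]; out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];  out[o++] = B64[v & 63];
    }
    if (i < n) {                                 /* "final" step */
        uint32_t v = ((uint32_t)in[i] << 16) | (i + 1 < n ? (uint32_t)in[i + 1] << 8 : 0);
        out[o++] = B64[(v >> 18) & 63]; out[o++] = B64[(v >> 12) & 63];
        out[o++] = i + 1 < n ? B64[(v >> 6) & 63] : '=';
        out[o++] = '=';                          /* the bytes the old sizing forgot */
    }
    return o;
}
```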
--- Begin Message ---
Source: ssh-agent-filter
Source-Version: 0.4.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of ssh-agent-filter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Weingärtner <[email protected]> (supplier of updated ssh-agent-filter package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sat, 24 Nov 2018 01:46:12 +0100
Source: ssh-agent-filter
Binary: ssh-agent-filter
Architecture: source
Version: 0.4.2-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Timo Weingärtner <[email protected]>
Changed-By: Timo Weingärtner <[email protected]>
Description:
 ssh-agent-filter - filtering proxy for ssh-agent
Closes: 914501
Changes:
 ssh-agent-filter (0.4.2-1+deb9u1) stretch; urgency=medium
 .
   * backport fix for two-byte out-of-bounds stack write (Closes: #914501)
--- End Message ---