Package: libssh
Version: 0.5.3-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu raring ubuntu-patch



*** /tmp/tmpWGDf6_/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service via NULL dereference
    - debian/patches/CVE-2013-0176.patch: properly handle client that
      doesn't send a matching key in src/server.c.
    - CVE-2013-0176


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 
'quantal'), (100, 'quantal-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-22-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libssh-0.5.3/debian/changelog libssh-0.5.3/debian/changelog
diff -Nru libssh-0.5.3/debian/patches/CVE-2013-0176.patch libssh-0.5.3/debian/patches/CVE-2013-0176.patch
--- libssh-0.5.3/debian/patches/CVE-2013-0176.patch	1969-12-31 19:00:00.000000000 -0500
+++ libssh-0.5.3/debian/patches/CVE-2013-0176.patch	2013-01-25 13:37:30.000000000 -0500
@@ -0,0 +1,47 @@
+From 55b09f426417406bb25c0b9c474fbab1398b0dc8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <a...@cryptomilk.org>
+Date: Wed, 09 Jan 2013 12:20:02 +0000
+Subject: CVE-2013-0176: Fix a remote DoS if the client doesn't send a matching kex.
+
+Thanks to Yong Chuan Koh, X-Force Research <ko...@sg.ibm.com>
+---
+diff --git a/src/server.c b/src/server.c
+index 131a2bc..b4fb189 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -184,7 +184,11 @@ static int dh_handshake_server(ssh_session session) {
+       prv = session->rsa_key;
+       break;
+     default:
+-      prv = NULL;
++      ssh_set_error(session,
++                    SSH_FATAL,
++                    "Could determine the specified hostkey");
++      ssh_string_free(f);
++      return -1;
+   }
+ 
+   pub = publickey_from_privatekey(prv);
+@@ -270,6 +274,8 @@ static int dh_handshake_server(ssh_session session) {
+  */
+ static void ssh_server_connection_callback(ssh_session session){
+ 	int ssh1,ssh2;
++    int rc;
++
+ 	enter_function();
+ 	switch(session->session_state){
+ 		case SSH_SESSION_STATE_NONE:
+@@ -338,7 +344,10 @@ static void ssh_server_connection_callback(ssh_session session){
+ 		case SSH_SESSION_STATE_KEXINIT_RECEIVED:
+ 			set_status(session,0.6f);
+ 			ssh_list_kex(session, &session->client_kex); // log client kex
+-            crypt_set_algorithms_server(session);
++            rc = crypt_set_algorithms_server(session);
++            if (rc == SSH_ERROR) {
++                goto error;
++            }
+ 			if (set_kex(session) < 0) {
+ 				goto error;
+ 			}
+--
+cgit v0.9.0.2
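Review bot: The error string set in the new `default:` branch of dh_handshake_server reads "Could determine the specified hostkey", which says the opposite of what happened; it should be `"Could not determine the specified hostkey"` so the message logged when a client negotiates an unsupported host key type is accurate. That branch releases only `f` before `return -1`. The function starts and ends outside the hunk, so it is worth confirming that nothing else allocated earlier in the handshake is left unreleased on this path. In ssh_server_connection_callback the added check tests `rc == SSH_ERROR` while the adjacent `set_kex(session) < 0` uses a different convention, and the new lines are space-indented inside a tab-indented function. Matching the surrounding style would make the error paths easier to audit.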
diff -Nru libssh-0.5.3/debian/patches/series libssh-0.5.3/debian/patches/series
--- libssh-0.5.3/debian/patches/series	2012-11-21 07:53:20.000000000 -0500
+++ libssh-0.5.3/debian/patches/series	2013-01-25 13:37:30.000000000 -0500
@@ -1,2 +1,3 @@
 0001-disable-latex-documentation.patch
 0002-fix-html-doc-generation.patch
+CVE-2013-0176.patch
