Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Greetings.

I would like to update libssh in Wheezy via a sponsored NMU to fix CVE-2015-3146 and CVE-2015-8132, which are non-DSA security bugs and so would need to be fixed via stable-proposed-updates. I updated libssh in Sid via sponsored NMU for these in Nov 2015.

The patches used to fix this came from upstream at:
https://www.libssh.org/security/patches/

Thanks.
-- Chris

--
Chris Knadle
chris.kna...@coredump.us
diff -Nru libssh-0.5.4/debian/changelog libssh-0.5.4/debian/changelog --- libssh-0.5.4/debian/changelog 2014-03-06 04:47:48.000000000 -0500 +++ libssh-0.5.4/debian/changelog 2015-12-04 09:31:06.000000000 -0500 @@ -1,3 +1,17 @@ +libssh (0.5.4-1+deb7u2) wheezy; urgency=medium + + * Non-maintainer upload. + * debian/patches: + - Add 0005-security-fix-for-vulnerability-CVE-2014-8132.patch + Fix "Double free on dangling pointers in initial key exchange packet" + (Closes: #773577, CVE-2014-8132) + - Add 0006-security-fix-for-vulnerability-CVE-2015-3146.patch + Fix "null pointer dereference due to a logical error in the handling of + a SSH_MSG_NEWKEYS and KEXDH_REPLY packets" + (Closes: #784404, CVE-2015-3146) + + -- Christopher Knadle <chris.kna...@coredump.us> Mon, 23 Nov 2015 04:08:05 -0500 + libssh (0.5.4-1+deb7u1) wheezy-security; urgency=high * debian/patches/0004-security-fix-for-vulnerability-CVE-2014-0017.patch: diff -Nru libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch --- libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch 1969-12-31 19:00:00.000000000 -0500 +++ libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch 2015-11-23 08:55:39.000000000 -0500 
@@ -0,0 +1,46 @@ +From f2e14e00ff0afdb7e45a595dc4c5f9e50d413b4d Mon Sep 17 00:00:00 2001 +From: Jon Simons <j...@jonsimons.org> +Date: Sat, 18 Oct 2014 23:23:26 -0700 +Subject: [PATCH] CVE-2014-8132: Fixup error path in ssh_packet_kexinit() + +Before this change, dangling pointers can be unintentionally left in the +respective next_crypto kex methods slots. Ensure to set all slots to +NULL in the error-out path. + +Signed-off-by: Jon Simons <j...@jonsimons.org> +Reviewed-by: Andreas Schneider <a...@cryptomilk.org> + +(cherry picked from commit 2ced24ddd67a261dc364ad4d8958c068c1671ae7) +Signed-off-by: Andreas Schneider <a...@cryptomilk.org> +--- + src/kex.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/kex.c b/src/kex.c +index dedf286..db35183 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -286,7 +286,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ + for (i = 0; i < 10; i++) { + str = buffer_get_ssh_string(packet); + if (str == NULL) { +- break; ++ goto error; + } + + if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) { +@@ -333,6 +333,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ + error: + ssh_string_free(str); + for (i = 0; i < 10; i++) { ++ if (server_kex) { ++ session->server_kex.methods[i] = NULL; ++ } else { ++ session->client_kex.methods[i] = NULL; ++ } + SAFE_FREE(strings[i]); + } + +-- +2.2.0 + diff -Nru libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch --- libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch 1969-12-31 19:00:00.000000000 -0500 +++ libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch 2015-11-23 08:55:39.000000000 -0500 
@@ -0,0 +1,98 @@ +From cadc76a8b450f4e2181009c8faa2c4dace9bcc2c Mon Sep 17 00:00:00 2001 +From: Aris Adamantiadis <a...@0xbadc0de.be> +Date: Wed, 15 Apr 2015 16:08:37 +0200 +Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers + +The state validation in the packet handlers for SSH_MSG_NEWKEYS and +SSH_MSG_KEXDH_REPLY had a bug which did not raise an error. + +The issue has been found and reported by Mariusz Ziule. + +Signed-off-by: Aris Adamantiadis <a...@0xbadc0de.be> +Reviewed-by: Andreas Schneider <a...@cryptomilk.org> +--- + src/client.c | 4 ++-- + src/server.c | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/client.c b/src/client.c +index 0e50497..6919e7a 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -186,7 +186,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){ + (void)type; + (void)user; + ssh_log(session,SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY"); +- if(session->session_state!= SSH_SESSION_STATE_DH && ++ if(session->session_state!= SSH_SESSION_STATE_DH || + session->dh_handshake_state != DH_STATE_INIT_SENT){ + ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d", + session->session_state,session->dh_handshake_state); +@@ -246,7 +246,7 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){ + (void)user; + (void)type; + ssh_log(session, SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS"); +- if(session->session_state!= SSH_SESSION_STATE_DH && ++ if (session->session_state != SSH_SESSION_STATE_DH || + session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){ + ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d", + session->session_state,session->dh_handshake_state); +diff --git a/src/server.c b/src/server.c +index 9a611c1..c07dd8a 100644 +--- a/src/server.c ++++ b/src/server.c +@@ -133,6 +133,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){ + ssh_log(session,SSH_LOG_PACKET,"Received SSH_MSG_KEXDH_INIT"); + if(session->dh_handshake_state != DH_STATE_INIT){ + 
ssh_log(session,SSH_LOG_RARE,"Invalid state for SSH_MSG_KEXDH_INIT"); ++ session->session_state=SSH_SESSION_STATE_ERROR; + goto error; + } + e = buffer_get_ssh_string(packet); +-- +2.3.5 + + +From ac683699201a3233b3659baa5f22c96ddab83cd4 Mon Sep 17 00:00:00 2001 +From: Aris Adamantiadis <a...@0xbadc0de.be> +Date: Wed, 15 Apr 2015 16:25:29 +0200 +Subject: [PATCH 2/2] buffers: Fix a possible null pointer dereference + +This is an addition to CVE-2015-3146 to fix the null pointer +dereference. The patch is not required to fix the CVE but prevents +issues in future. + +Signed-off-by: Aris Adamantiadis <a...@0xbadc0de.be> +Reviewed-by: Andreas Schneider <a...@cryptomilk.org> +(cherry picked from commit 59b316623ee723a5b6d4c980d0617bbaff4094c6) +--- + src/buffer.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/buffer.c b/src/buffer.c +index aef7e44..9808399 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -188,6 +188,9 @@ int buffer_reinit(struct ssh_buffer_struct *buffer) { + int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) { + buffer_verify(buffer); + ++ if (data == NULL){ ++ return -1; ++ } + if (buffer->used + len < len) + return -1; + +@@ -220,6 +223,9 @@ int buffer_add_ssh_string(struct ssh_buffer_struct *buffer, + struct ssh_string_struct *string) { + uint32_t len = 0; + ++ if (string == NULL){ ++ return -1; ++ } + len = ssh_string_len(string); + if (buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) { + return -1; +-- +2.3.5 + diff -Nru libssh-0.5.4/debian/patches/series libssh-0.5.4/debian/patches/series --- libssh-0.5.4/debian/patches/series 2014-03-06 04:47:48.000000000 -0500 +++ libssh-0.5.4/debian/patches/series 2015-11-23 08:55:39.000000000 -0500 @@ -2,3 +2,5 @@ 0002-fix-html-doc-generation.patch 0003-fix-typo.patch 0004-security-fix-for-vulnerability-CVE-2014-0017.patch +0005-security-fix-for-vulnerability-CVE-2014-8132.patch +0006-security-fix-for-vulnerability-CVE-2015-3146.patch
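Review bot: the changelog hunk at `@@ -1,3 +1,17 @@` credits CVE-2014-8132 (Closes: #773577), while the cover message asks for CVE-2015-8132; the added patch file is named 0005-security-fix-for-vulnerability-CVE-2014-8132.patch and its upstream subject reads "CVE-2014-8132: Fixup error path in ssh_packet_kexinit()", so the changelog identifier is the consistent one and the request text should be corrected before the pu is processed. The 0006 changelog line also describes only the state-validation fix, but that patch file bundles a second upstream commit (59b316623ee723a5b6d4c980d0617bbaff4094c6, "buffers: Fix a possible null pointer dereference"); list it in the changelog so the upload stays auditable.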
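Review bot: in the 0005 patch, the hunk at `@@ -333,6 +333,11 @@` clears `session->server_kex.methods[i]` / `session->client_kex.methods[i]`, whereas the upstream commit message talks about `next_crypto` kex method slots, so this is a backport adapted to the 0.5.4 struct layout rather than a verbatim cherry-pick of 2ced24ddd67a261dc364ad4d8958c068c1671ae7; record that adaptation in a DEP-3 header (Origin/Applied-Upstream) so a later reviewer does not assume the two are identical. The hunk at `@@ -286,7 +286,7 @@` turns `break` into `goto error` when `buffer_get_ssh_string()` returns NULL, which means the error path now calls `ssh_string_free(str)` with `str == NULL`; confirm that is a no-op in 0.5.4 rather than relying on it silently.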
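Review bot: the `&&` to `||` change is the whole fix in both client.c hunks (`@@ -186,7 +186,7 @@` and `@@ -246,7 +246,7 @@`): with `&&` the fatal error fired only when both `session_state` and `dh_handshake_state` were wrong, so an SSH_MSG_KEXDH_REPLY or SSH_MSG_NEWKEYS arriving with just one of them out of place was still processed; with `||` either mismatch is rejected. Only the newkeys hunk also reformats the condition to `if (session->session_state != ...`, leaving the dh_reply hunk with the old `if(session->session_state!=` spacing; that matches the upstream commit, so leave it. The server.c hunk at `@@ -133,6 +133,7 @@` additionally sets `session->session_state=SSH_SESSION_STATE_ERROR` before `goto error`, so an out-of-order SSH_MSG_KEXDH_INIT now puts the session into an error state instead of only logging at SSH_LOG_RARE; that behaviour change deserves a line in the patch description.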
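Review bot: in the buffer.c hunk at `@@ -188,6 +188,9 @@` the new `data == NULL` check is placed after `buffer_verify(buffer)` and before the `buffer->used + len < len` overflow test, which is the right order; the companion check in `buffer_add_ssh_string()` at `@@ -220,6 +223,9 @@` returns -1 for a NULL string before `ssh_string_len(string)` is reached. As the upstream message says, this second commit is not required for the CVE but is hardening: a caller that ignores the -1 will now continue with a short buffer instead of crashing, so the changelog should describe it as a null-pointer hardening rather than as part of the CVE-2015-3146 fix itself.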