Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
I'd like to fix openssh CVE-2017-15906 in stretch. A debdiff follows. It's somewhat difficult to test because you first have to reconfigure the Subsystem line in /etc/ssh/sshd_config to add the -R option to sftp-server, and then you have to construct a somewhat weird request, but I managed to do it locally. The security team said that they'd rather this go into a stable update since it's not really urgent enough for a DSA, so would this be possible? diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm --- openssh-7.4p1/debian/.git-dpm 2017-11-18 09:35:43.000000000 +0000 +++ openssh-7.4p1/debian/.git-dpm 2018-03-01 12:36:07.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -39d60bbd309be74d337685c2da524233652513f4 -39d60bbd309be74d337685c2da524233652513f4 +8fdc9f49b3be477744bd5b2da3083121752d3422 +8fdc9f49b3be477744bd5b2da3083121752d3422 971a7653746a6972b907dfe0ce139c06e4a6f482 971a7653746a6972b907dfe0ce139c06e4a6f482 openssh_7.4p1.orig.tar.gz diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog --- openssh-7.4p1/debian/changelog 2017-11-18 09:37:22.000000000 +0000 +++ openssh-7.4p1/debian/changelog 2018-03-01 15:17:53.000000000 +0000 @@ -1,3 +1,11 @@ +openssh (1:7.4p1-10+deb9u3) stretch; urgency=medium + + * CVE-2017-15906: sftp-server(8): In read-only mode, sftp-server was + incorrectly permitting creation of zero-length files. Reported by Michal + Zalewski. + + -- Colin Watson <cjwat...@debian.org> Thu, 01 Mar 2018 15:17:53 +0000 + openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium * Test configuration before starting or reloading sshd under systemd diff -Nru openssh-7.4p1/debian/patches/CVE-2017-15906.patch openssh-7.4p1/debian/patches/CVE-2017-15906.patch --- openssh-7.4p1/debian/patches/CVE-2017-15906.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssh-7.4p1/debian/patches/CVE-2017-15906.patch 2018-03-01 12:36:07.000000000 +0000 @@ -0,0 +1,39 @@ +From 8fdc9f49b3be477744bd5b2da3083121752d3422 Mon Sep 17 00:00:00 2001 +From: "d...@openbsd.org" <d...@openbsd.org> +Date: Tue, 4 Apr 2017 00:24:56 +0000 +Subject: upstream commit + +disallow creation (of empty files) in read-only mode; +reported by Michal Zalewski, feedback & ok deraadt@ + +Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b + +Origin: https://anongit.mindrot.org/openssh.git/commit/?id=4d827f0d75a53d3952288ab882efbddea7ffadfe +Last-Update: 2018-03-01 + +Patch-Name: CVE-2017-15906.patch +--- + sftp-server.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sftp-server.c b/sftp-server.c +index 3619cdfc..df0fb506 100644 +--- a/sftp-server.c ++++ b/sftp-server.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */ ++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */ + /* + * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. + * +@@ -691,8 +691,8 @@ process_open(u_int32_t id) + logit("open \"%s\" flags %s mode 0%o", + name, string_from_portable(pflags), mode); + if (readonly && +- ((flags & O_ACCMODE) == O_WRONLY || +- (flags & O_ACCMODE) == O_RDWR)) { ++ ((flags & O_ACCMODE) != O_RDONLY || ++ (flags & (O_CREAT|O_TRUNC)) != 0)) { + verbose("Refusing open request in read-only mode"); + status = SSH2_FX_PERMISSION_DENIED; + } else { diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series --- openssh-7.4p1/debian/patches/series 2017-11-18 09:35:43.000000000 +0000 +++ openssh-7.4p1/debian/patches/series 2018-03-01 12:36:07.000000000 +0000 @@ -37,3 +37,4 @@ fix-incoming-compression-statistics.patch winscp-dhgex-compat.patch dash-dash-before-hostname.patch +CVE-2017-15906.patch Thanks, -- Colin Watson [cjwat...@debian.org]