Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible

2019-03-08 Thread Mike Gabriel

Hi Colin, hi Debian LTS team,

On Fri 01 Mar 2019 13:24:30 CET, Colin Watson wrote:


> And yes, it looks OK - I'll upload it to unstable shortly.


I have prepared a backport of this newly added patch [1] (see #923486  
for details) to openssh in Debian jessie LTS, but with that patch  
backported to openssh in Debian jessie, I get a segmentation fault  
whenever I copy something using the scp cmdline tool (I have of course  
backported all other patches regarding CVE-2019-6109 and CVE-2019-6111).


I have attached the complete .debdiff between openssh 1:6.7p1-5+deb8u7  
(in jessie-security) and my (not-yet-)proposal for 1:6.7p1-5+deb8u8.


The critical patch is CVE-2019-6111-2.patch. With that patch added I  
get segfaults with scp. Without that patch scp works, but is  
susceptible to the earlier mentioned exploit for CVE-2019-6111.


I am a bit lost here and would appreciate some ideas about what is  
going wrong here.


I will only be able to continue on this on Monday, but maybe someone  
else can offer some genuine input over the weekend. Will be much  
appreciated.


Thanks+Greets,
Mike

[1] https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874

--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net

diff -Nru openssh-6.7p1/debian/changelog openssh-6.7p1/debian/changelog
--- openssh-6.7p1/debian/changelog  2018-09-12 13:23:59.0 +0200
+++ openssh-6.7p1/debian/changelog  2019-02-01 00:45:09.0 +0100
@@ -1,3 +1,16 @@
+openssh (1:6.7p1-5+deb8u8) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2018-20685: Disallow empty incoming filename or ones that refer
+to the current directory; based on report/patch from Harry Sintonen.
+  * CVE-2019-6109: Sanitize scp filenames via snmprintf. To do this we move
+the progressmeter formatting outside of signal handler context and have the
+atomicio callback called for EINTR, too.
+  * CVE-2019-6111: Check in scp client that filenames sent during remote->local
+directory copies satisfy the wildcard specified by the user.
+
+ -- Mike Gabriel   Fri, 01 Feb 2019 00:45:09 +0100
+
 openssh (1:6.7p1-5+deb8u7) jessie-security; urgency=medium
 
   * Add debian/patches/CVE-2016-1908-3.patch: client_x11_get_proto: check if
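Review bot: the CVE-2019-6111 bullet describes only the original wildcard check, but the mail says deb8u8 also carries CVE-2019-6111-2.patch (the backport of [1]), and that follow-up patch is not mentioned anywhere in the entry; add a line naming it and its upstream commit so the shipped fix is traceable from the changelog. The entry is also still dated Fri, 01 Feb 2019 although the upload is being prepared in March; refresh the timestamp when the upload is finalised.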
diff -Nru openssh-6.7p1/debian/patches/CVE-2018-20685.patch 
openssh-6.7p1/debian/patches/CVE-2018-20685.patch
--- openssh-6.7p1/debian/patches/CVE-2018-20685.patch   1970-01-01 
01:00:00.0 +0100
+++ openssh-6.7p1/debian/patches/CVE-2018-20685.patch   2019-02-01 
00:35:55.0 +0100
@@ -0,0 +1,27 @@
+From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" 
+Date: Fri, 16 Nov 2018 03:03:10 +
+Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
+ to the
+
+current directory; based on report/patch from Harry Sintonen
+
+OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
+
+[sunweaver] - Ported to OpenSSH 1:6.0p1 as found in Debian wheezy (ELTS)
+---
+ scp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/scp.c
 b/scp.c
+@@ -1039,7 +1039,8 @@
+   size = size * 10 + (*cp++ - '0');
+   if (*cp++ != ' ')
+   SCREWUP("size not delimited");
+-  if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++  if (*cp == '\0' || strchr(cp, '/') != NULL ||
++  strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+   run_err("error: unexpected filename: %s", cp);
+   exit(1);
+   }
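Review bot: the provenance line "[sunweaver] - Ported to OpenSSH 1:6.0p1 as found in Debian wheezy (ELTS)" contradicts this debdiff, which targets 1:6.7p1 in jessie; correct or drop it. The "+++ b/scp.c" file header shows up here only as "b/scp.c", so check that the patch file itself still carries the "+++" prefix, otherwise quilt will refuse it. The check itself matches upstream: an empty name, any name containing '/', and "." or ".." are all rejected via run_err() and exit(1) before anything is written to disk.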
diff -Nru openssh-6.7p1/debian/patches/CVE-2019-6109-1.patch 
openssh-6.7p1/debian/patches/CVE-2019-6109-1.patch
--- openssh-6.7p1/debian/patches/CVE-2019-6109-1.patch  1970-01-01 
01:00:00.0 +0100
+++ openssh-6.7p1/debian/patches/CVE-2019-6109-1.patch  2019-01-31 
17:17:12.0 +0100
@@ -0,0 +1,253 @@
+Backport of:
+
+From 8976f1c4b2721c26e878151f52bdf346dfe2d54c Mon Sep 17 00:00:00 2001
+From: "dtuc...@openbsd.org" 
+Date: Wed, 23 Jan 2019 08:01:46 +
+Subject: [PATCH] upstream: Sanitize scp filenames via snmprintf. To do this we
+ move
+
+the progressmeter formatting outside of signal handler context and have the
+atomicio callback called for EINTR too.  bz#2434 with contributions from djm
+and jjelen at redhat.com, ok djm@
+
+OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
+---
+ atomicio.c  | 20 ++-
+ progressmeter.c | 53 ++---
+ progressmeter.h |  3 ++-
+ scp.c   |  3 ++-
+ sftp-client.c   | 18 +
+ 5 files changed, 53 insertions(+), 44 deletions(-)
+
+Index: openssh-6.6p1/atomicio.c
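Review bot: the patch is cut off in the mail after "Index: openssh-6.6p1/atomicio.c", so none of the five hunks listed in the diffstat (atomicio.c, progressmeter.c, progressmeter.h, scp.c, sftp-client.c) can be reviewed here; please attach the complete file. The Index path names openssh-6.6p1 rather than the 6.7p1 tree this debdiff targets; quilt strips the first path component by default so it still applies, but the header is misleading and should be corrected. Since the segfault only appears once CVE-2019-6111-2.patch is layered on top of these atomicio/progressmeter changes, a backtrace from a debug build of scp is the quickest way to see which of the two patches' code is on the stack when it crashes.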
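As an added example, written for this page and not taken from Mike's debdiff or from OpenSSH's scp.c: a stand-alone C model of the two client-side checks this thread is about. It parses the "C<mode> <size> <name>" header that the remote side of scp sends for each file during a remote->local copy, applies the CVE-2018-20685 rule from the hunk above (reject an empty name, a name containing '/', "." or ".."), and then the CVE-2019-6111 rule that the name must match the glob the user typed. Modelling that match with fnmatch(3), the enum and function names, and the sample headers are all this example's own assumptions, not a statement about how openssh implements it.

```c
/*
 * Added illustration, not OpenSSH code: a stand-alone model of the scp
 * client-side filename checks discussed in the thread.
 *   1. CVE-2018-20685: reject "", names with '/', "." and "..".
 *   2. CVE-2019-6111: reject names that do not match the glob the user typed.
 * Function and enum names are this example's own.
 */
#include <fnmatch.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum scp_verdict { SCP_OK = 0, SCP_BAD_HEADER, SCP_BAD_NAME, SCP_NO_MATCH };

/* Parse "C0644 1234 name\n" or "D0755 0 dirname\n"; 0 on success, -1 on error. */
static int parse_scp_header(const char *line, unsigned *mode,
                            unsigned long long *size, char *name, size_t namelen)
{
    const char *cp = line;
    size_t n;

    if (*cp != 'C' && *cp != 'D')
        return -1;
    cp++;
    *mode = 0;                               /* exactly four octal digits */
    for (int i = 0; i < 4; i++, cp++) {
        if (*cp < '0' || *cp > '7')
            return -1;
        *mode = (*mode << 3) | (unsigned)(*cp - '0');
    }
    if (*cp++ != ' ')
        return -1;
    if (*cp < '0' || *cp > '9')              /* decimal size, at least one digit */
        return -1;
    *size = 0;
    for (; *cp >= '0' && *cp <= '9'; cp++) {
        if (*size > (ULLONG_MAX - 9) / 10)   /* refuse a size that would overflow */
            return -1;
        *size = *size * 10 + (unsigned)(*cp - '0');
    }
    if (*cp++ != ' ')
        return -1;
    n = strcspn(cp, "\n");                   /* the name runs to end of line */
    if (n >= namelen)
        return -1;
    memcpy(name, cp, n);
    name[n] = '\0';
    return 0;
}

/* CVE-2018-20685 rule: no empty name, no '/', no "." or "..". */
static int sink_name_ok(const char *name)
{
    return !(*name == '\0' || strchr(name, '/') != NULL ||
             strcmp(name, ".") == 0 || strcmp(name, "..") == 0);
}

/* CVE-2019-6111 rule: for "scp 'host:*.txt' ." the user asked for *.txt, so a
 * server-chosen ".bash_aliases" is refused.  pattern == NULL models a
 * recursive directory copy, where any otherwise valid name is accepted.
 * fnmatch(3) does not expand brace alternations such as {a,b}; a caller that
 * accepts those needs its own expansion step (assumption of this example). */
static int sink_name_matches(const char *pattern, const char *name)
{
    return pattern == NULL || fnmatch(pattern, name, 0) == 0;
}

/* Full decision for one incoming header; the parsed name is left in *name. */
enum scp_verdict check_incoming(const char *header, const char *pattern,
                                char *name, size_t namelen)
{
    unsigned mode;
    unsigned long long size;

    if (parse_scp_header(header, &mode, &size, name, namelen) != 0)
        return SCP_BAD_HEADER;
    if (!sink_name_ok(name))
        return SCP_BAD_NAME;
    if (!sink_name_matches(pattern, name))
        return SCP_NO_MATCH;
    return SCP_OK;
}

int main(void)
{
    /* Constructed headers, as a hostile server might send them to a client
     * that ran "scp 'server:*.txt' .". */
    const char *samples[] = {
        "C0644 12 notes.txt\n",      /* accepted */
        "C0644 12 .bash_aliases\n",  /* does not match *.txt */
        "C0644 12 ../evil.txt\n",    /* contains '/' */
        "C0644 12 ..\n",             /* parent directory */
        "C0644 12 \n",               /* empty name */
        "C0999 12 x.txt\n",          /* malformed mode */
    };
    static const char *verdict[] = { "OK", "BAD_HEADER", "BAD_NAME", "NO_MATCH" };
    char name[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24.*s -> %s\n", (int)strcspn(samples[i], "\n"), samples[i],
               verdict[check_incoming(samples[i], "*.txt", name, sizeof name)]);
    return 0;
}
```

Only the first sample survives both rules; the order of the checks matters, because "../evil.txt" must be rejected as a bad name even when it would satisfy the user's glob.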

[SECURITY] [DLA 1706-1] poppler security update

2019-03-08 Thread Markus Koschany

Package: poppler
Version: 0.26.5-2+deb8u8
CVE ID : CVE-2018-19058 CVE-2018-20481 CVE-2018-20662
 CVE-2019-7310 CVE-2019-9200
Debian Bug : 913177 917325 918158 921215 923414

Several security vulnerabilities were discovered in the poppler PDF
rendering shared library.

CVE-2018-19058

A reachable abort in Object.h will lead to denial-of-service because
EmbFile::save2 in FileSpec.cc lacks a stream check before saving an
embedded file.

CVE-2018-20481

Poppler mishandles unallocated XRef entries, which allows remote
attackers to cause a denial-of-service (NULL pointer dereference)
via a crafted PDF document.

CVE-2018-20662

Poppler allows attackers to cause a denial-of-service (application
crash and segmentation fault) by crafting a PDF file in which an xref
data structure is corrupted.

CVE-2019-7310

A heap-based buffer over-read (due to an integer signedness error in
the XRef::getEntry function in XRef.cc) allows remote attackers to
cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted PDF document.

CVE-2019-9200

A heap-based buffer underwrite exists in ImageStream::getLine()
located at Stream.cc that can (for example) be triggered by sending
a crafted PDF file to the pdfimages binary. It allows an attacker to
cause denial-of-service (segmentation fault) or possibly have
unspecified other impact.

For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u8.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted poppler 0.26.5-2+deb8u8 (source amd64 all) into oldstable

2019-03-08 Thread Markus Koschany

Format: 1.8
Date: Fri, 08 Mar 2019 19:09:06 +0100
Source: poppler
Binary: libpoppler46 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev libpoppler-glib-doc gir1.2-poppler-0.18 libpoppler-qt4-4 libpoppler-qt4-dev libpoppler-qt5-1 libpoppler-qt5-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64 all
Version: 0.26.5-2+deb8u8
Distribution: jessie-security
Urgency: high
Maintainer: Loic Minier 
Changed-By: Markus Koschany 
Description:
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib-doc - PDF rendering library -- documentation for the GLib interface
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-4 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler-qt5-1 - PDF rendering library (Qt 5 based shared library)
 libpoppler-qt5-dev - PDF rendering library -- development files (Qt 5 interface)
 libpoppler46 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Changes:
 poppler (0.26.5-2+deb8u8) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-19058:
 A reachable abort in Object.h will lead to denial of service because
 EmbFile::save2 in FileSpec.cc lacks a stream check before saving an
 embedded file.
   * Fix CVE-2018-20481:
 Poppler mishandles unallocated XRef entries, which allows remote attackers
 to cause a denial-of-service (NULL pointer dereference) via a crafted PDF
 document.
   * Fix CVE-2018-20662:
 Poppler allows attackers to cause a denial-of-service (application crash
 and segmentation fault) by crafting a PDF file in which an xref data
 structure is corrupted.
   * Fix CVE-2019-7310:
 A heap-based buffer over-read (due to an integer signedness error in the
 XRef::getEntry function in XRef.cc) allows remote attackers to cause a
 denial of service (application crash) or possibly have unspecified other
 impact via a crafted PDF document.
   * Fix CVE-2019-9200:
 A heap-based buffer underwrite exists in ImageStream::getLine() located at
 Stream.cc that can (for example) be triggered by sending
 a crafted PDF file to the pdfimages binary. It allows an attacker to cause
 denial-of-service (segmentation fault) or possibly have unspecified other
 impact.
Checksums-Sha1:
 4d3f30331877373c8b80223a19515ae4234b6d52 3525 poppler_0.26.5-2+deb8u8.dsc
 4db8518d4b323730751aa43bfa5380634ab85147 43452 poppler_0.26.5-2+deb8u8.debian.tar.xz
 261c6432ab18cff822a6fae1f0ab3b3455d2b8d2 1212806 libpoppler46_0.26.5-2+deb8u8_amd64.deb
 68dbb7822f056d42d36e29f2028849873fa82041 766740 libpoppler-dev_0.26.5-2+deb8u8_amd64.deb
 2f433290a5e5b4edbdcdbef1c34ca0c0853d7280 180900 libpoppler-private-dev_0.26.5-2+deb8u8_amd64.deb
 98bbb340e4f741154a35620b8a77293fa1f4194a 122968 libpoppler-glib8_0.26.5-2+deb8u8_amd64.deb
 1e44fb63b6048d1a57f7edf0241e74cedfe8e71a 163494 libpoppler-glib-dev_0.26.5-2+deb8u8_amd64.deb
 1e3974eede228fddb7155b162b402b4c1b1e4c63 86382 libpoppler-glib-doc_0.26.5-2+deb8u8_all.deb
 21f8fbd06584a2f774d903f2b004535943589fe3 34802 gir1.2-poppler-0.18_0.26.5-2+deb8u8_amd64.deb
 281d7dd8a5fee82128d3ea4e1d0e0705daef8fdb 128156 libpoppler-qt4-4_0.26.5-2+deb8u8_amd64.deb
 b2f124b1399def6e4f5946d6e67acf0cd7ef6471 159172 libpoppler-qt4-dev_0.26.5-2+deb8u8_amd64.deb
 1ee1ad691037c6c47b866383329ba90b57bb28c8 132334 libpoppler-qt5-1_0.26.5-2+deb8u8_amd64.deb
 82b120b83423f0187d1b5fe39c486267e6423469 166506 libpoppler-qt5-dev_0.26.5-2+deb8u8_amd64.deb
 92adfe5e81dd2afd4901fbbab8d89ce76a28 45376 libpoppler-cpp0_0.26.5-2+deb8u8_amd64.deb
 d9e06eae521dc4628fb1dcb1a64832f602f4d1cc 49814 libpoppler-cpp-dev_0.26.5-2+deb8u8_amd64.deb
 bb809578bae6ca67bf4953303bf4ed884f7f0af4 141270 poppler-utils_0.26.5-2+deb8u8_amd64.deb
 beb0f1fd771c80cf147ec68f9ad9d89e8994c8c2 7686250 poppler-dbg_0.26.5-2+deb8u8_amd64.deb
Checksums-Sha256:
 9044230b7937d276b5dd417a9cfcf3bbf83bc77389d7c8463cc9670ee618ae9a 3525 poppler_0.26.5-2+deb8u8.dsc
 f9131c2e5e236f364659f5addf3ca33e14f4e171cce19d156e767774a239b927 43452 poppler_0.26.5-2+deb8u8.debian.tar.xz
 25c7dd68423239fd57535c9784f08ff9cb03359c3ef9b0c8063412e89f2dafea 1212806 libpoppler46_0.26.5-2+deb8u8_amd64.deb
 d64b50724a181144e2efa97561e971e4bfa3ce7bb916630c3fd6bb0c2d2ff876 766740 libpoppler-dev_0.26.5-2+deb8u8_amd64.deb
 

Re: Contacting maintainers about no-dsa

2019-03-08 Thread Holger Levsen
On Fri, Mar 08, 2019 at 12:22:40PM +0100, Sylvain Beucler wrote:
> I was about to contact the nettle and gnutls maintainers, but after
> discussing with Emilio on IRC it appears that we do not contact
> maintainers for this anymore.
> 
> Should we delete the section?

Yes, please. Maybe it should however mention that it's possible to fix
no-dsa issues if one wants to?

> (incidentally I fixed the remaining wheezy references in the template)

Thanks!


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Source for PHP security updates

2019-03-08 Thread Ondřej Surý
Hi,

there’s a collaborative work on bringing security updates to PHP 5.6 (for 
jessie LTS) and PHP 7.0 (for stretch LTS):

https://github.com/Microsoft/php-src

If you are doing security updates, you might want to bookmark this (and use the 
patches on top of PHP 5.6.40)...

Ondrej
--
Ondřej Surý
ond...@isc.org



Contacting maintainers about no-dsa

2019-03-08 Thread Sylvain Beucler
Hi,

At the wiki process page we say:
https://wiki.debian.org/LTS/Development#Contact_the_maintainer
  When we tag issues as "no-dsa", and don't plan to take care of the
  updates by ourselves, then we use it in this way:
  $ bin/contact-maintainers --lts --no-dsa sudo CVE-2014-9680 CVE-2014-0106

I was about to contact the nettle and gnutls maintainers, but after
discussing with Emilio on IRC it appears that we do not contact
maintainers for this anymore.

Should we delete the section?

(incidentally I fixed the remaining wheezy references in the template)

Cheers!
Sylvain



Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869)

2019-03-08 Thread Sylvain Beucler
Hi,

On 04/03/2019 17:37, Sylvain Beucler wrote:
> On 04/03/2019 16:55, Markus Koschany wrote:
>> Am 04.03.19 um 16:33 schrieb Sylvain Beucler:
>> [...]
>>> I see this as a strong signal that we should not attempt to backport the
>>> fix, and go with a <no-dsa> (minor).
>>>
>>> Alternatively we could upgrade nettle (libnettle4->libnettle6) which
>>> doesn't break gnutls28's test suite, though it's likely to introduce
>>> other issues (e.g. #789119).
>>>
>>> Thoughts?
>> I also worked on nettle/gnutls26 for Wheezy. There are too many changes
>> and just backporting rsa_sec_decrypt in nettle would be an incomplete
>> fix for CVE-2018-16869 because they introduced more hardening against
>> those side-channel attacks in other functions. An upgrade of nettle
>> would require a rebuild of all reverse-dependencies and that is probably
>> too intrusive.
>
> Thanks for your input Markus.
>
> Instead of upgrading I was thinking of providing libnettle6 /in addition
> to/ libnettle4, but that still sounds like more troubles than it solves.

(and indeed, when testing gnutls28+libnettle6, "git clone" now fails.)
# git clone https://github.com/symfony/symfony-installer
Cloning into 'symfony-installer'...
fatal: unable to access 'https://github.com/symfony/symfony-installer/':
gnutls_handshake() failed: Public key signature verification has failed.


Also, the stable security team didn't answer my mail but reached the
same conclusion (<no-dsa> minor).
I'll mark these CVEs as <no-dsa> and fix the CVE/list incomplete
assessment.


Cheers!
Sylvain