Re: Bug#923486: CVE-2019-6111 not fixed, file transfer of unwanted files by malicious SSH server still possible
Hi Colin, hi Debian LTS team,

On Fri 01 Mar 2019 13:24:30 CET, Colin Watson wrote:

> And yes, it looks OK - I'll upload it to unstable shortly.

I have prepared a backport of this newly added patch [1] (see #923486 for details) to openssh in Debian jessie LTS, but with that patch backported to openssh in Debian jessie, I get a segmentation fault whenever I copy something using the scp cmdline tool (I have of course backported all other patches regarding CVE-2019-6109 and CVE-2019-6111).

I have attached the complete .debdiff between openssh 1:6.7p1-5+deb8u7 (in jessie-security) and my (not-yet-)proposal for 1:6.7p1-5+deb8u8. The critical patch is CVE-2019-6111-2.patch. With that patch added I get segfaults with scp. Without that patch scp works, but is susceptible to the earlier-mentioned exploit for CVE-2019-6111.

I am a bit lost here and would appreciate some ideas about what is going wrong here. I will only be able to continue on this on Monday, but maybe someone else can offer some genuine input over the weekend. Will be much appreciated.

Thanks+Greets,
Mike

[1] https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net

diff -Nru openssh-6.7p1/debian/changelog openssh-6.7p1/debian/changelog --- openssh-6.7p1/debian/changelog 2018-09-12 13:23:59.0 +0200 +++ openssh-6.7p1/debian/changelog 2019-02-01 00:45:09.0 +0100
@@ -1,3 +1,16 @@ +openssh (1:6.7p1-5+deb8u8) jessie-security; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2018-20685: Disallow empty incoming filename or ones that refer +to the current directory; based on report/patch from Harry Sintonen. + * CVE-2019-6109: Sanitize scp filenames via snmprintf. To do this we move +the progressmeter formatting outside of signal handler context and have the +atomicio callback called for EINTR, too. + * CVE-2019-6111: Check in scp client that filenames sent during remote->local +directory copies satisfy the wildcard specified by the user. + + -- Mike Gabriel Fri, 01 Feb 2019 00:45:09 +0100 + openssh (1:6.7p1-5+deb8u7) jessie-security; urgency=medium * Add debian/patches/CVE-2016-1908-3.patch: client_x11_get_proto: check if diff -Nru openssh-6.7p1/debian/patches/CVE-2018-20685.patch openssh-6.7p1/debian/patches/CVE-2018-20685.patch --- openssh-6.7p1/debian/patches/CVE-2018-20685.patch 1970-01-01 01:00:00.0 +0100 +++ openssh-6.7p1/debian/patches/CVE-2018-20685.patch 2019-02-01 00:35:55.0 +0100 
@@ -0,0 +1,27 @@ +From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001 +From: "d...@openbsd.org" +Date: Fri, 16 Nov 2018 03:03:10 + +Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer + to the + +current directory; based on report/patch from Harry Sintonen + +OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9 + +[sunweaver] - Ported to OpenSSH 1:6.0p1 as found in Debian wheezy (ELTS) +--- + scp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/scp.c b/scp.c +@@ -1039,7 +1039,8 @@ + size = size * 10 + (*cp++ - '0'); + if (*cp++ != ' ') + SCREWUP("size not delimited"); +- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { ++ if (*cp == '\0' || strchr(cp, '/') != NULL || ++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { + run_err("error: unexpected filename: %s", cp); + exit(1); + } diff -Nru openssh-6.7p1/debian/patches/CVE-2019-6109-1.patch openssh-6.7p1/debian/patches/CVE-2019-6109-1.patch --- openssh-6.7p1/debian/patches/CVE-2019-6109-1.patch 1970-01-01 01:00:00.0 +0100 +++ openssh-6.7p1/debian/patches/CVE-2019-6109-1.patch 2019-01-31 17:17:12.0 +0100 @@ -0,0 +1,253 @@ +Backport of: + +From 8976f1c4b2721c26e878151f52bdf346dfe2d54c Mon Sep 17 00:00:00 2001 +From: "dtuc...@openbsd.org" +Date: Wed, 23 Jan 2019 08:01:46 + +Subject: [PATCH] upstream: Sanitize scp filenames via snmprintf. To do this we + move + +the progressmeter formatting outside of signal handler context and have the +atomicio callback called for EINTR too. bz#2434 with contributions from djm +and jjelen at redhat.com, ok djm@ + +OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8 +--- + atomicio.c | 20 ++- + progressmeter.c | 53 ++--- + progressmeter.h | 3 ++- + scp.c | 3 ++- + sftp-client.c | 18 + + 5 files changed, 53 insertions(+), 44 deletions(-) + +Index: openssh-6.6p1/atomicio.c
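Review bot: The header of CVE-2018-20685.patch says "[sunweaver] - Ported to OpenSSH 1:6.0p1 as found in Debian wheezy (ELTS)", but this debdiff is for openssh 1:6.7p1-5+deb8u8 in jessie; update that line to the jessie version (or drop it) so the patch metadata matches the package it ships in. In the same spirit, CVE-2019-6109-1.patch carries "Index: openssh-6.6p1/atomicio.c" paths against a 6.7p1 tree; dpkg applies quilt patches with -p1 so the leading directory is ignored, but the stray version is confusing for the next person touching the package and is worth normalising to the source tree's name. The excerpt also ends partway through CVE-2019-6109-1.patch, so the CVE-2019-6111-2.patch that the mail reports as causing the scp segfault is not visible here and cannot be reviewed from this diff.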
[SECURITY] [DLA 1706-1] poppler security update
Package: poppler
Version: 0.26.5-2+deb8u8
CVE ID : CVE-2018-19058 CVE-2018-20481 CVE-2018-20662 CVE-2019-7310 CVE-2019-9200
Debian Bug : 913177 917325 918158 921215 923414

Several security vulnerabilities were discovered in the poppler PDF rendering shared library.

CVE-2018-19058

    A reachable abort in Object.h will lead to denial-of-service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file.

CVE-2018-20481

    Poppler mishandles unallocated XRef entries, which allows remote attackers to cause a denial-of-service (NULL pointer dereference) via a crafted PDF document.

CVE-2018-20662

    Poppler allows attackers to cause a denial-of-service (application crash and segmentation fault) by crafting a PDF file in which an xref data structure is corrupted.

CVE-2019-7310

    A heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document.

CVE-2019-9200

    A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause denial-of-service (segmentation fault) or possibly have unspecified other impact.

For Debian 8 "Jessie", these problems have been fixed in version 0.26.5-2+deb8u8.

We recommend that you upgrade your poppler packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted poppler 0.26.5-2+deb8u8 (source amd64 all) into oldstable
Format: 1.8
Date: Fri, 08 Mar 2019 19:09:06 +0100
Source: poppler
Binary: libpoppler46 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev libpoppler-glib-doc gir1.2-poppler-0.18 libpoppler-qt4-4 libpoppler-qt4-dev libpoppler-qt5-1 libpoppler-qt5-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64 all
Version: 0.26.5-2+deb8u8
Distribution: jessie-security
Urgency: high
Maintainer: Loic Minier
Changed-By: Markus Koschany
Description:
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib-doc - PDF rendering library -- documentation for the GLib interface
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-4 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler-qt5-1 - PDF rendering library (Qt 5 based shared library)
 libpoppler-qt5-dev - PDF rendering library -- development files (Qt 5 interface)
 libpoppler46 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Changes:
 poppler (0.26.5-2+deb8u8) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-19058: A reachable abort in Object.h will lead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file.
   * Fix CVE-2018-20481: Poppler mishandles unallocated XRef entries, which allows remote attackers to cause a denial-of-service (NULL pointer dereference) via a crafted PDF document.
   * Fix CVE-2018-20662: Poppler allows attackers to cause a denial-of-service (application crash and segmentation fault) by crafting a PDF file in which an xref data structure is corrupted.
   * Fix CVE-2019-7310: A heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document.
   * Fix CVE-2019-9200: A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause denial-of-service (segmentation fault) or possibly have unspecified other impact.
Re: Contacting maintainers about no-dsa
On Fri, Mar 08, 2019 at 12:22:40PM +0100, Sylvain Beucler wrote:
> I was about to contact the nettle and gnutls maintainers, but after
> discussing with Emilio on IRC it appears that we do not contact
> maintainers for this anymore.
>
> Should we delete the section?

yes, please. Maybe it should however mention that it's possible to fix non-dsa issues if one wants to?

> (incidentally I fixed the remaining wheezy references in the template)

Thanks!

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Source for PHP security updates
Hi,

there's collaborative work on bringing security updates to PHP 5.6 (for jessie LTS) and PHP 7.0 (for stretch LTS):

https://github.com/Microsoft/php-src

If you are doing security updates, you might want to bookmark this (and use the patches on top of PHP 5.6.40)...

Ondrej

--
Ondřej Surý
ond...@isc.org
Contacting maintainers about no-dsa
Hi,

At the wiki process page we say:
https://wiki.debian.org/LTS/Development#Contact_the_maintainer

When we tag issues as "no-dsa", and don't plan to take care of the updates by ourselves, then we use it in this way:

$ bin/contact-maintainers --lts --no-dsa sudo CVE-2014-9680 CVE-2014-0106

I was about to contact the nettle and gnutls maintainers, but after discussing with Emilio on IRC it appears that we do not contact maintainers for this anymore.

Should we delete the section?

(incidentally I fixed the remaining wheezy references in the template)

Cheers!
Sylvain
Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869)
Hi,

On 04/03/2019 17:37, Sylvain Beucler wrote:
> On 04/03/2019 16:55, Markus Koschany wrote:
>> On 04.03.19 at 16:33, Sylvain Beucler wrote:
>> [...]
>>> I see this as a strong signal that we should not attempt to backport the
>>> fix, and go with a (minor).
>>>
>>> Alternatively we could upgrade nettle (libnettle4->libnettle6) which
>>> doesn't break gnutls28's test suite, though it's likely to introduce
>>> other issues (e.g. #789119).
>>>
>>> Thoughts?
>> I also worked on nettle/gnutls26 for Wheezy. There are too many changes
>> and just backporting rsa_sec_decrypt in nettle would be an incomplete
>> fix for CVE-2018-16869 because they introduced more hardening against
>> those side-channel attacks in other functions. An upgrade of nettle
>> would require a rebuild of all reverse-dependencies and that is probably
>> too intrusive.
>
> Thanks for your input Markus.
>
> Instead of upgrading I was thinking of providing libnettle6 /in addition
> to/ libnettle4, but that still sounds like more trouble than it solves.

(and indeed, when testing gnutls28+libnettle6, "git clone" now fails.)

# git clone https://github.com/symfony/symfony-installer
Clonage dans 'symfony-installer'...
fatal: unable to access 'https://github.com/symfony/symfony-installer/': gnutls_handshake() failed: Public key signature verification has failed.

Also, the stable security team didn't answer my mail but reached the same conclusion ( minor).

I'll mark these CVE-s as and fix the CVE/list incomplete assessment.

Cheers!
Sylvain