Bug#808890: jessie-pu: package libssh/0.6.3-4

2015-12-24 Thread Chris Knadle
Oops... had trouble with reportbug and the patch I asked to be attached
wasn't sent.  Attaching.

Thanks
   -- Chris

-- 
Chris Knadle
chris.kna...@coredump.us
diff -Nru libssh-0.6.3/debian/changelog libssh-0.6.3/debian/changelog
--- libssh-0.6.3/debian/changelog   2015-01-26 18:28:06.0 -0500
+++ libssh-0.6.3/debian/changelog   2015-12-04 09:53:48.0 -0500
@@ -1,3 +1,14 @@
+libssh (0.6.3-4+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches:
+- Add 0002_CVE-2015-3146.patch
+  Fix "null pointer dereference due to a logical error in the handling
+  of a SSH_MSG_NEWKEYS and KEXDH_REPLY packets"
+  (Closes: #784404, CVE-2015-3146)
+
+ -- Christopher Knadle   Mon, 23 Nov 2015 08:43:19 
-0500
+
 libssh (0.6.3-4) unstable; urgency=medium
 
   * Add debian/patches/0001_CVE-2014-8132.patch: Fixup error path in
diff -Nru libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch 
libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch
--- libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch1969-12-31 
19:00:00.0 -0500
+++ libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch2015-12-04 
09:53:32.0 -0500
@@ -0,0 +1,129 @@
+From 94f6955fbaee6fda9385a23e505497efe21f5b4f Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis 
+Date: Wed, 15 Apr 2015 16:08:37 +0200
+Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers
+
+The state validation in the packet handlers for SSH_MSG_NEWKEYS and
+SSH_MSG_KEXDH_REPLY had a bug which did not raise an error.
+
+The issue has been found and reported by Mariusz Ziule.
+
+Signed-off-by: Aris Adamantiadis 
+Reviewed-by: Andreas Schneider 
+(cherry picked from commit bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe)
+---
+ src/packet_cb.c | 16 ++--
+ src/server.c|  8 +---
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/src/packet_cb.c b/src/packet_cb.c
+index a10dd1a..e6c613f 100644
+--- a/src/packet_cb.c
 b/src/packet_cb.c
+@@ -94,7 +94,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){
+   (void)type;
+   (void)user;
+   SSH_LOG(SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY");
+-  if(session->session_state!= SSH_SESSION_STATE_DH &&
++  if (session->session_state != SSH_SESSION_STATE_DH ||
+   session->dh_handshake_state != DH_STATE_INIT_SENT){
+   ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong 
state : %d:%d",
+   session->session_state,session->dh_handshake_state);
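
Review bot: the corrected guard in ssh_packet_dh_reply should carry a one-line comment stating the invariant, because the "&&" versus "||" slip on the changed condition line is easy to reintroduce. The handler is valid only when session_state is SSH_SESSION_STATE_DH and dh_handshake_state is DH_STATE_INIT_SENT, so the rejection test has to fire when either comparison fails. The removed "&&" form fired only when both failed, which let a reply through whenever one of the two fields happened to match.
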
+@@ -135,12 +135,16 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
+   (void)user;
+   (void)type;
+   SSH_LOG(SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS");
+-  if(session->session_state!= SSH_SESSION_STATE_DH &&
+-  session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){
+-  ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong 
state : %d:%d",
+-  session->session_state,session->dh_handshake_state);
+-  goto error;
++
++  if (session->session_state != SSH_SESSION_STATE_DH ||
++  session->dh_handshake_state != DH_STATE_NEWKEYS_SENT) {
++  ssh_set_error(session,
++SSH_FATAL,
++"ssh_packet_newkeys called in wrong state : %d:%d",
++session->session_state,session->dh_handshake_state);
++  goto error;
+   }
++
+   if(session->server){
+ /* server things are done in server.c */
+ session->dh_handshake_state=DH_STATE_FINISHED;
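
Review bot: in ssh_packet_newkeys the whole guard block is re-wrapped and re-indented, so five lines are removed and eight added although the only behavioural change is "&&" becoming "||" in the first comparison. For a stable update a minimal diff is easier to audit; the 0.5.x version of this fix changes only the operator. When checking this hunk, compare the old and new conditions token by token, and confirm that the "goto error" target in this handler puts the session into an error state, since only the jump is visible here.
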
+diff --git a/src/server.c b/src/server.c
+index 35281ca..1637cce 100644
+--- a/src/server.c
 b/src/server.c
+@@ -165,7 +165,7 @@ static int ssh_server_kexdh_init(ssh_session session, 
ssh_buffer packet){
+ }
+ 
+ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
+-  int rc;
++  int rc = SSH_ERROR;
+   (void)type;
+   (void)user;
+ 
+@@ -193,9 +193,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
+ ssh_set_error(session,SSH_FATAL,"Wrong kex type in 
ssh_packet_kexdh_init");
+ rc = SSH_ERROR;
+   }
+-  if (rc == SSH_ERROR)
++
++error:
++  if (rc == SSH_ERROR) {
+   session->session_state = SSH_SESSION_STATE_ERROR;
+-  error:
++  }
+ 
+   return SSH_PACKET_USED;
+ }
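
Review bot: with the "error:" label moved above "if (rc == SSH_ERROR) {" in ssh_packet_kexdh_init, a "goto error" marks the session SSH_SESSION_STATE_ERROR only if rc still holds SSH_ERROR at the moment of the jump. The new initializer "int rc = SSH_ERROR;" covers jumps taken before rc is first assigned, but the goto sites are outside the lines shown. Check that no jump follows a successful assignment to rc, or have each goto site set rc = SSH_ERROR explicitly so the behaviour does not depend on the initial value.
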
+-- 
+2.3.5
+
+
+From e9d16bd3439205ce7e75017405b1ac6ed5ead062 Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis 
+Date: Wed, 15 Apr 2015 16:25:29 +0200
+Subject: [PATCH 2/2] buffers: Fix a possible null pointer dereference
+
+This is an addition to CVE-2015-3146 to fix the null pointer
+dereference. The patch is not required to fix the CVE but prevents
+issues in future.
+
+Signed-off-by: Aris Adamantiadis 
+Reviewed-by: Andreas Schneider 
+(cherry picked from commit 309102547208281215e6799336b42d355cdd7c5d)
+---
+ src/buffer.c | 8 
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index ca12086..3bb6ec4 100644
+--- 

Bug#808901: wheezy-pu: package libssh/0.5.4-1+deb7u1

2015-12-24 Thread Christopher Knadle
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Greetings.

I would like to update libssh in Wheezy via a sponsored NMU to fix
CVE-2015-3146 and CVE-2015-8132, which are non-DSA security bugs and so would
need to be fixed via stable-proposed-updates.  I updated libssh in Sid via
sponsored NMU for these in Nov 2015.

The patches used to fix this came from upstream at:

   https://www.libssh.org/security/patches/

Thanks.

  -- Chris

--
Chris Knadle
chris.kna...@coredump.us
diff -Nru libssh-0.5.4/debian/changelog libssh-0.5.4/debian/changelog
--- libssh-0.5.4/debian/changelog	2014-03-06 04:47:48.0 -0500
+++ libssh-0.5.4/debian/changelog	2015-12-04 09:31:06.0 -0500
@@ -1,3 +1,17 @@
+libssh (0.5.4-1+deb7u2) wheezy; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches:
+- Add 0005-security-fix-for-vulnerability-CVE-2014-8132.patch
+  Fix "Double free on dangling pointers in initial key exchange packet"
+  (Closes: #773577, CVE-2014-8132)
+- Add 0006-security-fix-for-vulnerability-CVE-2015-3146.patch
+  Fix "null pointer dereference due to a logical error in the handling of
+  a SSH_MSG_NEWKEYS and KEXDH_REPLY packets"
+  (Closes: #784404, CVE-2015-3146)
+
+ -- Christopher Knadle   Mon, 23 Nov 2015 04:08:05 -0500
+
 libssh (0.5.4-1+deb7u1) wheezy-security; urgency=high
 
   * debian/patches/0004-security-fix-for-vulnerability-CVE-2014-0017.patch:
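
Review bot: the 0005 entry in this changelog cites CVE-2014-8132 (Closes: #773577), which agrees with the patch file name and the Subject line of the patch it adds, while the request text above names CVE-2015-8132. The identifiers in the request and the changelog should match before the upload is approved, so that the fix is tracked against the right CVE.
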
diff -Nru libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch
--- libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch	1969-12-31 19:00:00.0 -0500
+++ libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch	2015-11-23 08:55:39.0 -0500
@@ -0,0 +1,46 @@
+From f2e14e00ff0afdb7e45a595dc4c5f9e50d413b4d Mon Sep 17 00:00:00 2001
+From: Jon Simons 
+Date: Sat, 18 Oct 2014 23:23:26 -0700
+Subject: [PATCH] CVE-2014-8132: Fixup error path in ssh_packet_kexinit()
+
+Before this change, dangling pointers can be unintentionally left in the
+respective next_crypto kex methods slots.  Ensure to set all slots to
+NULL in the error-out path.
+
+Signed-off-by: Jon Simons 
+Reviewed-by: Andreas Schneider 
+
+(cherry picked from commit 2ced24ddd67a261dc364ad4d8958c068c1671ae7)
+Signed-off-by: Andreas Schneider 
+---
+ src/kex.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index dedf286..db35183 100644
+--- a/src/kex.c
 b/src/kex.c
+@@ -286,7 +286,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
+   for (i = 0; i < 10; i++) {
+ str = buffer_get_ssh_string(packet);
+ if (str == NULL) {
+-  break;
++  goto error;
+ }
+ 
+ if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) {
+@@ -333,6 +333,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
+ error:
+   ssh_string_free(str);
+   for (i = 0; i < 10; i++) {
++if (server_kex) {
++  session->server_kex.methods[i] = NULL;
++} else {
++  session->client_kex.methods[i] = NULL;
++}
+ SAFE_FREE(strings[i]);
+   }
+ 
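
Review bot: the added lines in the error path index session->server_kex.methods[i] and session->client_kex.methods[i] without a check that the methods array is valid, and the first hunk adds a new early "goto error" that reaches this loop. The assignments to methods are outside the lines shown, so confirm that the array is non-NULL on every path into "error:" and that the server_kex branch clears the side this handler actually fills. The patch header also still describes "next_crypto kex methods slots" while the code here touches session->server_kex and session->client_kex directly; if this is an adaptation for 0.5.x, the header should say so next to the cherry-pick line.
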
+-- 
+2.2.0
+
diff -Nru libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch
--- libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch	1969-12-31 19:00:00.0 -0500
+++ libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch	2015-11-23 08:55:39.0 -0500
@@ -0,0 +1,98 @@
+From cadc76a8b450f4e2181009c8faa2c4dace9bcc2c Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis 
+Date: Wed, 15 Apr 2015 16:08:37 +0200
+Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers
+
+The state validation in the packet handlers for SSH_MSG_NEWKEYS and
+SSH_MSG_KEXDH_REPLY had a bug which did not raise an error.
+
+The issue has been found and reported by Mariusz Ziule.
+
+Signed-off-by: Aris Adamantiadis 
+Reviewed-by: Andreas Schneider 
+---
+ src/client.c | 4 ++--
+ src/server.c | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/client.c b/src/client.c
+index 0e50497..6919e7a 100644
+--- a/src/client.c
 b/src/client.c
+@@ -186,7 +186,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){
+   (void)type;
+   (void)user;
+   ssh_log(session,SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY");
+-  if(session->session_state!= SSH_SESSION_STATE_DH &&
++  if(session->session_state!= SSH_SESSION_STATE_DH ||
+ 		session->dh_handshake_state != DH_STATE_INIT_SENT){
+ 	ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d",
+ 			

Bug#808890: jessie-pu: package libssh/0.6.3-4

2015-12-24 Thread Chris Knadle
After filing #808901 I realize the source of the patch for #808890 is
elsewhere than I had originally stated: for the 0.6.x series for
CVE-2015-3146 the patch is within upstream tarball libssh-0.6.5.tar.xz:

   libssh-0.6.5/CVE-2015-3146-libssh-0.6.x.patch

Link to tarball:
   https://red.libssh.org/attachments/download/121/libssh-0.6.5.tar.xz

   -- Chris

-- 
Chris Knadle
chris.kna...@coredump.us



Bug#796345: [Debian-ha-maintainers] Bug#796345: redhat-cluster/libdlm + lvm + perl transition

2015-12-24 Thread Christoph Berg
Re: Ferenc Wagner 2015-12-22 <874mfbfh6y@lant.ki.iif.hu>
> Emilio Pozuelo Monfort  writes:
> 
> > This is the last blocker for the perl transition. Packages should be
> > installable now in unstable. Please let us know if you make progress
> > with this or if you hit any blockers.
> 
> Short progress report: no blockers.
> 
> I encountered unexpected problems, but they are mostly solved by now.
> While waiting for the review of my sponsor, I'm doing QA tests.

pacemaker 1.1.13-1 is now in NEW.

Thanks to Feri for preparing this release!

Merry Christmas,
Christoph
-- 
c...@df7cb.de | http://www.df7cb.de/




Bug#650601: transition: libpng 1.5

2015-12-24 Thread Tobias Frost
Hi Nobuhiro,

On Wednesday, 23.12.2015, at 05:29 +0900, Nobuhiro Iwamatsu wrote:
> Hi Tobias, Gianfranco and Emilio.
> 
> Thanks for your help!
> Sorry, about this transition.
> 
> I don't upload libpng16 with providing libpng-dev now. Because Depend
> of libpng
> is very large and effect for system is large too.
> I was considering to gradually transition in a way that was proposed
> by Michael.
> I just sent a mail about this. Could you check this mail, and
> comment?
> 
> Best regards,
>   Nobuhiro

For me this plan sounds good. 

Some steps could be parallelized though, so for example I think we do not
need to wait for libpng to transition to testing before filing bugs and
making packages ready to compile with (libpng12 and) libpng16.

I think we should also recommend people to B-D on libpng-dev to help
subsequent transitions, maybe in combination with stop providing
libpng-dev when the transition is completed but having a real package
depending on the latest -dev package. (As Michael pointed out,
Versioned depends are not working with Provided packages.)
 
(But the release team should give the ok to start)

I'm currently rebuilding all reverse B-Ds (on libpng-dev and
libpng12-dev), but this will still take a few days to complete (currently
done ~150 packages out of ~450) to assess the situation -- A summary will be
posted to this bug when ready.

--
tobi



NEW changes in p-u-new

2015-12-24 Thread Debian FTP Masters
E: Cannot find policy queue p-u-new



NEW changes in o-p-u-new

2015-12-24 Thread Debian FTP Masters
E: Cannot find policy queue o-p-u-new



Bug#650601: transition: libpng 1.5

2015-12-24 Thread Tobias Frost
On Thu, 24 Dec 2015 12:12:31 +0100 Tobias Frost wrote:

> I'm currently rebuilding all reverse B-Ds (on libpng-dev and
> libpng12-dev), but this will still take a few days to complete
> (currently done ~150 packages out of ~450) to assess the situation --
> A summary will be posted to this bug when ready.

buildlogs / status are available here:

http://libpng.sviech.de

(*build are the logs, the other files are just helpers for the script)

(Note: the local libpng16 package is configured to provide libpng12-dev 
and libpng-dev)

(I did not yet closely look at the failures, but there might be a few
failures due to the brute-force nature of the rebuilding. :))

Tobi