Bug#808890: jessie-pu: package libssh/0.6.3-4
Oops... had trouble with reportbug and the patch I asked to be attached wasn't sent. Attaching. Thanks -- Chris -- Chris Knadle chris.kna...@coredump.us diff -Nru libssh-0.6.3/debian/changelog libssh-0.6.3/debian/changelog --- libssh-0.6.3/debian/changelog 2015-01-26 18:28:06.0 -0500 +++ libssh-0.6.3/debian/changelog 2015-12-04 09:53:48.0 -0500 @@ -1,3 +1,14 @@ +libssh (0.6.3-4+deb8u1) jessie; urgency=medium + + * Non-maintainer upload. + * debian/patches: +- Add 0002_CVE-2015-3146.patch + Fix "null pointer dereference due to a logical error in the handling + of a SSH_MSG_NEWKEYS and KEXDH_REPLY packets" + (Closes: #784404, CVE-2015-3146) + + -- Christopher KnadleMon, 23 Nov 2015 08:43:19 -0500 + libssh (0.6.3-4) unstable; urgency=medium * Add debian/patches/0001_CVE-2014-8132.patch: Fixup error path in diff -Nru libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch --- libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch1969-12-31 19:00:00.0 -0500 +++ libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch2015-12-04 09:53:32.0 -0500 
@@ -0,0 +1,129 @@ +From 94f6955fbaee6fda9385a23e505497efe21f5b4f Mon Sep 17 00:00:00 2001 +From: Aris Adamantiadis +Date: Wed, 15 Apr 2015 16:08:37 +0200 +Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers + +The state validation in the packet handlers for SSH_MSG_NEWKEYS and +SSH_MSG_KEXDH_REPLY had a bug which did not raise an error. + +The issue has been found and reported by Mariusz Ziule. + +Signed-off-by: Aris Adamantiadis +Reviewed-by: Andreas Schneider +(cherry picked from commit bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe) +--- + src/packet_cb.c | 16 ++-- + src/server.c| 8 +--- + 2 files changed, 15 insertions(+), 9 deletions(-) + +diff --git a/src/packet_cb.c b/src/packet_cb.c +index a10dd1a..e6c613f 100644 +--- a/src/packet_cb.c b/src/packet_cb.c +@@ -94,7 +94,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){ + (void)type; + (void)user; + SSH_LOG(SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY"); +- if(session->session_state!= SSH_SESSION_STATE_DH && ++ if (session->session_state != SSH_SESSION_STATE_DH || + session->dh_handshake_state != DH_STATE_INIT_SENT){ + ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d", + session->session_state,session->dh_handshake_state); +@@ -135,12 +135,16 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){ + (void)user; + (void)type; + SSH_LOG(SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS"); +- if(session->session_state!= SSH_SESSION_STATE_DH && +- session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){ +- ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d", +- session->session_state,session->dh_handshake_state); +- goto error; ++ ++ if (session->session_state != SSH_SESSION_STATE_DH || ++ session->dh_handshake_state != DH_STATE_NEWKEYS_SENT) { ++ ssh_set_error(session, ++SSH_FATAL, ++"ssh_packet_newkeys called in wrong state : %d:%d", ++session->session_state,session->dh_handshake_state); ++ goto error; + } ++ + if(session->server){ + /* server things are 
done in server.c */ + session->dh_handshake_state=DH_STATE_FINISHED; +diff --git a/src/server.c b/src/server.c +index 35281ca..1637cce 100644 +--- a/src/server.c b/src/server.c +@@ -165,7 +165,7 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){ + } + + SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){ +- int rc; ++ int rc = SSH_ERROR; + (void)type; + (void)user; + +@@ -193,9 +193,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){ + ssh_set_error(session,SSH_FATAL,"Wrong kex type in ssh_packet_kexdh_init"); + rc = SSH_ERROR; + } +- if (rc == SSH_ERROR) ++ ++error: ++ if (rc == SSH_ERROR) { + session->session_state = SSH_SESSION_STATE_ERROR; +- error: ++ } + + return SSH_PACKET_USED; + } +-- +2.3.5 + + +From e9d16bd3439205ce7e75017405b1ac6ed5ead062 Mon Sep 17 00:00:00 2001 +From: Aris Adamantiadis +Date: Wed, 15 Apr 2015 16:25:29 +0200 +Subject: [PATCH 2/2] buffers: Fix a possible null pointer dereference + +This is an addition to CVE-2015-3146 to fix the null pointer +dereference. The patch is not required to fix the CVE but prevents +issues in future. + +Signed-off-by: Aris Adamantiadis +Reviewed-by: Andreas Schneider +(cherry picked from commit 309102547208281215e6799336b42d355cdd7c5d) +--- + src/buffer.c | 8 + 1 file changed, 8 insertions(+) + +diff --git a/src/buffer.c b/src/buffer.c +index ca12086..3bb6ec4 100644 +---
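Review bot: the `error:` target of the new `goto error` in ssh_packet_newkeys (src/packet_cb.c hunk at line 135) lies outside the hunk; confirm in the full file that it marks the session as SSH_SESSION_STATE_ERROR and returns, because with `&&` replaced by `||` every state mismatch (either session_state != SSH_SESSION_STATE_DH or dh_handshake_state != DH_STATE_NEWKEYS_SENT) now takes that path instead of falling through to the `if(session->server)` block; the same applies to the `||` change in ssh_packet_dh_reply at line 94.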
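Review bot: in the src/server.c hunk, moving `error:` ahead of `if (rc == SSH_ERROR)` only errors the session because `rc` is now initialized to SSH_ERROR; any `goto error` taken before `rc` is assigned relies on that initializer, which makes the `rc = SSH_ERROR;` in the "Wrong kex type" branch harmless but redundant, and the success path must store a non-error value in `rc` before reaching the label (the assignment from ssh_server_kexdh_init is not visible in the hunk context, so please check it is kept).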
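Review bot: the attached 0002_CVE-2015-3146.patch as shown here ends after `+---` in the src/buffer.c section of the second cherry-picked commit, while its hunk header declares 129 lines and the second commit's diffstat promises 8 insertions in src/buffer.c; the file cannot be applied in this form, so please resend the complete patch.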
Bug#808901: wheezy-pu: package libssh/0.5.4-1+deb7u1
Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu Greetings. I would like to update libssh in Wheezy via a sponsored NMU to fix CVE-2015-3146 and CVE-2015-8132, which are non-DSA security bugs and so would need to be fixed via stable-proposed-updates. I updated libssh in Sid via sponsored NMU for these in Nov 2015. The patches used to fix this came from upstream at: https://www.libssh.org/security/patches/ Thanks. -- Chris -- Chris Knadle chris.kna...@coredump.us diff -Nru libssh-0.5.4/debian/changelog libssh-0.5.4/debian/changelog --- libssh-0.5.4/debian/changelog 2014-03-06 04:47:48.0 -0500 +++ libssh-0.5.4/debian/changelog 2015-12-04 09:31:06.0 -0500 @@ -1,3 +1,17 @@ +libssh (0.5.4-1+deb7u2) wheezy; urgency=medium + + * Non-maintainer upload. + * debian/patches: +- Add 0005-security-fix-for-vulnerability-CVE-2014-8132.patch + Fix "Double free on dangling pointers in initial key exchange packet" + (Closes: #773577, CVE-2014-8132) +- Add 0006-security-fix-for-vulnerability-CVE-2015-3146.patch + Fix "null pointer dereference due to a logical error in the handling of + a SSH_MSG_NEWKEYS and KEXDH_REPLY packets" + (Closes: #784404, CVE-2015-3146) + + -- Christopher KnadleMon, 23 Nov 2015 04:08:05 -0500 + libssh (0.5.4-1+deb7u1) wheezy-security; urgency=high * debian/patches/0004-security-fix-for-vulnerability-CVE-2014-0017.patch: diff -Nru libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch --- libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch 1969-12-31 19:00:00.0 -0500 +++ libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch 2015-11-23 08:55:39.0 -0500 
@@ -0,0 +1,46 @@ +From f2e14e00ff0afdb7e45a595dc4c5f9e50d413b4d Mon Sep 17 00:00:00 2001 +From: Jon Simons +Date: Sat, 18 Oct 2014 23:23:26 -0700 +Subject: [PATCH] CVE-2014-8132: Fixup error path in ssh_packet_kexinit() + +Before this change, dangling pointers can be unintentionally left in the +respective next_crypto kex methods slots. Ensure to set all slots to +NULL in the error-out path. + +Signed-off-by: Jon Simons +Reviewed-by: Andreas Schneider + +(cherry picked from commit 2ced24ddd67a261dc364ad4d8958c068c1671ae7) +Signed-off-by: Andreas Schneider +--- + src/kex.c | 7 ++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/kex.c b/src/kex.c +index dedf286..db35183 100644 +--- a/src/kex.c b/src/kex.c +@@ -286,7 +286,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ + for (i = 0; i < 10; i++) { + str = buffer_get_ssh_string(packet); + if (str == NULL) { +- break; ++ goto error; + } + + if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) { +@@ -333,6 +333,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ + error: + ssh_string_free(str); + for (i = 0; i < 10; i++) { ++if (server_kex) { ++ session->server_kex.methods[i] = NULL; ++} else { ++ session->client_kex.methods[i] = NULL; ++} + SAFE_FREE(strings[i]); + } + +-- +2.2.0 + diff -Nru libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch --- libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch 1969-12-31 19:00:00.0 -0500 +++ libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch 2015-11-23 08:55:39.0 -0500 
@@ -0,0 +1,98 @@ +From cadc76a8b450f4e2181009c8faa2c4dace9bcc2c Mon Sep 17 00:00:00 2001 +From: Aris Adamantiadis +Date: Wed, 15 Apr 2015 16:08:37 +0200 +Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers + +The state validation in the packet handlers for SSH_MSG_NEWKEYS and +SSH_MSG_KEXDH_REPLY had a bug which did not raise an error. + +The issue has been found and reported by Mariusz Ziule. + +Signed-off-by: Aris Adamantiadis +Reviewed-by: Andreas Schneider +--- + src/client.c | 4 ++-- + src/server.c | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/client.c b/src/client.c +index 0e50497..6919e7a 100644 +--- a/src/client.c b/src/client.c +@@ -186,7 +186,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){ + (void)type; + (void)user; + ssh_log(session,SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY"); +- if(session->session_state!= SSH_SESSION_STATE_DH && ++ if(session->session_state!= SSH_SESSION_STATE_DH || + session->dh_handshake_state != DH_STATE_INIT_SENT){ + ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d", +
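Review bot: the cover text of this request asks to fix "CVE-2015-3146 and CVE-2015-8132", but the changelog hunk and the patch file name say CVE-2014-8132, which matches the patch subject "CVE-2014-8132: Fixup error path in ssh_packet_kexinit()"; the changelog is the correct one, and the bug description should be corrected so the identifiers agree in the stable-proposed-updates request.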
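Review bot: in the src/kex.c hunk at line 286, `break` becoming `goto error` means a KEXINIT carrying fewer than 10 name-lists now reaches the error path, where the loop at line 333 frees all ten `strings[i]` slots and NULLs the matching `methods[i]`; that is only safe if `strings[]` is zero-initialized before the parsing loop (not shown in the context), and `ssh_string_free(str)` is reached with `str == NULL` on this path, so please verify both.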
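Review bot: the attached 0006-security-fix-for-vulnerability-CVE-2015-3146.patch is cut off inside the first src/client.c hunk (after the `ssh_set_error(...` line), while its diffstat lists changes to both src/client.c (4 lines) and src/server.c (1 line); as shown it cannot be applied, so please attach the complete file.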
Bug#808890: jessie-pu: package libssh/0.6.3-4
After filing #808901 I realize the source of the patch for #808890 is elsewhere than I had originally stated: for the 0.6.x series for CVE-2015-3146 the patch is within upstream tarball libssh-0.6.5.tar.xz:

libssh-0.6.5/CVE-2015-3146-libssh-0.6.x.patch

Link to tarball: https://red.libssh.org/attachments/download/121/libssh-0.6.5.tar.xz

-- Chris

-- 
Chris Knadle
chris.kna...@coredump.us
Bug#796345: [Debian-ha-maintainers] Bug#796345: redhat-cluster/libdlm + lvm + perl transition
Re: Ferenc Wagner 2015-12-22 <874mfbfh6y@lant.ki.iif.hu>
> Emilio Pozuelo Monfort writes:
>
> > This is the last blocker for the perl transition. Packages should be
> > installable now in unstable. Please let us know if you make progress
> > with this or if you hit any blockers.
>
> Short progress report: no blockers.
>
> I encountered unexpected problems, but they are mostly solved by now.
> While waiting for the review of my sponsor, I'm doing QA tests.

pacemaker 1.1.13-1 is now in NEW. Thanks to Feri for preparing this release!

Merry Christmas,
Christoph

-- 
c...@df7cb.de | http://www.df7cb.de/
Bug#650601: transition: libpng 1.5
Hi Nobuhiro,

On Wednesday, 23.12.2015, 05:29 +0900, Nobuhiro Iwamatsu wrote:
> Hi Tobias, Gianfranco and Emilio.
>
> Thanks for your help!
> Sorry about this transition.
>
> I don't upload libpng16 with providing libpng-dev now, because the
> dependencies of libpng are very large and the effect on the system is
> large too.
> I was considering to gradually transition in a way that was proposed
> by Michael.
> I just sent a mail about this. Could you check this mail, and
> comment?
>
> Best regards,
> Nobuhiro

For me this plan sounds good. Some steps could be parallelized though, so for example I think we do not need to wait for libpng to transition to testing before filing bugs and making packages ready to compile with (libpng12 and) libpng16.

I think we should also recommend people to B-D on libpng-dev to help subsequent transitions, maybe in combination with stopping to provide libpng-dev when the transition is completed but having a real package depending on the latest -dev package. (As Michael pointed out, versioned depends are not working with Provided packages.) (But the release team should give the ok to start.)

I'm currently rebuilding all reverse B-Ds (on libpng-dev and libpng12-dev), but this will still take a few days to complete (currently done ~150 packages out of ~450) to assess the situation -- A summary will be posted to this bug when ready.

-- 
tobi
NEW changes in p-u-new
E: Cannot find policy queue p-u-new
NEW changes in o-p-u-new
E: Cannot find policy queue o-p-u-new
Bug#650601: transition: libpng 1.5
On Thu, 24 Dec 2015 12:12:31 +0100 Tobias Frost wrote:
> I'm currently rebuilding all reverse B-Ds (on libpng-dev and libpng12-dev),
> but this will still take a few days to complete (currently done
> ~150 packages out of ~450) to assess the situation -- A summary will be
> posted to this bug when ready.

buildlogs / status are available here: http://libpng.sviech.de
(*build are the logs, the other files are just helpers for the script)

(Note: the local libpng16 package is configured to provide libpng12-dev and libpng-dev)

(I did not yet closely look at the failures, but there might be a few failures due to the brute-force nature of the rebuilding. :))

Tobi