Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Request for uploading to stable, as there is posted a CVE for a bug in mactelnet-client. This update is a backport of the fix that is done upstream, that fixes only the mentioned bug. Mor information here: https://security-tracker.debian.org/tracker/CVE-2016-7115 and here: https://bugs.debian.org/836320 -- System Information: Debian Release: stretch/sid Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.4.0-21-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru mactelnet-0.4.0/debian/changelog mactelnet-0.4.0/debian/changelog --- mactelnet-0.4.0/debian/changelog 2016-09-10 23:43:04.000000000 +0200 +++ mactelnet-0.4.0/debian/changelog 2016-09-10 23:46:41.000000000 +0200 @@ -1,3 +1,9 @@ +mactelnet (0.4.0-2) stable; urgency=low + + * Backported bugfix of CVE 2016-7115 (closes: 836320) + + -- Håkon Nessjøen <haakon.nessj...@gmail.com> Sun, 10 Sep 2016 23:11:32 +0200 + mactelnet (0.4.0-1) unstable; urgency=low * Upstream release 0.4.0 diff -Nru mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch --- mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch 1970-01-01 01:00:00.000000000 +0100 +++ mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch 2016-09-10 23:49:20.000000000 +0200 @@ -0,0 +1,51 @@ +--- a/mactelnet.c ++++ b/mactelnet.c +@@ -75,7 +75,7 @@ + + static int keepalive_counter = 0; + +-static unsigned char encryptionkey[128]; ++static unsigned char pass_salt[16]; + static char username[255]; + static char password[255]; + static char nonpriv_username[255]; +@@ -191,18 +191,21 @@ + char *terminal = getenv("TERM"); + char md5data[100]; + unsigned char md5sum[17]; +- int plen; ++ int plen, act_pass_len; + md5_state_t state; + +- /* Concat string of 0 + password + encryptionkey */ ++ /* calculate the actual password's length */ ++ act_pass_len = strnlen(password, 82); ++ ++ /* Concat string of 0 + password + pass_salt */ + md5data[0] = 0; +- strncpy(md5data + 1, password, 82); +- md5data[83] = '\0'; +- memcpy(md5data + 1 + strlen(password), encryptionkey, 16); ++ memcpy(md5data + 1, password, act_pass_len); ++ /* in case that password is long, calculate only using the used-up parts */ ++ memcpy(md5data + 1 + act_pass_len, pass_salt, 16); + + /* Generate md5 sum of md5data with a leading 0 */ + md5_init(&state); +- md5_append(&state, (const md5_byte_t *)md5data, strlen(password) + 17); ++ md5_append(&state, (const md5_byte_t *)md5data, 1 + act_pass_len + 16); + md5_finish(&state, (md5_byte_t *)md5sum + 1); + md5sum[0] = 0; + +@@ -279,9 +282,9 @@ + + while (success) { + +- /* If we receive encryptionkey, transmit auth data back */ ++ /* If we receive pass_salt, transmit auth data back */ + if (cpkt.cptype == MT_CPTYPE_ENCRYPTIONKEY) { +- memcpy(encryptionkey, cpkt.data, cpkt.length); ++ memcpy(pass_salt, cpkt.data, 16); + send_auth(username, password); + } + diff -Nru mactelnet-0.4.0/debian/patches/series mactelnet-0.4.0/debian/patches/series --- mactelnet-0.4.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ mactelnet-0.4.0/debian/patches/series 2016-09-10 23:49:03.000000000 +0200 @@ -0,0 +1 @@ +CVE-2016-7115.patch