
Bug#959081: marked as done (buster-pu: package libssh/0.8.7-1)



Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #959081,
regarding buster-pu: package libssh/0.8.7-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
959081: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959081
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

Please allow an upload to fix #956308 (CVE-2020-1730).

That upload should also probably end up in the coming point release.

 changelog                                                                    |    7 +++++++
 patches/0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch |   32 ++++++++++++++++++++++++++++++++
 patches/series                                                               |    1 +
 3 files changed, 40 insertions(+)

Kind regards,
Laurent Bigonville

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.5.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy

From 75f81629de6636a82d0129ad86d9b41dd5d9b8da Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@debian.org>
Date: Wed, 29 Apr 2020 10:38:58 +0200
Subject: [PATCH] Fix possible DoS in client and server when handling AES-CTR
 keys with OpenSSL, cherry-picked from upstream (Closes: #956308
 CVE-2020-1730)

---
 debian/changelog                              |  7 ++++
 ...ossible-segfault-when-zeroing-AES-CT.patch | 32 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 40 insertions(+)
 create mode 100644 debian/patches/0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch

diff --git a/debian/changelog b/debian/changelog
index c4273f2f..8225fbd2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libssh (0.8.7-1+deb10u1) buster; urgency=medium
+
+  * Fix possible DoS in client and server when handling AES-CTR keys with
+    OpenSSL, cherry-picked from upstream (Closes: #956308 CVE-2020-1730)
+
+ -- Laurent Bigonville <bigon@debian.org>  Tue, 28 Apr 2020 13:40:28 +0200
+
 libssh (0.8.7-1) unstable; urgency=medium
 
   * New upstream bug fix release 0.8.7.
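
Review bot: in the new 0.8.7-1+deb10u1 entry, the parenthetical "(Closes: #956308 CVE-2020-1730)" runs the bug number and the CVE id together with no separator, so the CVE id reads as part of the Closes list. Keeping them apart, for example "(CVE-2020-1730) (Closes: #956308)", is unambiguous. The entry also does not name the file it adds under debian/patches, which would help someone going from the changelog to the change.
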
diff --git a/debian/patches/0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch b/debian/patches/0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch
new file mode 100644
index 00000000..cdbc51f5
--- /dev/null
+++ b/debian/patches/0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch
@@ -0,0 +1,32 @@
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 11 Feb 2020 11:52:33 +0100
+Subject: CVE-2020-1730: Fix a possible segfault when zeroing AES-CTR key
+
+Fixes T213
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+(cherry picked from commit b36272eac1b36982598c10de7af0a501582de07a)
+---
+ src/libcrypto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 340a3e6..b3285e0 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -636,8 +636,12 @@ static void aes_ctr_encrypt(struct ssh_cipher_struct *cipher, void *in, void *ou
+ }
+ 
+ static void aes_ctr_cleanup(struct ssh_cipher_struct *cipher){
+-    explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key));
+-    SAFE_FREE(cipher->aes_key);
++    if (cipher != NULL) {
++        if (cipher->aes_key != NULL) {
++            explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key));
++        }
++        SAFE_FREE(cipher->aes_key);
++    }
+ }
+ 
+ #endif /* HAVE_OPENSSL_EVP_AES_CTR */
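
Review bot: the header of the new patch file says only "Fixes T213" plus the cherry-pick hash and never states when cipher->aes_key can be NULL on entry to aes_ctr_cleanup, which is the condition the whole change guards against. One sentence describing it, together with Origin: and Bug-Debian: fields pointing at the upstream commit and #956308, would let a later reader verify the backport. In the function body, SAFE_FREE(cipher->aes_key) stays outside the inner aes_key check, as it was in the removed lines, so it still relies on the macro accepting a NULL pointer. That is worth confirming against the 0.8.7 definition, since the macro is not visible in this hunk.
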
diff --git a/debian/patches/series b/debian/patches/series
index 842c602c..db23779b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
+0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch
 1003-custom-lib-names.patch
 2003-disable-expand_tilde_unix-test.patch
-- 
2.26.2


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
