Bug#702173: pu: package openssh/1:5.5p1-6+squeeze3

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#702173: pu: package openssh/1:5.5p1-6+squeeze3
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 3 Mar 2013 14:38:05 +0000
Message-id: <[🔎] 20130303143805.GA8641@riva.dynamic.greenend.org.uk>
Reply-to: Colin Watson <cjwatson@debian.org>, 702173@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Moritz Muehlenhoff asked me to take care of a minor security issue (a
potential post-authentication DoS in some configurations;
https://security-tracker.debian.org/tracker/CVE-2011-5000).  I don't
think this is a big deal for a DSA, but it'd be good to fix it in
stable.

I can upload the following patch once I have the OK to do so.

diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
--- openssh-5.5p1/debian/changelog	2013-02-08 21:39:18.000000000 +0000
+++ openssh-5.5p1/debian/changelog	2013-03-03 14:14:05.000000000 +0000
@@ -1,3 +1,10 @@
+openssh (1:5.5p1-6+squeeze4) stable; urgency=low
+
+  * CVE-2011-5000: Fix potential int overflow when using gssapi-with-mac
+    authentation.
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 03 Mar 2013 14:14:03 +0000
+
 openssh (1:5.5p1-6+squeeze3) stable; urgency=low
 
   * CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
diff -Nru openssh-5.5p1/debian/patches/gss-serv-int-overflow.patch openssh-5.5p1/debian/patches/gss-serv-int-overflow.patch
--- openssh-5.5p1/debian/patches/gss-serv-int-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-5.5p1/debian/patches/gss-serv-int-overflow.patch	2013-03-03 13:55:52.000000000 +0000
@@ -0,0 +1,19 @@
+Description: Fix potential int overflow when using gssapi-with-mac auth
+Author: Markus Friedl
+Origin: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/gss-serv.c?r1=1.23#rev1.23
+Forwarded: not-needed
+Last-Update: 2013-02-03
+
+Index: b/gss-serv.c
+===================================================================
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -266,6 +266,8 @@
+ 	name->length = get_u32(tok+offset);
+ 	offset += 4;
+ 
++	if (UINT_MAX - offset < name->length)
++		return GSS_S_FAILURE;
+ 	if (ename->length < offset+name->length)
+ 		return GSS_S_FAILURE;
+ 
diff -Nru openssh-5.5p1/debian/patches/series openssh-5.5p1/debian/patches/series
--- openssh-5.5p1/debian/patches/series	2013-02-08 21:36:03.000000000 +0000
+++ openssh-5.5p1/debian/patches/series	2013-03-03 13:56:16.000000000 +0000
@@ -30,6 +30,7 @@
 # Security fixes
 forced-command-debug-security.patch
 max-startups-default.patch
+gss-serv-int-overflow.patch
 
 # Versioning
 package-versioning.patch

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

Follow-Ups:
- Processed: Re: Bug#702173: pu: package openssh/1:5.5p1-6+squeeze3
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#702173: pu: package openssh/1:5.5p1-6+squeeze3
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#702173: pu: package openssh/1:5.5p1-6+squeeze3
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Re: openjdk maintenance for wheezy and squeeze
Next by Date: Bug#702001: unblock: opendnssec/1:1.3.9-5
Previous by thread: Re: openjdk maintenance for wheezy and squeeze
Next by thread: Processed: Re: Bug#702173: pu: package openssh/1:5.5p1-6+squeeze3
Index(es):
- Date
- Thread