Bug#776615: unblock: libssh/0.6.3-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hello,
I've uploaded libssh 0.6.3-4 that contains a security fix for #773577
(CVE-2014-8132).
Please unblock package libssh
unblock libssh/0.6.3-4
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.18.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libssh-0.6.3/debian/changelog libssh-0.6.3/debian/changelog
--- libssh-0.6.3/debian/changelog 2014-08-30 17:31:23.000000000 +0200
+++ libssh-0.6.3/debian/changelog 2015-01-27 00:28:06.000000000 +0100
@@ -1,3 +1,10 @@
+libssh (0.6.3-4) unstable; urgency=medium
+
+ * Add debian/patches/0001_CVE-2014-8132.patch: Fixup error path in
+ ssh_packet_kexinit() (Closes: #773577, CVE-2014-8132)
+
+ -- Laurent Bigonville <bigon@debian.org> Tue, 27 Jan 2015 00:28:01 +0100
+
libssh (0.6.3-3) unstable; urgency=low
[ Sebastian Ramacher ]
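Review bot: The new changelog entry puts the CVE id inside the Closes clause, as "(Closes: #773577, CVE-2014-8132)". Only the bug number is parsed as a closure there, so the CVE id reads more clearly outside it, for example "(CVE-2014-8132) (Closes: #773577)". The entry could also name the upstream commit the patch was cherry-picked from, since that reference currently appears only in the patch header.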
diff -Nru libssh-0.6.3/debian/patches/0001_CVE-2014-8132.patch libssh-0.6.3/debian/patches/0001_CVE-2014-8132.patch
--- libssh-0.6.3/debian/patches/0001_CVE-2014-8132.patch 1970-01-01 01:00:00.000000000 +0100
+++ libssh-0.6.3/debian/patches/0001_CVE-2014-8132.patch 2015-01-27 00:28:06.000000000 +0100
@@ -0,0 +1,39 @@
+commit 87ae95eb3c2f35d3e8e00eca43d0711ab2737ef5
+Author: Jon Simons <jon@jonsimons.org>
+Date: Sat Oct 18 23:23:26 2014 -0700
+
+ CVE-2014-8132: Fixup error path in ssh_packet_kexinit()
+
+ Before this change, dangling pointers can be unintentionally left in the
+ respective next_crypto kex methods slots. Ensure to set all slots to
+ NULL in the error-out path.
+
+ Signed-off-by: Jon Simons <jon@jonsimons.org>
+ Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+ (cherry picked from commit 2ced24ddd67a261dc364ad4d8958c068c1671ae7)
+
+diff --git a/src/kex.c b/src/kex.c
+index 563c6a5..fab6bad 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -315,7 +315,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
+ for (i = 0; i < KEX_METHODS_SIZE; i++) {
+ str = buffer_get_ssh_string(packet);
+ if (str == NULL) {
+- break;
++ goto error;
+ }
+
+ if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) {
+@@ -350,6 +350,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
+ error:
+ ssh_string_free(str);
+ for (i = 0; i < SSH_KEX_METHODS; i++) {
++ if (server_kex) {
++ session->next_crypto->client_kex.methods[i] = NULL;
++ } else { /* client */
++ session->next_crypto->server_kex.methods[i] = NULL;
++ }
+ SAFE_FREE(strings[i]);
+ }
+
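Review bot: In the error: path of src/kex.c the cleanup loop is bounded by SSH_KEX_METHODS, while the parse loop changed in the first inner hunk is bounded by KEX_METHODS_SIZE, and the new "methods[i] = NULL" stores now depend on that bound as well. Please confirm both macros have the same value and match the size of methods[], or use a single constant for both loops. With "break" replaced by "goto error", the label is also reached with str == NULL, so ssh_string_free(str) has to accept a NULL argument. The "/* client */" comment on the else branch sits directly above a store into server_kex; a short comment saying that each branch clears the opposite side's method list would make the intent easier to follow.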
diff -Nru libssh-0.6.3/debian/patches/series libssh-0.6.3/debian/patches/series
--- libssh-0.6.3/debian/patches/series 2014-08-30 17:31:23.000000000 +0200
+++ libssh-0.6.3/debian/patches/series 2015-01-27 00:28:06.000000000 +0100
@@ -1,3 +1,4 @@
+0001_CVE-2014-8132.patch
1001_error-msg-typo-fix.patch
1003-custom-lib-names.patch
2002-fix-html-doc-generation.patch
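Review bot: 0001_CVE-2014-8132.patch is inserted as the first entry of the series, ahead of 1001_error-msg-typo-fix.patch, so the three existing patches are now applied on top of the modified src/kex.c. Please check that they still apply without fuzz or offsets after this reordering, and mention that in the unblock request if a build log is available.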