
Bug#780402: marked as done (unblock: libssh2/1.4.3-4.1)



Your message dated Fri, 13 Mar 2015 13:20:09 +0100
with message-id <20150313122009.GA17152@eldamar.local>
and subject line Re: Bug#780402: unblock: libssh2/1.4.3-4.1
has caused the Debian Bug report #780402,
regarding unblock: libssh2/1.4.3-4.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780402: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780402
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package libssh2. It fixes CVE-2015-1782, #780249 in the
BTS. The changelog entry reads as:

>libssh2 (1.4.3-4.1) unstable; urgency=high
>
>  * Non-maintainer upload by the Security Team.
>  * Add 0003-CVE-2015-1782.patch.
>    CVE-2015-1782: Using SSH_MSG_KEXINIT data unbounded. (Closes: #780249)
>
> -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 11 Mar 2015 12:08:30 +0100

The full debdiff is attached as well.

unblock libssh2/1.4.3-4.1

Regards and thanks in advance!

Salvatore
diff -Nru libssh2-1.4.3/debian/changelog libssh2-1.4.3/debian/changelog
--- libssh2-1.4.3/debian/changelog	2014-09-03 15:52:17.000000000 +0200
+++ libssh2-1.4.3/debian/changelog	2015-03-11 12:13:08.000000000 +0100
@@ -1,3 +1,11 @@
+libssh2 (1.4.3-4.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Add 0003-CVE-2015-1782.patch.
+    CVE-2015-1782: Using SSH_MSG_KEXINIT data unbounded. (Closes: #780249)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 11 Mar 2015 12:08:30 +0100
+
 libssh2 (1.4.3-4) unstable; urgency=low
 
   * Update description to mention SFTPv5 support
diff -Nru libssh2-1.4.3/debian/patches/0003-CVE-2015-1782.patch libssh2-1.4.3/debian/patches/0003-CVE-2015-1782.patch
--- libssh2-1.4.3/debian/patches/0003-CVE-2015-1782.patch	1970-01-01 01:00:00.000000000 +0100
+++ libssh2-1.4.3/debian/patches/0003-CVE-2015-1782.patch	2015-03-11 12:13:08.000000000 +0100
@@ -0,0 +1,111 @@
+From c7f66cca285033da9b8c9de8eceff52d7b3c3ef3 Mon Sep 17 00:00:00 2001
+From: Mariusz Ziulek <mzet@owasp.org>
+Date: Sat, 21 Feb 2015 23:31:36 +0100
+Subject: [PATCH] kex: bail out on rubbish in the incoming packet
+
+---
+ src/kex.c | 73 +++++++++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 41 insertions(+), 32 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index fa4c4e1..ad7498a 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -1547,10 +1547,34 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+ 
+ /* TODO: When in server mode we need to turn this logic on its head
+  * The Client gets to make the final call on "agreed methods"
+  */
+ 
++/*
++ * kex_string_pair() extracts a string from the packet and makes sure it fits
++ * within the given packet.
++ */
++static int kex_string_pair(unsigned char **sp,   /* parsing position */
++                           unsigned char *data,  /* start pointer to packet */
++                           size_t data_len,      /* size of total packet */
++                           size_t *lenp,         /* length of the string */
++                           unsigned char **strp) /* pointer to string start */
++{
++    unsigned char *s = *sp;
++    *lenp = _libssh2_ntohu32(s);
++
++    /* the length of the string must fit within the current pointer and the
++       end of the packet */
++    if (*lenp > (data_len - (s - data) -4))
++        return 1;
++    *strp = s + 4;
++    s += 4 + *lenp;
++
++    *sp = s;
++    return 0;
++}
++
+ /* kex_agree_methods
+  * Decide which specific method to use of the methods offered by each party
+  */
+ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+                              unsigned data_len)
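Review bot: The bounds test in kex_string_pair, `if (*lenp > (data_len - (s - data) -4))`, is an unsigned subtraction that wraps when fewer than 4 bytes remain between s and data + data_len, so the guard accepts any length in exactly the case it must reject; the 4-byte length field is also read by _libssh2_ntohu32 before anything confirms it lies inside the packet. A KEXINIT whose last string ends precisely at data_len therefore still drives the next call into an over-read of the length word. Check the remaining space before reading the length and keep the comparison in a form that cannot wrap, as below. kex_agree_methods's body continues in the next hunk.
```c
static int kex_string_pair(unsigned char **sp,   /* parsing position */
                           unsigned char *data,  /* start pointer to packet */
                           size_t data_len,      /* size of total packet */
                           size_t *lenp,         /* length of the string */
                           unsigned char **strp) /* pointer to string start */
{
    unsigned char *s = *sp;
    size_t used = (size_t)(s - data);

    /* the 4-byte length field itself must lie inside the packet; test this
       first so the subtractions below can never wrap */
    if (used > data_len || data_len - used < 4)
        return 1;
    *lenp = _libssh2_ntohu32(s);

    /* and the string body must fit between the length field and the end */
    if (*lenp > data_len - used - 4)
        return 1;
    *strp = s + 4;
    s += 4 + *lenp;
    /* … unchanged: store s back through sp, return 0 … */
```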
+@@ -1566,42 +1590,27 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+     /* Skip cookie, don't worry, it's preserved in the kexinit field */
+     s += 16;
+ 
+     /* Locate each string */
+-    kex_len = _libssh2_ntohu32(s);
+-    kex = s + 4;
+-    s += 4 + kex_len;
+-    hostkey_len = _libssh2_ntohu32(s);
+-    hostkey = s + 4;
+-    s += 4 + hostkey_len;
+-    crypt_cs_len = _libssh2_ntohu32(s);
+-    crypt_cs = s + 4;
+-    s += 4 + crypt_cs_len;
+-    crypt_sc_len = _libssh2_ntohu32(s);
+-    crypt_sc = s + 4;
+-    s += 4 + crypt_sc_len;
+-    mac_cs_len = _libssh2_ntohu32(s);
+-    mac_cs = s + 4;
+-    s += 4 + mac_cs_len;
+-    mac_sc_len = _libssh2_ntohu32(s);
+-    mac_sc = s + 4;
+-    s += 4 + mac_sc_len;
+-    comp_cs_len = _libssh2_ntohu32(s);
+-    comp_cs = s + 4;
+-    s += 4 + comp_cs_len;
+-    comp_sc_len = _libssh2_ntohu32(s);
+-    comp_sc = s + 4;
+-#if 0
+-    s += 4 + comp_sc_len;
+-    lang_cs_len = _libssh2_ntohu32(s);
+-    lang_cs = s + 4;
+-    s += 4 + lang_cs_len;
+-    lang_sc_len = _libssh2_ntohu32(s);
+-    lang_sc = s + 4;
+-    s += 4 + lang_sc_len;
+-#endif
++    if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
++       return -1;
++
+     /* If the server sent an optimistic packet, assume that it guessed wrong.
+      * If the guess is determined to be right (by kex_agree_kex_hostkey)
+      * This flag will be reset to zero so that it's not ignored */
+     session->burn_optimistic_kexinit = *(s++);
+     /* Next uint32 in packet is all zeros (reserved) */
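Review bot: `session->burn_optimistic_kexinit = *(s++);` reads the first_kex_packet_follows byte with no check that s is still inside the packet, even though every string before it is now bounded; a KEXINIT whose comp_sc string ends exactly at data_len turns this into a one-byte over-read. Guard it the same way the strings are guarded, `if (s >= data + data_len) return -1;` immediately before the read, and if the reserved uint32 named in the last comment is consumed later it needs the same 4-byte check. kex_agree_methods starts in the previous hunk and continues past the end of this one.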
+-- 
+2.1.4
+
diff -Nru libssh2-1.4.3/debian/patches/series libssh2-1.4.3/debian/patches/series
--- libssh2-1.4.3/debian/patches/series	2014-09-03 15:52:17.000000000 +0200
+++ libssh2-1.4.3/debian/patches/series	2015-03-11 12:13:08.000000000 +0100
@@ -1,3 +1,4 @@
 0001-Add-lgpg-error-to-.pc-to-facilitate-static-linking.patch
 0001-Do-not-expose-private-libraries-nor-link-flags-to-us.patch
 0002-Fix-typos-in-manpages.patch
+0003-CVE-2015-1782.patch

--- End Message ---
--- Begin Message ---
... and closing since it was already unblocked by Niels Thykier!

--- End Message ---
