
Bug#808890: jessie-pu: package libssh/0.6.3-4



Oops... had trouble with reportbug and the patch I asked to be attached
wasn't sent.  Attaching.

Thanks
   -- Chris

-- 
Chris Knadle
Chris.Knadle@coredump.us
diff -Nru libssh-0.6.3/debian/changelog libssh-0.6.3/debian/changelog
--- libssh-0.6.3/debian/changelog	2015-01-26 18:28:06.000000000 -0500
+++ libssh-0.6.3/debian/changelog	2015-12-04 09:53:48.000000000 -0500
@@ -1,3 +1,14 @@
+libssh (0.6.3-4+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches:
+    - Add 0002_CVE-2015-3146.patch
+      Fix "null pointer dereference due to a logical error in the handling
+      of a SSH_MSG_NEWKEYS and KEXDH_REPLY packets"
+      (Closes: #784404, CVE-2015-3146)
+
+ -- Christopher Knadle <Chris.Knadle@coredump.us>  Mon, 23 Nov 2015 08:43:19 -0500
+
 libssh (0.6.3-4) unstable; urgency=medium
 
   * Add debian/patches/0001_CVE-2014-8132.patch: Fixup error path in
diff -Nru libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch
--- libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch	1969-12-31 19:00:00.000000000 -0500
+++ libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch	2015-12-04 09:53:32.000000000 -0500
@@ -0,0 +1,129 @@
+From 94f6955fbaee6fda9385a23e505497efe21f5b4f Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris@0xbadc0de.be>
+Date: Wed, 15 Apr 2015 16:08:37 +0200
+Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers
+
+The state validation in the packet handlers for SSH_MSG_NEWKEYS and
+SSH_MSG_KEXDH_REPLY had a bug which did not raise an error.
+
+The issue has been found and reported by Mariusz Ziule.
+
+Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe)
+---
+ src/packet_cb.c | 16 ++++++++++------
+ src/server.c    |  8 +++++---
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/src/packet_cb.c b/src/packet_cb.c
+index a10dd1a..e6c613f 100644
+--- a/src/packet_cb.c
++++ b/src/packet_cb.c
+@@ -94,7 +94,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){
+   (void)type;
+   (void)user;
+   SSH_LOG(SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY");
+-  if(session->session_state!= SSH_SESSION_STATE_DH &&
++  if (session->session_state != SSH_SESSION_STATE_DH ||
+ 		session->dh_handshake_state != DH_STATE_INIT_SENT){
+ 	ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d",
+ 			session->session_state,session->dh_handshake_state);
+@@ -135,12 +135,16 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
+   (void)user;
+   (void)type;
+   SSH_LOG(SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS");
+-  if(session->session_state!= SSH_SESSION_STATE_DH &&
+-		session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){
+-	ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d",
+-			session->session_state,session->dh_handshake_state);
+-	goto error;
++
++  if (session->session_state != SSH_SESSION_STATE_DH ||
++      session->dh_handshake_state != DH_STATE_NEWKEYS_SENT) {
++      ssh_set_error(session,
++                    SSH_FATAL,
++                    "ssh_packet_newkeys called in wrong state : %d:%d",
++                    session->session_state,session->dh_handshake_state);
++      goto error;
+   }
++
+   if(session->server){
+     /* server things are done in server.c */
+     session->dh_handshake_state=DH_STATE_FINISHED;
+diff --git a/src/server.c b/src/server.c
+index 35281ca..1637cce 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -165,7 +165,7 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){
+ }
+ 
+ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
+-  int rc;
++  int rc = SSH_ERROR;
+   (void)type;
+   (void)user;
+ 
+@@ -193,9 +193,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
+         ssh_set_error(session,SSH_FATAL,"Wrong kex type in ssh_packet_kexdh_init");
+         rc = SSH_ERROR;
+   }
+-  if (rc == SSH_ERROR)
++
++error:
++  if (rc == SSH_ERROR) {
+       session->session_state = SSH_SESSION_STATE_ERROR;
+-  error:
++  }
+ 
+   return SSH_PACKET_USED;
+ }
+-- 
+2.3.5
+
+
+From e9d16bd3439205ce7e75017405b1ac6ed5ead062 Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris@0xbadc0de.be>
+Date: Wed, 15 Apr 2015 16:25:29 +0200
+Subject: [PATCH 2/2] buffers: Fix a possible null pointer dereference
+
+This is an addition to CVE-2015-3146 to fix the null pointer
+dereference. The patch is not required to fix the CVE but prevents
+issues in future.
+
+Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 309102547208281215e6799336b42d355cdd7c5d)
+---
+ src/buffer.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index ca12086..3bb6ec4 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -188,6 +188,10 @@ int buffer_reinit(struct ssh_buffer_struct *buffer) {
+ int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) {
+   buffer_verify(buffer);
+ 
++  if (data == NULL) {
++      return -1;
++  }
++
+   if (buffer->used + len < len) {
+     return -1;
+   }
+@@ -221,6 +225,10 @@ int buffer_add_ssh_string(struct ssh_buffer_struct *buffer,
+     struct ssh_string_struct *string) {
+   uint32_t len = 0;
+ 
++  if (string == NULL) {
++      return -1;
++  }
++
+   len = ssh_string_len(string);
+   if (buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) {
+     return -1;
+-- 
+2.3.5
+
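Review bot: The new patch file bundles two upstream commits, and its own description (the second commit's "not required to fix the CVE but prevents issues in future") says the buffer.c NULL checks are hardening rather than part of the CVE-2015-3146 fix, yet the changelog entry at the top of this debdiff describes the patch only as the CVE fix; for a stable update the release team will want the changelog to say so, e.g. `- Add 0002_CVE-2015-3146.patch (includes the follow-up NULL-check hardening in src/buffer.c from upstream 3091025...)`, or the second commit split into its own patch. The patch also lacks DEP-3 metadata beyond the git From/Subject lines; adding `Origin: upstream, https://git.libssh.org/projects/libssh.git/commit/?id=bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe` and `Bug-Debian: https://bugs.debian.org/784404` above the first `---` lets the upstream provenance be checked without reading the body. On the code itself, the state checks in ssh_packet_dh_reply and ssh_packet_newkeys now use `||` consistently, which is the actual fix; the `error:` labels those handlers jump to are outside the hunks, so whether they set the session into the error state cannot be confirmed from here.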
diff -Nru libssh-0.6.3/debian/patches/series libssh-0.6.3/debian/patches/series
--- libssh-0.6.3/debian/patches/series	2015-01-26 18:28:06.000000000 -0500
+++ libssh-0.6.3/debian/patches/series	2015-12-04 09:53:32.000000000 -0500
@@ -1,4 +1,5 @@
 0001_CVE-2014-8132.patch
+0002_CVE-2015-3146.patch
 1001_error-msg-typo-fix.patch
 1003-custom-lib-names.patch
 2002-fix-html-doc-generation.patch
