
Bug#808901: wheezy-pu: package libssh/0.5.4-1+deb7u1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Greetings.

I would like to update libssh in Wheezy via a sponsored NMU to fix
CVE-2014-8132 and CVE-2015-3146 (the identifiers used in the attached
changelog and patch headers), which are non-DSA security bugs and so need to
be fixed via stable-proposed-updates.  I updated libssh in Sid via a
sponsored NMU for these in Nov 2015.

The patches used to fix this came from upstream at:

   https://www.libssh.org/security/patches/

Thanks.

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us
diff -Nru libssh-0.5.4/debian/changelog libssh-0.5.4/debian/changelog
--- libssh-0.5.4/debian/changelog	2014-03-06 04:47:48.000000000 -0500
+++ libssh-0.5.4/debian/changelog	2015-12-04 09:31:06.000000000 -0500
@@ -1,3 +1,17 @@
+libssh (0.5.4-1+deb7u2) wheezy; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches:
+    - Add 0005-security-fix-for-vulnerability-CVE-2014-8132.patch
+      Fix "Double free on dangling pointers in initial key exchange packet"
+      (Closes: #773577, CVE-2014-8132)
+    - Add 0006-security-fix-for-vulnerability-CVE-2015-3146.patch
+      Fix "null pointer dereference due to a logical error in the handling of
+      a SSH_MSG_NEWKEYS and KEXDH_REPLY packets"
+      (Closes: #784404, CVE-2015-3146)
+
+ -- Christopher Knadle <Chris.Knadle@coredump.us>  Mon, 23 Nov 2015 04:08:05 -0500
+
 libssh (0.5.4-1+deb7u1) wheezy-security; urgency=high
 
   * debian/patches/0004-security-fix-for-vulnerability-CVE-2014-0017.patch:
diff -Nru libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch
--- libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch	1969-12-31 19:00:00.000000000 -0500
+++ libssh-0.5.4/debian/patches/0005-security-fix-for-vulnerability-CVE-2014-8132.patch	2015-11-23 08:55:39.000000000 -0500
@@ -0,0 +1,46 @@
+From f2e14e00ff0afdb7e45a595dc4c5f9e50d413b4d Mon Sep 17 00:00:00 2001
+From: Jon Simons <jon@jonsimons.org>
+Date: Sat, 18 Oct 2014 23:23:26 -0700
+Subject: [PATCH] CVE-2014-8132: Fixup error path in ssh_packet_kexinit()
+
+Before this change, dangling pointers can be unintentionally left in the
+respective next_crypto kex methods slots.  Ensure to set all slots to
+NULL in the error-out path.
+
+Signed-off-by: Jon Simons <jon@jonsimons.org>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+
+(cherry picked from commit 2ced24ddd67a261dc364ad4d8958c068c1671ae7)
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/kex.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index dedf286..db35183 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -286,7 +286,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
+   for (i = 0; i < 10; i++) {
+     str = buffer_get_ssh_string(packet);
+     if (str == NULL) {
+-      break;
++      goto error;
+     }
+ 
+     if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) {
+@@ -333,6 +333,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
+ error:
+   ssh_string_free(str);
+   for (i = 0; i < 10; i++) {
++    if (server_kex) {
++      session->server_kex.methods[i] = NULL;
++    } else {
++      session->client_kex.methods[i] = NULL;
++    }
+     SAFE_FREE(strings[i]);
+   }
+ 
+-- 
+2.2.0
+
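Review bot: The NULL-ing loop added to the `error:` path of ssh_packet_kexinit() (new side of the @@ -333 hunk) only works because the kex methods slots alias the `strings[]` entries freed on the very next line, and that ordering constraint is stated in the commit message rather than in the code; a one-line comment would keep a later backport from reordering or "simplifying" it, e.g. `/* methods[i] alias strings[i]: clear the slot before the free so a later kex teardown cannot double free */`. The `break` → `goto error` change for a short KEXINIT is what actually closes the hole, since a truncated name-list no longer falls through to the success path, but the hunk does not show whether the error path also moves the session to SSH_SESSION_STATE_ERROR in the 0.5.4 tree; the patch's hunk offsets and index hashes come from a newer branch, so that is worth confirming after quilt applies it. ssh_packet_kexinit() starts and ends outside the hunk.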
diff -Nru libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch
--- libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch	1969-12-31 19:00:00.000000000 -0500
+++ libssh-0.5.4/debian/patches/0006-security-fix-for-vulnerability-CVE-2015-3146.patch	2015-11-23 08:55:39.000000000 -0500
@@ -0,0 +1,98 @@
+From cadc76a8b450f4e2181009c8faa2c4dace9bcc2c Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris@0xbadc0de.be>
+Date: Wed, 15 Apr 2015 16:08:37 +0200
+Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers
+
+The state validation in the packet handlers for SSH_MSG_NEWKEYS and
+SSH_MSG_KEXDH_REPLY had a bug which did not raise an error.
+
+The issue has been found and reported by Mariusz Ziule.
+
+Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/client.c | 4 ++--
+ src/server.c | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/client.c b/src/client.c
+index 0e50497..6919e7a 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -186,7 +186,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){
+   (void)type;
+   (void)user;
+   ssh_log(session,SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY");
+-  if(session->session_state!= SSH_SESSION_STATE_DH &&
++  if(session->session_state!= SSH_SESSION_STATE_DH ||
+     		session->dh_handshake_state != DH_STATE_INIT_SENT){
+     	ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d",
+     			session->session_state,session->dh_handshake_state);
+@@ -246,7 +246,7 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
+   (void)user;
+   (void)type;
+   ssh_log(session, SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS");
+-  if(session->session_state!= SSH_SESSION_STATE_DH &&
++  if (session->session_state != SSH_SESSION_STATE_DH ||
+   		session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){
+   	ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d",
+   			session->session_state,session->dh_handshake_state);
+diff --git a/src/server.c b/src/server.c
+index 9a611c1..c07dd8a 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -133,6 +133,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
+   ssh_log(session,SSH_LOG_PACKET,"Received SSH_MSG_KEXDH_INIT");
+   if(session->dh_handshake_state != DH_STATE_INIT){
+     ssh_log(session,SSH_LOG_RARE,"Invalid state for SSH_MSG_KEXDH_INIT");
++    session->session_state=SSH_SESSION_STATE_ERROR;
+     goto error;
+   }
+   e = buffer_get_ssh_string(packet);
+-- 
+2.3.5
+
+
+From ac683699201a3233b3659baa5f22c96ddab83cd4 Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <aris@0xbadc0de.be>
+Date: Wed, 15 Apr 2015 16:25:29 +0200
+Subject: [PATCH 2/2] buffers: Fix a possible null pointer dereference
+
+This is an addition to CVE-2015-3146 to fix the null pointer
+dereference. The patch is not required to fix the CVE but prevents
+issues in future.
+
+Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 59b316623ee723a5b6d4c980d0617bbaff4094c6)
+---
+ src/buffer.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index aef7e44..9808399 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -188,6 +188,9 @@ int buffer_reinit(struct ssh_buffer_struct *buffer) {
+ int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) {
+   buffer_verify(buffer);
+ 
++  if (data == NULL){
++      return -1;
++  }
+   if (buffer->used + len < len)
+     return -1;
+ 
+@@ -220,6 +223,9 @@ int buffer_add_ssh_string(struct ssh_buffer_struct *buffer,
+     struct ssh_string_struct *string) {
+   uint32_t len = 0;
+ 
++  if (string == NULL){
++      return -1;
++  }
+   len = ssh_string_len(string);
+   if (buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) {
+     return -1;
+-- 
+2.3.5
+
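Review bot: In server.c the rejected-state path now explicitly sets `session->session_state=SSH_SESSION_STATE_ERROR;` before `goto error`, but the matching client.c hunks for ssh_packet_dh_reply() and ssh_packet_newkeys() end right after ssh_set_error(), so it is not visible here whether their error path does the same; if it does not, an out-of-order KEXDH_REPLY or NEWKEYS would be reported as fatal while the session kept processing packets, which is the condition the CVE is about. The corrected `||` conditions deserve a comment so nobody reverts them to `&&` again, e.g. `/* both the session state and the DH sub-state must match; either one being wrong is a protocol violation */`. Note that buffer_add_data() now returns -1 for `data == NULL` even when `len == 0`, so a caller that appended an empty run through a NULL pointer would newly fail — presumably none does in 0.5.4, but the backport should be checked against its callers. All three handlers and buffer_add_data() start and end outside their hunks.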
diff -Nru libssh-0.5.4/debian/patches/series libssh-0.5.4/debian/patches/series
--- libssh-0.5.4/debian/patches/series	2014-03-06 04:47:48.000000000 -0500
+++ libssh-0.5.4/debian/patches/series	2015-11-23 08:55:39.000000000 -0500
@@ -2,3 +2,5 @@
 0002-fix-html-doc-generation.patch
 0003-fix-typo.patch
 0004-security-fix-for-vulnerability-CVE-2014-0017.patch
+0005-security-fix-for-vulnerability-CVE-2014-8132.patch
+0006-security-fix-for-vulnerability-CVE-2015-3146.patch
