
Bug#858470: unblock: putty/0.67-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

putty 0.67-3 fixes CVE-2017-6542, an attacker-controlled heap overwrite in the parsing of forwarded SSH agent messages (see the changelog entry and the attached patch); please unblock it.

diff -Nru putty-0.67/debian/.git-dpm putty-0.67/debian/.git-dpm
--- putty-0.67/debian/.git-dpm	2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/.git-dpm	2017-03-22 14:41:51.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-5890a91668730e9ee7852d4b3b7480ef66cc0f04
-5890a91668730e9ee7852d4b3b7480ef66cc0f04
+5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e
+5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e
 79cb9b7c6d681b706933a6bfa7948c43e12da294
 79cb9b7c6d681b706933a6bfa7948c43e12da294
 putty_0.67.orig.tar.gz
diff -Nru putty-0.67/debian/changelog putty-0.67/debian/changelog
--- putty-0.67/debian/changelog	2016-03-18 22:32:34.000000000 +0000
+++ putty-0.67/debian/changelog	2017-03-22 14:42:13.000000000 +0000
@@ -1,3 +1,10 @@
+putty (0.67-3) unstable; urgency=high
+
+  * CVE-2017-6542: Sanity-check message length fields in CHAN_AGENT input
+    (thanks, Simon Tatham; closes: #857642).
+
+ -- Colin Watson <cjwatson@debian.org>  Wed, 22 Mar 2017 14:42:13 +0000
+
 putty (0.67-2) unstable; urgency=medium
 
   * Backport from upstream:
diff -Nru putty-0.67/debian/patches/pipe-buf.patch putty-0.67/debian/patches/pipe-buf.patch
--- putty-0.67/debian/patches/pipe-buf.patch	2016-03-18 22:31:09.000000000 +0000
+++ putty-0.67/debian/patches/pipe-buf.patch	2017-03-22 14:41:48.000000000 +0000
@@ -19,7 +19,7 @@
  1 file changed, 3 insertions(+)
 
 diff --git a/unix/uxshare.c b/unix/uxshare.c
-index 3da52de..4beb4a8 100644
+index 3da52def..4beb4a83 100644
 --- a/unix/uxshare.c
 +++ b/unix/uxshare.c
 @@ -23,6 +23,9 @@
diff -Nru putty-0.67/debian/patches/puttygen-batch-passphrase.patch putty-0.67/debian/patches/puttygen-batch-passphrase.patch
--- putty-0.67/debian/patches/puttygen-batch-passphrase.patch	2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/patches/puttygen-batch-passphrase.patch	2017-03-22 14:41:48.000000000 +0000
@@ -36,7 +36,7 @@
  2 files changed, 114 insertions(+), 55 deletions(-)
 
 diff --git a/cmdgen.c b/cmdgen.c
-index c15c01d..424ff95 100644
+index c15c01dd..424ff95d 100644
 --- a/cmdgen.c
 +++ b/cmdgen.c
 @@ -10,6 +10,8 @@
@@ -301,7 +301,7 @@
  
      if (ssh1key)
 diff --git a/doc/man-pg.but b/doc/man-pg.but
-index 51173e2..d381c0e 100644
+index 51173e22..d381c0ed 100644
 --- a/doc/man-pg.but
 +++ b/doc/man-pg.but
 @@ -64,6 +64,13 @@ generate SSH-1 keys).
diff -Nru putty-0.67/debian/patches/series putty-0.67/debian/patches/series
--- putty-0.67/debian/patches/series	2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/patches/series	2017-03-22 14:41:48.000000000 +0000
@@ -1,2 +1,3 @@
 pipe-buf.patch
 puttygen-batch-passphrase.patch
+vuln-agent-fwd-overflow.patch
diff -Nru putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch
--- putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch	2017-03-22 14:41:51.000000000 +0000
@@ -0,0 +1,88 @@
+From 5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e Mon Sep 17 00:00:00 2001
+From: Simon Tatham <anakin@pobox.com>
+Date: Tue, 21 Mar 2017 11:55:50 +0000
+Subject: Sanity-check message length fields in CHAN_AGENT input.
+
+Fixes 'vuln-agent-fwd-overflow': a hostile agent-forwarding client
+sending a length such as 0xFFFFFFFD can cause c->u.a.totallen to end
+up less than c->u.a.lensofar, leading to an attacker-controlled heap
+overwrite when those two values are subtracted and used as a bound for
+the amount of data to memcpy into the buffer.
+
+Of course the mitigating factor is that if there is any such thing as
+a 'hostile agent-forwarding client' in your world then you're likely
+to _already_ be in fairly serious trouble - they can make free use of
+all the keys stored in your agent, and would surely prefer to do that
+than tip their hand by crashing your SSH client.
+
+This is just the sort of thing I should have spotted in one of my past
+general tightening-up passes such as commit 896bb7c74, but apparently
+didn't :-(
+
+Bug-Debian: https://bugs.debian.org/857642
+Last-Update: 2017-03-22
+
+Patch-Name: vuln-agent-fwd-overflow.patch
+---
+ ssh.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/ssh.c b/ssh.c
+index e1e94d78..9b28e95d 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -5606,6 +5606,27 @@ static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
+ 		if (c->u.a.lensofar == 4) {
+ 		    c->u.a.totallen =
+ 			4 + GET_32BIT(c->u.a.msglen);
++		    if (c->u.a.totallen < 4 || c->u.a.totallen > 0x10000) {
++			/* If we received an out-of-range message length -
++			 * either so large as to cause c->u.a.totallen to
++			 * suffer unsigned integer overflow, or just too large
++			 * to be a sensible amount of memory to malloc or to
++			 * be a plausible agent message - we send an
++			 * SSH_AGENT_FAILURE message, then send EOF, and
++			 * immediately turn the channel into a CHAN_ZOMBIE to
++			 * avoid continuing to try to parse the bogus
++			 * message. */
++			char failure_msg[5];
++			PUT_32BIT(failure_msg, 1);
++			failure_msg[4] = SSH_AGENT_FAILURE;
++			sshfwd_write(c, failure_msg, sizeof(failure_msg));
++			sshfwd_write_eof(c);
++			sfree(c->u.a.message);
++			c->type = CHAN_ZOMBIE;
++			logevent("Agent-forwarding connection closed due to "
++				 "receiving bogus agent message length");
++			return;
++		    }
+ 		    c->u.a.message = snewn(c->u.a.totallen,
+ 					   unsigned char);
+ 		    memcpy(c->u.a.message, c->u.a.msglen, 4);
+@@ -7559,6 +7580,26 @@ static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
+ 		if (c->u.a.lensofar == 4) {
+ 		    c->u.a.totallen =
+ 			4 + GET_32BIT(c->u.a.msglen);
++		    if (c->u.a.totallen < 4 || c->u.a.totallen > 0x10000) {
++			/* If we received an out-of-range message length -
++			 * either so large as to cause c->u.a.totallen to
++			 * suffer unsigned integer overflow, or just too large
++			 * to be a sensible amount of memory to malloc or to
++			 * be a plausible agent message - we send an
++			 * SSH_AGENT_FAILURE message, then send EOF, and
++			 * immediately turn the channel into a CHAN_ZOMBIE to
++			 * avoid continuing to try to parse the bogus
++			 * message. */
++			char failure_msg[5];
++			PUT_32BIT(failure_msg, 1);
++			failure_msg[4] = SSH_AGENT_FAILURE;
++			sshfwd_write(c, failure_msg, sizeof(failure_msg));
++			sfree(c->u.a.message);
++			logevent("Agent-forwarding connection closed due to "
++				 "receiving bogus agent message length");
++			sshfwd_unclean_close(c, "message ignored");
++			return;
++		    }
+ 		    c->u.a.message = snewn(c->u.a.totallen,
+ 					   unsigned char);
+ 		    memcpy(c->u.a.message, c->u.a.msglen, 4);
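Review bot: The upper bound `0x10000` on `c->u.a.totallen` is a bare magic number repeated verbatim in the SSH-1 and SSH-2 hunks, so the two limits can silently drift apart; lift it into a single named constant such as `#define AGENT_MAX_MSGLEN 0x10000 /* largest forwarded agent message we will buffer */` and use it in both comparisons. The lower bound `< 4` only detects the wrap-around described in the commit message if `totallen` is an unsigned type, which the hunk does not show; a one-line comment at the check stating that assumption would make the guard self-explanatory. After `sfree(c->u.a.message)` neither path resets the pointer (`c->u.a.message = NULL;`), which leaves a dangling pointer inside the zombie/closed channel should any later teardown free or inspect it — I cannot tell from the hunk whether such a path exists. Both enclosing functions, `ssh1_msg_channel_data` and `ssh2_msg_channel_data`, start and end outside the hunk.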

unblock putty/0.67-3

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

