
Bug#858470: marked as done (unblock: putty/0.67-3)



Your message dated Wed, 22 Mar 2017 20:29:00 +0000
with message-id <a9dae9f7-8717-7aea-a79c-2b2d7533b5b1@thykier.net>
and subject line Re: Bug#858470: unblock: putty/0.67-3
has caused the Debian Bug report #858470,
regarding unblock: putty/0.67-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
858470: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858470
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

putty 0.67-3 fixes a vulnerability; please unblock it.

diff -Nru putty-0.67/debian/.git-dpm putty-0.67/debian/.git-dpm
--- putty-0.67/debian/.git-dpm	2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/.git-dpm	2017-03-22 14:41:51.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-5890a91668730e9ee7852d4b3b7480ef66cc0f04
-5890a91668730e9ee7852d4b3b7480ef66cc0f04
+5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e
+5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e
 79cb9b7c6d681b706933a6bfa7948c43e12da294
 79cb9b7c6d681b706933a6bfa7948c43e12da294
 putty_0.67.orig.tar.gz
diff -Nru putty-0.67/debian/changelog putty-0.67/debian/changelog
--- putty-0.67/debian/changelog	2016-03-18 22:32:34.000000000 +0000
+++ putty-0.67/debian/changelog	2017-03-22 14:42:13.000000000 +0000
@@ -1,3 +1,10 @@
+putty (0.67-3) unstable; urgency=high
+
+  * CVE-2017-6542: Sanity-check message length fields in CHAN_AGENT input
+    (thanks, Simon Tatham; closes: #857642).
+
+ -- Colin Watson <cjwatson@debian.org>  Wed, 22 Mar 2017 14:42:13 +0000
+
 putty (0.67-2) unstable; urgency=medium
 
   * Backport from upstream:
diff -Nru putty-0.67/debian/patches/pipe-buf.patch putty-0.67/debian/patches/pipe-buf.patch
--- putty-0.67/debian/patches/pipe-buf.patch	2016-03-18 22:31:09.000000000 +0000
+++ putty-0.67/debian/patches/pipe-buf.patch	2017-03-22 14:41:48.000000000 +0000
@@ -19,7 +19,7 @@
  1 file changed, 3 insertions(+)
 
 diff --git a/unix/uxshare.c b/unix/uxshare.c
-index 3da52de..4beb4a8 100644
+index 3da52def..4beb4a83 100644
 --- a/unix/uxshare.c
 +++ b/unix/uxshare.c
 @@ -23,6 +23,9 @@
diff -Nru putty-0.67/debian/patches/puttygen-batch-passphrase.patch putty-0.67/debian/patches/puttygen-batch-passphrase.patch
--- putty-0.67/debian/patches/puttygen-batch-passphrase.patch	2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/patches/puttygen-batch-passphrase.patch	2017-03-22 14:41:48.000000000 +0000
@@ -36,7 +36,7 @@
  2 files changed, 114 insertions(+), 55 deletions(-)
 
 diff --git a/cmdgen.c b/cmdgen.c
-index c15c01d..424ff95 100644
+index c15c01dd..424ff95d 100644
 --- a/cmdgen.c
 +++ b/cmdgen.c
 @@ -10,6 +10,8 @@
@@ -301,7 +301,7 @@
  
      if (ssh1key)
 diff --git a/doc/man-pg.but b/doc/man-pg.but
-index 51173e2..d381c0e 100644
+index 51173e22..d381c0ed 100644
 --- a/doc/man-pg.but
 +++ b/doc/man-pg.but
 @@ -64,6 +64,13 @@ generate SSH-1 keys).
diff -Nru putty-0.67/debian/patches/series putty-0.67/debian/patches/series
--- putty-0.67/debian/patches/series	2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/patches/series	2017-03-22 14:41:48.000000000 +0000
@@ -1,2 +1,3 @@
 pipe-buf.patch
 puttygen-batch-passphrase.patch
+vuln-agent-fwd-overflow.patch
diff -Nru putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch
--- putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch	2017-03-22 14:41:51.000000000 +0000
@@ -0,0 +1,88 @@
+From 5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e Mon Sep 17 00:00:00 2001
+From: Simon Tatham <anakin@pobox.com>
+Date: Tue, 21 Mar 2017 11:55:50 +0000
+Subject: Sanity-check message length fields in CHAN_AGENT input.
+
+Fixes 'vuln-agent-fwd-overflow': a hostile agent-forwarding client
+sending a length such as 0xFFFFFFFD can cause c->u.a.totallen to end
+up less than c->u.a.lensofar, leading to an attacker-controlled heap
+overwrite when those two values are subtracted and used as a bound for
+the amount of data to memcpy into the buffer.
+
+Of course the mitigating factor is that if there is any such thing as
+a 'hostile agent-forwarding client' in your world then you're likely
+to _already_ be in fairly serious trouble - they can make free use of
+all the keys stored in your agent, and would surely prefer to do that
+than tip their hand by crashing your SSH client.
+
+This is just the sort of thing I should have spotted in one of my past
+general tightening-up passes such as commit 896bb7c74, but apparently
+didn't :-(
+
+Bug-Debian: https://bugs.debian.org/857642
+Last-Update: 2017-03-22
+
+Patch-Name: vuln-agent-fwd-overflow.patch
+---
+ ssh.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/ssh.c b/ssh.c
+index e1e94d78..9b28e95d 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -5606,6 +5606,27 @@ static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
+ 		if (c->u.a.lensofar == 4) {
+ 		    c->u.a.totallen =
+ 			4 + GET_32BIT(c->u.a.msglen);
++		    if (c->u.a.totallen < 4 || c->u.a.totallen > 0x10000) {
++			/* If we received an out-of-range message length -
++			 * either so large as to cause c->u.a.totallen to
++			 * suffer unsigned integer overflow, or just too large
++			 * to be a sensible amount of memory to malloc or to
++			 * be a plausible agent message - we send an
++			 * SSH_AGENT_FAILURE message, then send EOF, and
++			 * immediately turn the channel into a CHAN_ZOMBIE to
++			 * avoid continuing to try to parse the bogus
++			 * message. */
++			char failure_msg[5];
++			PUT_32BIT(failure_msg, 1);
++			failure_msg[4] = SSH_AGENT_FAILURE;
++			sshfwd_write(c, failure_msg, sizeof(failure_msg));
++			sshfwd_write_eof(c);
++			sfree(c->u.a.message);
++			c->type = CHAN_ZOMBIE;
++			logevent("Agent-forwarding connection closed due to "
++				 "receiving bogus agent message length");
++			return;
++		    }
+ 		    c->u.a.message = snewn(c->u.a.totallen,
+ 					   unsigned char);
+ 		    memcpy(c->u.a.message, c->u.a.msglen, 4);
+@@ -7559,6 +7580,26 @@ static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
+ 		if (c->u.a.lensofar == 4) {
+ 		    c->u.a.totallen =
+ 			4 + GET_32BIT(c->u.a.msglen);
++		    if (c->u.a.totallen < 4 || c->u.a.totallen > 0x10000) {
++			/* If we received an out-of-range message length -
++			 * either so large as to cause c->u.a.totallen to
++			 * suffer unsigned integer overflow, or just too large
++			 * to be a sensible amount of memory to malloc or to
++			 * be a plausible agent message - we send an
++			 * SSH_AGENT_FAILURE message, then send EOF, and
++			 * immediately turn the channel into a CHAN_ZOMBIE to
++			 * avoid continuing to try to parse the bogus
++			 * message. */
++			char failure_msg[5];
++			PUT_32BIT(failure_msg, 1);
++			failure_msg[4] = SSH_AGENT_FAILURE;
++			sshfwd_write(c, failure_msg, sizeof(failure_msg));
++			sfree(c->u.a.message);
++			logevent("Agent-forwarding connection closed due to "
++				 "receiving bogus agent message length");
++			sshfwd_unclean_close(c, "message ignored");
++			return;
++		    }
+ 		    c->u.a.message = snewn(c->u.a.totallen,
+ 					   unsigned char);
+ 		    memcpy(c->u.a.message, c->u.a.msglen, 4);
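Review bot: `sfree(c->u.a.message)` on the new error path leaves `c->u.a.message` dangling in both the SSH-1 and SSH-2 branches, because the fresh allocation only happens on the `snewn` line after the check, so at this point the pointer still holds whatever the previously completed message left behind. If the completion path after the message is handed to the agent does not reset it to NULL (that code is outside the hunk, so this is inferred), a later teardown of the zombie or closed channel that frees `u.a.message` would free it twice; I would write `sfree(c->u.a.message); c->u.a.message = NULL;` in both places and confirm the completion path does the same. The `0x10000` ceiling is duplicated verbatim in the two branches and is a good candidate for one named constant, e.g. `#define AGENT_MAX_MSGLEN 0x10000` (constructed name), with a comment noting that it also bounds the `snewn` allocation below it. Both enclosing functions, ssh1_msg_channel_data and ssh2_msg_channel_data, start and end outside the hunk.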

unblock putty/0.67-3

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
--- Begin Message ---
Colin Watson:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> putty 0.67-3 fixes a vulnerability; please unblock it.
> 
> [...]
> 
> unblock putty/0.67-3
> 
> Thanks,
> 

Unblocked, thanks.

~Niels

--- End Message ---
