Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
putty 0.67-3 fixes a vulnerability; please unblock it.
diff -Nru putty-0.67/debian/.git-dpm putty-0.67/debian/.git-dpm
--- putty-0.67/debian/.git-dpm 2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/.git-dpm 2017-03-22 14:41:51.000000000 +0000
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-5890a91668730e9ee7852d4b3b7480ef66cc0f04
-5890a91668730e9ee7852d4b3b7480ef66cc0f04
+5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e
+5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e
79cb9b7c6d681b706933a6bfa7948c43e12da294
79cb9b7c6d681b706933a6bfa7948c43e12da294
putty_0.67.orig.tar.gz
diff -Nru putty-0.67/debian/changelog putty-0.67/debian/changelog
--- putty-0.67/debian/changelog 2016-03-18 22:32:34.000000000 +0000
+++ putty-0.67/debian/changelog 2017-03-22 14:42:13.000000000 +0000
@@ -1,3 +1,10 @@
+putty (0.67-3) unstable; urgency=high
+
+ * CVE-2017-6542: Sanity-check message length fields in CHAN_AGENT input
+ (thanks, Simon Tatham; closes: #857642).
+
+ -- Colin Watson <cjwatson@debian.org> Wed, 22 Mar 2017 14:42:13 +0000
+
putty (0.67-2) unstable; urgency=medium
* Backport from upstream:
diff -Nru putty-0.67/debian/patches/pipe-buf.patch putty-0.67/debian/patches/pipe-buf.patch
--- putty-0.67/debian/patches/pipe-buf.patch 2016-03-18 22:31:09.000000000 +0000
+++ putty-0.67/debian/patches/pipe-buf.patch 2017-03-22 14:41:48.000000000 +0000
@@ -19,7 +19,7 @@
1 file changed, 3 insertions(+)
diff --git a/unix/uxshare.c b/unix/uxshare.c
-index 3da52de..4beb4a8 100644
+index 3da52def..4beb4a83 100644
--- a/unix/uxshare.c
+++ b/unix/uxshare.c
@@ -23,6 +23,9 @@
diff -Nru putty-0.67/debian/patches/puttygen-batch-passphrase.patch putty-0.67/debian/patches/puttygen-batch-passphrase.patch
--- putty-0.67/debian/patches/puttygen-batch-passphrase.patch 2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/patches/puttygen-batch-passphrase.patch 2017-03-22 14:41:48.000000000 +0000
@@ -36,7 +36,7 @@
2 files changed, 114 insertions(+), 55 deletions(-)
diff --git a/cmdgen.c b/cmdgen.c
-index c15c01d..424ff95 100644
+index c15c01dd..424ff95d 100644
--- a/cmdgen.c
+++ b/cmdgen.c
@@ -10,6 +10,8 @@
@@ -301,7 +301,7 @@
if (ssh1key)
diff --git a/doc/man-pg.but b/doc/man-pg.but
-index 51173e2..d381c0e 100644
+index 51173e22..d381c0ed 100644
--- a/doc/man-pg.but
+++ b/doc/man-pg.but
@@ -64,6 +64,13 @@ generate SSH-1 keys).
diff -Nru putty-0.67/debian/patches/series putty-0.67/debian/patches/series
--- putty-0.67/debian/patches/series 2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/patches/series 2017-03-22 14:41:48.000000000 +0000
@@ -1,2 +1,3 @@
pipe-buf.patch
puttygen-batch-passphrase.patch
+vuln-agent-fwd-overflow.patch
diff -Nru putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch
--- putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch 2017-03-22 14:41:51.000000000 +0000
@@ -0,0 +1,88 @@
+From 5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e Mon Sep 17 00:00:00 2001
+From: Simon Tatham <anakin@pobox.com>
+Date: Tue, 21 Mar 2017 11:55:50 +0000
+Subject: Sanity-check message length fields in CHAN_AGENT input.
+
+Fixes 'vuln-agent-fwd-overflow': a hostile agent-forwarding client
+sending a length such as 0xFFFFFFFD can cause c->u.a.totallen to end
+up less than c->u.a.lensofar, leading to an attacker-controlled heap
+overwrite when those two values are subtracted and used as a bound for
+the amount of data to memcpy into the buffer.
+
+Of course the mitigating factor is that if there is any such thing as
+a 'hostile agent-forwarding client' in your world then you're likely
+to _already_ be in fairly serious trouble - they can make free use of
+all the keys stored in your agent, and would surely prefer to do that
+than tip their hand by crashing your SSH client.
+
+This is just the sort of thing I should have spotted in one of my past
+general tightening-up passes such as commit 896bb7c74, but apparently
+didn't :-(
+
+Bug-Debian: https://bugs.debian.org/857642
+Last-Update: 2017-03-22
+
+Patch-Name: vuln-agent-fwd-overflow.patch
+---
+ ssh.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/ssh.c b/ssh.c
+index e1e94d78..9b28e95d 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -5606,6 +5606,27 @@ static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
+ if (c->u.a.lensofar == 4) {
+ c->u.a.totallen =
+ 4 + GET_32BIT(c->u.a.msglen);
++ if (c->u.a.totallen < 4 || c->u.a.totallen > 0x10000) {
++ /* If we received an out-of-range message length -
++ * either so large as to cause c->u.a.totallen to
++ * suffer unsigned integer overflow, or just too large
++ * to be a sensible amount of memory to malloc or to
++ * be a plausible agent message - we send an
++ * SSH_AGENT_FAILURE message, then send EOF, and
++ * immediately turn the channel into a CHAN_ZOMBIE to
++ * avoid continuing to try to parse the bogus
++ * message. */
++ char failure_msg[5];
++ PUT_32BIT(failure_msg, 1);
++ failure_msg[4] = SSH_AGENT_FAILURE;
++ sshfwd_write(c, failure_msg, sizeof(failure_msg));
++ sshfwd_write_eof(c);
++ sfree(c->u.a.message);
++ c->type = CHAN_ZOMBIE;
++ logevent("Agent-forwarding connection closed due to "
++ "receiving bogus agent message length");
++ return;
++ }
+ c->u.a.message = snewn(c->u.a.totallen,
+ unsigned char);
+ memcpy(c->u.a.message, c->u.a.msglen, 4);
+@@ -7559,6 +7580,26 @@ static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
+ if (c->u.a.lensofar == 4) {
+ c->u.a.totallen =
+ 4 + GET_32BIT(c->u.a.msglen);
++ if (c->u.a.totallen < 4 || c->u.a.totallen > 0x10000) {
++ /* If we received an out-of-range message length -
++ * either so large as to cause c->u.a.totallen to
++ * suffer unsigned integer overflow, or just too large
++ * to be a sensible amount of memory to malloc or to
++ * be a plausible agent message - we send an
++ * SSH_AGENT_FAILURE message, then send EOF, and
++ * immediately turn the channel into a CHAN_ZOMBIE to
++ * avoid continuing to try to parse the bogus
++ * message. */
++ char failure_msg[5];
++ PUT_32BIT(failure_msg, 1);
++ failure_msg[4] = SSH_AGENT_FAILURE;
++ sshfwd_write(c, failure_msg, sizeof(failure_msg));
++ sfree(c->u.a.message);
++ logevent("Agent-forwarding connection closed due to "
++ "receiving bogus agent message length");
++ sshfwd_unclean_close(c, "message ignored");
++ return;
++ }
+ c->u.a.message = snewn(c->u.a.totallen,
+ unsigned char);
+ memcpy(c->u.a.message, c->u.a.msglen, 4);
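Review bot: Both new early-return branches call `sfree(c->u.a.message)` and then leave `c->u.a.message` pointing at the freed buffer, in the ssh1 hunk just before `c->type = CHAN_ZOMBIE;` and in the ssh2 hunk just before the `logevent` call. Whether the zombie/close teardown later frees the CHAN_AGENT message buffer is not visible here, but adding `c->u.a.message = NULL;` directly after each `sfree` closes any double-free or use-after-free path at no cost. The cap `0x10000` appears as a bare magic number in both conditions; a named constant with a one-line comment explaining why 64 KiB is a plausible upper bound for an agent request would make the check self-documenting. The roughly twenty-line guard is otherwise duplicated nearly verbatim between the two functions, differing only in the close sequence (`sshfwd_write_eof` plus `CHAN_ZOMBIE` versus `sshfwd_unclean_close`), so a small static helper taking the channel and the close action would keep the validation in one place. Both enclosing functions, `ssh1_msg_channel_data` and `ssh2_msg_channel_data`, start and end outside the quoted hunks.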
unblock putty/0.67-3
Thanks,
--
Colin Watson [cjwatson@debian.org]