
Bug#917900: stretch-pu: package libssh/0.7.3-2+deb9u2



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

The update for libssh in DSA-4322-1 introduced a regression which
breaks server-side keyboard-interactive authentication. The issue was
reported by Martin Pitt in #913870.

As this is more of a special case, we want to avoid issuing another DSA
(regression update) for this specific issue, but as it was introduced
in a security update we should have a fix for it in an upcoming point
release.

For that I have cherry-picked the two needed patches and I have tested
the resulting packages with the reproducer case as provided by Martin
in the upstream issue https://bugs.libssh.org/T117.

Following the new allowed procedure, and as the changes were minimal
enough I have already uploaded the package, and attached is the
corresponding debdiff for further review.

Could you accept the changes for an upcoming point release?

Regards,
Salvatore

diff -Nru libssh-0.7.3/debian/changelog libssh-0.7.3/debian/changelog
--- libssh-0.7.3/debian/changelog	2018-10-16 21:18:05.000000000 +0200
+++ libssh-0.7.3/debian/changelog	2018-12-31 14:47:15.000000000 +0100
@@ -1,3 +1,11 @@
+libssh (0.7.3-2+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix broken server-side keyboard-interactive authentication.
+    Thanks to Martin Pitt (Closes: #913870)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 31 Dec 2018 14:47:15 +0100
+
 libssh (0.7.3-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
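Review bot: the new changelog entry at the top of this hunk says what is fixed but not where the regression came from; since the covering mail states it was introduced by the 0.7.3-2+deb9u1 security upload (DSA-4322-1), consider wording the entry as `* Fix broken server-side keyboard-interactive authentication, a regression introduced in 0.7.3-2+deb9u1 (DSA-4322-1).` so point-release readers can tie the fix to its cause without opening the bug log.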
diff -Nru libssh-0.7.3/debian/patches/0009-server-Set-correct-state-after-sending-INFO_REQUEST-.patch libssh-0.7.3/debian/patches/0009-server-Set-correct-state-after-sending-INFO_REQUEST-.patch
--- libssh-0.7.3/debian/patches/0009-server-Set-correct-state-after-sending-INFO_REQUEST-.patch	1970-01-01 01:00:00.000000000 +0100
+++ libssh-0.7.3/debian/patches/0009-server-Set-correct-state-after-sending-INFO_REQUEST-.patch	2018-12-31 14:47:15.000000000 +0100
@@ -0,0 +1,30 @@
+From: Meng Tan <mtan@wallix.com>
+Date: Wed, 17 Oct 2018 14:50:08 +0200
+Subject: server: Set correct state after sending INFO_REQUEST (Kbd
+ Interactive)
+Origin: https://git.libssh.org/projects/libssh.git/commit/?id=734e3ce6747a5ed120b93a1ff253b3fde5f20024
+Bug: https://bugs.libssh.org/T117
+Bug-Debian: https://bugs.debian.org/913870
+
+Signed-off-by: Meng Tan <mtan@wallix.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 4ea46eecce9f4e676150fe27fec34e1570b70ace)
+---
+ src/server.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/server.c b/src/server.c
+index a078e7afc7f1..b1f01a86842c 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -976,6 +976,7 @@ int ssh_message_auth_interactive_request(ssh_message msg, const char *name,
+     msg->session->kbdint->prompts = NULL;
+     msg->session->kbdint->echo = NULL;
+   }
++  msg->session->auth.state = SSH_AUTH_STATE_INFO;
+ 
+   return rc;
+ }
+-- 
+2.11.0
+
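Review bot: the single code line this cherry-pick adds, `+  msg->session->auth.state = SSH_AUTH_STATE_INFO;`, names a field that the following 0010 patch immediately rewrites to `auth_state`, so the tree does not compile with 0009 applied on its own; as both touch the same line of ssh_message_auth_interactive_request(), squashing them into one Debian patch, or at least stating the dependency in this DEP-3 header, would keep every intermediate point of the series buildable and make a later bisect or partial revert safer. The header itself is complete (Origin, Bug, Bug-Debian and the cherry-picked-from commit are all present).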
diff -Nru libssh-0.7.3/debian/patches/0010-server-Fix-compile-error.patch libssh-0.7.3/debian/patches/0010-server-Fix-compile-error.patch
--- libssh-0.7.3/debian/patches/0010-server-Fix-compile-error.patch	1970-01-01 01:00:00.000000000 +0100
+++ libssh-0.7.3/debian/patches/0010-server-Fix-compile-error.patch	2018-12-31 14:47:15.000000000 +0100
@@ -0,0 +1,26 @@
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 24 Oct 2018 19:57:17 +0200
+Subject: server: Fix compile error
+Origin: https://git.libssh.org/projects/libssh.git/commit/?id=7ad80ba1cc48f7af1f192692d100a6255d97b843
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/server.c b/src/server.c
+index b1f01a86842c..400b04a7e61b 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -976,7 +976,7 @@ int ssh_message_auth_interactive_request(ssh_message msg, const char *name,
+     msg->session->kbdint->prompts = NULL;
+     msg->session->kbdint->echo = NULL;
+   }
+-  msg->session->auth.state = SSH_AUTH_STATE_INFO;
++  msg->session->auth_state = SSH_AUTH_STATE_INFO;
+ 
+   return rc;
+ }
+-- 
+2.11.0
+
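Review bot: this patch's header lacks the Bug and Bug-Debian fields that 0009 carries, and its Subject `server: Fix compile error` does not say which change it repairs even though the hunk only turns `auth.state` into `auth_state` on the line 0009 introduced; add `Bug-Debian: https://bugs.debian.org/913870` and a sentence noting it is a follow-up to 0009 so the two travel together when the series is next refreshed. The rename also tells a reader that the first cherry-pick came from a branch whose session struct differs from 0.7.3's, which is worth recording for whoever backports the next upstream fix.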
diff -Nru libssh-0.7.3/debian/patches/series libssh-0.7.3/debian/patches/series
--- libssh-0.7.3/debian/patches/series	2018-10-16 21:18:05.000000000 +0200
+++ libssh-0.7.3/debian/patches/series	2018-12-31 14:47:15.000000000 +0100
@@ -6,6 +6,8 @@
 0006-CVE-2018-10933-Check-channel-state-when-OPEN_FAILURE.patch
 0007-CVE-2018-10933-Introduced-packet-filtering.patch
 0008-CVE-2018-10933-Add-tests-for-packet-filtering.patch
+0009-server-Set-correct-state-after-sending-INFO_REQUEST-.patch
+0010-server-Fix-compile-error.patch
 1001_error-msg-typo-fix.patch
 1003-custom-lib-names.patch
 2003-disable-expand_tilde_unix-test.patch
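Review bot: the two new entries sit correctly after the CVE-2018-10933 patches, but their relative order is load-bearing: 0010 only applies and compiles because it edits the line 0009 adds, so a quilt comment in series (or a note in the changelog) stating that 0009 must never be applied without 0010 would guard against a future reorder or partial revert silently breaking the build.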
