Bug#891854: stretch-pu: package openssh/1:7.4p1-10+deb9u3
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
I'd like to fix openssh CVE-2017-15906 in stretch. A debdiff follows.
It's somewhat difficult to test because you first have to reconfigure
the Subsystem line in /etc/ssh/sshd_config to add the -R option to
sftp-server, and then you have to construct a somewhat weird request,
but I managed to do it locally.
The security team said that they'd rather this go into a stable update
since it's not really urgent enough for a DSA, so would this be
possible?
diff -Nru openssh-7.4p1/debian/.git-dpm openssh-7.4p1/debian/.git-dpm
--- openssh-7.4p1/debian/.git-dpm 2017-11-18 09:35:43.000000000 +0000
+++ openssh-7.4p1/debian/.git-dpm 2018-03-01 12:36:07.000000000 +0000
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-39d60bbd309be74d337685c2da524233652513f4
-39d60bbd309be74d337685c2da524233652513f4
+8fdc9f49b3be477744bd5b2da3083121752d3422
+8fdc9f49b3be477744bd5b2da3083121752d3422
971a7653746a6972b907dfe0ce139c06e4a6f482
971a7653746a6972b907dfe0ce139c06e4a6f482
openssh_7.4p1.orig.tar.gz
diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog
--- openssh-7.4p1/debian/changelog 2017-11-18 09:37:22.000000000 +0000
+++ openssh-7.4p1/debian/changelog 2018-03-01 15:17:53.000000000 +0000
@@ -1,3 +1,11 @@
+openssh (1:7.4p1-10+deb9u3) stretch; urgency=medium
+
+ * CVE-2017-15906: sftp-server(8): In read-only mode, sftp-server was
+ incorrectly permitting creation of zero-length files. Reported by Michal
+ Zalewski.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 01 Mar 2018 15:17:53 +0000
+
openssh (1:7.4p1-10+deb9u2) stretch; urgency=medium
* Test configuration before starting or reloading sshd under systemd
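Review bot: the new changelog entry states the defect ("was incorrectly permitting creation of zero-length files") but not what the upload changes or who is affected. Consider wording it as the fix, for example that opens carrying create or truncate flags are now refused in read-only mode, and naming CVE-2017-15906.patch. Since the entry says the problem exists only "In read-only mode", it would also help administrators to say that only configurations running sftp-server with -R are affected.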
diff -Nru openssh-7.4p1/debian/patches/CVE-2017-15906.patch openssh-7.4p1/debian/patches/CVE-2017-15906.patch
--- openssh-7.4p1/debian/patches/CVE-2017-15906.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/CVE-2017-15906.patch 2018-03-01 12:36:07.000000000 +0000
@@ -0,0 +1,39 @@
+From 8fdc9f49b3be477744bd5b2da3083121752d3422 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 4 Apr 2017 00:24:56 +0000
+Subject: upstream commit
+
+disallow creation (of empty files) in read-only mode;
+reported by Michal Zalewski, feedback & ok deraadt@
+
+Upstream-ID: 5d9c8f2fa8511d4ecf95322994ffe73e9283899b
+
+Origin: https://anongit.mindrot.org/openssh.git/commit/?id=4d827f0d75a53d3952288ab882efbddea7ffadfe
+Last-Update: 2018-03-01
+
+Patch-Name: CVE-2017-15906.patch
+---
+ sftp-server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sftp-server.c b/sftp-server.c
+index 3619cdfc..df0fb506 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
+ /*
+ * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
+ *
+@@ -691,8 +691,8 @@ process_open(u_int32_t id)
+ logit("open \"%s\" flags %s mode 0%o",
+ name, string_from_portable(pflags), mode);
+ if (readonly &&
+- ((flags & O_ACCMODE) == O_WRONLY ||
+- (flags & O_ACCMODE) == O_RDWR)) {
++ ((flags & O_ACCMODE) != O_RDONLY ||
++ (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ verbose("Refusing open request in read-only mode");
+ status = SSH2_FX_PERMISSION_DENIED;
+ } else {
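Review bot: the diffstat shows only sftp-server.c changing ("1 file changed, 3 insertions(+), 3 deletions(-)"), so the new read-only condition in process_open ships without a regression test, and the cover text says the case is awkward to exercise by hand. A test that runs sftp-server with -R and checks that an open with a create flag is answered with SSH2_FX_PERMISSION_DENIED and leaves no file behind would protect the check in later backports. If that is too heavy for a stable update, recording the manual test steps in the patch header would still help. Separately, in the same hunk the request is logged with logit("open ...") before the check, while the refusal uses verbose("Refusing open request in read-only mode"). At the default log level a refused create attempt therefore looks like an ordinary open. That is worth raising upstream rather than changing in this backport.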
diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1/debian/patches/series 2017-11-18 09:35:43.000000000 +0000
+++ openssh-7.4p1/debian/patches/series 2018-03-01 12:36:07.000000000 +0000
@@ -37,3 +37,4 @@
fix-incoming-compression-statistics.patch
winscp-dhgex-compat.patch
dash-dash-before-hostname.patch
+CVE-2017-15906.patch
Thanks,
--
Colin Watson [cjwatson@debian.org]