Bug#959081: buster-pu: package libssh/0.8.7-1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
Please allow an upload to fix #956308 (CVE-2020-1730).
That upload should also probably end up in the coming point release.
changelog | 7 +++++++
patches/0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch | 32 ++++++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 40 insertions(+)
Kind regards,
Laurent Bigonville
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.5.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy
>From 75f81629de6636a82d0129ad86d9b41dd5d9b8da Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@debian.org>
Date: Wed, 29 Apr 2020 10:38:58 +0200
Subject: [PATCH] Fix possible DoS in client and server when handling AES-CTR
keys with OpenSSL, cherry-picked from upstream (Closes: #956308
CVE-2020-1730)
---
debian/changelog | 7 ++++
...ossible-segfault-when-zeroing-AES-CT.patch | 32 +++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 40 insertions(+)
create mode 100644 debian/patches/0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch
diff --git a/debian/changelog b/debian/changelog
index c4273f2f..8225fbd2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libssh (0.8.7-1+deb10u1) buster; urgency=medium
+
+ * Fix possible DoS in client and server when handling AES-CTR keys with
+ OpenSSL, cherry-picked from upstream (Closes: #956308 CVE-2020-1730)
+
+ -- Laurent Bigonville <bigon@debian.org> Tue, 28 Apr 2020 13:40:28 +0200
+
libssh (0.8.7-1) unstable; urgency=medium
* New upstream bug fix release 0.8.7.
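Review bot: In the new changelog entry the CVE identifier sits inside the Closes: parenthesis, "(Closes: #956308 CVE-2020-1730)", with nothing separating it from the bug number. Consider keeping the parenthesis to the bug reference alone and naming the CVE on its own, for example "... cherry-picked from upstream (CVE-2020-1730) (Closes: #956308)", so that the bug closer and the security identifier are each unambiguous to anyone scanning the point-release changelog.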
diff --git a/debian/patches/0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch b/debian/patches/0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch
new file mode 100644
index 00000000..cdbc51f5
--- /dev/null
+++ b/debian/patches/0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch
@@ -0,0 +1,32 @@
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Tue, 11 Feb 2020 11:52:33 +0100
+Subject: CVE-2020-1730: Fix a possible segfault when zeroing AES-CTR key
+
+Fixes T213
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+(cherry picked from commit b36272eac1b36982598c10de7af0a501582de07a)
+---
+ src/libcrypto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index 340a3e6..b3285e0 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -636,8 +636,12 @@ static void aes_ctr_encrypt(struct ssh_cipher_struct *cipher, void *in, void *ou
+ }
+
+ static void aes_ctr_cleanup(struct ssh_cipher_struct *cipher){
+- explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key));
+- SAFE_FREE(cipher->aes_key);
++ if (cipher != NULL) {
++ if (cipher->aes_key != NULL) {
++ explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key));
++ }
++ SAFE_FREE(cipher->aes_key);
++ }
+ }
+
+ #endif /* HAVE_OPENSSL_EVP_AES_CTR */
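Review bot: The header of the embedded patch says only "Fixes T213" and never states when cipher->aes_key can be NULL on entry to aes_ctr_cleanup, which is the condition the new "if (cipher->aes_key != NULL)" guard around explicit_bzero exists for. For a stable update, add one sentence to the patch description naming that condition, and consider DEP-3 style Origin and Bug-Debian fields next to the existing "(cherry picked from commit b36272eac1b36982598c10de7af0a501582de07a)" line, so the change can be traced to upstream and to #956308 from the patch file alone. In the code, the outer "if (cipher != NULL)" check is defensive only, and SAFE_FREE(cipher->aes_key) remains unconditional inside it, which matches the pre-patch behaviour of calling SAFE_FREE without a NULL test.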
diff --git a/debian/patches/series b/debian/patches/series
index 842c602c..db23779b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
+0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-AES-CT.patch
1003-custom-lib-names.patch
2003-disable-expand_tilde_unix-test.patch
--
2.26.2