
Bug#961379: marked as done (buster-pu: package libntlm/1.5-1+deb10u1)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #961379,
regarding buster-pu: package libntlm/1.5-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
961379: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961379
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I have prepared an NMU for buster release which fixes CVE-2019-17455.

Please let me know whether I can upload it.

Diff is attached.

Thanks,

Anton
diff -Nru libntlm-1.5/debian/changelog libntlm-1.5/debian/changelog
--- libntlm-1.5/debian/changelog	2018-08-24 22:03:11.000000000 +0200
+++ libntlm-1.5/debian/changelog	2020-05-23 21:18:56.000000000 +0200
@@ -1,3 +1,17 @@
+libntlm (1.5-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload
+  * Fix buffer overflow. CVE-2019-17455:
+      Libntlm through 1.5 relies on a fixed buffer size for
+      tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse
+      read and write operations, as demonstrated by a stack-based buffer
+      over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted
+      NTLM request.
+      Closes: #942145
+  * Add regression test for CVE-2019-17455
+
+ -- Anton Gladky <gladk@debian.org>  Sat, 23 May 2020 21:18:56 +0200
+
 libntlm (1.5-1) unstable; urgency=low
 
   * New upstream version.
diff -Nru libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch
--- libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch	1970-01-01 01:00:00.000000000 +0100
+++ libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch	2020-05-23 21:12:10.000000000 +0200
@@ -0,0 +1,85 @@
+From b967886873fcf19f816b9c0868465f2d9e5df85e Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Sun, 19 Apr 2020 09:30:05 +0200
+Subject: [PATCH] Fix buffer overflow.  Patch from Cedric Buissart based on
+ report by Kirin.  CVE-2019-17455
+
+<https://gitlab.com/jas/libntlm/-/issues/2>
+---
+ ntlm.h    |  8 +++++---
+ smbutil.c | 13 ++++++++-----
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+Index: libntlm-1.5/ntlm.h
+===================================================================
+--- libntlm-1.5.orig/ntlm.h
++++ libntlm-1.5/ntlm.h
+@@ -36,6 +36,8 @@ extern "C"
+ 
+ #define NTLM_VERSION "1.5"
+ 
++#define MSG_BUFSIZE 1024
++
+ /*
+  * These structures are byte-order dependant, and should not
+  * be manipulated except by the use of the routines provided
+@@ -55,7 +57,7 @@ extern "C"
+     uint32 flags;
+     tSmbStrHeader user;
+     tSmbStrHeader domain;
+-    uint8 buffer[1024];
++    uint8 buffer[MSG_BUFSIZE];
+     uint32 bufIndex;
+   } tSmbNtlmAuthRequest;
+ 
+@@ -68,7 +70,7 @@ extern "C"
+     uint8 challengeData[8];
+     uint8 reserved[8];
+     tSmbStrHeader emptyString;
+-    uint8 buffer[1024];
++    uint8 buffer[MSG_BUFSIZE];
+     uint32 bufIndex;
+   } tSmbNtlmAuthChallenge;
+ 
+@@ -84,7 +86,7 @@ extern "C"
+     tSmbStrHeader uWks;
+     tSmbStrHeader sessionKey;
+     uint32 flags;
+-    uint8 buffer[1024];
++    uint8 buffer[MSG_BUFSIZE];
+     uint32 bufIndex;
+   } tSmbNtlmAuthResponse;
+ 
+Index: libntlm-1.5/smbutil.c
+===================================================================
+--- libntlm-1.5.orig/smbutil.c
++++ libntlm-1.5/smbutil.c
+@@ -46,9 +46,9 @@ char versionString[] = PACKAGE_STRING;
+ 
+ /*
+  * Must be multiple of two
+- * We use a statis buffer of 1024 bytes for message
++ * We use a statis buffer of MSG_BUFSIZE [1024] bytes for message
+  * At maximun we but 48 bytes (ntlm responses) and 3 unicode strings so
+- * NTLM_BUFSIZE * 3 + 48 <= 1024
++ * NTLM_BUFSIZE * 3 + 48 <= MSG_BUFSIZE
+  */
+ #define NTLM_BUFSIZE 320
+ 
+@@ -70,10 +70,13 @@ char versionString[] = PACKAGE_STRING;
+  */
+ #define AddBytes(ptr, header, buf, count) \
+ { \
+-  ptr->header.len = ptr->header.maxlen = UI16LE(count); \
++  size_t count2 = count; \
++  if (count2  > MSG_BUFSIZE - ptr->bufIndex)  \
++    count2 = MSG_BUFSIZE - ptr->bufIndex; \
++  ptr->header.len = ptr->header.maxlen = UI16LE(count2); \
+   ptr->header.offset = UI32LE((ptr->buffer - ((uint8*)ptr)) + ptr->bufIndex); \
+-  memcpy(ptr->buffer+ptr->bufIndex, buf, count); \
+-  ptr->bufIndex += count; \
++  memcpy(ptr->buffer+ptr->bufIndex, buf, count2); \
++  ptr->bufIndex += count2; \
+ }
+ 
+ #define AddString(ptr, header, string) \
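Review bot: The clamp added to AddBytes computes the remaining room as `MSG_BUFSIZE - ptr->bufIndex` in unsigned arithmetic (bufIndex is declared `uint32` in the ntlm.h part of this patch), so if bufIndex were ever already above MSG_BUFSIZE the subtraction would wrap and any count would pass through; inside the macro the invariant bufIndex ≤ MSG_BUFSIZE holds once it is established, and presumably bufIndex starts at 0, but an explicit guard makes that independent of the caller: `size_t avail = ptr->bufIndex < MSG_BUFSIZE ? MSG_BUFSIZE - ptr->bufIndex : 0;` followed by `if (count2 > avail) count2 = avail;`. The fix also truncates silently — the caller still receives a well-formed message whose user or domain string has been shortened — and the comment block above the macro should say so, e.g. `/* Data that does not fit in the remaining MSG_BUFSIZE bytes is silently dropped. */`. The new local `count2` lives in a plain `{ }` block, so an invocation whose count expression itself mentions a variable called `count2` would pick up the macro's own; a less generic name such as `ntlm_add_len_` avoids that. The rewritten comment on the buffer size also keeps the typo `statis` (static), which could be fixed while the line is being touched.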
diff -Nru libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch
--- libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch	1970-01-01 01:00:00.000000000 +0100
+++ libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch	2020-05-23 21:05:29.000000000 +0200
@@ -0,0 +1,90 @@
+From aa975994cf9cf39c33ce33a1b2988277c456dec1 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Sun, 19 Apr 2020 09:44:17 +0200
+Subject: [PATCH] Add regression check for CVE-2019-17455 overflow.
+
+---
+ Makefile.am           |  2 +-
+ test_CVE-2019-17455.c | 61 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 62 insertions(+), 1 deletion(-)
+ create mode 100644 test_CVE-2019-17455.c
+
+Index: libntlm-1.5/Makefile.am
+===================================================================
+--- libntlm-1.5.orig/Makefile.am
++++ libntlm-1.5/Makefile.am
+@@ -45,7 +45,7 @@ libntlm_la_LIBADD = libntlm_impl.la gl/l
+ 
+ # test
+ 
+-TESTS = test_ntlm
++TESTS = test_ntlm test_CVE-2019-17455
+ check_PROGRAMS = $(TESTS)
+ LDADD = libntlm_impl.la gl/libgnu.la
+ CLEANFILES = test.out
+Index: libntlm-1.5/test_CVE-2019-17455.c
+===================================================================
+--- /dev/null
++++ libntlm-1.5/test_CVE-2019-17455.c
+@@ -0,0 +1,61 @@
++/* test_overflow.c --- Test for CVE-2019-17455 overflow bug for libntlm.
++ * Copyright (C) 2020 Simon Josefsson
++ *
++ * This file is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU Lesser General Public License as
++ * published by the Free Software Foundation; either version 2.1 of
++ * the License, or (at your option) any later version.
++ *
++ * This file is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this file; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
++ * 02110-1301, USA.
++ *
++ */
++
++#include <config.h>
++
++#include <string.h>
++#include <stdio.h>
++
++#include "ntlm.h"
++
++int
++main (void)
++{
++  char u[1024];
++  char d[1024];
++  char buf[sizeof (tSmbNtlmAuthRequest) + 5];
++  tSmbNtlmAuthRequest *request = (void*) &buf;
++  size_t i;
++
++  memset (u, '1', 1024);
++  memset (d, '2', 1024);
++  u[1023] = '\0';
++  d[1023] = '\0';
++
++  memset (buf, '3', sizeof (buf));
++
++  printf ("Before call:\n");
++  for (i = sizeof (tSmbNtlmAuthRequest) - 5; i < sizeof (buf); i++)
++    printf ("str[end + %d] = %02x\n",
++	    (int) (i - sizeof (tSmbNtlmAuthRequest)), (unsigned int) buf[i]);
++
++  buildSmbNtlmAuthRequest (request, u, d);
++
++  printf ("After call:\n");
++  for (i = sizeof (tSmbNtlmAuthRequest) - 5; i < sizeof (buf); i++)
++    printf ("str[end + %d] = %02x\n",
++	    (int) (i - sizeof (tSmbNtlmAuthRequest)), (unsigned int) buf[i]);
++
++  for (i = sizeof (tSmbNtlmAuthRequest); i < sizeof (buf); i++)
++    if (buf[i] != '3')
++      return 1;
++
++  return 0;
++}
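Review bot: `buf` is a plain `char` array cast to `tSmbNtlmAuthRequest *`, so the struct's `uint32` members are accessed through storage with no alignment guarantee, which is undefined behaviour and may fault on targets that enforce alignment; keeping the canary in a union preserves the layout and fixes the alignment: `union { tSmbNtlmAuthRequest r; char raw[sizeof (tSmbNtlmAuthRequest) + 5]; } buf;` with `tSmbNtlmAuthRequest *request = &buf.r;`, and the later `sizeof (buf)` and `buf[i]` uses become `sizeof (buf.raw)` and `buf.raw[i]`. The diagnostic printf hands `(unsigned int) buf[i]` to `%02x`; if `char` is signed, a byte above 0x7f prints as a sign-extended value, so casting through `unsigned char` first gives the intended two digits. The final loop only detects a write into the five trailing canary bytes, whereas the changelog names an over-read as well; a comment on that loop such as `/* Only verifies that the call did not write past the struct. */` would keep the test's coverage honest for the next reader. main is fully contained in this hunk.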
diff -Nru libntlm-1.5/debian/patches/series libntlm-1.5/debian/patches/series
--- libntlm-1.5/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libntlm-1.5/debian/patches/series	2020-05-10 16:15:12.000000000 +0200
@@ -0,0 +1,2 @@
+10_fix_buffer_overflow_CVE-CVE-2019-17455.patch
+20_test_CVE-2019-17455.patch
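Review bot: The first entry repeats the prefix — `10_fix_buffer_overflow_CVE-CVE-2019-17455.patch` — which looks like a typo for `10_fix_buffer_overflow_CVE-2019-17455.patch` and is inconsistent with the second entry's `20_test_CVE-2019-17455.patch` naming. Renaming the file under debian/patches together with this entry would keep the series readable and greppable by CVE id.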

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
