
Bug#85303: marked as done (Security bugfix)



Your message dated Thu, 11 Sep 2003 17:37:41 +0100
with message-id <20030911163740.GA16568@riva.ucam.org>
and subject line Fixed forever
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Feb 2001 22:45:46 +0000
>From joey@finlandia.infodrom.north.de Thu Feb 08 16:45:46 2001
Return-path: <joey@finlandia.infodrom.north.de>
Received: from kuolema.infodrom.north.de [::ffff:195.27.69.163] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 14Qzot-0000DR-00; Thu, 08 Feb 2001 16:45:45 -0600
Received: from finladia.infodrom.north.de (finlandia.Infodrom.North.DE [195.27.69.162])
	by kuolema.infodrom.north.de (Postfix) with ESMTP id AF22F4D73C
	for <submit@bugs.debian.org>; Thu,  8 Feb 2001 23:45:27 +0100 (CET)
Received: by finladia.infodrom.north.de (Postfix, from userid 501)
	id 9B5FD10960; Thu,  8 Feb 2001 23:45:12 +0100 (CET)
Date: Thu, 8 Feb 2001 23:45:12 +0100
From: Martin Schulze <joey@finlandia.infodrom.north.de>
To: submit@bugs.debian.org
Subject: Security bugfix
Message-ID: <20010208234512.A15483@finlandia.infodrom.north.de>
Reply-To: Martin Schulze <joey@infodrom.north.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.12i
Delivered-To: submit@bugs.debian.org

Package: openssh
Version: 1.2.3-9
Severity: critical

The following patch has been applied to the stable incarnation of
OpenSSH by the Security Team and should most probably also be applied
to the unstable branch.

Regards,

	Joey

This upload fixes:

 1. OpenSSH is vulnerable to a remote arbitrary memory overwrite
    attack which may lead to a root exploit.  No exploit program is
    known yet but expected soon.

 2. CORE-SDI described a problem with regard to RSA key exchange.


diff -u -Nur --exclude CVS orig/openssh-1.2.3/deattack.c openssh-1.2.3/deattack.c
--- orig/openssh-1.2.3/deattack.c	Wed Nov 24 14:26:22 1999
+++ openssh-1.2.3/deattack.c	Thu Feb  8 21:12:50 2001
@@ -84,7 +84,7 @@
 detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
 {
 	static u_int16_t *h = (u_int16_t *) NULL;
-	static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
 	register u_int32_t i, j;
 	u_int32_t l;
 	register unsigned char *c;
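Review bot: widening `n` from `u_int16_t` to `u_int32_t` is the whole fix in this hunk, but only the declaration is shown; `len`, `i`, `j` and `l` in the same function are all `u_int32_t`, so a 16-bit `n` was the one place where a value derived from the packet length could be truncated, and the unchanged body of `detect_attack()` should be checked for any other 16-bit temporary holding a `len`-derived value. A one-line comment on `n` stating why it must be 32 bits would keep the next reader from "optimising" it back.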
diff -u -Nur --exclude CVS orig/openssh-1.2.3/debian/changelog openssh-1.2.3/debian/changelog
--- orig/openssh-1.2.3/debian/changelog	Thu Feb  8 18:52:39 2001
+++ openssh-1.2.3/debian/changelog	Thu Feb  8 22:18:20 2001
@@ -1,3 +1,14 @@
+openssh (1:1.2.3-9.2) stable; urgency=high
+
+  * Non-maintainer upload by Security Team
+  * Added backported fix for a buffer overflow (thanks to Piotr
+    Roszatycki)
+  * Added modified build dependencies from unstable for convenience
+  * Added patch that fixes an rsa key exchange problem made public by CORE
+    SDI.
+
+ -- Martin Schulze <joey@debian.org>  Thu,  8 Feb 2001 22:15:04 +0100
+
 openssh (1:1.2.3-9.1) stable; urgency=high
 
   * Non-maintainer upload by security team; approved by maintainer
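Review bot: the entry "Added backported fix for a buffer overflow" does not say which code it touches; name the component (the `detect_attack()` change in `deattack.c` in this patch) so the package's security history stays traceable, and give the RSA entry the same treatment by pointing at `rsa_private_decrypt()` and its callers.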
diff -u -Nur --exclude CVS orig/openssh-1.2.3/debian/control openssh-1.2.3/debian/control
--- orig/openssh-1.2.3/debian/control	Thu Feb  8 18:52:40 2001
+++ openssh-1.2.3/debian/control	Thu Feb  8 20:24:59 2001
@@ -2,6 +2,7 @@
 Section: non-US/main
 Priority: optional
 Maintainer: Philip Hands <phil@hands.com>
+Build-Depends: libwrap-dev, zlib1g-dev, libssl09-dev, libpam0g-dev [!hurd-i386], libgnome-dev, groff, debhelper
 Standards-Version: 3.0.1
 
 Package: ssh
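Review bot: the new `Build-Depends` line is copied from unstable (per the changelog), so before this goes to stable confirm that each name, `libssl09-dev` and `libpam0g-dev` in particular, exists under that exact name in the stable archive on every architecture the `[!hurd-i386]` qualifier leaves in; a missing build dependency makes the stable autobuilders fail on a security update, which is the worst time to find out.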
diff -u -Nur --exclude CVS orig/openssh-1.2.3/rsa.c openssh-1.2.3/rsa.c
--- orig/openssh-1.2.3/rsa.c	Fri Mar 17 13:40:16 2000
+++ openssh-1.2.3/rsa.c	Thu Feb  8 21:23:59 2001
@@ -170,7 +170,7 @@
 	xfree(inbuf);
 }
 
-void
+int
 rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
 {
 	unsigned char *inbuf, *outbuf;
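Review bot: changing the return type from `void` to `int` needs the matching `rsa.h` prototype change in the same upload (it is in this patch), and the new contract should be written down in a comment on the definition: returns the number of plaintext bytes on success and `<= 0` on failure, with `out` not written on failure.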
@@ -184,15 +184,16 @@
 	BN_bn2bin(in, inbuf);
 
 	if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key,
-	    RSA_PKCS1_PADDING)) <= 0)
-		fatal("rsa_private_decrypt() failed");
-
-	BN_bin2bn(outbuf, len, out);
-
+	    RSA_PKCS1_PADDING)) <= 0) {
+		error("rsa_private_decrypt() failed");
+	} else {
+		BN_bin2bn(outbuf, len, out);
+	}
 	memset(outbuf, 0, olen);
 	memset(inbuf, 0, ilen);
 	xfree(outbuf);
 	xfree(inbuf);
+	return len;
 }
 
 /* Set whether to output verbose messages during key generation. */
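Review bot: on the failure branch `out` is never written, and since every caller in this patch passes the same `BIGNUM` as `in` and `out`, `out` still holds the ciphertext after a failed call; that is only safe while every caller honours the `<= 0` return, so say explicitly in a comment that `out` is unspecified on failure. Also note that replacing `fatal()` with `error()` means a failed decrypt now logs a line and continues; on the sshd.c path this is reached before authentication, so consider rate-limiting or demoting that message if an unauthenticated peer can trigger it repeatedly.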
diff -u -Nur --exclude CVS orig/openssh-1.2.3/rsa.h openssh-1.2.3/rsa.h
--- orig/openssh-1.2.3/rsa.h	Sat Jan 29 10:40:22 2000
+++ openssh-1.2.3/rsa.h	Thu Feb  8 21:23:59 2001
@@ -44,6 +44,6 @@
 int rsa_alive __P((void));
 
 void rsa_public_encrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
-void rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
+int rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
 
 #endif				/* RSA_H */
diff -u -Nur --exclude CVS orig/openssh-1.2.3/ssh-agent.c openssh-1.2.3/ssh-agent.c
--- orig/openssh-1.2.3/ssh-agent.c	Thu Feb  8 18:52:39 2001
+++ openssh-1.2.3/ssh-agent.c	Thu Feb  8 21:52:45 2001
@@ -116,7 +116,8 @@
 		    BN_cmp(pub_e, identities[i].key->e) == 0 &&
 		    BN_cmp(pub_n, identities[i].key->n) == 0) {
 			/* Decrypt the challenge using the private key. */
-			rsa_private_decrypt(challenge, challenge, identities[i].key);
+			if (rsa_private_decrypt(challenge, challenge, identities[i].key) <= 0)
+				goto failure;
 
 			/* Compute the desired response. */
 			switch (response_type) {
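Review bot: jumping to `failure` on a failed decrypt makes the agent answer a malformed challenge with the same `SSH_AGENT_FAILURE` it sends for an unknown identity, which is the right shape (the requester learns nothing beyond "no response"); the thing to keep in mind is that `challenge` is passed as both `in` and `out`, so after the jump it still holds the undecrypted value, which is harmless only because nothing after the label reads it.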
@@ -155,6 +156,7 @@
 
 			goto send;
 		}
+failure:
 	/* Unknown identity.  Send failure. */
 	buffer_put_char(&msg, SSH_AGENT_FAILURE);
 send:
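Review bot: the comment `/* Unknown identity.  Send failure. */` below the new `failure:` label is now inaccurate, since the label is also reached when the identity was found but `rsa_private_decrypt()` failed; update it to something like `/* Unknown identity or decrypt failure.  Send failure. */`.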
diff -u -Nur --exclude CVS orig/openssh-1.2.3/sshconnect.c openssh-1.2.3/sshconnect.c
--- orig/openssh-1.2.3/sshconnect.c	Fri Mar 17 13:40:18 2000
+++ openssh-1.2.3/sshconnect.c	Thu Feb  8 21:24:11 2001
@@ -418,14 +418,17 @@
 	int i, len;
 
 	/* Decrypt the challenge using the private key. */
-	rsa_private_decrypt(challenge, challenge, prv);
+	/* XXX think about Bleichenbacher, too */
+	if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
+		packet_disconnect(
+		    "respond_to_rsa_challenge: rsa_private_decrypt failed");
 
 	/* Compute the response. */
 	/* The response is MD5 of decrypted challenge plus session id. */
 	len = BN_num_bytes(challenge);
 	if (len <= 0 || len > sizeof(buf))
-		packet_disconnect("respond_to_rsa_challenge: bad challenge length %d",
-				  len);
+		packet_disconnect(
+		    "respond_to_rsa_challenge: bad challenge length %d", len);
 
 	memset(buf, 0, sizeof(buf));
 	BN_bn2bin(challenge, buf + sizeof(buf) - len);
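Review bot: disconnecting when `rsa_private_decrypt()` fails means the client's reaction to a challenge now depends on whether the padding was valid (a response versus a disconnect), which is exactly the distinction the `XXX think about Bleichenbacher, too` comment is pointing at; since the server chooses the challenge, the safer client-side behaviour is the one sshd.c takes further down in this patch, computing the response over a random value rather than disconnecting, and in any case the XXX should become a tracked follow-up rather than an inline comment. The reindented `packet_disconnect()` call below it is a pure style change and fine.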
diff -u -Nur --exclude CVS orig/openssh-1.2.3/sshd.c openssh-1.2.3/sshd.c
--- orig/openssh-1.2.3/sshd.c	Thu Feb  8 18:52:39 2001
+++ openssh-1.2.3/sshd.c	Thu Feb  8 21:45:30 2001
@@ -925,6 +925,7 @@
 {
 	int i, len;
 	int plen, slen;
+	int rsafail = 0;
 	BIGNUM *session_key_int;
 	unsigned char session_key[SSH_SESSION_KEY_LENGTH];
 	unsigned char cookie[8];
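Review bot: `rsafail` is declared here, but `rand`, which the last hunk of this file assigns from `arc4random()`, is not declared in any hunk; unless it already exists as a local further down the declaration block, `rand` resolves to the libc function and the assignment will not compile, so declare it here (e.g. `u_int32_t rnd;`) and pick a name that does not shadow `rand(3)`.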
@@ -1036,7 +1037,7 @@
 	 * with larger modulus first).
 	 */
 	if (BN_cmp(sensitive_data.private_key->n, sensitive_data.host_key->n) > 0) {
-		/* Private key has bigger modulus. */
+		/* Server key has bigger modulus. */
 		if (BN_num_bits(sensitive_data.private_key->n) <
 		    BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {
 			fatal("do_connection: %s: private_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
@@ -1045,10 +1046,12 @@
 			      BN_num_bits(sensitive_data.host_key->n),
 			      SSH_KEY_BITS_RESERVED);
 		}
-		rsa_private_decrypt(session_key_int, session_key_int,
-				    sensitive_data.private_key);
-		rsa_private_decrypt(session_key_int, session_key_int,
-				    sensitive_data.host_key);
+		if (rsa_private_decrypt(session_key_int, session_key_int,
+					sensitive_data.private_key) <= 0)
+		    rsafail++;
+		if (rsa_private_decrypt(session_key_int, session_key_int,
+					sensitive_data.host_key) <= 0)
+		    rsafail++;
 	} else {
 		/* Host key has bigger modulus (or they are equal). */
 		if (BN_num_bits(sensitive_data.host_key->n) <
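Review bot: still running the second `rsa_private_decrypt()` after the first one has failed is correct, since the peer should not be able to tell from the elapsed time which layer of the double encryption failed, but that intent is not visible in the code; add a comment saying both decryptions are performed on purpose, and fix the `rsafail++;` lines, which are indented with four spaces where the file uses tabs.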
@@ -1059,10 +1062,12 @@
 			      BN_num_bits(sensitive_data.private_key->n),
 			      SSH_KEY_BITS_RESERVED);
 		}
-		rsa_private_decrypt(session_key_int, session_key_int,
-				    sensitive_data.host_key);
-		rsa_private_decrypt(session_key_int, session_key_int,
-				    sensitive_data.private_key);
+		if (rsa_private_decrypt(session_key_int, session_key_int,
+					sensitive_data.host_key) <= 0)
+		    rsafail++;
+		if (rsa_private_decrypt(session_key_int, session_key_int,
+					sensitive_data.private_key) <= 0)
+		    rsafail++;
 	}
 
 	compute_session_id(session_id, cookie,
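Review bot: this branch duplicates the previous hunk with the key order swapped; hoisting the two `if (rsa_private_decrypt(...) <= 0) rsafail++;` pairs into a small helper that takes the two keys in order would keep the always-run-both-decryptions behaviour in one place, and the `rsafail++;` lines here have the same space-instead-of-tab indentation.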
@@ -1079,14 +1084,27 @@
 	 * least significant 256 bits of the integer; the first byte of the
 	 * key is in the highest bits.
 	 */
-	BN_mask_bits(session_key_int, sizeof(session_key) * 8);
-	len = BN_num_bytes(session_key_int);
-	if (len < 0 || len > sizeof(session_key))
-		fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d",
-		      get_remote_ipaddr(),
-		      len, sizeof(session_key));
-	memset(session_key, 0, sizeof(session_key));
-	BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len);
+	if (!rsafail) {
+	    BN_mask_bits(session_key_int, sizeof(session_key) * 8);
+	    len = BN_num_bytes(session_key_int);
+	    if (len < 0 || len > sizeof(session_key)) {
+		error("do_connection: bad session key len from %s: session_key_int %d > sizeof(session_key) %d",
+		      get_remote_ipaddr(), len, sizeof(session_key));
+		rsafail++;
+	    } else {
+		memset(session_key, 0, sizeof(session_key));
+		BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len);
+	    }
+	}
+	if (rsafail) {
+	    log("do_connection: generating a fake encryption key");
+	    for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
+		if (i % 4 == 0)
+		  rand = arc4random();
+		session_key[i] = rand & 0xff;
+		rand >>= 8;
+	    }
+	}
 
 	/* Destroy the decrypted integer.  It is no longer needed. */
 	BN_clear_free(session_key_int);
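Review bot: the `log()` call on the fake-key path omits the peer address, whereas the `error()` just above it includes `get_remote_ipaddr()`; an operator triaging a burst of these needs the address, so use `log("do_connection: generating a fake encryption key for %s", get_remote_ipaddr())`. The fake key itself is sound: `arc4random()` is refilled every four bytes and consumed one byte at a time, so every byte of `session_key` is random and the connection goes on to fail at the usual place instead of aborting in `fatal()`, which is what removes the behaviour a peer could distinguish. One remaining difference is that the fake path skips the `BN_mask_bits`/`BN_bn2bin` work, a small timing delta worth equalising in a later revision.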

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.

---------------------------------------
Received: (at 85303-done) by bugs.debian.org; 11 Sep 2003 16:39:58 +0000
>From cjwatson@flatline.org.uk Thu Sep 11 11:37:44 2003
Return-path: <cjwatson@flatline.org.uk>
Received: from zinc.btinternet.com [194.73.73.148] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19xURy-0004gm-00; Thu, 11 Sep 2003 11:37:42 -0500
Received: from host81-129-36-235.in-addr.btopenworld.com ([81.129.36.235] helo=riva.lab.dotat.at)
	by zinc.btinternet.com with esmtp (Exim 3.22 #23)
	id 19xURx-0002uz-00
	for 85303-done@bugs.debian.org; Thu, 11 Sep 2003 17:37:41 +0100
Received: from cjwatson by riva.lab.dotat.at with local (Exim 3.35 #1 (Debian))
	for 85303-done@bugs.debian.org
	id 19xURx-0004JJ-00; Thu, 11 Sep 2003 17:37:41 +0100
Date: Thu, 11 Sep 2003 17:37:41 +0100
From: Colin Watson <cjwatson@debian.org>
To: 85303-done@bugs.debian.org
Subject: Fixed forever
Message-ID: <20030911163740.GA16568@riva.ucam.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Delivered-To: 85303-done@bugs.debian.org
X-Spam-Status: No, hits=-1.0 required=4.0
	tests=BAYES_30
	version=2.53-bugs.debian.org_2003_8_27
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_8_27 (1.174.2.15-2003-03-30-exp)

This bug ("Security bugfix") reported against openssh 1.2.3-9 has been
fixed for years now. I'm closing it out properly.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



Reply to: