
Bug#606922: marked as done (openssh: cve-2010-4478 jpake issue)



Your message dated Thu, 16 Dec 2010 16:47:27 +0000
with message-id <20101216164727.GR12396@riva.ucam.org>
and subject line Re: Bug#606922: jpake not enabled in sid
has caused the Debian Bug report #606922,
regarding openssh: cve-2010-4478 jpake issue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
606922: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606922
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh
Version: 1:5.5p1-5
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openssh.

CVE-2010-4478[0]:
| OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly
| validate the public parameters in the J-PAKE protocol, which allows
| remote attackers to bypass the need for knowledge of the shared
| secret, and successfully authenticate, by sending crafted values in
| each round of the protocol, a related issue to CVE-2010-4252.

It does look like jpake is built for openssh.  I've checked the version
in squeeze and it has the vulnerable code.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4478
    http://security-tracker.debian.org/tracker/CVE-2010-4478



--- End Message ---
--- Begin Message ---
On Thu, Dec 16, 2010 at 11:18:09AM +0100, Arne Wichmann wrote:
> It does not look like jpake is enabled in sid:

That's correct.  It's disabled upstream and we haven't enabled it.  I
have no intention of enabling it until upstream say it's OK to do so
(which will probably consist of enabling it by default).

Here's the upstream commit message:

   - djm@cvs.openbsd.org 2010/09/20 04:50:53
     [jpake.c schnorr.c]
     check that received values are smaller than the group size in the
     disabled and unfinished J-PAKE code.
     avoids catastrophic security failure found by Sebastien Martini

Michael, thanks for the heads-up, but I don't see any need to spend time
backporting this.  Anyone who goes in, enables this against the advice
of upstream, and deploys it on a publicly-visible system deserves what
they get!  If you're going to use experimental authentication modes,
then you at least need to use current CVS HEAD.

I'm closing this bug, and I recommend the security team mark it as "no
fix needed".

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]


--- End Message ---
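The upstream fix quoted in the reply above comes down to one rule: refuse any received value that is not a legitimate element of the group before doing arithmetic with it. The following Python sketch is an added illustration, not OpenSSH's or the Debian package's code. It uses a constructed toy Schnorr group (p = 23, q = 11, g = 2, far too small for real use) and shows a Schnorr proof verifier that validates every received element first: the size bound the commit message describes, plus the standard range and subgroup-membership checks, which are added here as common practice rather than taken from the page. All function names and parameters are hypothetical.

```python
import hashlib
import secrets

# Constructed toy Schnorr-group parameters (far too small for real use):
# p = 23 is prime, q = 11 divides p - 1, and g = 2 generates the order-q subgroup.
P, Q, G = 23, 11, 2


def validate_group_element(x: int, p: int = P, q: int = Q) -> bool:
    """Return True only if x is a legitimate element of the order-q subgroup.

    The upstream commit's check (received value smaller than the group size)
    is the first condition.  Rejecting the trivial elements 0, 1 and p-1 and
    requiring x^q == 1 (mod p) are standard extra guards for Schnorr-style
    protocols; they are added in this example, not quoted from the page.
    """
    if not (1 < x < p - 1):
        return False
    return pow(x, q, p) == 1


def _challenge(*parts: int) -> int:
    """Fiat-Shamir challenge: hash the transcript and reduce mod q."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part.to_bytes(4, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def schnorr_prove(x: int) -> tuple[int, int, int]:
    """Prove knowledge of x for y = g^x mod p.  Returns (y, r, s)."""
    y = pow(G, x, P)
    v = secrets.randbelow(Q - 1) + 1          # ephemeral nonce, 1 <= v <= q-1
    r = pow(G, v, P)                          # commitment
    c = _challenge(G, r, y)
    s = (v - c * x) % Q                       # response
    return y, r, s


def schnorr_verify(y: int, r: int, s: int) -> bool:
    """Verify (y, r, s), refusing to exponentiate with unvalidated inputs."""
    if not (validate_group_element(y) and validate_group_element(r)):
        return False
    if not (0 <= s < Q):
        return False
    c = _challenge(G, r, y)
    # g^s * y^c == g^(v - c*x) * g^(c*x) == g^v == r for an honest prover
    return (pow(G, s, P) * pow(y, c, P)) % P == r


if __name__ == "__main__":
    y, r, s = schnorr_prove(5)
    print("honest proof verifies:", schnorr_verify(y, r, s))
    print("out-of-range element rejected:", not schnorr_verify(0, r, s))
```

The order of the checks is the point: a verifier that only compares `g^s * y^c` against `r` accepts any degenerate values that happen to satisfy the equation, whereas validating the range and subgroup membership of `y` and `r` first means malformed inputs never reach the arithmetic at all.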
