Bug#657445: your mail
On Wed, Feb 08, 2012 at 06:44:26PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote:
> > Looks like this:
> >
> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
>
> Colin, can you fix this for the 6.0.5 point release?
Yes - sorry for the delay, real life intervened fairly heavily. Do the
signed packages at master:~cjwatson/openssh/ meet your requirements? A
debdiff follows.
diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
--- openssh-5.5p1/debian/changelog 2011-07-28 17:44:13.000000000 +0100
+++ openssh-5.5p1/debian/changelog 2012-02-20 02:26:35.000000000 +0000
@@ -1,3 +1,11 @@
+openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high
+
+ * CVE-2012-0814: Don't send the actual forced command in a debug message,
+ which allowed remote authenticated users to obtain potentially sensitive
+ information by reading these messages (closes: #657445).
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 20 Feb 2012 02:23:55 +0000
+
openssh (1:5.5p1-6+squeeze1) stable; urgency=low
* Quieten logs when multiple from= restrictions are used in different
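Review bot: the changelog entry should state where the fix comes from, e.g. "backported from upstream (OpenBSD auth-options.c r1.53→r1.54)", since the patch's Origin header points at that exact commit and stable-security readers checking the entry against the upstream change want that reference without opening debian/patches.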
diff -Nru openssh-5.5p1/debian/patches/forced-command-debug-security.patch openssh-5.5p1/debian/patches/forced-command-debug-security.patch
--- openssh-5.5p1/debian/patches/forced-command-debug-security.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssh-5.5p1/debian/patches/forced-command-debug-security.patch 2012-02-20 02:18:45.000000000 +0000
@@ -0,0 +1,19 @@
+Description: Don't send the actual forced command in a debug message
+Origin: upstream, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
+Forwarded: not-needed
+Last-Update: 2012-02-20
+
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -174,7 +174,7 @@
+ goto bad_option;
+ }
+ forced_command[i] = '\0';
+- auth_debug_add("Forced command: %.900s", forced_command);
++ auth_debug_add("Forced command.");
+ opts++;
+ goto next_option;
+ }
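Review bot: the DEP-3 header's `Description:` line omits CVE-2012-0814 even though the changelog names it; put the identifier in the patch too (e.g. `Description: CVE-2012-0814: Don't send the actual forced command in a debug message`) so the file is self-describing once it is separated from the changelog. The code change itself matches the referenced upstream diff: the replacement `auth_debug_add("Forced command.");` still tells the client that a forced command is in effect, but no longer transmits the command text that `%.900s` previously included (truncated to 900 bytes), which is exactly the information leak the bug describes.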
diff -Nru openssh-5.5p1/debian/patches/series openssh-5.5p1/debian/patches/series
--- openssh-5.5p1/debian/patches/series 2011-07-28 17:22:59.000000000 +0100
+++ openssh-5.5p1/debian/patches/series 2012-02-20 02:22:06.000000000 +0000
@@ -27,6 +27,9 @@
dnssec-sshfp.patch
auth-log-verbosity.patch
+# Security fixes
+forced-command-debug-security.patch
+
# Versioning
package-versioning.patch
debian-banner.patch
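Review bot: ordering looks right: the new `# Security fixes` entry sits after auth-log-verbosity.patch, so if that patch also touches auth-options.c (it implements the from= restriction logging change recorded in the squeeze1 changelog entry above), the security patch's `@@ -174,7 +174,7 @@` context is computed against the already-patched file; please confirm `quilt push -a` applies it cleanly without fuzz before upload. The blank line after the new section matches the existing separation before `# Versioning`.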
--
Colin Watson [cjwatson@debian.org]