
Bug#657445: your mail



On Wed, Feb 08, 2012 at 06:44:26PM +0100, Moritz Muehlenhoff wrote:
> On Thu, Jan 26, 2012 at 07:50:24PM -0500, Marc Deslauriers wrote:
> > Looks like this:
> > 
> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
> 
> Colin, can you fix this for the 6.0.5 point release?

Yes - sorry for the delay, real life intervened fairly heavily.  Do the
signed packages at master:~cjwatson/openssh/ meet your requirements?  A
debdiff follows.

diff -Nru openssh-5.5p1/debian/changelog openssh-5.5p1/debian/changelog
--- openssh-5.5p1/debian/changelog	2011-07-28 17:44:13.000000000 +0100
+++ openssh-5.5p1/debian/changelog	2012-02-20 02:26:35.000000000 +0000
@@ -1,3 +1,11 @@
+openssh (1:5.5p1-6+squeeze2) stable-security; urgency=high
+
+  * CVE-2012-0814: Don't send the actual forced command in a debug message,
+    which allowed remote authenticated users to obtain potentially sensitive
+    information by reading these messages (closes: #657445).
+
+ -- Colin Watson <cjwatson@debian.org>  Mon, 20 Feb 2012 02:23:55 +0000
+
 openssh (1:5.5p1-6+squeeze1) stable; urgency=low
 
   * Quieten logs when multiple from= restrictions are used in different
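Review bot: The changelog entry for 1:5.5p1-6+squeeze2 states the CVE, the bug number and the impact, but not where the fix comes from; since the patch header below records the upstream origin (OpenBSD auth-options.c r1.53 to r1.54), consider adding a short "backported from upstream" note here so readers of the changelog need not open the patch. The stable-security target and urgency=high are appropriate for a security upload.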
diff -Nru openssh-5.5p1/debian/patches/forced-command-debug-security.patch openssh-5.5p1/debian/patches/forced-command-debug-security.patch
--- openssh-5.5p1/debian/patches/forced-command-debug-security.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-5.5p1/debian/patches/forced-command-debug-security.patch	2012-02-20 02:18:45.000000000 +0000
@@ -0,0 +1,19 @@
+Description: Don't send the actual forced command in a debug message
+Origin: upstream, http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
+Forwarded: not-needed
+Last-Update: 2012-02-20
+
+Index: b/auth-options.c
+===================================================================
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -174,7 +174,7 @@
+ 				goto bad_option;
+ 			}
+ 			forced_command[i] = '\0';
+-			auth_debug_add("Forced command: %.900s", forced_command);
++			auth_debug_add("Forced command.");
+ 			opts++;
+ 			goto next_option;
+ 		}
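Review bot: The change is minimal and correct for the stated problem: the `auth_debug_add("Forced command: %.900s", forced_command)` line echoed the full forced command back to the authenticating client over the debug channel, and replacing it with the constant `"Forced command."` keeps the fact that a forced command applies without leaking its contents; `forced_command` itself is still populated and used as before. Worth confirming during review that no other `auth_debug_add` call in auth-options.c echoes option values the same way, since the hunk only covers this one call site. The DEP-3 header is complete (Origin, Bug-Debian, Forwarded: not-needed is right for an upstream backport).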
diff -Nru openssh-5.5p1/debian/patches/series openssh-5.5p1/debian/patches/series
--- openssh-5.5p1/debian/patches/series	2011-07-28 17:22:59.000000000 +0100
+++ openssh-5.5p1/debian/patches/series	2012-02-20 02:22:06.000000000 +0000
@@ -27,6 +27,9 @@
 dnssec-sshfp.patch
 auth-log-verbosity.patch
 
+# Security fixes
+forced-command-debug-security.patch
+
 # Versioning
 package-versioning.patch
 debian-banner.patch
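Review bot: The new `# Security fixes` section is added after `auth-log-verbosity.patch`, which also touches authentication logging; since quilt applies the series in order, confirm that `forced-command-debug-security.patch` still applies cleanly on top of it (the hunk context `goto bad_option; ... opts++; goto next_option;` must match after the earlier patches). Placing security backports in their own section before the Debian-specific versioning patches is a sensible convention to keep.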

-- 
Colin Watson                                       [cjwatson@debian.org]