Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hello,

I've uploaded libssh 0.6.3-4 that contains a security fix for #773577
(CVE-2014-8132).

Please unblock package libssh

unblock libssh/0.6.3-4

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.18.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libssh-0.6.3/debian/changelog libssh-0.6.3/debian/changelog
--- libssh-0.6.3/debian/changelog	2014-08-30 17:31:23.000000000 +0200
+++ libssh-0.6.3/debian/changelog	2015-01-27 00:28:06.000000000 +0100
@@ -1,3 +1,10 @@
+libssh (0.6.3-4) unstable; urgency=medium
+
+  * Add debian/patches/0001_CVE-2014-8132.patch: Fixup error path in
+    ssh_packet_kexinit() (Closes: #773577, CVE-2014-8132)
+
+ -- Laurent Bigonville <bi...@debian.org>  Tue, 27 Jan 2015 00:28:01 +0100
+
 libssh (0.6.3-3) unstable; urgency=low
 
   [ Sebastian Ramacher ]
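Review bot: the new 0.6.3-4 entry is tagged urgency=medium although its only change is the CVE-2014-8132 fix. If the intent is for the fix to migrate as quickly as possible, urgency=high is the usual choice for a security-only upload. The entry would also be easier to audit if it named the upstream commit the patch was taken from, which currently appears only inside the patch file.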
diff -Nru libssh-0.6.3/debian/patches/0001_CVE-2014-8132.patch libssh-0.6.3/debian/patches/0001_CVE-2014-8132.patch
--- libssh-0.6.3/debian/patches/0001_CVE-2014-8132.patch	1970-01-01 01:00:00.000000000 +0100
+++ libssh-0.6.3/debian/patches/0001_CVE-2014-8132.patch	2015-01-27 00:28:06.000000000 +0100
@@ -0,0 +1,39 @@
+commit 87ae95eb3c2f35d3e8e00eca43d0711ab2737ef5
+Author: Jon Simons <j...@jonsimons.org>
+Date:   Sat Oct 18 23:23:26 2014 -0700
+
+    CVE-2014-8132: Fixup error path in ssh_packet_kexinit()
+    
+    Before this change, dangling pointers can be unintentionally left in the
+    respective next_crypto kex methods slots.  Ensure to set all slots to
+    NULL in the error-out path.
+    
+    Signed-off-by: Jon Simons <j...@jonsimons.org>
+    Reviewed-by: Andreas Schneider <a...@cryptomilk.org>
+    (cherry picked from commit 2ced24ddd67a261dc364ad4d8958c068c1671ae7)
+
+diff --git a/src/kex.c b/src/kex.c
+index 563c6a5..fab6bad 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -315,7 +315,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
+   for (i = 0; i < KEX_METHODS_SIZE; i++) {
+     str = buffer_get_ssh_string(packet);
+     if (str == NULL) {
+-      break;
++      goto error;
+     }
+ 
+     if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) {
+@@ -350,6 +350,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
+ error:
+   ssh_string_free(str);
+   for (i = 0; i < SSH_KEX_METHODS; i++) {
++    if (server_kex) {
++        session->next_crypto->client_kex.methods[i] = NULL;
++    } else { /* client */
++        session->next_crypto->server_kex.methods[i] = NULL;
++    }
+     SAFE_FREE(strings[i]);
+   }
+ 
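Review bot: in the error: block, the added lines set client_kex.methods[i] or server_kex.methods[i] to NULL without freeing them, and the only free in the loop is SAFE_FREE(strings[i]). That is correct only if every non-NULL slot at that point holds the same pointer as strings[i], so it is worth confirming against the unshown middle of the function that no slot can hold an allocation that strings[] does not also track, otherwise the clear turns a dangling pointer into a leak. Two smaller checks on the same block: the cleanup loop runs to SSH_KEX_METHODS while the parsing loop above runs to KEX_METHODS_SIZE, so both arrays need to be at least SSH_KEX_METHODS long; and the new goto error on str == NULL now reaches ssh_string_free(str) with a NULL argument, which relies on that function accepting NULL. On the packaging side, the patch is a raw git show dump, and an Origin or Bug-Debian header in the DEP-3 style would make its provenance clearer to later maintainers.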
diff -Nru libssh-0.6.3/debian/patches/series libssh-0.6.3/debian/patches/series
--- libssh-0.6.3/debian/patches/series	2014-08-30 17:31:23.000000000 +0200
+++ libssh-0.6.3/debian/patches/series	2015-01-27 00:28:06.000000000 +0100
@@ -1,3 +1,4 @@
+0001_CVE-2014-8132.patch
 1001_error-msg-typo-fix.patch
 1003-custom-lib-names.patch
 2002-fix-html-doc-generation.patch
