Control: tags 780249 + pending

Hi Mikhail,

I've prepared an NMU for libssh2 (versioned as 1.4.3-4.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

This is the part that addresses #780249/CVE-2015-1782 for sid and jessie.

Regards,
Salvatore
diff -Nru libssh2-1.4.3/debian/changelog libssh2-1.4.3/debian/changelog
--- libssh2-1.4.3/debian/changelog	2014-09-03 15:52:17.000000000 +0200
+++ libssh2-1.4.3/debian/changelog	2015-03-11 12:13:08.000000000 +0100
@@ -1,3 +1,11 @@
+libssh2 (1.4.3-4.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Add 0003-CVE-2015-1782.patch.
+    CVE-2015-1782: Using SSH_MSG_KEXINIT data unbounded. (Closes: #780249)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 11 Mar 2015 12:08:30 +0100
+
 libssh2 (1.4.3-4) unstable; urgency=low
 
   * Update description to mention SFTPv5 support
diff -Nru libssh2-1.4.3/debian/patches/0003-CVE-2015-1782.patch libssh2-1.4.3/debian/patches/0003-CVE-2015-1782.patch
--- libssh2-1.4.3/debian/patches/0003-CVE-2015-1782.patch	1970-01-01 01:00:00.000000000 +0100
+++ libssh2-1.4.3/debian/patches/0003-CVE-2015-1782.patch	2015-03-11 12:13:08.000000000 +0100
@@ -0,0 +1,111 @@
+From c7f66cca285033da9b8c9de8eceff52d7b3c3ef3 Mon Sep 17 00:00:00 2001
+From: Mariusz Ziulek <m...@owasp.org>
+Date: Sat, 21 Feb 2015 23:31:36 +0100
+Subject: [PATCH] kex: bail out on rubbish in the incoming packet
+
+---
+ src/kex.c | 73 +++++++++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 41 insertions(+), 32 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index fa4c4e1..ad7498a 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -1547,10 +1547,34 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
+ 
+ /* TODO: When in server mode we need to turn this logic on its head
+  * The Client gets to make the final call on "agreed methods"
+  */
+ 
++/*
++ * kex_string_pair() extracts a string from the packet and makes sure it fits
++ * within the given packet.
++ */
++static int kex_string_pair(unsigned char **sp,   /* parsing position */
++                           unsigned char *data,  /* start pointer to packet */
++                           size_t data_len,      /* size of total packet */
++                           size_t *lenp,         /* length of the string */
++                           unsigned char **strp) /* pointer to string start */
++{
++    unsigned char *s = *sp;
++    *lenp = _libssh2_ntohu32(s);
++
++    /* the length of the string must fit within the current pointer and the
++       end of the packet */
++    if (*lenp > (data_len - (s - data) -4))
++        return 1;
++    *strp = s + 4;
++    s += 4 + *lenp;
++
++    *sp = s;
++    return 0;
++}
++
+ /* kex_agree_methods
+  * Decide which specific method to use of the methods offered by each party
+  */
+ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+                              unsigned data_len)
+@@ -1566,42 +1590,27 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+     /* Skip cookie, don't worry, it's preserved in the kexinit field */
+     s += 16;
+ 
+     /* Locate each string */
+-    kex_len = _libssh2_ntohu32(s);
+-    kex = s + 4;
+-    s += 4 + kex_len;
+-    hostkey_len = _libssh2_ntohu32(s);
+-    hostkey = s + 4;
+-    s += 4 + hostkey_len;
+-    crypt_cs_len = _libssh2_ntohu32(s);
+-    crypt_cs = s + 4;
+-    s += 4 + crypt_cs_len;
+-    crypt_sc_len = _libssh2_ntohu32(s);
+-    crypt_sc = s + 4;
+-    s += 4 + crypt_sc_len;
+-    mac_cs_len = _libssh2_ntohu32(s);
+-    mac_cs = s + 4;
+-    s += 4 + mac_cs_len;
+-    mac_sc_len = _libssh2_ntohu32(s);
+-    mac_sc = s + 4;
+-    s += 4 + mac_sc_len;
+-    comp_cs_len = _libssh2_ntohu32(s);
+-    comp_cs = s + 4;
+-    s += 4 + comp_cs_len;
+-    comp_sc_len = _libssh2_ntohu32(s);
+-    comp_sc = s + 4;
+-#if 0
+-    s += 4 + comp_sc_len;
+-    lang_cs_len = _libssh2_ntohu32(s);
+-    lang_cs = s + 4;
+-    s += 4 + lang_cs_len;
+-    lang_sc_len = _libssh2_ntohu32(s);
+-    lang_sc = s + 4;
+-    s += 4 + lang_sc_len;
+-#endif
++    if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
++       return -1;
++    if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
++       return -1;
++
+     /* If the server sent an optimistic packet, assume that it guessed wrong.
+      * If the guess is determined to be right (by kex_agree_kex_hostkey)
+      * This flag will be reset to zero so that it's not ignored */
+     session->burn_optimistic_kexinit = *(s++);
+     /* Next uint32 in packet is all zeros (reserved) */
+-- 
+2.1.4
+
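Review bot: kex_string_pair() reads the 4-byte length with `_libssh2_ntohu32(s)` before checking that 4 bytes remain, and the guard `if (*lenp > (data_len - (s - data) -4))` is unsigned arithmetic that wraps when `s - data` is within 4 bytes of `data_len`, so a preceding string that exactly fills the packet lets the next call read past the end and then accept any length. A leading check `if ((size_t)(s - data) + 4 > data_len) return 1;` placed before the `_libssh2_ntohu32` call closes that gap. The same exhaustion reaches `session->burn_optimistic_kexinit = *(s++);` after the eighth string, which still has no remaining-bytes check; a guard `if ((size_t)(s - data) >= data_len) return -1;` before it would match the new error path. kex_agree_methods' body continues outside the hunk, so an overall minimum-length check earlier in the function may already exist, but it cannot cover per-string exhaustion driven by the peer-supplied lengths.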
diff -Nru libssh2-1.4.3/debian/patches/series libssh2-1.4.3/debian/patches/series
--- libssh2-1.4.3/debian/patches/series	2014-09-03 15:52:17.000000000 +0200
+++ libssh2-1.4.3/debian/patches/series	2015-03-11 12:13:08.000000000 +0100
@@ -1,3 +1,4 @@
 0001-Add-lgpg-error-to-.pc-to-facilitate-static-linking.patch
 0001-Do-not-expose-private-libraries-nor-link-flags-to-us.patch
 0002-Fix-typos-in-manpages.patch
+0003-CVE-2015-1782.patch
