Your message dated Sat, 24 Nov 2018 00:53:05 +0000
with message-id <[email protected]>
and subject line Bug#914501: fixed in ssh-agent-filter 0.5.2-1
has caused the Debian Bug report #914501,
regarding base64_encode(): two-byte out-of-bounds stack write
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
914501: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914501
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ssh-agent-filter
Version: 0.2-1
Severity: important
Tags: upstream fixed-upstream pending jessie stretch buster sid

A two-byte out-of-bounds stack write has been found in base64_encode().

Quoting relevant parts of the conversation with the security team:

21.11.18 20:21 Timo Weingärtner:
> while developing a new feature for ssh-agent-filter I noticed an error
> interpreting nettle's API documentation I made when I first wrote an
> adjacent function (right in the beginning; every version in Debian is
> affected).
> 
> The problem is BASE64_ENCODE_LENGTH() returning the size of the encoded
> string without the padding added in the finalization step. If the
> programmer forgets to take BASE64_ENCODE_FINAL_LENGTH into account this can
> result in up to two bytes with value '=' being written past the end of the
> buffer.
> 
> I was not able to crash ssh-agent-filter on my amd64 machine, so I guess the
> bug is hidden by alignment on the stack.

23.11.18 15:00 Timo Weingärtner:
> The strings to be base64-encoded (there is no decoding) is from the user's
> ssh-agent and — if confirmation is used — strings from a remote attacker
> (the same user or root on a machine the user connected to via (af)ssh) might
> get encoded. Encoded strings are compared against, output to terminal in
> debug mode or to the user via ssh-askpass in confirmation mode.
> 
> Incoming connections are handled in threads, so the entire filter process
> might crash, resulting in DoS.
> 
> The data written past the end of the buffer is always the same ('='); the
> attacker can only influence the number of extra bytes written (string length
> % 3). I don't really know about the exact stack layout and alignment on
> neither amd64 nor other archs, but if the stack grows downward these bytes
> would get written into the base64_ctx, unused space because of alignment,
> or the canary.

23.11.18 20:15 Moritz Mühlenhoff:
> Thanks for the summary. This sounds all quite limited impact-wise and sounds
> like a perfect candidate for a targeted fix via stable-proposed-updates. Do
> you agree? If so, let's open a a in the BTS which can then be closed with
> the upload to unstable (and also serves as a good reference for the stable
> update).

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
--- Begin Message ---
Source: ssh-agent-filter
Source-Version: 0.5.2-1

We believe that the bug you reported is fixed in the latest version of
ssh-agent-filter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Weingärtner <[email protected]> (supplier of updated ssh-agent-filter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Nov 2018 01:05:54 +0100
Source: ssh-agent-filter
Binary: ssh-agent-filter
Architecture: source
Version: 0.5.2-1
Distribution: unstable
Urgency: medium
Maintainer: Timo Weingärtner <[email protected]>
Changed-By: Timo Weingärtner <[email protected]>
Description:
 ssh-agent-filter - filtering proxy for ssh-agent
Closes: 914501
Changes:
 ssh-agent-filter (0.5.2-1) unstable; urgency=medium
 .
   * release 0.5.2
     + base64_encode: fix two-byte out-of-bounds stack write (Closes: #914501)
   * declare compliance with Debian Policy 4.2.1, no changes needed
Checksums-Sha1:
 38d8929e3852214a1b90644bb6cc63108a242db6 2146 ssh-agent-filter_0.5.2-1.dsc
 671b0f3e5f8d5d706d8ae849e4cc0ba339e8a21e 32326 
ssh-agent-filter_0.5.2.orig.tar.gz
 f16782f30c679d24ba6f401e729033750af7a025 2928 
ssh-agent-filter_0.5.2-1.debian.tar.xz
 a51907f8c44b9791e244bd6d82e95a7121583ff7 8160 
ssh-agent-filter_0.5.2-1_amd64.buildinfo
Checksums-Sha256:
 d71a7eb288ecb08dbe14368c2d3d94905a69a387e327800c7c6d20c4cd90c8a5 2146 
ssh-agent-filter_0.5.2-1.dsc
 e37e5a09753518ca3e01477be7f6069935055a8cd96bfdeac3bb8c959881cdb9 32326 
ssh-agent-filter_0.5.2.orig.tar.gz
 5316c19e8464199c6aa31c1cc10d71278e484b2ad6e57673e1b3d1f0d4633a24 2928 
ssh-agent-filter_0.5.2-1.debian.tar.xz
 b190063e1a1093ee522b0f263df6bea50bd80df6cb4e0f277b22b077dec22c12 8160 
ssh-agent-filter_0.5.2-1_amd64.buildinfo
Files:
 a226caea6bebd60bce180101ef3f5a86 2146 net optional ssh-agent-filter_0.5.2-1.dsc
 8b202655276a7bdacdf01ac73ff3b10d 32326 net optional 
ssh-agent-filter_0.5.2.orig.tar.gz
 6d97a0071995a83c76b37dd9d749def4 2928 net optional 
ssh-agent-filter_0.5.2-1.debian.tar.xz
 1e18f55c089a99bdd1069a2893ca5414 8160 net optional 
ssh-agent-filter_0.5.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE87+TxUS8xnavTxo5VO6rSJSm4+0FAlv4lroACgkQVO6rSJSm
4+0SQw/9F9JwsIOujXrouUb8M5GA1MnpozFk1CRoLeEltd7+54xNvRLiVE20n3uL
+f8ItGJmWecjUJX+onN4NMrr6/8kt8JvwFGqbTf7FGpw79QTsUfV88wTXwayuWTG
JEhHd2fIevBaEMO2UqjliwgND7QWAVme0P7QSaEXpHacs6A7irM2kVcCG6kPpqM0
bU2pYe8ycu2KYuQ8rSgWB+fdr/rqKDA/SXq0TNrOtP7aJswwtfS2sKSxnrto7fRk
hoQhR9dQupWfgbAjP9spcUY4OZK9qvezGced9ag2yqzdrIbyF6hYByZeRICzPrCK
Vqyb1tgXAMI0DIPQLEESyI8tizbueOk1xPHm5qwrRrFpZO9lv4yaDsRRsyZ84FuW
Ii+7lUsBjGnlI7Yl/KOdF/RjFza8XO+g5fTvD4VL3iN9CXWZf6B9FyAG2UlkGzbE
R1SQtsSSwi1um1SlgTaWD5NmGewLuQgRAaLEEBQNDX7ZDyQU95M2j7mNonX5S2Af
QU9eyHWjK96uLICC15UUiiyjKVtYxm9uWA+jVjtHJ3cwS/NcLpEne50URLugmYzX
kYYTRA5Xk4jMb0rVnWEeSxYX32trVIS6hV8JDS/UyTcPgyyWtn4J+YNT9o5+IcUQ
el7zuLAfD+wi9sX3FbuCR65tP8w2a5nfkv03TwCkQsChRiKA+WQ=
=eSFq
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to