Your message dated Sat, 24 Nov 2018 00:53:05 +0000 with message-id <[email protected]> and subject line Bug#914501: fixed in ssh-agent-filter 0.5.2-1 has caused the Debian Bug report #914501, regarding base64_encode(): two-byte out-of-bounds stack write to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 914501: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914501 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: ssh-agent-filter Version: 0.2-1 Severity: important Tags: upstream fixed-upstream pending jessie stretch buster sid A two-byte out-of-bounds stack write has been found in base64_encode(). Quoting relevant parts of the conversation with the security team: 21.11.18 20:21 Timo Weingärtner: > while developing a new feature for ssh-agent-filter I noticed an error > interpreting nettle's API documentation I made when I first wrote an > adjacent function (right in the beginning; every version in Debian is > affected). > > The problem is BASE64_ENCODE_LENGTH() returning the size of the encoded > string without the padding added in the finalization step. If the > programmer forgets to take BASE64_ENCODE_FINAL_LENGTH into account this can > result in up to two bytes with value '=' being written past the end of the > buffer. > > I was not able to crash ssh-agent-filter on my amd64 machine, so I guess the > bug is hidden by alignment on the stack. 23.11.18 15:00 Timo Weingärtner: > The strings to be base64-encoded (there is no decoding) is from the user's > ssh-agent and — if confirmation is used — strings from a remote attacker > (the same user or root on a machine the user connected to via (af)ssh) might > get encoded. Encoded strings are compared against, output to terminal in > debug mode or to the user via ssh-askpass in confirmation mode. > > Incoming connections are handled in threads, so the entire filter process > might crash, resulting in DoS. > > The data written past the end of the buffer is always the same ('='); the > attacker can only influence the number of extra bytes written (string length > % 3). I don't really know about the exact stack layout and alignment on > neither amd64 nor other archs, but if the stack grows downward these bytes > would get written into the base64_ctx, unused space because of alignment, > or the canary. 23.11.18 20:15 Moritz Mühlenhoff: > Thanks for the summary. This sounds all quite limited impact-wise and sounds > like a perfect candidate for a targeted fix via stable-proposed-updates. Do > you agree? If so, let's open a a in the BTS which can then be closed with > the upload to unstable (and also serves as a good reference for the stable > update).
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---Source: ssh-agent-filter Source-Version: 0.5.2-1 We believe that the bug you reported is fixed in the latest version of ssh-agent-filter, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Timo Weingärtner <[email protected]> (supplier of updated ssh-agent-filter package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 24 Nov 2018 01:05:54 +0100 Source: ssh-agent-filter Binary: ssh-agent-filter Architecture: source Version: 0.5.2-1 Distribution: unstable Urgency: medium Maintainer: Timo Weingärtner <[email protected]> Changed-By: Timo Weingärtner <[email protected]> Description: ssh-agent-filter - filtering proxy for ssh-agent Closes: 914501 Changes: ssh-agent-filter (0.5.2-1) unstable; urgency=medium . * release 0.5.2 + base64_encode: fix two-byte out-of-bounds stack write (Closes: #914501) * declare compliance with Debian Policy 4.2.1, no changes needed Checksums-Sha1: 38d8929e3852214a1b90644bb6cc63108a242db6 2146 ssh-agent-filter_0.5.2-1.dsc 671b0f3e5f8d5d706d8ae849e4cc0ba339e8a21e 32326 ssh-agent-filter_0.5.2.orig.tar.gz f16782f30c679d24ba6f401e729033750af7a025 2928 ssh-agent-filter_0.5.2-1.debian.tar.xz a51907f8c44b9791e244bd6d82e95a7121583ff7 8160 ssh-agent-filter_0.5.2-1_amd64.buildinfo Checksums-Sha256: d71a7eb288ecb08dbe14368c2d3d94905a69a387e327800c7c6d20c4cd90c8a5 2146 ssh-agent-filter_0.5.2-1.dsc e37e5a09753518ca3e01477be7f6069935055a8cd96bfdeac3bb8c959881cdb9 32326 ssh-agent-filter_0.5.2.orig.tar.gz 5316c19e8464199c6aa31c1cc10d71278e484b2ad6e57673e1b3d1f0d4633a24 2928 ssh-agent-filter_0.5.2-1.debian.tar.xz b190063e1a1093ee522b0f263df6bea50bd80df6cb4e0f277b22b077dec22c12 8160 ssh-agent-filter_0.5.2-1_amd64.buildinfo Files: a226caea6bebd60bce180101ef3f5a86 2146 net optional ssh-agent-filter_0.5.2-1.dsc 8b202655276a7bdacdf01ac73ff3b10d 32326 net optional ssh-agent-filter_0.5.2.orig.tar.gz 6d97a0071995a83c76b37dd9d749def4 2928 net optional ssh-agent-filter_0.5.2-1.debian.tar.xz 1e18f55c089a99bdd1069a2893ca5414 8160 net optional ssh-agent-filter_0.5.2-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE87+TxUS8xnavTxo5VO6rSJSm4+0FAlv4lroACgkQVO6rSJSm 4+0SQw/9F9JwsIOujXrouUb8M5GA1MnpozFk1CRoLeEltd7+54xNvRLiVE20n3uL +f8ItGJmWecjUJX+onN4NMrr6/8kt8JvwFGqbTf7FGpw79QTsUfV88wTXwayuWTG JEhHd2fIevBaEMO2UqjliwgND7QWAVme0P7QSaEXpHacs6A7irM2kVcCG6kPpqM0 bU2pYe8ycu2KYuQ8rSgWB+fdr/rqKDA/SXq0TNrOtP7aJswwtfS2sKSxnrto7fRk hoQhR9dQupWfgbAjP9spcUY4OZK9qvezGced9ag2yqzdrIbyF6hYByZeRICzPrCK Vqyb1tgXAMI0DIPQLEESyI8tizbueOk1xPHm5qwrRrFpZO9lv4yaDsRRsyZ84FuW Ii+7lUsBjGnlI7Yl/KOdF/RjFza8XO+g5fTvD4VL3iN9CXWZf6B9FyAG2UlkGzbE R1SQtsSSwi1um1SlgTaWD5NmGewLuQgRAaLEEBQNDX7ZDyQU95M2j7mNonX5S2Af QU9eyHWjK96uLICC15UUiiyjKVtYxm9uWA+jVjtHJ3cwS/NcLpEne50URLugmYzX kYYTRA5Xk4jMb0rVnWEeSxYX32trVIS6hV8JDS/UyTcPgyyWtn4J+YNT9o5+IcUQ el7zuLAfD+wi9sX3FbuCR65tP8w2a5nfkv03TwCkQsChRiKA+WQ= =eSFq -----END PGP SIGNATURE-----
--- End Message ---

