Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
putty 0.67-3 fixes a vulnerability; please unblock it.
diff -Nru putty-0.67/debian/.git-dpm putty-0.67/debian/.git-dpm
--- putty-0.67/debian/.git-dpm 2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/.git-dpm 2017-03-22 14:41:51.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-5890a91668730e9ee7852d4b3b7480ef66cc0f04
-5890a91668730e9ee7852d4b3b7480ef66cc0f04
+5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e
+5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e
 79cb9b7c6d681b706933a6bfa7948c43e12da294
 79cb9b7c6d681b706933a6bfa7948c43e12da294
 putty_0.67.orig.tar.gz
diff -Nru putty-0.67/debian/changelog putty-0.67/debian/changelog
--- putty-0.67/debian/changelog 2016-03-18 22:32:34.000000000 +0000
+++ putty-0.67/debian/changelog 2017-03-22 14:42:13.000000000 +0000
@@ -1,3 +1,10 @@
+putty (0.67-3) unstable; urgency=high
+
+ * CVE-2017-6542: Sanity-check message length fields in CHAN_AGENT input
+ (thanks, Simon Tatham; closes: #857642).
+
+ -- Colin Watson <[email protected]> Wed, 22 Mar 2017 14:42:13 +0000
+
 putty (0.67-2) unstable; urgency=medium
 
 * Backport from upstream:
diff -Nru putty-0.67/debian/patches/pipe-buf.patch putty-0.67/debian/patches/pipe-buf.patch
--- putty-0.67/debian/patches/pipe-buf.patch 2016-03-18 22:31:09.000000000 +0000
+++ putty-0.67/debian/patches/pipe-buf.patch 2017-03-22 14:41:48.000000000 +0000
@@ -19,7 +19,7 @@
 1 file changed, 3 insertions(+)
 
 diff --git a/unix/uxshare.c b/unix/uxshare.c
-index 3da52de..4beb4a8 100644
+index 3da52def..4beb4a83 100644
 --- a/unix/uxshare.c
 +++ b/unix/uxshare.c
 @@ -23,6 +23,9 @@
diff -Nru putty-0.67/debian/patches/puttygen-batch-passphrase.patch putty-0.67/debian/patches/puttygen-batch-passphrase.patch
--- putty-0.67/debian/patches/puttygen-batch-passphrase.patch 2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/patches/puttygen-batch-passphrase.patch 2017-03-22 14:41:48.000000000 +0000
@@ -36,7 +36,7 @@
 2 files changed, 114 insertions(+), 55 deletions(-)
 
 diff --git a/cmdgen.c b/cmdgen.c
-index c15c01d..424ff95 100644
+index c15c01dd..424ff95d 100644
 --- a/cmdgen.c
 +++ b/cmdgen.c
 @@ -10,6 +10,8 @@
@@ -301,7 +301,7 @@
 if (ssh1key)
 
 diff --git a/doc/man-pg.but b/doc/man-pg.but
-index 51173e2..d381c0e 100644
+index 51173e22..d381c0ed 100644
 --- a/doc/man-pg.but
 +++ b/doc/man-pg.but
 @@ -64,6 +64,13 @@ generate SSH-1 keys).
diff -Nru putty-0.67/debian/patches/series putty-0.67/debian/patches/series
--- putty-0.67/debian/patches/series 2016-03-18 22:31:10.000000000 +0000
+++ putty-0.67/debian/patches/series 2017-03-22 14:41:48.000000000 +0000
@@ -1,2 +1,3 @@
 pipe-buf.patch
 puttygen-batch-passphrase.patch
+vuln-agent-fwd-overflow.patch
diff -Nru putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch
--- putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ putty-0.67/debian/patches/vuln-agent-fwd-overflow.patch 2017-03-22 14:41:51.000000000 +0000
@@ -0,0 +1,88 @@
+From 5e2013ef72274a3d9d73d8f3e6047f3cc5657f4e Mon Sep 17 00:00:00 2001
+From: Simon Tatham <[email protected]>
+Date: Tue, 21 Mar 2017 11:55:50 +0000
+Subject: Sanity-check message length fields in CHAN_AGENT input.
+
+Fixes 'vuln-agent-fwd-overflow': a hostile agent-forwarding client
+sending a length such as 0xFFFFFFFD can cause c->u.a.totallen to end
+up less than c->u.a.lensofar, leading to an attacker-controlled heap
+overwrite when those two values are subtracted and used as a bound for
+the amount of data to memcpy into the buffer.
+
+Of course the mitigating factor is that if there is any such thing as
+a 'hostile agent-forwarding client' in your world then you're likely
+to _already_ be in fairly serious trouble - they can make free use of
+all the keys stored in your agent, and would surely prefer to do that
+than tip their hand by crashing your SSH client.
+
+This is just the sort of thing I should have spotted in one of my past
+general tightening-up passes such as commit 896bb7c74, but apparently
+didn't :-(
+
+Bug-Debian: https://bugs.debian.org/857642
+Last-Update: 2017-03-22
+
+Patch-Name: vuln-agent-fwd-overflow.patch
+---
+ ssh.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/ssh.c b/ssh.c
+index e1e94d78..9b28e95d 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -5606,6 +5606,27 @@ static void ssh1_msg_channel_data(Ssh ssh, struct Packet *pktin)
+ if (c->u.a.lensofar == 4) {
+ c->u.a.totallen =
+ 4 + GET_32BIT(c->u.a.msglen);
++ if (c->u.a.totallen < 4 || c->u.a.totallen > 0x10000) {
++ /* If we received an out-of-range message length -
++ * either so large as to cause c->u.a.totallen to
++ * suffer unsigned integer overflow, or just too large
++ * to be a sensible amount of memory to malloc or to
++ * be a plausible agent message - we send an
++ * SSH_AGENT_FAILURE message, then send EOF, and
++ * immediately turn the channel into a CHAN_ZOMBIE to
++ * avoid continuing to try to parse the bogus
++ * message. */
++ char failure_msg[5];
++ PUT_32BIT(failure_msg, 1);
++ failure_msg[4] = SSH_AGENT_FAILURE;
++ sshfwd_write(c, failure_msg, sizeof(failure_msg));
++ sshfwd_write_eof(c);
++ sfree(c->u.a.message);
++ c->type = CHAN_ZOMBIE;
++ logevent("Agent-forwarding connection closed due to "
++ "receiving bogus agent message length");
++ return;
++ }
+ c->u.a.message = snewn(c->u.a.totallen,
+ unsigned char);
+ memcpy(c->u.a.message, c->u.a.msglen, 4);
+@@ -7559,6 +7580,26 @@ static void ssh2_msg_channel_data(Ssh ssh, struct Packet *pktin)
+ if (c->u.a.lensofar == 4) {
+ c->u.a.totallen =
+ 4 + GET_32BIT(c->u.a.msglen);
++ if (c->u.a.totallen < 4 || c->u.a.totallen > 0x10000) {
++ /* If we received an out-of-range message length -
++ * either so large as to cause c->u.a.totallen to
++ * suffer unsigned integer overflow, or just too large
++ * to be a sensible amount of memory to malloc or to
++ * be a plausible agent message - we send an
++ * SSH_AGENT_FAILURE message, then send EOF, and
++ * immediately turn the channel into a CHAN_ZOMBIE to
++ * avoid continuing to try to parse the bogus
++ * message. */
++ char failure_msg[5];
++ PUT_32BIT(failure_msg, 1);
++ failure_msg[4] = SSH_AGENT_FAILURE;
++ sshfwd_write(c, failure_msg, sizeof(failure_msg));
++ sfree(c->u.a.message);
++ logevent("Agent-forwarding connection closed due to "
++ "receiving bogus agent message length");
++ sshfwd_unclean_close(c, "message ignored");
++ return;
++ }
+ c->u.a.message = snewn(c->u.a.totallen,
+ unsigned char);
+ memcpy(c->u.a.message, c->u.a.msglen, 4);
unblock putty/0.67-3
Thanks, -- Colin Watson [[email protected]]
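Review bot: In both new early-return blocks `sfree(c->u.a.message);` leaves `c->u.a.message` pointing at freed storage, and in the ssh2 block the channel is then handed to `sshfwd_unclean_close`, whose agent-channel teardown is outside this hunk; if that teardown also releases the message buffer, a non-NULL pointer here would be freed twice, so adding `c->u.a.message = NULL;` after each `sfree` makes the cleanup safe regardless of what the close path does. The comment in the ssh2 block is a verbatim copy of the ssh1 one and still says the code sends EOF and turns the channel into a CHAN_ZOMBIE, whereas the code under it calls `sshfwd_unclean_close(c, "message ignored")` instead; its last sentence should read along the lines of `we send an SSH_AGENT_FAILURE message, then close the channel uncleanly so we stop parsing the bogus message.` The two blocks are otherwise identical 20-line copies, so a small static helper taking the channel and performing the shared check, failure reply and log line would remove the duplication and leave only the deliberate ssh1/ssh2 difference in shutdown visible at each call site, with the `0x10000` bound given a named constant at the same time. Both `ssh1_msg_channel_data` and `ssh2_msg_channel_data` start and end outside the hunk.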

