Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Dear release team, I have prepared an NMU for the buster release which fixes CVE-2019-17455. Please let me know whether I can upload it. Diff is attached. Thanks, Anton
diff -Nru libntlm-1.5/debian/changelog libntlm-1.5/debian/changelog
--- libntlm-1.5/debian/changelog 2018-08-24 22:03:11.000000000 +0200
+++ libntlm-1.5/debian/changelog 2020-05-23 21:18:56.000000000 +0200
@@ -1,3 +1,17 @@
+libntlm (1.5-1+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload
+ * Fix buffer overflow. CVE-2019-17455:
+ Libntlm through 1.5 relies on a fixed buffer size for
+ tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse
+ read and write operations, as demonstrated by a stack-based buffer
+ over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted
+ NTLM request.
+ Closes: #942145
+ * Add regression test for CVE-2019-17455
+
+ -- Anton Gladky <gl...@debian.org> Sat, 23 May 2020 21:18:56 +0200
+
 libntlm (1.5-1) unstable; urgency=low
 
 * New upstream version.
diff -Nru libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch
--- libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch 1970-01-01 01:00:00.000000000 +0100
+++ libntlm-1.5/debian/patches/10_fix_buffer_overflow_CVE-CVE-2019-17455.patch 2020-05-23 21:12:10.000000000 +0200
@@ -0,0 +1,85 @@
+From b967886873fcf19f816b9c0868465f2d9e5df85e Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <si...@josefsson.org>
+Date: Sun, 19 Apr 2020 09:30:05 +0200
+Subject: [PATCH] Fix buffer overflow. Patch from Cedric Buissart based on
+ report by Kirin. CVE-2019-17455
+
+<https://gitlab.com/jas/libntlm/-/issues/2>
+---
+ ntlm.h | 8 +++++---
+ smbutil.c | 13 ++++++++-----
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+Index: libntlm-1.5/ntlm.h
+===================================================================
+--- libntlm-1.5.orig/ntlm.h
++++ libntlm-1.5/ntlm.h
+@@ -36,6 +36,8 @@ extern "C"
+
+ #define NTLM_VERSION "1.5"
+
++#define MSG_BUFSIZE 1024
++
+
+ /*
+ * These structures are byte-order dependant, and should not
+ * be manipulated except by the use of the routines provided
+@@ -55,7 +57,7 @@ extern "C"
+ uint32 flags;
+ tSmbStrHeader user;
+ tSmbStrHeader domain;
+- uint8 buffer[1024];
++ uint8 buffer[MSG_BUFSIZE];
+ uint32 bufIndex;
+ } tSmbNtlmAuthRequest;
+
+@@ -68,7 +70,7 @@ extern "C"
+ uint8 challengeData[8];
+ uint8 reserved[8];
+ tSmbStrHeader emptyString;
+- uint8 buffer[1024];
++ uint8 buffer[MSG_BUFSIZE];
+ uint32 bufIndex;
+ } tSmbNtlmAuthChallenge;
+
+@@ -84,7 +86,7 @@ extern "C"
+ tSmbStrHeader uWks;
+ tSmbStrHeader sessionKey;
+ uint32 flags;
+- uint8 buffer[1024];
++ uint8 buffer[MSG_BUFSIZE];
+ uint32 bufIndex;
+ } tSmbNtlmAuthResponse;
+
+Index: libntlm-1.5/smbutil.c
+===================================================================
+--- libntlm-1.5.orig/smbutil.c
++++ libntlm-1.5/smbutil.c
+@@ -46,9 +46,9 @@ char versionString[] = PACKAGE_STRING;
+
+ /*
+ * Must be multiple of two
+- * We use a statis buffer of 1024 bytes for message
++ * We use a statis buffer of MSG_BUFSIZE [1024] bytes for message
+ * At maximun we but 48 bytes (ntlm responses) and 3 unicode strings so
+- * NTLM_BUFSIZE * 3 + 48 <= 1024
++ * NTLM_BUFSIZE * 3 + 48 <= MSG_BUFSIZE
+ */
+ #define NTLM_BUFSIZE 320
+
+@@ -70,10 +70,13 @@ char
versionString[] = PACKAGE_STRING;
+ */
+ #define AddBytes(ptr, header, buf, count) \
+ { \
+- ptr->header.len = ptr->header.maxlen = UI16LE(count); \
++ size_t count2 = count; \
++ if (count2 > MSG_BUFSIZE - ptr->bufIndex) \
++ count2 = MSG_BUFSIZE - ptr->bufIndex; \
++ ptr->header.len = ptr->header.maxlen = UI16LE(count2); \
+ ptr->header.offset = UI32LE((ptr->buffer - ((uint8*)ptr)) + ptr->bufIndex); \
+- memcpy(ptr->buffer+ptr->bufIndex, buf, count); \
+- ptr->bufIndex += count; \
++ memcpy(ptr->buffer+ptr->bufIndex, buf, count2); \
++ ptr->bufIndex += count2; \
+ }
+
+ #define AddString(ptr, header, string) \
diff -Nru libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch
--- libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch 1970-01-01 01:00:00.000000000 +0100
+++ libntlm-1.5/debian/patches/20_test_CVE-2019-17455.patch 2020-05-23 21:05:29.000000000 +0200
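Review bot: The clamp added to AddBytes truncates silently — when `count` exceeds the space left after `ptr->bufIndex`, the string is cut short and the caller never learns it, so a message with a shortened user or domain is still assembled and returned as if complete. A comment stating that contract would help the next reader, e.g. `/* Clamp to the room left in buffer[]; oversized input is silently truncated and header.len records the truncated size. */`. The subtraction `MSG_BUFSIZE - ptr->bufIndex` also relies on bufIndex never exceeding MSG_BUFSIZE, which holds only if bufIndex is advanced solely by this macro from a zeroed struct; that invariant is not visible in this hunk. The changelog describes read as well as write operations, but only the write side is touched here — the accessors that take offset/len out of a received message's header are outside this patch and need an equivalent bound against MSG_BUFSIZE.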
@@ -0,0 +1,90 @@
+From aa975994cf9cf39c33ce33a1b2988277c456dec1 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <si...@josefsson.org>
+Date: Sun, 19 Apr 2020 09:44:17 +0200
+Subject: [PATCH] Add regression check for CVE-2019-17455 overflow.
+
+---
+ Makefile.am | 2 +-
+ test_CVE-2019-17455.c | 61 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 62 insertions(+), 1 deletion(-)
+ create mode 100644 test_CVE-2019-17455.c
+
+Index: libntlm-1.5/Makefile.am
+===================================================================
+--- libntlm-1.5.orig/Makefile.am
++++ libntlm-1.5/Makefile.am
+@@ -45,7 +45,7 @@ libntlm_la_LIBADD = libntlm_impl.la gl/l
+
+ # test
+
+-TESTS = test_ntlm
++TESTS = test_ntlm test_CVE-2019-17455
+ check_PROGRAMS = $(TESTS)
+ LDADD = libntlm_impl.la gl/libgnu.la
+ CLEANFILES = test.out
+Index: libntlm-1.5/test_CVE-2019-17455.c
+===================================================================
+--- /dev/null
++++ libntlm-1.5/test_CVE-2019-17455.c
+@@ -0,0 +1,61 @@
++/* test_overflow.c --- Test for CVE-2019-17455 overflow bug for libntlm.
++ * Copyright (C) 2020 Simon Josefsson
++ *
++ * This file is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU Lesser General Public License as
++ * published by the Free Software Foundation; either version 2.1 of
++ * the License, or (at your option) any later version.
++ *
++ * This file is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this file; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
++ * 02110-1301, USA.
++ *
++ */
++
++#include <config.h>
++
++#include <string.h>
++#include <stdio.h>
++
++#include "ntlm.h"
++
++int
++main (void)
++{
++ char u[1024];
++ char d[1024];
++ char buf[sizeof (tSmbNtlmAuthRequest) + 5];
++ tSmbNtlmAuthRequest *request = (void*) &buf;
++ size_t i;
++
++ memset (u, '1', 1024);
++ memset (d, '2', 1024);
++ u[1023] = '\0';
++ d[1023] = '\0';
++
++ memset (buf, '3', sizeof (buf));
++
++ printf ("Before call:\n");
++ for (i = sizeof (tSmbNtlmAuthRequest) - 5; i < sizeof (buf); i++)
++ printf ("str[end + %d] = %02x\n",
++ (int) (i - sizeof (tSmbNtlmAuthRequest)), (unsigned int) buf[i]);
++
++ buildSmbNtlmAuthRequest (request, u, d);
++
++ printf ("After call:\n");
++ for (i = sizeof (tSmbNtlmAuthRequest) - 5; i < sizeof (buf); i++)
++ printf ("str[end + %d] = %02x\n",
++ (int) (i - sizeof (tSmbNtlmAuthRequest)), (unsigned int) buf[i]);
++
++ for (i = sizeof (tSmbNtlmAuthRequest); i < sizeof (buf); i++)
++ if (buf[i] != '3')
++ return 1;
++
++ return 0;
++}
diff -Nru libntlm-1.5/debian/patches/series libntlm-1.5/debian/patches/series
--- libntlm-1.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libntlm-1.5/debian/patches/series 2020-05-10 16:15:12.000000000 +0200
@@ -0,0 +1,2 @@
+10_fix_buffer_overflow_CVE-CVE-2019-17455.patch
+20_test_CVE-2019-17455.patch
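Review bot: The hex dump in the new test sign-extends `buf[i]`: `buf` is a plain `char` array, so on a signed-char target any byte at or above 0x80 prints as `ffffff80`-style output, which makes the before/after diagnostic misleading exactly when an overflow writes high bytes; cast through `unsigned char` first, `(unsigned int) (unsigned char) buf[i]`, in both printf loops. `char buf[sizeof (tSmbNtlmAuthRequest) + 5]` also carries no alignment guarantee for the struct it is reinterpreted as via `(void*) &buf`; a union of the struct with the guard-padded char array would avoid the misaligned access while keeping the guard bytes. The header comment still names the file `test_overflow.c` although it is added as `test_CVE-2019-17455.c`. The final loop only asserts that the five guard bytes past the struct are intact; checking `request->user.len` against the expected clamped length as well would pin the truncation behaviour, not just the absence of an overflow.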