Oops... I had trouble with reportbug and the patch I asked it to attach wasn't sent. Attaching it now.
Thanks -- Chris -- Chris Knadle [email protected]
diff -Nru libssh-0.6.3/debian/changelog libssh-0.6.3/debian/changelog
--- libssh-0.6.3/debian/changelog 2015-01-26 18:28:06.000000000 -0500
+++ libssh-0.6.3/debian/changelog 2015-12-04 09:53:48.000000000 -0500
@@ -1,3 +1,14 @@
+libssh (0.6.3-4+deb8u1) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * debian/patches:
+ - Add 0002_CVE-2015-3146.patch
+ Fix "null pointer dereference due to a logical error in the handling
+ of a SSH_MSG_NEWKEYS and KEXDH_REPLY packets"
+ (Closes: #784404, CVE-2015-3146)
+
+ -- Christopher Knadle <[email protected]> Mon, 23 Nov 2015 08:43:19 -0500
+
 libssh (0.6.3-4) unstable; urgency=medium
 * Add debian/patches/0001_CVE-2014-8132.patch: Fixup error path in
diff -Nru libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch
--- libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch 1969-12-31 19:00:00.000000000 -0500
+++ libssh-0.6.3/debian/patches/0002_CVE-2015-3146.patch 2015-12-04 09:53:32.000000000 -0500
@@ -0,0 +1,129 @@
+From 94f6955fbaee6fda9385a23e505497efe21f5b4f Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <[email protected]>
+Date: Wed, 15 Apr 2015 16:08:37 +0200
+Subject: [PATCH 1/2] CVE-2015-3146: Fix state validation in packet handlers
+
+The state validation in the packet handlers for SSH_MSG_NEWKEYS and
+SSH_MSG_KEXDH_REPLY had a bug which did not raise an error.
+
+The issue has been found and reported by Mariusz Ziule.
+
+Signed-off-by: Aris Adamantiadis <[email protected]>
+Reviewed-by: Andreas Schneider <[email protected]>
+(cherry picked from commit bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe)
+---
+ src/packet_cb.c | 16 ++++++++++------
+ src/server.c | 8 +++++---
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/src/packet_cb.c b/src/packet_cb.c
+index a10dd1a..e6c613f 100644
+--- a/src/packet_cb.c
++++ b/src/packet_cb.c
+@@ -94,7 +94,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){
+ (void)type;
+ (void)user;
+ SSH_LOG(SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY");
+- if(session->session_state!= SSH_SESSION_STATE_DH &&
++ if (session->session_state != SSH_SESSION_STATE_DH ||
+ session->dh_handshake_state != DH_STATE_INIT_SENT){
+ ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d",
+ session->session_state,session->dh_handshake_state);
+@@ -135,12 +135,16 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
+ (void)user;
+ (void)type;
+ SSH_LOG(SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS");
+- if(session->session_state!= SSH_SESSION_STATE_DH &&
+- session->dh_handshake_state != DH_STATE_NEWKEYS_SENT){
+- ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d",
+- session->session_state,session->dh_handshake_state);
+- goto error;
++
++ if (session->session_state != SSH_SESSION_STATE_DH ||
++ session->dh_handshake_state != DH_STATE_NEWKEYS_SENT) {
++ ssh_set_error(session,
++ SSH_FATAL,
++ "ssh_packet_newkeys called in wrong state : %d:%d",
++ session->session_state,session->dh_handshake_state);
++ goto error;
+ }
++
+ if(session->server){
+ /* server things are done in server.c */
+ session->dh_handshake_state=DH_STATE_FINISHED;
+diff --git a/src/server.c b/src/server.c
+index 35281ca..1637cce 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -165,7 +165,7 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){
+ }
+
+ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
+- int rc;
++ int rc = SSH_ERROR;
+ (void)type;
+ (void)user;
+
+@@ -193,9 +193,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
+ ssh_set_error(session,SSH_FATAL,"Wrong kex type in ssh_packet_kexdh_init");
+ rc = SSH_ERROR;
+ }
+- if (rc == SSH_ERROR)
++
++error:
++ if (rc == SSH_ERROR) {
+ session->session_state = SSH_SESSION_STATE_ERROR;
+- error:
++ }
+
+ return SSH_PACKET_USED;
+ }
+--
+2.3.5
+
+
+From e9d16bd3439205ce7e75017405b1ac6ed5ead062 Mon Sep 17 00:00:00 2001
+From: Aris Adamantiadis <[email protected]>
+Date: Wed, 15 Apr 2015 16:25:29 +0200
+Subject: [PATCH 2/2] buffers: Fix a possible null pointer dereference
+
+This is an addition to CVE-2015-3146 to fix the null pointer
+dereference. The patch is not required to fix the CVE but prevents
+issues in future.
+
+Signed-off-by: Aris Adamantiadis <[email protected]>
+Reviewed-by: Andreas Schneider <[email protected]>
+(cherry picked from commit 309102547208281215e6799336b42d355cdd7c5d)
+---
+ src/buffer.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index ca12086..3bb6ec4 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -188,6 +188,10 @@ int buffer_reinit(struct ssh_buffer_struct *buffer) {
+ int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) {
+ buffer_verify(buffer);
+
++ if (data == NULL) {
++ return -1;
++ }
++
+ if (buffer->used + len < len) {
+ return -1;
+ }
+@@ -221,6 +225,10 @@ int buffer_add_ssh_string(struct ssh_buffer_struct *buffer,
+ struct ssh_string_struct *string) {
+ uint32_t len = 0;
+
++ if (string == NULL) {
++ return -1;
++ }
++
+ len = ssh_string_len(string);
+ if (buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) {
+ return -1;
+--
+2.3.5
+
diff -Nru libssh-0.6.3/debian/patches/series libssh-0.6.3/debian/patches/series
--- libssh-0.6.3/debian/patches/series 2015-01-26 18:28:06.000000000 -0500
+++ libssh-0.6.3/debian/patches/series 2015-12-04 09:53:32.000000000 -0500
@@ -1,4 +1,5 @@
 0001_CVE-2014-8132.patch
+0002_CVE-2015-3146.patch
 1001_error-msg-typo-fix.patch
 1003-custom-lib-names.patch
 2002-fix-html-doc-generation.patch
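Review bot: In the buffer_add_ssh_string hunk of the embedded patch, the new NULL check does not cover the length arithmetic on the line right after it: `len` is a `uint32_t`, `len + sizeof(uint32_t)` is computed in `size_t`, and the result is then narrowed back to the `uint32_t len` parameter of buffer_add_data, so a string whose length field is within 4 of UINT32_MAX wraps to a tiny count and is silently truncated rather than rejected. The `buffer->used + len < len` guard inside buffer_add_data only ever sees the already-narrowed value, so it cannot catch this. Whether any caller can actually pass such a string depends on where ssh_string_struct lengths originate, which this hunk does not show, but the guard is cheap: add `if (len > UINT32_MAX - sizeof(uint32_t)) { return -1; }` between `len = ssh_string_len(string);` and the buffer_add_data call. The body of buffer_add_ssh_string continues past the end of the hunk.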

