Bug#1035832: libssh: CVE-2023-1667 CVE-2023-2283
Hi Martin,

On Wed, May 10, 2023 at 08:19:42AM +0200, Martin Pitt wrote:
> Control: tag -1 pending
>
> Hello Salvatore,
>
> Salvatore Bonaccorso [2023-05-09 22:30 +0200]:
> > The following vulnerabilities were published for libssh.
> >
> > CVE-2023-1667[0]:
> > | Potential NULL dereference during rekeying with algorithm guessing
> >
> > CVE-2023-2283[1]:
> > | Authorization bypass in pki_verify_data_signature
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> I uploaded the new upstream release to unstable, with urgency=high to hopefully
> make it into the release in time. With upstream's extensive unit tests and
> Debian's reverse dependency autopkgtesting etc. I have enough confidence in
> that.

Thanks for preparing the update. Note that at this stage of the freeze it
won't migrate anymore automatically. Can you please request an unblock by
the release team? Note there is a strict deadline approaching, so that
should happen quickly.

Note I'm not sure if the release team will want to have

  * Bump Standards-Version to 4.6.2. No changes necessary.

and

  * Bump debhelper from old 12 to 13.
  * Avoid explicitly specifying -Wl,--as-needed linker flag.

included in this stage of the release.

> I also checked buster. It's not affected by CVE-2023-2283, that code does not
> exist in the 0.8 branch at all. The code for CVE-2023-1667 does exist, but it
> is wildly different. Upstream does not maintain the 0.8 branch any more, and
> I'm afraid I will not have the time/skills to analyze, understand, and backport
> the patches myself, at least not to an extent where I'd have faith in them.
>
> I'll attempt to backport the fixes for stable now.
> https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some
> changes before and beyond the actual security fix: some memory leak fixes,
> moving some code around, indentation fixes, more unit tests. Personally I'd
> rather trust upstream's release validation and update to 0.9.7 wholesale than
> trying to pick it apart, but how is the Debian security team stanza wrt.
> upstream microreleases these days?

Thanks for this mail and the followup with the proposed update. We'll come
back to you on it.

Regards,
Salvatore
Bug#1035832: libssh: CVE-2023-1667 CVE-2023-2283 -- stable (bullseye) update prepared
Hello security team,

Martin Pitt [2023-05-10 8:19 +0200]:
> I'll attempt to backport the fixes for stable now.
> https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some
> changes before and beyond the actual security fix: some memory leak fixes,
> moving some code around, indentation fixes, more unit tests. Personally I'd
> rather trust upstream's release validation and update to 0.9.7 wholesale than
> trying to pick it apart, but how is the Debian security team stanza wrt.
> upstream microreleases these days?

I prepared a security update for the two CVEs, plus four "reformat code"
cherry-picks which changed the actual security fix from "hairy and risky" to
"only causes minor and obvious conflicts".

https://salsa.debian.org/debian/libssh/-/commit/5aa68cee3d2e8a50402ef77623ff8ceac9eb183c
https://salsa.debian.org/debian/libssh/-/commit/baa5cda9287580b16d3ecd9ecfc7fef82f2e12c2

They were taken from https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9
as "95% clean" cherry-picks, which I found the best compromise wrt. minimizing
risk. See the Debian commit messages for details.

I built the package in a clean bullseye container, unit tests and autopkgtest
pass.

The commit messages are more wordy than appropriate for the changelog. I'd use
a similar format as for unstable [1], e.g.

-- ✂️ --
  * Fix authenticated remote DoS through potential NULL dereference during
    rekeying with algorithm guessing (CVE-2023-1667)
    https://www.libssh.org/security/advisories/CVE-2023-1667.txt
  * Fix client authentication bypass in pki_verify_data_signature() in
    low-memory conditions with OpenSSL backend; gcrypt backend is not affected
    (CVE-2023-2283, Closes: #1035832)
    https://www.libssh.org/security/advisories/CVE-2023-2283.txt
-- ✂️ --

I'm happy to upload to the queue if/once you give me the signal, or massage the
patches/changelog according to your liking.

Thanks,
Martin

[1] https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9
Bug#1035832: libssh: CVE-2023-1667 CVE-2023-2283
Control: tag -1 pending

Hello Salvatore,

Salvatore Bonaccorso [2023-05-09 22:30 +0200]:
> The following vulnerabilities were published for libssh.
>
> CVE-2023-1667[0]:
> | Potential NULL dereference during rekeying with algorithm guessing
>
> CVE-2023-2283[1]:
> | Authorization bypass in pki_verify_data_signature
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

I uploaded the new upstream release to unstable, with urgency=high to hopefully
make it into the release in time. With upstream's extensive unit tests and
Debian's reverse dependency autopkgtesting etc. I have enough confidence in
that.

I also checked buster. It's not affected by CVE-2023-2283, that code does not
exist in the 0.8 branch at all. The code for CVE-2023-1667 does exist, but it
is wildly different. Upstream does not maintain the 0.8 branch any more, and
I'm afraid I will not have the time/skills to analyze, understand, and backport
the patches myself, at least not to an extent where I'd have faith in them.

I'll attempt to backport the fixes for stable now.
https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some
changes before and beyond the actual security fix: some memory leak fixes,
moving some code around, indentation fixes, more unit tests. Personally I'd
rather trust upstream's release validation and update to 0.9.7 wholesale than
trying to pick it apart, but how is the Debian security team stanza wrt.
upstream microreleases these days?

Thanks,
Martin
Bug#1035832: libssh: CVE-2023-1667 CVE-2023-2283
Source: libssh
Version: 0.10.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 0.9.3-1
Control: found -1 0.9.5-1+deb11u1

Hi,

The following vulnerabilities were published for libssh.

CVE-2023-1667[0]:
| Potential NULL dereference during rekeying with algorithm guessing

CVE-2023-2283[1]:
| Authorization bypass in pki_verify_data_signature

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1667
    https://www.cve.org/CVERecord?id=CVE-2023-1667
    https://www.libssh.org/security/advisories/CVE-2023-1667.txt
[1] https://security-tracker.debian.org/tracker/CVE-2023-2283
    https://www.cve.org/CVERecord?id=CVE-2023-2283
    https://www.libssh.org/security/advisories/CVE-2023-2283.txt

Regards,
Salvatore