Bug#837458: jessie-pu: package mactelnet/0.4.0-1
Hello Adam, On Wed, 13 Jun 2018 21:22:50 +0100 "Adam D. Barratt" wrote: > Control: tags -1 -moreinfo > > On Thu, 2017-01-05 at 20:06 +, Adam D. Barratt wrote: > > Control: tags -1 + confirmed > > > > On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote: > > > > > Request for uploading to stable, as there is posted a CVE for a bug > > > in mactelnet-client. > > > This update is a backport of the fix that is done upstream, that > > > fixes only the mentioned bug. > > > > > > Mor information here: https://security-tracker.debian.org/tracker/C > > > VE-2016-7115 > > > and here: https://bugs.debian.org/836320 > > > > +mactelnet (0.4.0-2) stable; urgency=low > > > > The version should be 0.4.0-1+deb8u1. With that change, please go > > ahead. > > > > And the distribution should be "jessie". If this is still of interest, > please upload *soon*. > done! G. > Regards, > > Adam > >
Bug#837458: jessie-pu: package mactelnet/0.4.0-1
Control: tags -1 -moreinfo On Thu, 2017-01-05 at 20:06 +, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote: > > > Request for uploading to stable, as there is posted a CVE for a bug > > in mactelnet-client. > > This update is a backport of the fix that is done upstream, that > > fixes only the mentioned bug. > > > > Mor information here: https://security-tracker.debian.org/tracker/C > > VE-2016-7115 > > and here: https://bugs.debian.org/836320 > > +mactelnet (0.4.0-2) stable; urgency=low > > The version should be 0.4.0-1+deb8u1. With that change, please go > ahead. > And the distribution should be "jessie". If this is still of interest, please upload *soon*. Regards, Adam
Bug#837458: jessie-pu: package mactelnet/0.4.0-1
Hello Adam, On Sat, 12 Aug 2017 10:16:06 -0400 "Adam D. Barratt" wrote: > On Thu, 2017-01-12 at 14:26 +0100, Gianfranco Costamagna wrote: > > Control: tags -1 - confirmed > > Control: tags -1 + moreinfo > [...] > > while the version is good, we need some more changes according to the CVE > > fix in github [1] > > > > so I'm removing the confirmed tag and adding moreinfo, haakon please fix > > and remove moreinfo once done. > > > > thanks > > > > G. > > > > [1] > > https://github.com/haakonnessjoen/MAC-Telnet/commit/b69d11727d4f0f8cf719c79e3fb700f55ca03e9a > > What's the status of this? I think we might be good with the previous patch version, backporting that upstream commit is really invasive, because the underlying code has changed too much in the meanwhile. sorry for the delay, I tried to cherry-pick rebase a lot of stuff, but I failed. So, probably better an incomplete but working patch than none... G. > > Regards, > > Adam > > >
Bug#837458: jessie-pu: package mactelnet/0.4.0-1
On Thu, 2017-01-12 at 14:26 +0100, Gianfranco Costamagna wrote: > Control: tags -1 - confirmed > Control: tags -1 + moreinfo [...] > while the version is good, we need some more changes according to the CVE fix > in github [1] > > so I'm removing the confirmed tag and adding moreinfo, haakon please fix and > remove moreinfo once done. > > thanks > > G. > > [1] > https://github.com/haakonnessjoen/MAC-Telnet/commit/b69d11727d4f0f8cf719c79e3fb700f55ca03e9a What's the status of this? Regards, Adam
Bug#837458: jessie-pu: package mactelnet/0.4.0-1
Control: tags -1 - confirmed Control: tags -1 + moreinfo On Thu, 05 Jan 2017 20:06:47 + "Adam D. Barratt" wrote: > Control: tags -1 + confirmed > > On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote: > > > Request for uploading to stable, as there is posted a CVE for a bug in > > mactelnet-client. > > This update is a backport of the fix that is done upstream, that fixes only > > the mentioned bug. > > > > Mor information here: > > https://security-tracker.debian.org/tracker/CVE-2016-7115 > > and here: https://bugs.debian.org/836320 > > +mactelnet (0.4.0-2) stable; urgency=low > > The version should be 0.4.0-1+deb8u1. With that change, please go ahead. > while the version is good, we need some more changes according to the CVE fix in github [1] so I'm removing the confirmed tag and adding moreinfo, haakon please fix and remove moreinfo once done. thanks G. [1] https://github.com/haakonnessjoen/MAC-Telnet/commit/b69d11727d4f0f8cf719c79e3fb700f55ca03e9a signature.asc Description: OpenPGP digital signature
Bug#837458: jessie-pu: package mactelnet/0.4.0-1
Control: tags -1 + confirmed On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote: > Request for uploading to stable, as there is posted a CVE for a bug in > mactelnet-client. > This update is a backport of the fix that is done upstream, that fixes only > the mentioned bug. > > Mor information here: > https://security-tracker.debian.org/tracker/CVE-2016-7115 > and here: https://bugs.debian.org/836320 +mactelnet (0.4.0-2) stable; urgency=low The version should be 0.4.0-1+deb8u1. With that change, please go ahead. Regards, Adam
Bug#837458: jessie-pu: package mactelnet/0.4.0-1
Control: tags -1 + moreinfo On Mon, 2016-09-12 at 06:17 +0200, Salvatore Bonaccorso wrote: > Hi, > > Disclaimer, I'm not member of the release team/stable release managers. You are, however, correct in your statements. :-) > > Request for uploading to stable, as there is posted a CVE for a bug > > in mactelnet-client. > > This update is a backport of the fix that is done upstream, that > > fixes only the mentioned bug. > > Generally the stable release managers request that the fix should land > first in unstable, could you upload the fix as well there? Or Is there > a new upstream version which could be uploaded? Please remove the "moreinfo" tag once that's happened. Regards, Adam
Bug#837458: jessie-pu: package mactelnet/0.4.0-1
Hi, Disclaimer, I'm not member of the release team/stable release managers. > Request for uploading to stable, as there is posted a CVE for a bug > in mactelnet-client. > This update is a backport of the fix that is done upstream, that > fixes only the mentioned bug. Generally the stable release managers request that the fix should land first in unstable, could you upload the fix as well there? Or Is there a new upstream version which could be uploaded? Regards, Salvatore
Bug#837458: jessie-pu: package mactelnet/0.4.0-1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Request for uploading to stable, as there is posted a CVE for a bug in mactelnet-client. This update is a backport of the fix that is done upstream, that fixes only the mentioned bug. Mor information here: https://security-tracker.debian.org/tracker/CVE-2016-7115 and here: https://bugs.debian.org/836320 -- System Information: Debian Release: stretch/sid Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.4.0-21-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru mactelnet-0.4.0/debian/changelog mactelnet-0.4.0/debian/changelog --- mactelnet-0.4.0/debian/changelog 2016-09-10 23:43:04.0 +0200 +++ mactelnet-0.4.0/debian/changelog 2016-09-10 23:46:41.0 +0200 @@ -1,3 +1,9 @@ +mactelnet (0.4.0-2) stable; urgency=low + + * Backported bugfix of CVE 2016-7115 (closes: 836320) + + -- Håkon Nessjøen Sun, 10 Sep 2016 23:11:32 +0200 + mactelnet (0.4.0-1) unstable; urgency=low * Upstream release 0.4.0 diff -Nru mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch --- mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch 1970-01-01 01:00:00.0 +0100 +++ mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch 2016-09-10 23:49:20.0 +0200 @@ -0,0 +1,51 @@ +--- a/mactelnet.c b/mactelnet.c +@@ -75,7 +75,7 @@ + + static int keepalive_counter = 0; + +-static unsigned char encryptionkey[128]; ++static unsigned char pass_salt[16]; + static char username[255]; + static char password[255]; + static char nonpriv_username[255]; +@@ -191,18 +191,21 @@ + char *terminal = getenv("TERM"); + char md5data[100]; + unsigned char md5sum[17]; +- int plen; ++ int plen, act_pass_len; + md5_state_t state; + +- /* Concat string of 0 + password + encryptionkey */ ++ /* calculate the actual password's length */ ++ act_pass_len = strnlen(password, 82); ++ ++ /* Concat string of 0 + password + pass_salt */ + md5data[0] = 0; +- strncpy(md5data + 1, password, 82); +- md5data[83] = '\0'; +- memcpy(md5data + 1 + strlen(password), encryptionkey, 16); ++ memcpy(md5data + 1, password, act_pass_len); ++ /* in case that password is long, calculate only using the used-up parts */ ++ memcpy(md5data + 1 + act_pass_len, pass_salt, 16); + + /* Generate md5 sum of md5data with a leading 0 */ + md5_init(&state); +- md5_append(&state, (const md5_byte_t *)md5data, strlen(password) + 17); ++ md5_append(&state, (const md5_byte_t *)md5data, 1 + act_pass_len + 16); + md5_finish(&state, (md5_byte_t *)md5sum + 1); + md5sum[0] = 0; + +@@ -279,9 +282,9 @@ + + while (success) { + +- /* If we receive encryptionkey, transmit auth data back */ ++ /* If we receive pass_salt, transmit auth data back */ + if (cpkt.cptype == MT_CPTYPE_ENCRYPTIONKEY) { +-memcpy(encryptionkey, cpkt.data, cpkt.length); ++memcpy(pass_salt, cpkt.data, 16); + send_auth(username, password); + } + diff -Nru mactelnet-0.4.0/debian/patches/series mactelnet-0.4.0/debian/patches/series --- mactelnet-0.4.0/debian/patches/series 1970-01-01 01:00:00.0 +0100 +++ mactelnet-0.4.0/debian/patches/series 2016-09-10 23:49:03.0 +0200 @@ -0,0 +1 @@ +CVE-2016-7115.patch