Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2018-06-14 Thread Gianfranco Costamagna
Hello Adam,

On Wed, 13 Jun 2018 21:22:50 +0100 "Adam D. Barratt" wrote:
> Control: tags -1 -moreinfo
> 
> On Thu, 2017-01-05 at 20:06 +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote:
> > 
> > > Request for uploading to stable, as there is posted a CVE for a bug
> > > in mactelnet-client.
> > > This update is a backport of the fix that is done upstream, that
> > > fixes only the mentioned bug.
> > > 
> > > More information here:
> > > https://security-tracker.debian.org/tracker/CVE-2016-7115
> > > and here: https://bugs.debian.org/836320
> > 
> > +mactelnet (0.4.0-2) stable; urgency=low
> > 
> > The version should be 0.4.0-1+deb8u1. With that change, please go
> > ahead.
> > 
> 
> And the distribution should be "jessie". If this is still of interest,
> please upload *soon*.
> 


done!

G.

> Regards,
> 
> Adam
> 
> 



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2018-06-13 Thread Adam D. Barratt
Control: tags -1 -moreinfo

On Thu, 2017-01-05 at 20:06 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote:
> 
> > Request for uploading to stable, as there is posted a CVE for a bug
> > in mactelnet-client.
> > This update is a backport of the fix that is done upstream, that
> > fixes only the mentioned bug.
> > 
> > More information here:
> > https://security-tracker.debian.org/tracker/CVE-2016-7115
> > and here: https://bugs.debian.org/836320
> 
> +mactelnet (0.4.0-2) stable; urgency=low
> 
> The version should be 0.4.0-1+deb8u1. With that change, please go
> ahead.
> 

And the distribution should be "jessie". If this is still of interest,
please upload *soon*.

Regards,

Adam



Processed: Re: Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo
Bug #837458 [release.debian.org] jessie-pu: package mactelnet/0.4.0-1
Removed tag(s) moreinfo.

-- 
837458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2018-05-09 Thread Gianfranco Costamagna
Hello Adam,

On Sat, 12 Aug 2017 10:16:06 -0400 "Adam D. Barratt" wrote:
> On Thu, 2017-01-12 at 14:26 +0100, Gianfranco Costamagna wrote:
> > Control: tags -1 - confirmed
> > Control: tags -1 + moreinfo
> [...]
> > while the version is good, we need some more changes according to the CVE 
> > fix in github [1]
> > 
> > so I'm removing the confirmed tag and adding moreinfo, haakon please fix 
> > and remove moreinfo once done.
> > 
> > thanks
> > 
> > G.
> > 
> > [1] 
> > https://github.com/haakonnessjoen/MAC-Telnet/commit/b69d11727d4f0f8cf719c79e3fb700f55ca03e9a
> 
> What's the status of this?

I think we might be good with the previous patch version, backporting that 
upstream commit is really invasive, because the underlying
code has changed too much in the meanwhile.

sorry for the delay, I tried to cherry-pick rebase a lot of stuff, but I failed.

So, probably better an incomplete but working patch than none...

G.

> 
> Regards,
> 
> Adam
> 
> 
> 



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2017-08-12 Thread Adam D. Barratt
On Thu, 2017-01-12 at 14:26 +0100, Gianfranco Costamagna wrote:
> Control: tags -1 - confirmed
> Control: tags -1 + moreinfo
[...]
> while the version is good, we need some more changes according to the CVE fix 
> in github [1]
> 
> so I'm removing the confirmed tag and adding moreinfo, haakon please fix and 
> remove moreinfo once done.
> 
> thanks
> 
> G.
> 
> [1] 
> https://github.com/haakonnessjoen/MAC-Telnet/commit/b69d11727d4f0f8cf719c79e3fb700f55ca03e9a

What's the status of this?

Regards,

Adam



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2017-01-12 Thread Gianfranco Costamagna
Control: tags -1 - confirmed
Control: tags -1 + moreinfo

On Thu, 05 Jan 2017 20:06:47 + "Adam D. Barratt" wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote:
> 
> > Request for uploading to stable, as there is posted a CVE for a bug in 
> > mactelnet-client.
> > This update is a backport of the fix that is done upstream, that fixes only 
> > the mentioned bug.
> > 
> > More information here:
> > https://security-tracker.debian.org/tracker/CVE-2016-7115
> > and here: https://bugs.debian.org/836320
> 
> +mactelnet (0.4.0-2) stable; urgency=low
> 
> The version should be 0.4.0-1+deb8u1. With that change, please go ahead.
> 

while the version is good, we need some more changes according to the CVE fix 
in github [1]

so I'm removing the confirmed tag and adding moreinfo, haakon please fix and 
remove moreinfo once done.

thanks

G.

[1] 
https://github.com/haakonnessjoen/MAC-Telnet/commit/b69d11727d4f0f8cf719c79e3fb700f55ca03e9a






Processed: Re: Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2017-01-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - confirmed
Bug #837458 [release.debian.org] jessie-pu: package mactelnet/0.4.0-1
Removed tag(s) confirmed.
> tags -1 + moreinfo
Bug #837458 [release.debian.org] jessie-pu: package mactelnet/0.4.0-1
Added tag(s) moreinfo.

-- 
837458: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2017-01-05 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2016-09-11 at 19:55 +0200, haakon.nessj...@gmail.com wrote:

> Request for uploading to stable, as there is posted a CVE for a bug in 
> mactelnet-client.
> This update is a backport of the fix that is done upstream, that fixes only 
> the mentioned bug.
> 
> More information here:
> https://security-tracker.debian.org/tracker/CVE-2016-7115
> and here: https://bugs.debian.org/836320

+mactelnet (0.4.0-2) stable; urgency=low

The version should be 0.4.0-1+deb8u1. With that change, please go ahead.

Regards,

Adam



Processed: Re: Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2017-01-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #837458 [release.debian.org] jessie-pu: package mactelnet/0.4.0-1
Added tag(s) confirmed.

-- 
837458: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2016-09-17 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #837458 [release.debian.org] jessie-pu: package mactelnet/0.4.0-1
Added tag(s) moreinfo.

-- 
837458: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2016-09-17 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Mon, 2016-09-12 at 06:17 +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> Disclaimer, I'm not a member of the release team/stable release managers.

You are, however, correct in your statements. :-)

> > Request for uploading to stable, as there is posted a CVE for a bug
> > in mactelnet-client.
> > This update is a backport of the fix that is done upstream, that
> > fixes only the mentioned bug.
> 
> Generally the stable release managers request that the fix should land
> first in unstable, could you upload the fix as well there? Or is there
> a new upstream version which could be uploaded?

Please remove the "moreinfo" tag once that's happened.

Regards,

Adam



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2016-09-11 Thread Salvatore Bonaccorso
Hi,

Disclaimer, I'm not a member of the release team/stable release managers.

> Request for uploading to stable, as there is posted a CVE for a bug
> in mactelnet-client.
> This update is a backport of the fix that is done upstream, that
> fixes only the mentioned bug.

Generally the stable release managers request that the fix should land
first in unstable, could you upload the fix as well there? Or is there
a new upstream version which could be uploaded?

Regards,
Salvatore



Bug#837458: jessie-pu: package mactelnet/0.4.0-1

2016-09-11 Thread haakon . nessjoen
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Request for uploading to stable, as there is posted a CVE for a bug in 
mactelnet-client.
This update is a backport of the fix that is done upstream, that fixes only the 
mentioned bug.

More information here: https://security-tracker.debian.org/tracker/CVE-2016-7115
and here: https://bugs.debian.org/836320

-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-21-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru mactelnet-0.4.0/debian/changelog mactelnet-0.4.0/debian/changelog
--- mactelnet-0.4.0/debian/changelog	2016-09-10 23:43:04.0 +0200
+++ mactelnet-0.4.0/debian/changelog	2016-09-10 23:46:41.0 +0200
@@ -1,3 +1,9 @@
+mactelnet (0.4.0-2) stable; urgency=low
+
+  * Backported bugfix of CVE 2016-7115 (closes: 836320)
+
+ -- Håkon Nessjøen   Sun, 10 Sep 2016 23:11:32 +0200
+
 mactelnet (0.4.0-1) unstable; urgency=low
 
   * Upstream release 0.4.0
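Review bot: The new entry's header line, `mactelnet (0.4.0-2) stable; urgency=low`, carries a version and distribution that do not fit a jessie proposed-update; as the replies in this thread request, it should read `0.4.0-1+deb8u1` with distribution `jessie`. Two smaller points in the same entry: "CVE 2016-7115" should be written `CVE-2016-7115` so it matches the identifier used by the security tracker, and the trailer date "Sun, 10 Sep 2016" names the wrong weekday (the request itself is dated Sun, 2016-09-11, so 10 Sep was a Saturday).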
diff -Nru mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch
--- mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch	1970-01-01 01:00:00.0 +0100
+++ mactelnet-0.4.0/debian/patches/CVE-2016-7115.patch	2016-09-10 23:49:20.0 +0200
@@ -0,0 +1,51 @@
+--- a/mactelnet.c
 b/mactelnet.c
+@@ -75,7 +75,7 @@
+ 
+ static int keepalive_counter = 0;
+ 
+-static unsigned char encryptionkey[128];
++static unsigned char pass_salt[16];
+ static char username[255];
+ static char password[255];
+ static char nonpriv_username[255];
+@@ -191,18 +191,21 @@
+ 	char *terminal = getenv("TERM");
+ 	char md5data[100];
+ 	unsigned char md5sum[17];
+-	int plen;
++	int plen, act_pass_len;
+ 	md5_state_t state;
+ 
+-	/* Concat string of 0 + password + encryptionkey */
++	/* calculate the actual password's length */
++	act_pass_len = strnlen(password, 82);
++
++	/* Concat string of 0 + password + pass_salt */
+ 	md5data[0] = 0;
+-	strncpy(md5data + 1, password, 82);
+-	md5data[83] = '\0';
+-	memcpy(md5data + 1 + strlen(password), encryptionkey, 16);
++	memcpy(md5data + 1, password, act_pass_len);
++	/* in case that password is long, calculate only using the used-up parts */
++	memcpy(md5data + 1 + act_pass_len, pass_salt, 16);
+ 
+ 	/* Generate md5 sum of md5data with a leading 0 */
+ 	md5_init();
+-	md5_append(, (const md5_byte_t *)md5data, strlen(password) + 17);
++	md5_append(, (const md5_byte_t *)md5data, 1 + act_pass_len + 16);
+ 	md5_finish(, (md5_byte_t *)md5sum + 1);
+ 	md5sum[0] = 0;
+ 
+@@ -279,9 +282,9 @@
+ 
+ 		while (success) {
+ 
+-			/* If we receive encryptionkey, transmit auth data back */
++			/* If we receive pass_salt, transmit auth data back */
+ 			if (cpkt.cptype == MT_CPTYPE_ENCRYPTIONKEY) {
+-memcpy(encryptionkey, cpkt.data, cpkt.length);
++memcpy(pass_salt, cpkt.data, 16);
+ send_auth(username, password);
+ 			}
+ 
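Review bot: In the last mactelnet.c hunk, `memcpy(pass_salt, cpkt.data, 16);` bounds the write into the 16-byte `pass_salt` but never looks at `cpkt.length`, so an MT_CPTYPE_ENCRYPTIONKEY packet that carries fewer than 16 bytes still has 16 bytes read from `cpkt.data`, and whatever follows the short field ends up in the salt. Suggest checking `cpkt.length` against 16 before the copy and skipping `send_auth` when it does not match. In the second hunk, `strnlen(password, 82)` silently hashes only the first 82 bytes of a longer password; that keeps `1 + act_pass_len + 16` within `md5data[100]`, but the limit deserves a comment or an explicit error, and the literals 82 and 16 would be safer as named constants or `sizeof` expressions tied to the buffers they protect.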
diff -Nru mactelnet-0.4.0/debian/patches/series mactelnet-0.4.0/debian/patches/series
--- mactelnet-0.4.0/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ mactelnet-0.4.0/debian/patches/series	2016-09-10 23:49:03.0 +0200
@@ -0,0 +1 @@
+CVE-2016-7115.patch