Bug#924965: libssh2: diff for NMU version 1.8.0-2.1

2019-04-02 Thread Salvatore Bonaccorso
Hi Mikhail,

On Tue, Apr 02, 2019 at 11:47:25PM +0300, Mikhail Gusarov wrote:
> Dear Salvatore,
> 
> On 2 Apr 2019, at 23:01, Salvatore Bonaccorso wrote:
> 
> > I've prepared an NMU for libssh2 (versioned as 1.8.0-2.1) and
> > uploaded it to DELAYED/5. Please feel free to tell me if I
> > should delay it longer.
> 
> I'm awfully busy at the moment outside of Debian, no need to delay
> it further.

Ack, thanks. I have just rescheduled it, then.

Regards,
Salvatore



Bug#924965: libssh2: diff for NMU version 1.8.0-2.1

2019-04-02 Thread Mikhail Gusarov
Dear Salvatore,

On 2 Apr 2019, at 23:01, Salvatore Bonaccorso wrote:

> I've prepared an NMU for libssh2 (versioned as 1.8.0-2.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.

I'm awfully busy at the moment outside of Debian, no need to delay it further.

Best,
Mikhail.



Bug#924965: libssh2: diff for NMU version 1.8.0-2.1

2019-04-02 Thread Salvatore Bonaccorso
Control: tags 924965 + pending


Dear maintainer,

I've prepared an NMU for libssh2 (versioned as 1.8.0-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru libssh2-1.8.0/debian/changelog libssh2-1.8.0/debian/changelog
--- libssh2-1.8.0/debian/changelog	2018-06-23 21:45:38.0 +0200
+++ libssh2-1.8.0/debian/changelog	2019-03-31 16:06:20.0 +0200
@@ -1,3 +1,29 @@
+libssh2 (1.8.0-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Possible integer overflow in transport read allows out-of-bounds write
+(CVE-2019-3855) (Closes: #924965)
+  * Possible integer overflow in keyboard interactive handling allows
+out-of-bounds write (CVE-2019-3856) (Closes: #924965)
+  * Possible integer overflow leading to zero-byte allocation and
+out-of-bounds write (CVE-2019-3857) (Closes: #924965)
+  * Possible zero-byte allocation leading to an out-of-bounds read
+(CVE-2019-3858) (Closes: #924965)
+  * Out-of-bounds reads with specially crafted payloads due to unchecked use
+of _libssh2_packet_require and _libssh2_packet_requirev (CVE-2019-3859)
+(Closes: #924965)
+  * Out-of-bounds reads with specially crafted SFTP packets (CVE-2019-3860)
+(Closes: #924965)
+  * Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
+(Closes: #924965)
+  * Out-of-bounds memory comparison (CVE-2019-3862) (Closes: #924965)
+  * Integer overflow in user authenicate keyboard interactive allows
+out-of-bounds writes (CVE-2019-3863) (Closes: #924965)
+  * Fixed misapplied patch for user auth.
+  * moved MAX size declarations
+
+ -- Salvatore Bonaccorso   Sun, 31 Mar 2019 16:06:20 +0200
+
 libssh2 (1.8.0-2) unstable; urgency=low
 
   * Add missing zlib1g-dev dependency (Closes: #900558).
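Review bot: typo in the CVE-2019-3863 entry, "user authenicate keyboard interactive" should read "user authenticate keyboard interactive" (or simply "userauth keyboard-interactive", matching the function name in the patches). The last two entries, "Fixed misapplied patch for user auth." and "moved MAX size declarations", are not tied to any CVE or patch file; naming the debian/patches file that was corrected would keep the changelog traceable for the security tracker, and the second entry should be capitalised and end with a period like the others.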
diff -Nru libssh2-1.8.0/debian/patches/CVE-2019-3855.patch libssh2-1.8.0/debian/patches/CVE-2019-3855.patch
--- libssh2-1.8.0/debian/patches/CVE-2019-3855.patch	1970-01-01 01:00:00.0 +0100
+++ libssh2-1.8.0/debian/patches/CVE-2019-3855.patch	2019-03-31 16:06:20.0 +0200
@@ -0,0 +1,22 @@
+Description: Possible integer overflow in transport read allows out-of-bounds write
+Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
+Bug-Debian: https://bugs.debian.org/924965
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3855
+Forwarded: not-needed
+Last-Update: 2019-03-30
+
+--- a/src/transport.c
 b/src/transport.c
+@@ -438,6 +438,12 @@ int _libssh2_transport_read(LIBSSH2_SESS
+ return LIBSSH2_ERROR_DECRYPT;
+ 
+ p->padding_length = block[4];
++if(p->packet_length < 1) {
++return LIBSSH2_ERROR_DECRYPT;
++}
++else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
++return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
++}
+ 
+ /* total_num is the number of bytes following the initial
+(5 bytes) packet length and padding length fields */
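Review bot: the embedded patch's file header looks damaged: the line following `+--- a/src/transport.c` reads ` b/src/transport.c`, without the `+++` marker the `---` line has, so quilt would refuse to apply it; verify that the file in the source package is intact (the same defect shows in CVE-2019-3856.patch). On the check itself, rejecting `p->packet_length < 1` with LIBSSH2_ERROR_DECRYPT and values above LIBSSH2_PACKET_MAXPAYLOAD with LIBSSH2_ERROR_OUT_OF_BOUNDARY is sound, but `p->padding_length`, read from block[4] on the line just above, is not bounded against `packet_length` in this hunk; it is worth confirming that the total_num arithmetic that follows cannot underflow when padding_length is greater than or equal to packet_length.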
diff -Nru libssh2-1.8.0/debian/patches/CVE-2019-3856.patch libssh2-1.8.0/debian/patches/CVE-2019-3856.patch
--- libssh2-1.8.0/debian/patches/CVE-2019-3856.patch	1970-01-01 01:00:00.0 +0100
+++ libssh2-1.8.0/debian/patches/CVE-2019-3856.patch	2019-03-31 16:06:20.0 +0200
@@ -0,0 +1,23 @@
+Description: Possible integer overflow in keyboard interactive handling allows out-of-bounds write
+Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
+Bug-Debian: https://bugs.debian.org/924965
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3856
+Forwarded: not-needed
+Last-Update: 2019-03-30
+
+--- a/src/userauth.c
 b/src/userauth.c
+@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SE
+ /* int   num-prompts */
+ session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);
+ s += 4;
++if(session->userauth_kybd_num_prompts && 
++   session->userauth_kybd_num_prompts > 100) {
++   _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++  "Too many replies for "
++  "keyboard-interactive prompts");
++   goto cleanup;
++}
+ 
+ if(session->userauth_kybd_num_prompts) {
+ session->userauth_kybd_prompts =
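Review bot: the guard's first conjunct is redundant: `session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100` is equivalent to `session->userauth_kybd_num_prompts > 100`, since any value above 100 is already non-zero, and the simpler form reads more clearly. The limit 100 is a bare magic number, and the error text says "Too many replies" while the field being checked counts prompts received from the server, so a named constant and a message such as "Too many keyboard-interactive prompts" would be more accurate. There is trailing whitespace after `&&` on the first added line, which lintian may flag. The header line ` b/src/userauth.c` has lost its `+++` marker in the same way as the transport.c patch; check the file in the package.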
diff -Nru libssh2-1.8.0/debian/patches/CVE-2019-3857.patch libssh2-1.8.0/debian/patches/CVE-2019-3857.patch
--- libssh2-1.8.0/debian/patches/CVE-2019-3857.patch	1970-01-01 01:00:00.0 +0100
+++ libssh2-1.8.0/debian/patches/CVE-2019-3857.patch	2019-03-31 16:06:20.0 +0200
@@ -0,0 +1,48 @@
+Description: Possible integer overflow leading to zero-byte allocation and out-of-bounds write
+Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
+Bug-Debian: https://bugs.debian.org/924965
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3857