Package: pam-ssh-agent-auth
Version: 0.10.3-3
Severity: important
Tags: patch
User: [email protected]
Usertags: origin-ubuntu focal ubuntu-patch
*** /tmp/tmpUqD4LH/bug_body

The pam module segfaults when being used with ECDSA keys. Please see the following downstream bug for a detailed reproducer:

https://bugs.launchpad.net/bugs/1869512

In Ubuntu, the attached patch was applied to achieve the following:

  * Fix segfault when using ECDSA keys (LP: #1869512)
    - debian/patches/lp1869512.patch: properly initialize memory in ssh-ecdsa.c.

Thanks for considering the patch.

-- System Information:
Debian Release: buster/sid
  APT prefers bionic-updates
  APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500, 'bionic'), (100, 'bionic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-91-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru pam-ssh-agent-auth-0.10.3/debian/patches/lp1869512.patch pam-ssh-agent-auth-0.10.3/debian/patches/lp1869512.patch --- pam-ssh-agent-auth-0.10.3/debian/patches/lp1869512.patch 1969-12-31 19:00:00.000000000 -0500 +++ pam-ssh-agent-auth-0.10.3/debian/patches/lp1869512.patch 2020-04-10 12:48:24.000000000 -0400 
@@ -0,0 +1,46 @@ +Description: fix segfault when using ECDSA keys. +Author: Marc Deslauriers <[email protected]> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1869512 + +--- a/ssh-ecdsa.c ++++ b/ssh-ecdsa.c +@@ -111,7 +111,7 @@ ssh_ecdsa_verify(const Key *key, const u + int rlen, ret; + Buffer b; + #if OPENSSL_VERSION_NUMBER >= 0x10100005L +- BIGNUM *r, *s; ++ BIGNUM *r = NULL, *s = NULL; + #endif + + if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) { +@@ -137,20 +137,27 @@ ssh_ecdsa_verify(const Key *key, const u + + /* parse signature */ + if ((sig = ECDSA_SIG_new()) == NULL) +- pamsshagentauth_fatal("ssh_ecdsa_verify: DSA_SIG_new failed"); ++ pamsshagentauth_fatal("ssh_ecdsa_verify: ECDSA_SIG_new failed"); + + pamsshagentauth_buffer_init(&b); + pamsshagentauth_buffer_append(&b, sigblob, len); + #if OPENSSL_VERSION_NUMBER < 0x10100005L + if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) || + (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1)) ++ pamsshagentauth_fatal("ssh_ecdsa_verify:" ++ "pamsshagentauth_buffer_get_bignum2_ret failed"); + #else +- DSA_SIG_get0(sig, &r, &s); ++ if ((r = BN_new()) == NULL) ++ pamsshagentauth_fatal("ssh_ecdsa_verify: BN_new failed"); ++ if ((s = BN_new()) == NULL) ++ pamsshagentauth_fatal("ssh_ecdsa_verify: BN_new failed"); + if ((pamsshagentauth_buffer_get_bignum2_ret(&b, r) == -1) || + (pamsshagentauth_buffer_get_bignum2_ret(&b, s) == -1)) +-#endif + pamsshagentauth_fatal("ssh_ecdsa_verify:" + "pamsshagentauth_buffer_get_bignum2_ret failed"); ++ if (ECDSA_SIG_set0(sig, r, s) != 1) ++ pamsshagentauth_fatal("ssh_ecdsa_verify: ECDSA_SIG_set0 failed"); ++#endif + + /* clean up */ + memset(sigblob, 0, len); diff -Nru pam-ssh-agent-auth-0.10.3/debian/patches/series pam-ssh-agent-auth-0.10.3/debian/patches/series --- pam-ssh-agent-auth-0.10.3/debian/patches/series 2019-01-26 10:40:32.000000000 -0500 +++ pam-ssh-agent-auth-0.10.3/debian/patches/series 2020-04-10 12:48:24.000000000 -0400 
@@ -1,3 +1,4 @@ 0001-authfd.c-check-return-value-of-seteuid-2.patch openssl-1.1.1-1.patch openssl-1.1.1-2.patch +lp1869512.patch
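Review bot: the DEP-3 header at the top of lp1869512.patch gives only "fix segfault when using ECDSA keys" as its Description and does not name the cause that the second ssh-ecdsa.c hunk shows. The removed line `DSA_SIG_get0(sig, &r, &s);` used the DSA accessor on an ECDSA_SIG that had just come from ECDSA_SIG_new(), and since OpenSSL 1.1.0 a new ECDSA_SIG has no r and s allocated, so the following pamsshagentauth_buffer_get_bignum2_ret calls parsed into pointers that were not usable BIGNUMs. A sentence to that effect in the Description, plus a Forwarded field saying whether the fix was sent upstream, would help whoever next rebases the openssl-1.1.1 patches listed in the series file.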
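Review bot: in the ssh-ecdsa.c hunk at -137,20, the OpenSSL >= 1.1.0 branch passes r and s to ECDSA_SIG_set0, which makes sig the owner of both BIGNUMs, and nothing at that call says so. A one-line comment there (for example "sig now owns r and s; do not BN_free them") would keep a later cleanup change from freeing them a second time alongside sig. In the same hunk, the fatal call added for the older-OpenSSL branch copies the split string `"ssh_ecdsa_verify:" "pamsshagentauth_buffer_get_bignum2_ret failed"`, which concatenates with no space after the colon, unlike the other messages in the hunk; adding the space in both copies would make the log lines consistent. The two BN_new failure messages are also identical, so naming r and s in them would show which allocation failed.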

