Bug 1978810 (CVE-2021-3634)
Summary: | CVE-2021-3634 libssh: possible heap-based buffer overflow when rekeying | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | ansasaki, asn, bishop, caswilli, dblechte, devthomp, dfediuck, djuran, eedri, elima, erik-fedora, fidencio, fjansen, jjelen, jnakfour, kaycoth, kdudka, marcandre.lureau, mgoldboi, michal.skrivanek, mike, mperina, mpitt, negativo17, paul, psegedy, rdieter, redhat-bugzilla, rjones, sahana, sbonazzo, security-response-team, sherold, vmugicag, yturgema |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | libssh 0.9.6 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw has been found in libssh. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-08-26 13:34:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1994600, 1994605, 1994607, 1998135, 1998136, 1998137, 1998139, 1998140 | ||
Bug Blocks: | 1976967, 1978811 |
Description
Guilherme de Almeida Suckevicz
2021-07-02 19:54:56 UTC
Created libssh tracking bugs for this issue: Affects: epel-7 [bug 1998139] Affects: fedora-all [bug 1998135] Created libssh2 tracking bugs for this issue: Affects: epel-8 [bug 1998140] Affects: fedora-all [bug 1998136] Created mingw-libssh2 tracking bugs for this issue: Affects: fedora-all [bug 1998137] Embargo lifted, patch attached, analysis has been completed resolving.. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:2031 https://access.redhat.com/errata/RHSA-2022:2031 |