Bug 1298746 (CVE-2016-1907)

Summary: CVE-2016-1907 openssh: out-of-bounds read in packet handling code
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, jjelen, mattias.ellert, sardella, security-response-team, slawomir
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: openssh 7.1p2
Doc Type: Bug Fix
Last Closed: 2016-01-15 09:19:38 UTC
Bug Depends On: 1298840, 1298841
Bug Blocks: 1298744

Description Tomas Hoger 2016-01-14 22:19:14 UTC
OpenSSH 7.1p2 release notes mention the following security fix:

 * SECURITY: Fix an out of-bound read access in the packet handling
   code. Reported by Ben Hawkes.

http://www.openssh.com/txt/release-7.1p2

Related upstream commit is:

https://anongit.mindrot.org/openssh.git/commit/?id=d77148e3a3ef6c29b26ec74331455394581aa257

Comment 1 Jakub Jelen 2016-01-15 08:17:57 UTC
For the record, this bug was introduced by upstream commit in openssh-6.8:
https://anongit.mindrot.org/openssh.git/commit/packet.c?id=091c302829210c41e7f57c3f094c7b9c054306f0

The function packet_disconnect() (terminating the connection and exiting) was replaced by sshpkt_disconnect(), which only sends a disconnect message but does not terminate execution. This might lead to operations on a buffer of the wrong size.

This does not affect any released version of RHEL.
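As an added illustration of the pattern described in this comment (constructed code, not OpenSSH's own), the C below pairs a disconnect helper that merely queues the message and returns 0 with a length check that falls through after it, and the hardened form that returns an error instead; queue_disconnect(), packet_len_vulnerable(), packet_len_fixed() and PACKET_MAX_SIZE are assumed names.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed example, not OpenSSH's code. It models the pattern from
 * comment 1: the disconnect helper only queues a DISCONNECT message and
 * returns 0 on success, so the caller has to return on its own. */
#define PACKET_MAX_SIZE 256
#define ERR_CONN_CORRUPT (-1)

/* Hypothetical stand-in for sshpkt_disconnect(): returns 0 once the
 * message is queued; unlike the old packet_disconnect() it never exits. */
static int queue_disconnect(const char *reason) {
    (void)reason;
    return 0;
}

static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* Vulnerable pattern. Both parsers read a 4-byte big-endian length and
 * return the value the caller would trust for later buffer operations,
 * or a negative error. Here, when queue_disconnect() succeeds (r == 0),
 * control falls through and the oversized length is handed back. */
int64_t packet_len_vulnerable(const unsigned char *buf, size_t buflen) {
    int r;
    if (buflen < 4)
        return ERR_CONN_CORRUPT;
    uint32_t packlen = get_u32(buf);
    if (packlen > PACKET_MAX_SIZE) {
        if ((r = queue_disconnect("Bad packet length")) != 0)
            return r;
        /* BUG: no return here; execution continues with packlen */
    }
    return (int64_t)packlen;
}

/* Hardened pattern: after the disconnect is queued, fail unconditionally
 * so the oversized length never reaches the buffer code. */
int64_t packet_len_fixed(const unsigned char *buf, size_t buflen) {
    int r;
    if (buflen < 4)
        return ERR_CONN_CORRUPT;
    uint32_t packlen = get_u32(buf);
    if (packlen > PACKET_MAX_SIZE) {
        if ((r = queue_disconnect("Bad packet length")) != 0)
            return r;
        return ERR_CONN_CORRUPT;
    }
    return (int64_t)packlen;
}
```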

Comment 2 Tomas Hoger 2016-01-15 09:09:09 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1298840]

Comment 3 Tomas Hoger 2016-01-15 09:09:15 UTC
Created gsi-openssh tracking bugs for this issue:

Affects: fedora-all [bug 1298841]

Comment 4 Tomas Hoger 2016-01-15 09:19:38 UTC
Only OpenSSH versions 6.8 - 7.1 were affected by this issue. Therefore, openssh packages in Red Hat Enterprise Linux 7 and earlier were not affected by this issue.

Comment 5 Tomas Hoger 2016-01-15 19:37:12 UTC
CVE-2016-1907 was assigned to this issue:

http://seclists.org/oss-sec/2016/q1/112

Comment 6 Fedora Update System 2016-01-17 18:50:14 UTC
openssh-6.9p1-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-01-29 00:21:43 UTC
gsi-openssh-7.1p2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-02-01 06:32:29 UTC
gsi-openssh-6.9p1-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.