Bug 2182199 (CVE-2023-1667)

Summary: CVE-2023-1667 libssh: NULL pointer dereference during rekeying with algorithm guessing
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acrosby, ansasaki, askrabec, bdettelb, caswilli, dhalasz, fjansen, hkataria, jburrell, jjelen, jmitchel, jtanner, kaycoth, kshier, kyoshida, michal.skrivanek, micjohns, mperina, mpitt, npocs, psegedy, sbonazzo, security-response-team, sthirugn, tkasparek, tsasak, vkrizan, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libssh 0.10.5, libssh 0.9.7 Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-27 19:31:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2182202, 2182249, 2182250, 2182251, 2182252, 2189968, 2196098, 2196099    
Bug Blocks: 2182200    

Description Pedro Sampaio 2023-03-27 21:16:47 UTC 
In libssh before versions 0.10.5 and 0.9.7 a NULL pointer dereference during rekeying with algorithm guessing may lead to remote denial of service from authenticated clients.
Comment 5 Sandipan Roy 2023-05-08 04:46:20 UTC 
Created libssh tracking bugs for this issue:

Affects: epel-7 [bug 2196099]
Affects: fedora-all [bug 2196098]
Comment 6 Michal Skrivanek 2023-06-02 07:20:32 UTC 
There's no tracker for rhel-8.6.0.z, is it not getting fixed there? (see also https://bugzilla.redhat.com/show_bug.cgi?id=2182202#c5)
Comment 7 Jakub Jelen 2023-06-02 10:56:07 UTC 
Correct. No plans to fix this yet in 8.6.z.

This CVE affects SSH servers built with libssh. The client use in ansible is not affected, I believe.

https://www.libssh.org/2023/05/04/libssh-0-10-5-and-libssh-0-9-7-security-releases/
Comment 8 errata-xmlrpc 2023-06-27 14:57:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3839 https://access.redhat.com/errata/RHSA-2023:3839
Comment 9 Product Security DevOps Team 2023-06-27 19:31:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1667
Comment 10 errata-xmlrpc 2023-11-07 08:22:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6643 https://access.redhat.com/errata/RHSA-2023:6643
Comment 11 errata-xmlrpc 2024-01-29 08:20:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0538 https://access.redhat.com/errata/RHSA-2024:0538