Red Hat Bugzilla – Bug 1059052
CVE-2014-1692 openssh: uninitialized variable use in J-PAKE implementation
Last modified: 2015-01-04 17:38:24 EST
Mark Dowd reported uninitialized variable use in the shnorr_hash() function in OpenSSH. The J-PAKE implementation exposes this flaw. J-PAKE support is not enabled in the Red Hat Enterprise Linux and Fedora openssh packages. Upstream fix: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/schnorr.c.diff?r1=1.9;r2=1.10
Possible CVE request: http://www.openwall.com/lists/oss-security/2014/01/29/2
J-PAKE support in OpenSSH is experimental work-in-progress. It's not enabled in Red Hat Enterprise Linux and Fedora openssh packages. Statement: Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4, 5, or 6, as the code for J-PAKE support is not compiled into the Red Hat shipped binaries.
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-1692 to the following vulnerability: Name: CVE-2014-1692 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1692 Assigned: 20140129 Reference: http://openwall.com/lists/oss-security/2014/01/29/2 Reference: http://openwall.com/lists/oss-security/2014/01/29/10 Reference: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/Attic/schnorr.c.diff?r1=1.9;r2=1.10;f=h Reference: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/schnorr.c#rev1.10 The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition.