Bug 1199511 - (CVE-2015-1782) CVE-2015-1782 libssh2: Using SSH_MSG_KEXINIT data unbounded
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://www.libssh2.org/adv_20150311.html
Whiteboard: impact=low,public=20150311,reported=2...
Keywords: Security
Depends On: 1226832
Blocks: 1210268 1225843
Reported: 2015-03-06 09:27 EST by Fabio Olive Leite
Modified: 2016-06-13 06:42 EDT
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the kex_agree_methods() function of libssh2 performed a key exchange when negotiating a new SSH session. A man-in-the-middle attacker could use a crafted SSH_MSG_KEXINIT packet to crash a connecting libssh2 client.
Last Closed: 2015-11-20 00:45:22 EST
External Trackers:
Red Hat Product Errata RHSA-2015:2140 (priority: normal, status: SHIPPED_LIVE) - Low: libssh2 security and bug fix update, last updated 2015-11-19 03:17:03 EST

Description Fabio Olive Leite 2015-03-06 09:27:32 EST
The following issue was reported as affecting libssh2:

When negotiating a new SSH session with a remote server, one of libssh2's functions for doing the key exchange (kex_agree_methods) was naively reading data from the incoming packet and using it without doing sufficient range checks. The SSH_MSG_KEXINIT packet arrives at libssh2 with a set of strings, sent as a series of LENGTH + DATA pairs. libssh2 would go through the list and read the LENGTH field, read the string following the LENGTH and then advance the pointer LENGTH bytes in memory and expect to find the next LENGTH + DATA pair there. It would then move on until seven subsequent strings are taken care of. It would naively assume that the (unsigned 32 bit) LENGTH fields were fine.

This packet arrives in the negotiating phase, so the remote server has not yet been deemed to be a known or trusted party.

A malicious attacker could man in the middle a real server and cause libssh2-using clients to crash (denial of service) or otherwise read and use completely unintended memory areas in this process.

There are no known exploits of this flaw at this time.
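Added example, not libssh2's code: a bounds-checked walk over the LENGTH + DATA pairs the description talks about, where every LENGTH is checked against the bytes remaining in the packet before the cursor advances. The struct, the helper names and the two constructed sample payloads are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* One parsed SSH name-list: a pointer into the packet plus its length. */
struct ssh_namelist { const unsigned char *data; uint32_t len; };

/* Read a big-endian uint32 (RFC 4251 "uint32"). Caller guarantees 4 bytes. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Walk `count` consecutive LENGTH + DATA pairs starting at `s`, never
 * reading past `s + slen`. Returns the number of bytes consumed, or 0 if
 * any LENGTH field would run off the end of the packet. Each length is
 * compared with the *remaining* bytes before the cursor moves, so a huge
 * LENGTH cannot push the pointer out of the buffer (the unchecked advance
 * is the flaw described above). Invariant: off <= slen at every step.
 */
size_t parse_namelists(const unsigned char *s, size_t slen, unsigned count,
                       struct ssh_namelist *out)
{
    size_t off = 0;
    for (unsigned i = 0; i < count; i++) {
        if (slen - off < 4)              /* not even room for the LENGTH */
            return 0;
        uint32_t len = be32(s + off);
        off += 4;
        if (len > slen - off)            /* DATA would overrun the packet */
            return 0;
        out[i].data = s + off;
        out[i].len = len;
        off += len;
    }
    return off;
}

/* Constructed sample: two well-formed name-lists, "abc" and "de". */
static const unsigned char GOOD_PAYLOAD[] = { 0,0,0,3,'a','b','c', 0,0,0,2,'d','e' };
/* Constructed sample: second LENGTH (0xFFFFFFF0) points far past the end. */
static const unsigned char BAD_PAYLOAD[]  = { 0,0,0,3,'a','b','c', 0xFF,0xFF,0xFF,0xF0,'d','e' };

/* Wrappers so each case is a single call: bytes consumed, or 0 on rejection. */
size_t parse_good(void)      { struct ssh_namelist nl[2]; return parse_namelists(GOOD_PAYLOAD, sizeof GOOD_PAYLOAD, 2, nl); }
size_t parse_bad(void)       { struct ssh_namelist nl[2]; return parse_namelists(BAD_PAYLOAD, sizeof BAD_PAYLOAD, 2, nl); }
/* Same good bytes but a packet cut short after 5 bytes: DATA is incomplete. */
size_t parse_truncated(void) { struct ssh_namelist nl[1]; return parse_namelists(GOOD_PAYLOAD, 5, 1, nl); }
```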
Comment 2 Fabio Olive Leite 2015-03-06 09:43:09 EST
External References:

http://www.libssh2.org/adv_20150311.html
Comment 6 Kamil Dudka 2015-03-09 09:29:04 EDT
I am adding Paul Howarth to CC as he is the maintainer of libssh2 in Fedora.

Paul, could you please take this issue into consideration when updating to latest upstream in Fedora?

According to the above information, the fix for this issue is likely going to be included in the upcoming upstream release of libssh2.  Unfortunately, I am leaving for vacation today and will mostly be offline until March 18th.
Comment 7 Paul Howarth 2015-03-09 09:40:18 EDT
I believe the upcoming release is due this coming Wednesday, 11th March.

Assuming the fix for this is included, that should address rawhide, but what about older releases (and indeed F-22)? Bump to 1.5.0 or just add the patch to the existing 1.4.3 builds?

Hope you enjoy your vacation!
Comment 9 Kamil Dudka 2015-03-09 10:01:09 EDT
(In reply to Paul Howarth from comment #7)
> Assuming the fix for this is included, that should address rawhide, but what
> about older releases (and indeed F-22)? Bump to 1.5.0 or just add the patch
> to the existing 1.4.3 builds?

It is really up to you.  I am fine with both the solutions.

> Hope you enjoy your vacation!

Will do, thanks!
Comment 10 Paul Howarth 2015-03-09 10:04:27 EDT
I'll probably just bump them all up to 1.5.0 then to pull in all the bug fixes.
Comment 13 Paul Howarth 2015-03-11 07:55:27 EDT
Just submitted updates for F-20, F-21 and F-22 but bodhi refused to add references to either this bug or CVE-2015-1782, presumably because of the issue still being private in bugzilla?

https://admin.fedoraproject.org/updates/libssh2-1.5.0-1.fc22
https://admin.fedoraproject.org/updates/libssh2-1.5.0-1.fc21
https://admin.fedoraproject.org/updates/libssh2-1.5.0-1.fc20

The upstream advisory has now moved to http://www.libssh2.org/adv_20150311.html by the way.
Comment 14 Fedora Update System 2015-03-15 06:52:37 EDT
libssh2-1.5.0-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2015-03-19 14:43:56 EDT
libssh2-1.5.0-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2015-03-30 03:12:38 EDT
libssh2-1.5.0-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 errata-xmlrpc 2015-11-19 00:21:06 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2140 https://rhn.redhat.com/errata/RHSA-2015-2140.html
