Bug 1298746 - (CVE-2016-1907) CVE-2016-1907 openssh: out-of-bounds read in packet handling code
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20160114,repor...
: Security
Depends On: 1298840 1298841
Blocks: 1298744
Reported: 2016-01-14 17:19 EST by Tomas Hoger
Modified: 2016-02-01 01:32 EST
Fixed In Version: openssh 7.1p2
Doc Type: Bug Fix
Last Closed: 2016-01-15 04:19:38 EST
Description Tomas Hoger 2016-01-14 17:19:14 EST
OpenSSH 7.1p2 release notes mention the following security fix:

 * SECURITY: Fix an out of-bound read access in the packet handling
   code. Reported by Ben Hawkes.

http://www.openssh.com/txt/release-7.1p2

Related upstream commit is:

https://anongit.mindrot.org/openssh.git/commit/?id=d77148e3a3ef6c29b26ec74331455394581aa257
Comment 1 Jakub Jelen 2016-01-15 03:17:57 EST
For the record, this bug was introduced by an upstream commit in openssh-6.8:
https://anongit.mindrot.org/openssh.git/commit/packet.c?id=091c302829210c41e7f57c3f094c7b9c054306f0

The function packet_disconnect() (terminating the connection and exiting) was replaced by sshpkt_disconnect(), which only sends a disconnect message but does not terminate execution. This might lead to an operation on a buffer of the wrong size.

This does not affect any released version of RHEL.
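
The failure mode described in Comment 1, as an added example that is not part of the bug report and is not OpenSSH code: an error handler that used to exit is swapped for one that returns, and the caller keeps computing lengths from a field it has just rejected. The record layout ([pad_len][payload][padding]) and every identifier below are hypothetical, chosen only to show the flawed call site beside the corrected one.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model; every name here is hypothetical, none is OpenSSH's. */
enum { OK = 0, ERR_CORRUPT = -1 };

struct conn {
    const uint8_t *in;      /* received record: [pad_len][payload][padding] */
    size_t in_len;          /* number of valid bytes in `in` */
    int disconnect_sent;    /* set once the peer has been notified */
};

/* Mirrors the behaviour Comment 1 describes for the replacement function:
 * it queues a disconnect message and then returns to the caller. */
static void notify_disconnect(struct conn *c) { c->disconnect_sent = 1; }

/* Flawed: written as if the notify call never returned. After a failed
 * check the subtraction below wraps and *payload_len is far past in_len. */
int payload_span_flawed(struct conn *c, size_t *payload_len)
{
    size_t pad_len = c->in[0];
    if (pad_len > c->in_len - 1)
        notify_disconnect(c);               /* falls through */
    *payload_len = c->in_len - 1 - pad_len; /* unsigned wrap on bad input */
    return OK;
}

/* Fixed: the error path ends the function, so no length derived from
 * the rejected field ever reaches code that indexes the buffer. */
int payload_span_fixed(struct conn *c, size_t *payload_len)
{
    if (c->in_len < 1)
        return ERR_CORRUPT;
    size_t pad_len = c->in[0];
    if (pad_len > c->in_len - 1) {
        notify_disconnect(c);
        return ERR_CORRUPT;                 /* stop here */
    }
    *payload_len = c->in_len - 1 - pad_len;
    return OK;
}

/* Constructed input: 4 valid bytes whose pad_len field claims 200. */
const uint8_t SAMPLE[4] = { 200, 'a', 'b', 'c' };

int main(void) {
    struct conn c = { SAMPLE, sizeof SAMPLE, 0 }; size_t n = 0;
    return payload_span_fixed(&c, &n) == ERR_CORRUPT ? 0 : 1;
}
```

When reviewing a change that replaces an exiting helper with a returning one, every call site needs an explicit return on the error path; compiler attributes such as `noreturn` on the old helper are what let the original callers omit it.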
Comment 2 Tomas Hoger 2016-01-15 04:09:09 EST
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1298840]
Comment 3 Tomas Hoger 2016-01-15 04:09:15 EST
Created gsi-openssh tracking bugs for this issue:

Affects: fedora-all [bug 1298841]
Comment 4 Tomas Hoger 2016-01-15 04:19:38 EST
Only OpenSSH versions 6.8 - 7.1 were affected by this issue.  Therefore, openssh packages in Red Hat Enterprise Linux 7 and earlier were not affected by this issue.
Comment 5 Tomas Hoger 2016-01-15 14:37:12 EST
CVE-2016-1907 was assigned to this issue:

http://seclists.org/oss-sec/2016/q1/112
Comment 6 Fedora Update System 2016-01-17 13:50:14 EST
openssh-6.9p1-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-01-28 19:21:43 EST
gsi-openssh-7.1p2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-02-01 01:32:29 EST
gsi-openssh-6.9p1-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
