Bug 1489733 - libssh2 sends uninitialized memory over SCP in SSH_MSG_CHANNEL_REQUEST
Summary: libssh2 sends uninitialized memory over SCP in SSH_MSG_CHANNEL_REQUEST
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libssh2
Version: 7.4
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Kamil Dudka
QA Contact: Radka Brychtova
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On: 1489736
Blocks: 1420851 1442779 1549617 1549689 1551061
 
Reported: 2017-09-08 08:47 UTC by Stepan Broz
Modified: 2021-12-10 15:15 UTC
CC List: 7 users

Fixed In Version: libssh2-1.4.3-12.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1489736
Environment:
Last Closed: 2018-10-30 10:40:14 UTC
Target Upstream Version:
Embargoed:


Attachments
Suggested patch (deleted), 2017-09-08 08:47 UTC, Stepan Broz, no flags


Links
System                             ID              Private  Priority  Status  Summary  Last Updated
Red Hat Knowledge Base (Solution)  3480791         0        None      None    None     2018-06-07 18:38:47 UTC
Red Hat Product Errata             RHBA-2018:3156  0        None      None    None     2018-10-30 10:40:29 UTC

Description Stepan Broz 2017-09-08 08:47:27 UTC
Description of the problem:

When doing SCP transfers using the libssh2 client (e.g. curl), libssh2 generates a command to be sent in SSH_MSG_CHANNEL_REQUEST (exec request) based on a path received as user input, adds quotes around the path, and the scp command and its options. However, the memory used for the command string was not initialized, and uninitialized memory is sent over the secure channel. This may potentially leak some private information to the SCP/SSH remote server, and the unexpected bytes after the terminating quote 

There is an upstream fix for that in libssh2-1.8.0, libssh2 GitHub commits: 

https://github.com/libssh2/libssh2/commit/b99204f2896b0cdafa3ecc0736f0252ce44c32c7#diff-692a9f59c318be98d982afb140caade9

and 

https://github.com/libssh2/libssh2/commit/1e7988cb0d8dae32148b04dd93e919a770599f30#diff-692a9f59c318be98d982afb140caade9

There is also an upstream fix improving the command length calculation, it seems: 

https://github.com/libssh2/libssh2/commit/3d3347c0625ce29b5581a0aa45e6e3be580769f1#diff-692a9f59c318be98d982afb140caade9

However, none of the above patches actually fixes the unexpected bytes in the command itself completely. The libssh2 library now appends a null terminating character at the end, and some SCP/SSH server implementations (e.g. BrickFTP) fail on that, so libssh2 clients cannot be used to do SCP transfers with them.

According to the RFC 4251 definition of a string, null terminating characters are not used:

https://tools.ietf.org/html/rfc4251#section-9.5

I suggest a patch where the command length will not be increased by 1 after appending a terminating char, and therefore the terminating null char will not be transferred. Please consider the necessity of the terminating null in general.


Version-Release number of selected component (if applicable):

Detected in libssh2-1.4.3-10.el7_2.1 (uninitialized memory)
Not fixed completely in libssh2-1.8.0-2.fc26 (null terminating char)

How reproducible:

The uninitialized memory and null terminating chars are visible when doing SCP transfers using libssh2 built with --enable-debug, and a version of curl that uses the libssh2 debug function (a commented-out define in ssh.c).

Steps to Reproduce:

1. Build libssh2 with --enable-debug, build curl and libcurl with the line "#define CURL_LIBSSH2_DEBUG" uncommented in lib/ssh.c.
2. Use "curl --insecure -v -u user -T hello.txt scp://serverhostname/~/hello2.txt" to do an SCP upload.
3. Inspect the debug output.

Actual results:

Look for the exec request before encrypting:

[libssh2] 0.754346 Conn: starting request(exec) on channel 0/0, message=scp -t 'hello2.txt'
=> libssh2_transport_write plain (18 bytes)
0000: 62 00 00 00 00 00 00 00  04 65 78 65 63 01 00 00 : b........exec...
0010: 00 28                                            : .(
=> libssh2_transport_write plain2 (40 bytes)
0000: 73 63 70 20 2D 74 20 27  68 65 6C 6C 6F 32 2E 74 : scp -t 'hello2.t
0010: 78 74 27 00 6E 65 63 74  69 6F 6E 00 00 00 04 00 : xt'.nection.....
0020: 30 00 00 00 00 00 00 00                          : 0.......
[libssh2] 0.754375 Socket: Sent 100/100 bytes at 0xcc68c0

See the remains of a previous string appended after the scp -t 'hello2.txt' command?

Expected results:

The last byte of the command shall be the terminating single quote, not even a null byte.

Additional info:

To verify the upload/download functionality with e.g. the BrickFTP service, you can set up a 30-day trial account. The BrickFTP SCP/SFTP server fails on SCP download/upload with curl/libssh2.

Fedora 26 and latest git have only the "null termination char" part of this bug.
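
The following Python script is an added example; it is not part of the bug report and not libssh2 code. It decodes the exec request from the debug dump in the description using the RFC 4251 length-prefixed string encoding (SSH_MSG_CHANNEL_REQUEST layout per RFC 4254 section 6.5), isolates the 21 bytes that the 0x28 length field carries past the closing single quote, and then rebuilds the same request the way the reporter asks for: the length field covers exactly the formatted command and no NUL byte is placed on the wire. The `scp -t '<path>'` format is taken from the dump; `shell_quotearg`, `scp_send_command`, `build_exec_request` and `leaked_suffix` are illustrative helpers written for this example, not libssh2's functions.

```python
"""Decode the libssh2 exec request captured in the bug and rebuild it correctly."""
import struct

SSH_MSG_CHANNEL_REQUEST = 98  # 0x62, RFC 4254 section 6.5

# Reproduced from the --enable-debug dump in the description: the 18-byte
# SSH_MSG_CHANNEL_REQUEST header, then the 40-byte "command" string as sent.
CAPTURED_HEADER = bytes.fromhex(
    "62 00 00 00 00 00 00 00 04 65 78 65 63 01 00 00 00 28"
)
CAPTURED_COMMAND = bytes.fromhex(
    "73 63 70 20 2D 74 20 27 68 65 6C 6C 6F 32 2E 74"
    "78 74 27 00 6E 65 63 74 69 6F 6E 00 00 00 04 00"
    "30 00 00 00 00 00 00 00"
)


def read_string(buf, off):
    """RFC 4251 section 5 'string': uint32 big-endian length, then exactly that
    many bytes. There is no terminator; a NUL is just one more data byte."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length at offset %d" % off)
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length %d runs past end of packet" % n)
    return buf[off:off + n], off + n


def put_string(data):
    """Encode bytes as an RFC 4251 string."""
    return struct.pack(">I", len(data)) + data


def parse_exec_request(payload):
    """Decode SSH_MSG_CHANNEL_REQUEST; rejects non-'exec' requests and any
    bytes left over after the command string."""
    if not payload or payload[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not an SSH_MSG_CHANNEL_REQUEST")
    (channel,) = struct.unpack_from(">I", payload, 1)
    req_type, off = read_string(payload, 5)
    if req_type != b"exec":
        raise ValueError("unexpected request type %r" % req_type)
    if off >= len(payload):
        raise ValueError("missing want_reply byte")
    want_reply = payload[off] != 0
    command, off = read_string(payload, off + 1)
    if off != len(payload):
        raise ValueError("%d trailing bytes after request" % (len(payload) - off))
    return {"channel": channel, "want_reply": want_reply, "command": command}


def leaked_suffix(command):
    """Everything from the first NUL onward. A command handed to the remote
    shell never legitimately contains NUL, so such a tail is either the stray
    terminator (libssh2 1.8.0) or stale heap contents (libssh2 1.4.3)."""
    i = command.find(b"\x00")
    return b"" if i < 0 else command[i:]


def shell_quotearg(path):
    """Single-quote a path for a POSIX shell; an embedded ' becomes '\\''.
    Illustrative helper (assumption), not libssh2's shell_quotearg()."""
    return b"'" + path.replace(b"'", b"'\\''") + b"'"


def scp_send_command(path):
    """The 'scp -t <quoted path>' line for an SCP upload, as seen in the dump.
    Its length is the formatted length and nothing more."""
    return b"scp -t " + shell_quotearg(path)


def build_exec_request(channel, command, want_reply=True):
    """Encode the request as RFC 4254 describes: the command's length field
    covers exactly the command bytes, and no NUL is appended."""
    if b"\x00" in command:
        raise ValueError("refusing to put a NUL byte inside an exec command")
    return (bytes([SSH_MSG_CHANNEL_REQUEST])
            + struct.pack(">I", channel)
            + put_string(b"exec")
            + bytes([1 if want_reply else 0])
            + put_string(command))


if __name__ == "__main__":
    bad = parse_exec_request(CAPTURED_HEADER + CAPTURED_COMMAND)
    print("captured command length: %d, tail after the quote: %r"
          % (len(bad["command"]), leaked_suffix(bad["command"])))
    good = build_exec_request(0, scp_send_command(b"hello2.txt"))
    print("rebuilt command: %r" % parse_exec_request(good)["command"])
```

Run against the captured bytes, the parser accepts the packet as structurally valid SSH (the length field and the data agree), which is exactly why the server receives the leak: the protocol has no way to distinguish the 19 intended bytes from the 21 that follow them, and only the NUL gives the excess away.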

Comment 32 errata-xmlrpc 2018-10-30 10:40:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3156

