Bug 1305971 (CVE-2016-0739) - CVE-2016-0739 libssh: bits/bytes confusion resulting in truncated Diffie-Hellman secret length
Summary: CVE-2016-0739 libssh: bits/bytes confusion resulting in truncated Diffie-Hel...
Alias: CVE-2016-0739
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1310046 1310047 1311259 1311260 1311276 1311277
Blocks: 1305973
Reported: 2016-02-09 17:23 UTC by Kurt Seifried
Modified: 2019-09-29 13:44 UTC

Fixed In Version: libssh 0.7.3
Doc Type: Bug Fix
Doc Text:
A bits/bytes confusion issue was found in the way libssh generated ephemeral secrets for the diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 key exchange methods: the secret was sized in bits where bytes were intended, so it was far shorter than the group requires. This caused an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.
Clone Of:
Last Closed: 2016-04-01 04:05:07 UTC

Attachments
libssh-CVE-2016-0739.patch (1.99 KB, patch)
2016-02-09 17:34 UTC, Kurt Seifried
CVE-2016-0739 advisory text (2.33 KB, text/plain)
2016-02-19 09:33 UTC, Andreas Schneider
Patch (1.85 KB, patch)
2016-02-22 11:40 UTC, Tomas Hoger

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0566 normal SHIPPED_LIVE Moderate: libssh security update 2016-04-01 03:20:27 UTC

Description Kurt Seifried 2016-02-09 17:23:43 UTC
Andreas Schneider of Red Hat reports:

Due to a byte/bit confusion, the DH secret was too short. This file was
completely reworked and will be committed in a future version.

This issue may be worked around by using other key exchange methods, such as
curve25519-sha256@libssh.org or ecdh-sha2-nistp256, neither of which is vulnerable.
By default, an unpatched libssh implementation will already attempt to use
these two more secure methods when supported by the other party.

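The following is an added example, not libssh's code or the attached patch, showing why a bits/bytes mix-up in the exponent size matters: the cost of recovering a Diffie-Hellman secret with a generic exponent-range attack depends on the length of x, not on the size of the group. It uses the 1024-bit MODP group from RFC 2409 section 6.2 (the group behind diffie-hellman-group1-sha1); the function names, the 1023-bit "fixed" size, the truncation heuristic and the 24-bit demonstration secret are my own assumptions and constructions. A 128-bit secret, as produced by the flaw, would need about 2^64 baby-step giant-step operations, which this script does not attempt; the demo shrinks the secret to 24 bits so the recovery runs in a fraction of a second.

```python
import secrets
from math import isqrt

# RFC 2409 section 6.2, "Second Oakley Group" (1024-bit MODP), generator 2.
# This is the group used by SSH's diffie-hellman-group1-sha1.
P_GROUP1 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2

# An ephemeral secret for a 1024-bit group should be about 1024 bits long,
# i.e. 128 bytes. The flawed call handed the byte count to an API that takes
# a bit count, so x came out 128 bits long.
INTENDED_BYTES = 128
BUGGY_X_BITS = INTENDED_BYTES   # what the unpatched code effectively asked for
FIXED_X_BITS = 1023             # assumption: modulus size less one bit


def generate_x(bits):
    """Random ephemeral secret of at most `bits` bits (stand-in for bignum_rand)."""
    return secrets.randbits(bits)


def secret_looks_truncated(x, modulus_bits):
    """Heuristic (my own) check of a generated exponent: a correctly sized x is
    about as long as the modulus, so anything under half that is a red flag."""
    return x.bit_length() < modulus_bits // 2


def bsgs(g, h, p, max_bits):
    """Return x in [0, 2**max_bits) with pow(g, x, p) == h, or None.

    Baby-step giant-step costs about 2**(max_bits / 2) group operations and
    does not care how large p is: a short exponent, not a small group, is
    what makes the discrete log cheap."""
    m = isqrt(1 << max_bits) + 1
    baby = {}
    cur = 1
    for j in range(m):                  # baby steps: g^j -> j
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)                # g^(-m) mod p (Python 3.8+)
    gamma = h
    for i in range(m):                  # giant steps: h * g^(-i*m)
        j = baby.get(gamma)
        if j is not None:
            return i * m + j
        gamma = gamma * step % p
    return None


def passive_attack(x_bits, x=None):
    """One DH exchange in the group above, watched by a passive attacker.

    The client uses a secret of x_bits bits, the server a full-size one.
    The attacker sees only e and f on the wire, recovers x from e with
    bsgs() and derives the same shared secret K as the two peers."""
    if x is None:
        x = generate_x(x_bits)
    y = generate_x(FIXED_X_BITS)
    e = pow(G, x, P_GROUP1)             # client -> server (KEXDH_INIT)
    f = pow(G, y, P_GROUP1)             # server -> client (KEXDH_REPLY)
    k_client = pow(f, x, P_GROUP1)
    k_server = pow(e, y, P_GROUP1)
    assert k_client == k_server
    x_recovered = bsgs(G, e, P_GROUP1, x_bits)
    k_attacker = None if x_recovered is None else pow(f, x_recovered, P_GROUP1)
    return {"x": x, "x_recovered": x_recovered, "k": k_client, "k_attacker": k_attacker}


if __name__ == "__main__":
    # Constructed 24-bit secret so the attack finishes quickly. The flaw's
    # 128-bit x would take roughly 2**64 steps; with a full-size x the
    # exponent-range shortcut no longer helps and the attacker is back to
    # attacking the 1024-bit field itself.
    result = passive_attack(24, x=0xA5C3E7)
    print("recovered x:", hex(result["x_recovered"]),
          "| session key recovered:", result["k_attacker"] == result["k"])
    print("128-bit x flagged as truncated:",
          secret_looks_truncated(generate_x(BUGGY_X_BITS), 1024))
```

The bsgs() routine is deliberately generic: feed it the 2048-bit group and the same 24-bit secret and it finishes just as fast, which is the whole point of the advisory's wording that the handshake used "significantly less secure random parameters" even though the group itself was unchanged.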
Comment 1 Kurt Seifried 2016-02-09 17:34:37 UTC
Created attachment 1122470
libssh-CVE-2016-0739.patch
Comment 2 Kurt Seifried 2016-02-09 17:35:26 UTC
The embargo is currently set for Feb 23rd, 2016 14:00 CET.

Comment 3 Andreas Schneider 2016-02-19 09:33:49 UTC
Created attachment 1128493
CVE-2016-0739 advisory text

Comment 8 Tomas Hoger 2016-02-22 11:40:46 UTC
Created attachment 1129246
Patch

The same patch as attached in comment 1, but with correct whitespace/indentation.

Comment 10 Stef Walter 2016-02-22 11:58:06 UTC
Tomas, thanks. That patch applies well.

Comment 13 Stef Walter 2016-02-22 12:33:19 UTC
I'm unsure how one would verify that the patch applied, but I see this in the build log:

+ echo 'Patch #1 (libssh-CVE-2016-0739.patch):'
Patch #1 (libssh-CVE-2016-0739.patch):
+ /usr/bin/cat /builddir/build/SOURCES/libssh-CVE-2016-0739.patch
+ /usr/bin/patch -p1 --fuzz=0
patching file src/dh.c

And I have checked that the patch file starts with:

From dc2eaa017fe77e53bd9f1d4327a480d9bfe6cc6a Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis <aris@0xbadc0de.be>
Date: Tue, 9 Feb 2016 15:09:27 +0100
Subject: [PATCH] dh: fix CVE-2016-0739

Due to a byte/bit confusion, the DH secret was too short. This file was
completely reworked and will be commited in a future version.

Comment 14 Andreas Schneider 2016-02-22 14:31:07 UTC
The only way to verify this is to build libssh with:


Then make an RSA connection using the libssh example client ./examples/samplessh. It will print x (the random secret bignum) on the command line.

Comment 15 Tomas Hoger 2016-02-23 18:16:02 UTC
Fixed upstream in version 0.7.3:


Comment 16 Tomas Hoger 2016-02-23 18:19:36 UTC
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1311259]
Affects: epel-all [bug 1311260]

Comment 17 Tomas Hoger 2016-02-23 18:21:54 UTC
External Reference:


Comment 19 Kurt Seifried 2016-02-23 19:38:49 UTC
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1311276]
Affects: epel-all [bug 1311277]

Comment 20 Martin Prpič 2016-02-24 10:00:54 UTC

Name: Aris Adamantiadis

Comment 21 errata-xmlrpc 2016-03-31 23:25:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2016:0566 https://rhn.redhat.com/errata/RHSA-2016-0566.html
