Bug 1298746 (CVE-2016-1907) - CVE-2016-1907 openssh: out-of-bounds read in packet handling code
Summary: CVE-2016-1907 openssh: out-of-bounds read in packet handling code
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-1907
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1298840 1298841
Blocks: 1298744
TreeView+ depends on / blocked
 
Reported: 2016-01-14 22:19 UTC by Tomas Hoger
Modified: 2019-09-29 13:42 UTC (History)
6 users (show)

Fixed In Version: openssh 7.1p2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-15 09:19:38 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2016-01-14 22:19:14 UTC
OpenSSH 7.1p2 release notes mention the following security fix:

 * SECURITY: Fix an out of-bound read access in the packet handling
   code. Reported by Ben Hawkes.

http://www.openssh.com/txt/release-7.1p2

Related upstream commit is:

https://anongit.mindrot.org/openssh.git/commit/?id=d77148e3a3ef6c29b26ec74331455394581aa257

Comment 1 Jakub Jelen 2016-01-15 08:17:57 UTC
For the record, this bug was introduced by upstream commit in openssh-6.8:
https://anongit.mindrot.org/openssh.git/commit/packet.c?id=091c302829210c41e7f57c3f094c7b9c054306f0

The function packet_disconnect() (terminating connection and exiting) was replaced by sshpkt_disconnect() which only sends disconnect message, but does not terminate the execution. This might lead to operation on the buffer of wrong size.

This does not affect any released version of RHEL.

Comment 2 Tomas Hoger 2016-01-15 09:09:09 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 1298840]

Comment 3 Tomas Hoger 2016-01-15 09:09:15 UTC
Created gsi-openssh tracking bugs for this issue:

Affects: fedora-all [bug 1298841]

Comment 4 Tomas Hoger 2016-01-15 09:19:38 UTC
Only OpenSSH versions 6.8 - 7.1 were affected by this issue.  Therefore, openssh packages in Red Hat Enterprise Linux 7 and earlier were not affected by this issue.

Comment 5 Tomas Hoger 2016-01-15 19:37:12 UTC
CVE-2016-1907 was assigned to this issue:

http://seclists.org/oss-sec/2016/q1/112

Comment 6 Fedora Update System 2016-01-17 18:50:14 UTC
openssh-6.9p1-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-01-29 00:21:43 UTC
gsi-openssh-7.1p2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-02-01 06:32:29 UTC
gsi-openssh-6.9p1-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.