Bug 14957

Summary: libssh new security issue CVE-2014-8132
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/628526/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: libssh-0.5.5-2.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-05 23:24:34 CET 
Fedora has issued an advisory on December 20:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147464.html

The issue is fixed upstream in 0.6.4:
http://www.libssh.org/2014/12/19/libssh-0-6-4-security-and-bugfix-release/

Updated package committed to Cauldron SVN.  Freeze push requested.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated libssh packages fix security vulnerability:

Double free vulnerability in the ssh_packet_kexinit function in kex.c in
libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial
of service via a crafted kexinit packet (CVE-2014-8132).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8132
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147464.html
========================

Updated packages in core/updates_testing:
========================
libssh4-0.5.5-2.2.mga4
libssh-devel-0.5.5-2.2.mga4

from libssh-0.5.5-2.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Herman Viaene 2015-01-06 10:15:52 CET 
MGA4-64 on HP Probook 6555b KDE.
No ijnstallation issues. As per bug 12942, I checked that I can stop/start sshd succesfully.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK

Comment 2 Herman Viaene 2015-01-06 10:31:19 CET 
MGA4-32 on Acer D620 Xfce.
Same result as Comment 1.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA-32-OK

Comment 3 David Walser 2015-01-06 15:50:14 CET 
Not so fast.  sshd has nothing to do with this.

$ urpmq --whatrequires libssh4 | uniq
hydra
kdebase4-runtime
libssh-devel
libssh4
remmina
remmina-plugins-nx
sshtrix
x2goclient
x2goclient-mozilla-plugin
xbmc

I believe Claire tested hydra last time we updated this.

Whiteboard: MGA4-64-OK MGA-32-OK => (none)

Comment 4 claire robinson 2015-01-06 16:17:17 CET 
https://bugs.mageia.org/show_bug.cgi?id=8880#c2
Comment 5 Herman Viaene 2015-01-06 16:20:23 CET 
David, I believe you. So, bug 12942 Comment 1 set me on the wrong foot??
Comment 6 Herman Viaene 2015-01-08 10:32:51 CET 
MGA4-64 on HP Probook 6555b KDE
No installation issues.
Used hydra to test:
strace -o hydra hydra -l tester -p tester ssh://localhost
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-08 10:28:35
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-01-08 10:28:35
strace confirms that libssh.so.4 is used.

Whiteboard: (none) => MGA4-64-OK

Comment 7 Herman Viaene 2015-01-08 10:39:14 CET 
MGA4-32 on AcerD620.
Same results as Comment 6.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 8 claire robinson 2015-01-08 13:18:47 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-01-08 13:36:49 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0014.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED