Bug 15470

Summary: libssh2 new security issue CVE-2015-1782
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/636262/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: libssh2-1.4.3-5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-03-11 15:08:10 CET 
Upstream has issued an advisory today (March 11):
http://www.libssh2.org/adv_20150311.html

Debian has issued an advisory for this today:
https://www.debian.org/security/2015/dsa-3182

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated libssh2 packages fix security vulnerability:

Mariusz Ziulek reported that libssh2, a SSH2 client-side library, was reading
and using the SSH_MSG_KEXINIT packet without doing sufficient range checks
when negotiating a new SSH session with a remote server. A malicious attacker
could man in the middle a real server and cause a client using the libssh2
library to crash (denial of service) or otherwise read and use unintended
memory areas in this process (CVE-2015-1782).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1782
http://www.libssh2.org/adv_20150311.html
https://www.debian.org/security/2015/dsa-3182
========================

Updated packages in core/updates_testing:
========================
libssh2_1-1.4.3-3.1.mga4
libssh2-devel-1.4.3-3.1.mga4

from libssh2-1.4.3-3.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-03-11 15:24:32 CET 
There is no known exploit for the vulnerability currently, thus no PoC.

You can test libssh2 via curl using the sftp protocol.

I used it to download a small text file from a remote machine, like this:

curl -u david -k sftp://192.168.0.4/~/foo.ldif

The -u option sets the remote user name you are connecting with.  The -k option is needed unless the remote machine's SSL certificate for the SSH service is signed by a recognized CA (hint, it's not, so you need this option).  The 192.168.0.4 is the remote machine (can be a hostname or IP), the ~ in the URL means the user's home directory, and foo.ldif is the example filename I used.

I verified that this does actually use libssh2 through strace, where I saw:
send(3, "SSH-2.0-libssh2_1.4.3\r\n", 23, MSG_NOSIGNAL) = 23

The curl command worked fine before and after the update.

Testing complete Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 2 Shlomi Fish 2015-03-11 17:03:35 CET 
Works fine on a Mageia 4 x86-64 VBox VM.

CC: (none) => shlomif
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

David Walser 2015-03-11 19:18:51 CET

URL: (none) => http://lwn.net/Vulnerabilities/636262/

Comment 3 claire robinson 2015-03-12 12:51:52 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-03-12 16:31:29 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0107.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED