Bug 15861

Summary: libssh new security issue CVE-2015-3146
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/644038/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: libssh-0.5.5-2.2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-05-06 16:45:31 CEST 
Upstream has released version 0.6.5 on April 30, fixing a security issue:
https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/

They also made a patch available for 0.5.5.

Update checked into Cauldron SVN.  Freeze push requested.

Patch checked into Mageia 4 SVN.

Reproducible: 

Steps to Reproduce:
David Walser 2015-05-06 16:45:42 CEST

Blocks: (none) => 14674
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-05-06 21:01:32 CEST 
Patched package uploaded for Mageia 4.

Testing procedure (please note that openssh does *not* use this):
https://bugs.mageia.org/show_bug.cgi?id=8880#c2

Advisory:
========================

Updated libssh packages fix security vulnerability:

libssh versions 0.5.1 and above, but before 0.6.5, have a logical error in the
handling of a SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected
error did not set the session into the error state correctly and further
processed the packet which leads to a null pointer dereference. This is the
packet after the initial key exchange and doesnât require authentication.
This could be used for a Denial of Service (DoS) attack (CVE-2015-3146).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3146
https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/
========================

Updated packages in core/updates_testing:
========================
libssh4-0.5.5-2.3.mga4
libssh-devel-0.5.5-2.3.mga4

from libssh-0.5.5-2.3.mga4.src.rpm

Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 2 David Walser 2015-05-07 19:22:52 CEST 
kio_sftp also uses this (sftp:/ protocol in Konqueror).
Comment 3 David Walser 2015-05-08 16:31:19 CEST 
kio_sftp is really neat.  Very straightforward to use:
http://blog.cynapses.org/2009/07/24/kio_sftp-in-action/

Tested OK Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 4 Shlomi Fish 2015-05-11 15:16:26 CEST 
Tested OK Mageia 4 x86-64 using hydra and kio_sftp. Updating is fine.

CC: (none) => shlomif
Whiteboard: has_procedure MGA4-32-OK => MGA4-64-OK has_procedure MGA4-32-OK

Comment 5 claire robinson 2015-05-11 17:29:00 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-05-11 22:11:40 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0209.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-12 19:08:17 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644038/