Bug 17494

Summary: openssh new security issues CVE-2016-0777 and CVE-2016-0778
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: dpremy, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/672071/
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: openssh-6.6p1-5.5.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-01-14 18:23:06 CET 
OpenSSH has released version 7.1p2 today (January 14):
http://www.openssh.com/txt/release-7.1p2

The main security issue it fixed is CVE-2016-0777, which is a bug in the roaming feature that can allow ssh private keys to be compromised.  There is also a minor bug with the roaming feature, CVE-2016-0778 (not specifically mentioned in the announcement), which is a buffer overflow.  The upstream fix for both of these is to completely disable this useless feature.

Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated openssh packages fix security vulnerability:

An information leak flaw was found in the way the OpenSSH client roaming
feature was implemented. A malicious server could potentially use this flaw to
leak portions of memory (possibly including private SSH keys) of a
successfully authenticated OpenSSH client (CVE-2016-0777).

A buffer overflow flaw was found in the way the OpenSSH client roaming feature
was implemented. A malicious server could potentially use this flaw to execute
arbitrary code on a successfully authenticated OpenSSH client if that client
used certain non-default configuration options (CVE-2016-0778).

The issue only affects OpenSSH clients making use of the ProxyCommand feature.
This update disables the roaming feature completely.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0777
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0778
http://www.openssh.com/security.html
========================

Updated packages in core/updates_testing:
========================
openssh-6.6p1-5.6.mga5
openssh-clients-6.6p1-5.6.mga5
openssh-server-6.6p1-5.6.mga5
openssh-askpass-common-6.6p1-5.6.mga5
openssh-askpass-6.6p1-5.6.mga5
openssh-askpass-gnome-6.6p1-5.6.mga5
openssh-ldap-6.6p1-5.6.mga5

from openssh-6.6p1-5.6.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2016-01-14 18:27:28 CET 
More information than you ever wanted about these issues:
http://openwall.com/lists/oss-security/2016/01/14/7
Comment 2 David Remy 2016-01-14 21:55:39 CET 
In Hyper-V on Windows 10, M5, x86_64

Package(s) under test:
openssh-clients openssh-server openssh

% sudo urpmi openssh-clients
Package openssh-clients-6.6p1-5.6.mga5.x86_64 is already installed

% sudo urpmi openssh-server
Package openssh-server-6.6p1-5.6.mga5.x86_64 is already installed

% sudo urpmi openssh
Package openssh-6.6p1-5.6.mga5.x86_64 is already installed

Tested ssh from this system to HP Networking hardware with no errors
Tested ssh from this system to various other patched and unpatched linux servers with no errors

Tested ssh to this system from patched and unpatched linux servers, putty and kitty with no errors

CC: (none) => dpremy

Comment 3 David Walser 2016-01-15 19:18:06 CET 
RedHat has issued an advisory for this on January 14:
https://rhn.redhat.com/errata/RHSA-2016-0043.html

Advisory:
========================

Updated openssh packages fix security vulnerability:

An information leak flaw was found in the way the OpenSSH client roaming
feature was implemented. A malicious server could potentially use this flaw to
leak portions of memory (possibly including private SSH keys) of a
successfully authenticated OpenSSH client (CVE-2016-0777).

A buffer overflow flaw was found in the way the OpenSSH client roaming feature
was implemented. A malicious server could potentially use this flaw to execute
arbitrary code on a successfully authenticated OpenSSH client if that client
used certain non-default configuration options (CVE-2016-0778).

The issue only affects OpenSSH clients making use of the ProxyCommand feature.
This update disables the roaming feature completely.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778
https://rhn.redhat.com/errata/RHSA-2016-0043.html
http://www.openssh.com/security.html

URL: (none) => http://lwn.net/Vulnerabilities/672071/

Comment 4 David Walser 2016-01-15 19:20:36 CET 
OK'ing this based on David's test and mine on i586.  I actually use a ProxyCommand and that's still working fine too.

Please validate and upload this update ASAP :o)

Whiteboard: (none) => MGA5-32-OK MGA5-64-OK

Comment 5 RĂ©mi Verschelde 2016-01-15 20:02:19 CET 
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-01-15 20:44:33 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0022.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED