| Summary: | libssh2 new security issues CVE-2019-385[5-9] and CVE-2019-386[0-3] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK | ||
| Source RPM: | libssh2-1.7.0-2.mga6.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 1.8.1 | ||
Description
David Walser
2019-03-19 12:13:30 CET
David Walser
2019-03-19 12:13:43 CET
Whiteboard: (none) => MGA6TOO

libssh2-1.8.1-1.mga7 uploaded for Cauldron by David Geiger.

CC: (none) => geiger.david68210

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Marja Van Waes
2019-03-19 13:20:32 CET
Assignee: bugsquad => pkg-bugs

Hmmm! 5 patches don't apply properly! Better to go with 1.8.1 for mga6 too?

SUSE has issued an advisory for this today (March 19):
http://lists.suse.com/pipermail/sle-security-updates/2019-March/005203.html

So the patches should be backportable.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Possible integer overflow in transport read allows out-of-bounds write. (CVE-2019-3855)

Possible integer overflow in keyboard interactive handling allows out-of-bounds write. (CVE-2019-3856)

Possible integer overflow leading to zero-byte allocation and out-of-bounds write. (CVE-2019-3857)

Possible zero-byte allocation leading to an out-of-bounds read. (CVE-2019-3858)

Out-of-bounds reads with specially crafted payloads due to unchecked use of `_libssh2_packet_require` and `_libssh2_packet_requirev`. (CVE-2019-3859)

Out-of-bounds reads with specially crafted SFTP packets. (CVE-2019-3860)

Out-of-bounds reads with specially crafted SSH packets. (CVE-2019-3861)

Out-of-bounds memory comparison. (CVE-2019-3862)

Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes. (CVE-2019-3863)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863
https://www.openwall.com/lists/oss-security/2019/03/18/3
http://lists.suse.com/pipermail/sle-security-updates/2019-March/005203.html
========================

Updated packages in core/updates_testing:
========================
lib(64)ssh2_1-1.7.0-2.1.mga6
lib(64)ssh2-devel-1.7.0-2.1.mga6

from SRPMS:
libssh2-1.7.0-2.1.mga6.src.rpm

Status: NEW => ASSIGNED

MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.
Checked content of the libssh2. It just contains the libssh.so file, so it has nothing to do directly with the ssh server.

Checked at CLI:
# urpmq --whatrequires libssh2_1
aria2
aria2
and further mc

ssh server does not show on this list. So tried both commands from CLI as
$ strace -o libssh.txt mc
similar for aria, and both traces show calls to libssh2.so.1, and mc and aria work OK.

OK for me.

CC: (none) => herman.viaene

Non-devel library installs cleanly on 64-bit. Validating.
Suggested advisory in comment 5.

Keywords: (none) => validated_update
Dave Hodgins
2019-04-10 21:40:12 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0139.html

Status: ASSIGNED => RESOLVED

For additional reference, Debian has issued an advisory for this on April 13:
https://www.debian.org/security/2019/dsa-4431