Bug 15470 - libssh2 new security issue CVE-2015-1782
Summary: libssh2 new security issue CVE-2015-1782
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/636262/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-11 15:08 CET by David Walser
Modified: 2015-03-12 16:31 CET
CC: 2 users

See Also:
Source RPM: libssh2-1.4.3-5.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-03-11 15:08:10 CET
Upstream has issued an advisory today (March 11):
http://www.libssh2.org/adv_20150311.html

Debian has issued an advisory for this today:
https://www.debian.org/security/2015/dsa-3182

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated libssh2 packages fix security vulnerability:

Mariusz Ziulek reported that libssh2, an SSH2 client-side library, was reading
and using the SSH_MSG_KEXINIT packet without doing sufficient range checks
when negotiating a new SSH session with a remote server. A malicious attacker
could man-in-the-middle a real server and cause a client using the libssh2
library to crash (denial of service) or otherwise read and use unintended
memory areas in this process (CVE-2015-1782).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1782
http://www.libssh2.org/adv_20150311.html
https://www.debian.org/security/2015/dsa-3182
========================

Updated packages in core/updates_testing:
========================
libssh2_1-1.4.3-3.1.mga4
libssh2-devel-1.4.3-3.1.mga4

from libssh2-1.4.3-3.1.mga4.src.rpm

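The advisory above names the bug class rather than a specific exploit: a KEXINIT packet parsed without range checks on lengths supplied by the peer. The code below is an added illustration written for this page; it is not libssh2's parser and not a reproduction of the CVE-2015-1782 fix. It walks an SSH_MSG_KEXINIT payload in the layout of RFC 4253 section 7.1 (message type, 16-byte cookie, ten name-lists, a boolean, a reserved uint32), checking every length against the bytes actually remaining before advancing or copying. The sample packet, its algorithm lists and all function names are constructed for the example, and the two malformed variants (a name-list length of 0xFFFFFFFF, and a packet cut off mid-list) are the shapes of input such a check is meant to reject.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSH_MSG_KEXINIT 20      /* message number per RFC 4253 */
#define KEXINIT_NAMELISTS 10    /* kex, hostkey, 2x cipher, 2x mac, 2x comp, 2x lang */

/* Cursor over an untrusted buffer: every read is checked against what is left. */
struct cursor { const uint8_t *p; size_t left; };

static int get_u8(struct cursor *c, uint8_t *out) {
    if (c->left < 1) return -1;
    *out = c->p[0]; c->p += 1; c->left -= 1;
    return 0;
}

static int get_u32(struct cursor *c, uint32_t *out) {
    if (c->left < 4) return -1;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4; c->left -= 4;
    return 0;
}

/* SSH "string": uint32 length, then that many bytes.  The length is chosen by
 * the peer, so it is compared with the remaining bytes before it is used. */
static int get_string(struct cursor *c, const uint8_t **s, uint32_t *len) {
    uint32_t n;
    if (get_u32(c, &n) < 0) return -1;
    if (n > c->left) return -1;             /* the range check the bug class lacks */
    *s = c->p; *len = n;
    c->p += n; c->left -= n;
    return 0;
}

/* Walk a KEXINIT payload and copy the kex_algorithms name-list into kex_algs.
 * Returns 0 for a well-formed packet, -1 for anything truncated or oversized. */
int parse_kexinit(const uint8_t *pkt, size_t pktlen,
                  char *kex_algs, size_t kex_algs_sz) {
    struct cursor c = { pkt, pktlen };
    const uint8_t *s; uint32_t slen, reserved; uint8_t b; int i;

    if (get_u8(&c, &b) < 0 || b != SSH_MSG_KEXINIT) return -1;
    if (c.left < 16) return -1;                 /* 16-byte random cookie */
    c.p += 16; c.left -= 16;
    for (i = 0; i < KEXINIT_NAMELISTS; i++) {
        if (get_string(&c, &s, &slen) < 0) return -1;
        if (i == 0) {
            if (slen >= kex_algs_sz) return -1; /* refuse rather than truncate */
            memcpy(kex_algs, s, slen);
            kex_algs[slen] = '\0';
        }
    }
    if (get_u8(&c, &b) < 0) return -1;          /* first_kex_packet_follows */
    if (get_u32(&c, &reserved) < 0) return -1;  /* reserved field must be present */
    (void)reserved;
    return c.left == 0 ? 0 : -1;                /* no trailing bytes allowed */
}

/* --- constructed sample input for the example (not captured traffic) --- */

static size_t put_string(uint8_t *out, const char *s) {
    uint32_t n = (uint32_t)strlen(s);
    out[0] = (uint8_t)(n >> 24); out[1] = (uint8_t)(n >> 16);
    out[2] = (uint8_t)(n >> 8);  out[3] = (uint8_t)n;
    memcpy(out + 4, s, n);
    return 4 + n;
}

/* Build a minimal well-formed KEXINIT (about 150 bytes) into out; returns its length. */
size_t build_sample_kexinit(uint8_t *out) {
    static const char *lists[KEXINIT_NAMELISTS] = {
        "diffie-hellman-group14-sha1", "ssh-rsa", "aes128-ctr", "aes128-ctr",
        "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", "" };
    size_t n = 0; int i;
    out[n++] = SSH_MSG_KEXINIT;
    memset(out + n, 0x42, 16); n += 16;         /* fixed cookie for the example */
    for (i = 0; i < KEXINIT_NAMELISTS; i++) n += put_string(out + n, lists[i]);
    out[n++] = 0;                               /* first_kex_packet_follows = false */
    memset(out + n, 0, 4); n += 4;              /* reserved */
    return n;
}

/* Well-formed packet: accepted, and the kex list comes back intact. */
int demo_good(void) {
    uint8_t pkt[256]; char kex[64];
    size_t n = build_sample_kexinit(pkt);
    return parse_kexinit(pkt, n, kex, sizeof kex) == 0 &&
           strcmp(kex, "diffie-hellman-group14-sha1") == 0;
}

/* First name-list length overwritten with 0xFFFFFFFF: a length exceeding the
 * buffer, which a checked parser rejects instead of reading past the end. */
int demo_oversized_length(void) {
    uint8_t pkt[256]; char kex[64];
    size_t n = build_sample_kexinit(pkt);
    memset(pkt + 17, 0xFF, 4);                  /* byte 0 = type, bytes 1..16 = cookie */
    return parse_kexinit(pkt, n, kex, sizeof kex) == -1;
}

/* Packet cut off in the middle of a name-list: also rejected. */
int demo_truncated(void) {
    uint8_t pkt[256]; char kex[64];
    size_t n = build_sample_kexinit(pkt);
    return parse_kexinit(pkt, n - 20, kex, sizeof kex) == -1;
}
```

The single line that matters is the `n > c->left` comparison in get_string: with it, a hostile length only produces a clean parse failure; without it, the same length drives a memcpy or a cursor advance beyond the packet, which is the crash or unintended memory read the advisory describes.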
Comment 1 David Walser 2015-03-11 15:24:32 CET
There is no known exploit for the vulnerability currently, thus no PoC.

You can test libssh2 via curl using the sftp protocol.

I used it to download a small text file from a remote machine, like this:

curl -u david -k sftp://192.168.0.4/~/foo.ldif

The -u option sets the remote user name you are connecting with.  The -k option is needed unless the remote machine's SSL certificate for the SSH service is signed by a recognized CA (hint, it's not, so you need this option).  The 192.168.0.4 is the remote machine (can be a hostname or IP), the ~ in the URL means the user's home directory, and foo.ldif is the example filename I used.

I verified that this does actually use libssh2 through strace, where I saw:
send(3, "SSH-2.0-libssh2_1.4.3\r\n", 23, MSG_NOSIGNAL) = 23

The curl command worked fine before and after the update.

Testing complete Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 2 Shlomi Fish 2015-03-11 17:03:35 CET
Works fine on a Mageia 4 x86-64 VBox VM.

CC: (none) => shlomif
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

David Walser 2015-03-11 19:18:51 CET

URL: (none) => http://lwn.net/Vulnerabilities/636262/

Comment 3 claire robinson 2015-03-12 12:51:52 CET
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-03-12 16:31:29 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0107.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

