Upstream has issued an advisory today (March 11):
http://www.libssh2.org/adv_20150311.html

Debian has issued an advisory for this today:
https://www.debian.org/security/2015/dsa-3182

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated libssh2 packages fix security vulnerability:

Mariusz Ziulek reported that libssh2, a SSH2 client-side library, was reading and using the SSH_MSG_KEXINIT packet without doing sufficient range checks when negotiating a new SSH session with a remote server. A malicious attacker could man in the middle a real server and cause a client using the libssh2 library to crash (denial of service) or otherwise read and use unintended memory areas in this process (CVE-2015-1782).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1782
http://www.libssh2.org/adv_20150311.html
https://www.debian.org/security/2015/dsa-3182
========================

Updated packages in core/updates_testing:
========================
libssh2_1-1.4.3-3.1.mga4
libssh2-devel-1.4.3-3.1.mga4

from libssh2-1.4.3-3.1.mga4.src.rpm
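The advisory text above attributes the bug to missing range checks while reading SSH_MSG_KEXINIT. As an added illustration (not libssh2's code or its patch, and not part of this bug report), the following C parses the KEXINIT layout defined in RFC 4253 and checks every declared length against the bytes actually received. The names parse_kexinit, build_kexinit and struct name_list are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SSH_MSG_KEXINIT 20
#define COOKIE_LEN      16
#define NAME_LISTS      10  /* kex, host key, ciphers, MACs, compression, languages */

struct name_list { const unsigned char *data; uint32_t len; };

/* Read a big-endian uint32 at *off, only if 4 bytes remain (off <= len holds). */
static int get_u32(const unsigned char *p, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4) return -1;
    *out = ((uint32_t)p[*off] << 24) | ((uint32_t)p[*off + 1] << 16) |
           ((uint32_t)p[*off + 2] << 8) | (uint32_t)p[*off + 3];
    *off += 4;
    return 0;
}

/* Returns 0 on success, -1 if any field would run past the received bytes. */
int parse_kexinit(const unsigned char *p, size_t len,
                  struct name_list lists[NAME_LISTS], int *first_follows)
{
    size_t off = 1 + COOKIE_LEN;
    uint32_t n, reserved;
    if (p == NULL || len < off || p[0] != SSH_MSG_KEXINIT) return -1;
    for (int i = 0; i < NAME_LISTS; i++) {
        if (get_u32(p, len, &off, &n) != 0) return -1;
        if (n > len - off) return -1;   /* declared length exceeds what is left */
        lists[i] = (struct name_list){ p + off, n };
        off += n;
    }
    if (len - off < 1) return -1;       /* first_kex_packet_follows missing */
    *first_follows = p[off++] != 0;
    if (get_u32(p, len, &off, &reserved) != 0) return -1;
    return off == len ? 0 : -1;         /* trailing bytes are rejected too */
}

/* Constructed sample: a KEXINIT whose ten name-lists all hold `name`. */
size_t build_kexinit(unsigned char *buf, const char *name)
{
    size_t off = 1 + COOKIE_LEN, n = strlen(name);
    size_t total = off + NAME_LISTS * (4 + n) + 5;
    memset(buf, 0, total);              /* cookie, length high bytes, tail */
    buf[0] = SSH_MSG_KEXINIT;
    for (int i = 0; i < NAME_LISTS; i++, off += 4 + n) {
        buf[off + 3] = (unsigned char)n; /* sample names are < 256 bytes */
        memcpy(buf + off + 4, name, n);
    }
    return total;
}
```

The comparison is written as `n > len - off` rather than `off + n > len` so that a large attacker-supplied length cannot wrap the addition.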
There is no known exploit for the vulnerability currently, thus no PoC.

You can test libssh2 via curl using the sftp protocol. I used it to download a small text file from a remote machine, like this:

curl -u david -k sftp://192.168.0.4/~/foo.ldif

The -u option sets the remote user name you are connecting with. The -k option is needed unless the remote machine's SSL certificate for the SSH service is signed by a recognized CA (hint, it's not, so you need this option). The 192.168.0.4 is the remote machine (can be a hostname or IP), the ~ in the URL means the user's home directory, and foo.ldif is the example filename I used.

I verified that this does actually use libssh2 through strace, where I saw:

send(3, "SSH-2.0-libssh2_1.4.3\r\n", 23, MSG_NOSIGNAL) = 23

The curl command worked fine before and after the update.

Testing complete Mageia 4 i586.
Whiteboard: (none) => has_procedure MGA4-32-OK
Works fine on a Mageia 4 x86-64 VBox VM.
CC: (none) => shlomif
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK
URL: (none) => http://lwn.net/Vulnerabilities/636262/
Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0107.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED