15861 – libssh new security issue CVE-2015-3146

Bug 15861 - libssh new security issue CVE-2015-3146

Summary: libssh new security issue CVE-2015-3146

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	i586 Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/644038/
Whiteboard:	has_procedure advisory MGA4-32-OK MGA...
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2015-05-06 16:45 CEST by David Walser
Modified:	2015-05-12 19:08 CEST (History)
CC List:	2 users (show)

See Also:
Source RPM:	libssh-0.5.5-2.2.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2015-05-06 16:45:31 CEST

Upstream has released version 0.6.5 on April 30, fixing a security issue:
https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/

They also made a patch available for 0.5.5.

Update checked into Cauldron SVN.  Freeze push requested.

Patch checked into Mageia 4 SVN.

Reproducible: 

Steps to Reproduce:

David Walser 2015-05-06 16:45:42 CEST

Blocks: (none) => 14674
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-05-06 21:01:32 CEST

Patched package uploaded for Mageia 4.

Testing procedure (please note that openssh does *not* use this):
https://bugs.mageia.org/show_bug.cgi?id=8880#c2

Advisory:
========================

Updated libssh packages fix security vulnerability:

libssh versions 0.5.1 and above, but before 0.6.5, have a logical error in the
handling of a SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected
error did not set the session into the error state correctly and further
processed the packet which leads to a null pointer dereference. This is the
packet after the initial key exchange and doesnât require authentication.
This could be used for a Denial of Service (DoS) attack (CVE-2015-3146).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3146
https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/
========================

Updated packages in core/updates_testing:
========================
libssh4-0.5.5-2.3.mga4
libssh-devel-0.5.5-2.3.mga4

from libssh-0.5.5-2.3.mga4.src.rpm

Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 2 David Walser 2015-05-07 19:22:52 CEST

kio_sftp also uses this (sftp:/ protocol in Konqueror).

Comment 3 David Walser 2015-05-08 16:31:19 CEST

kio_sftp is really neat.  Very straightforward to use:
http://blog.cynapses.org/2009/07/24/kio_sftp-in-action/

Tested OK Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 4 Shlomi Fish 2015-05-11 15:16:26 CEST

Tested OK Mageia 4 x86-64 using hydra and kio_sftp. Updating is fine.

CC: (none) => shlomif
Whiteboard: has_procedure MGA4-32-OK => MGA4-64-OK has_procedure MGA4-32-OK

Comment 5 claire robinson 2015-05-11 17:29:00 CEST

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-05-11 22:11:40 CEST

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0209.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-12 19:08:17 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644038/

Note You need to log in before you can comment on or make changes to this bug.