Bug 25704 - libssh2 new security issues CVE-2019-13115 and CVE-2019-17498
Summary: libssh2 new security issues CVE-2019-13115 and CVE-2019-17498
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Duplicates: 25934
Depends on:
Blocks:
 
Reported: 2019-11-17 19:10 CET by David Walser
Modified: 2019-12-24 11:42 CET

See Also:
Source RPM: libssh2-1.8.2-1.mga7.src.rpm
CVE: CVE-2019-13115, CVE-2019-17498
Status comment:



David Walser 2019-11-17 19:11:35 CET

Whiteboard: (none) => MGA7TOO
CC: (none) => zombie.ryushu

Comment 1 David Walser 2019-11-17 23:14:05 CET
libssh2-1.9.0-2.mga8 uploaded by David Geiger to fix Cauldron.

Mageia 7 patched build failed.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => geiger.david68210

Comment 2 Nicolas Salguero 2019-11-18 13:25:39 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. (CVE-2019-17498)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498
https://www.debian.org/lts/security/2019/dla-1991
https://lists.debian.org/debian-lts-announce/2019/11/msg00010.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943562
https://security-tracker.debian.org/tracker/CVE-2019-17498
========================

Updated packages in core/updates_testing:
========================
lib(64)ssh2_1-1.8.2-1.1.mga7
lib(64)ssh2-devel-1.8.2-1.1.mga7

from SRPMS:
libssh2-1.8.2-1.1.mga7.src.rpm

CC: (none) => nicolas.salguero
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2019-17498
Status: NEW => ASSIGNED
Source RPM: libssh2-1.9.0-1.mga8.src.rpm => libssh2-1.8.2-1.mga7.src.rpm
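
The bug class named in the CVE-2019-17498 advisory text above (an unsigned bounds check that wraps and then admits an out-of-range offset), shown next to a hardened parse. This is an added example, not libssh2's code and not part of the original bug report; the function names and the two sample packets are constructed for illustration, and the SSH_MSG_DISCONNECT layout (type byte, uint32 reason, description string, language-tag string) follows RFC 4253.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: a well-formed packet, and a 9-byte one claiming a huge description. */
const unsigned char good_pkt[16] = {1, 0,0,0,11, 0,0,0,3, 'b','y','e', 0,0,0,0};
const unsigned char short_pkt[9] = {1, 0,0,0,11, 0x7f,0xff,0xff,0xff};

static uint32_t be32(const unsigned char *p)  /* big-endian uint32, SSH wire order */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Weak check: 13 = type(1) + reason(4) + two length fields(4 + 4). When
 * datalen < 13 the unsigned subtraction wraps, so any msg_len is accepted. */
int weak_accepts(size_t datalen, uint32_t msg_len)
{
    return datalen >= 9 && msg_len < datalen - 13;
}

/* Hardened parse: establish the minimum size first, then compare each length
 * against the bytes that remain. Returns 0 on success, -1 on malformed input. */
int parse_disconnect(const unsigned char *d, size_t datalen, uint32_t *reason,
                     const unsigned char **msg, uint32_t *msg_len,
                     uint32_t *lang_len)
{
    if (datalen < 13 || d[0] != 1)          /* 1 = SSH_MSG_DISCONNECT */
        return -1;
    *reason = be32(d + 1);
    *msg_len = be32(d + 5);
    if (*msg_len > datalen - 13)            /* cannot wrap: datalen >= 13 */
        return -1;
    *msg = d + 9;
    *lang_len = be32(d + 9 + *msg_len);     /* in bounds by the check above */
    if (*lang_len > datalen - 13 - *msg_len)
        return -1;
    return 0;
}

int main(void)
{
    uint32_t r, ml, ll; const unsigned char *m;
    printf("weak check on 9-byte packet: %d\n", weak_accepts(9, be32(short_pkt + 5)));
    printf("hardened parse, short: %d\n", parse_disconnect(short_pkt, 9, &r, &m, &ml, &ll));
    printf("hardened parse, good:  %d\n", parse_disconnect(good_pkt, 16, &r, &m, &ml, &ll));
    return 0;
}
```

The weak check passes the 9-byte packet because `datalen - 13` is evaluated in `size_t`; the hardened parse rejects it before any length field is trusted.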

Comment 3 PC LX 2019-11-20 15:36:46 CET
Installed and tested without issues.

Tested with aria2c, mc and nmap.
Also tried testing with vlc but strace did not show the libssh2 being loaded or used.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 21:10:01 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


$ rpm -qa | grep ssh2
lib64ssh2_1-1.8.2-1.1.mga7
$ rpm -q mc aria2 nmap
mc-4.8.22-1.mga7
aria2-1.34.0-3.mga7
nmap-7.70-2.1.mga7
$ urpmq --whatrequires lib64ssh2_1 | sort -u
aria2
cargo
lib64git2_28
lib64ssh2_1
lib64ssh2-devel
lib64virt0
libvirt-utils
mc
medusa
nmap
php-ssh2
qemu-block-ssh
rls
vlc-plugin-common


$ strace -o strace.log mc sftp://pclx@localhost/tmp/
$ grep -i ssh strace.log
openat(AT_FDCWD, "/lib64/libssh2.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/pclx/.ssh/config", O_RDONLY) = 9
sendto(9, "SSH-2.0-libssh2_1.8.2\r\n", 23, MSG_NOSIGNAL, NULL, 0) = 23
recvfrom(9, "\0\0\4<\7!\0\0\1\227\0\0\0\7ssh-rsa\0\0\0\3\1\0\1\0\0\1\201"..., 16384, MSG_NOSIGNAL, NULL, NULL) = 1104
connect(10, {sa_family=AF_UNIX, sun_path="/tmp/ssh-KVklOAIawMGa/agent.1667"}, 110) = 0
recvfrom(10, "\f\0\0\0\3\0\0\2\25\0\0\0\7ssh-rsa\0\0\0\1#\0\0\2\1\0\317_"..., 1315, 0, NULL, NULL) = 1315
sendto(10, "\r\0\0\1\27\0\0\0\7ssh-rsa\0\0\0\3\1\0\1\0\0\1\1\0\310,\23l"..., 664, 0, NULL, 0) = 664
recvfrom(10, "\16\0\0\1\17\0\0\0\7ssh-rsa\0\0\1\0'\220\216\373\3115-]\270\340:4"..., 276, 0, NULL, NULL) = 276


$ strace -o strace.log nmap -sV localhost | grep -i ssh
22/tcp   open  ssh     OpenSSH 8.0 (protocol 2.0)
$ grep -i ssh strace.log
openat(AT_FDCWD, "/lib64/libssh2.so.1", O_RDONLY|O_CLOEXEC) = 3
read(5, "ntry { filename = \"ssh-run.nse\","..., 4096) = 4096
read(5, "i/protocol $1/\n\n# SCS\nmatch ssh "..., 4096) = 4096
read(5, "ol $1/ cpe:/a:openbsd:openssh:$2"..., 4096) = 4096
read(5, "2\\.0-OpenSSH\\r?\\n| p/Linksys WRT"..., 4096) = 4096
read(5, "d/broadband router/\nmatch ssh m|"..., 4096) = 4096
read(5, "TPSSHD_5\\r\\n| p/CrushFTP sftpd/ "..., 4096) = 4096
read(5, "nston:dropbear_ssh_server/\nmatch"..., 4096) = 4096
recvfrom(6, "SSH-2.0-OpenSSH_8.0\r\n", 8192, 0, 0x7fffcf2ae2e0, [128->0]) = 21


$ strace -o strace.log aria2c 'sftp://pclx@localhost/tmp/test' &> /dev/null
$ grep -i ssh strace.log
openat(AT_FDCWD, "/usr/lib64/libssh2.so.1", O_RDONLY|O_CLOEXEC) = 3
sendto(5, "SSH-2.0-libssh2_1.8.2\r\n", 23, MSG_NOSIGNAL, NULL, 0) = 23
recvfrom(5, "\0\0\4<\10!\0\0\1\227\0\0\0\7ssh-rsa\0\0\0\3\1\0\1\0\0\1\201"..., 16384, MSG_NOSIGNAL, NULL, NULL) = 1104

Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia

Comment 4 Thomas Andrews 2019-11-22 16:21:12 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-30 12:07:07 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2019-11-30 14:07:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0343.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Nicolas Salguero 2019-12-24 11:42:37 CET

Summary: libssh2 new security issue CVE-2019-17498 => libssh2 new security issues CVE-2019-13115 and CVE-2019-17498
CVE: CVE-2019-17498 => CVE-2019-13115, CVE-2019-17498

Comment 6 Nicolas Salguero 2019-12-24 11:42:44 CET
*** Bug 25934 has been marked as a duplicate of this bug. ***
