Bug 8188 - libssh new security issues fixed in 0.5.3
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/527128/
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
Keywords: validated_update
Reported: 2012-11-23 17:16 CET by David Walser
Modified: 2012-11-29 22:14 CET
Source RPM: libssh-0.5.2-1.mga2.src.rpm

Description David Walser 2012-11-23 17:16:22 CET
Upstream security advisory from November 20:
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/

CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562

Not immediately clear if 0.4.7 (Mageia 1) is affected.
Comment 1 David Walser 2012-11-23 17:19:48 CET
This library is used by xbmc, x2goclient, hydra, and kdebase4-runtime.
Comment 2 David Walser 2012-11-23 17:21:01 CET
Some of the other bugs fixed in 0.5.3 (like use after free, for example) are sometimes considered security bugs too.

Should we just strictly use the CVE patches for the Mageia 2 update (currently has 0.5.2) or update to 0.5.3?
Comment 3 David Walser 2012-11-26 16:00:04 CET
SuSE has issued an advisory for this on November 21:
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00015.html

Given that is for version 0.2, 0.4 should be affected.
Comment 4 David Walser 2012-11-26 19:49:15 CET
Fixed in Cauldron by updating to 0.5.3.
Comment 5 David Walser 2012-11-26 19:56:01 CET
CVE patches rediffed for 0.5.2 and 0.4.7.

If anyone wants to update Mageia 2 to 0.5.3 instead, please speak up soon.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated libssh packages fix security vulnerabilities:

Multiple double free flaws, buffer overflow flaws, invalid free flaws, and
improper overflow checks in libssh before 0.5.3 could enable a denial of
service attack against libssh clients (CVE-2012-4559, CVE-2012-4560,
CVE-2012-4561 and CVE-2012-4562).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4562
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00015.html
========================

Updated packages in core/updates_testing:
========================
libssh4-0.4.7-1.1.mga1
libssh-devel-0.4.7-1.1.mga1
libssh4-0.5.2-1.1.mga2
libssh-devel-0.5.2-1.1.mga2

from SRPMS:
libssh-0.4.7-1.1.mga1.src.rpm
libssh-0.5.2-1.1.mga2.src.rpm
Comment 6 Dave Hodgins 2012-11-27 03:52:35 CET
Testing complete on Mageia 2 x86-64.

No PoC, so just testing that it works. For testing, I restarted KDE,
to ensure the new version of the lib would be used, and then used

konqueror fish://dave@mine/home/dave

to access my old computer, which is set up for passwordless ssh
access, with the following in .ssh/config
Host mine
 Hostname 192.168.10.101
 Port munged
 User dave

I'll test i586 and Mageia 1 shortly.
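
Added example, not part of the original comment or of the Mageia or libssh projects: Comment 6 restarts KDE so that the updated library is the one in use, and this sketch lists processes that still map a replaced libssh by looking for "(deleted)" libssh entries in /proc/PID/maps. The function names and the sample maps lines, including the library file name, are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running a replaced libssh after an update.
# When a package update replaces a shared library, processes started earlier keep
# the old file mapped, and the kernel marks that mapping "(deleted)".

# stale_libssh_in_maps FILE
# Print each distinct libssh path in a maps-format FILE that is marked (deleted).
# Assumes the library path contains no spaces.
stale_libssh_in_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/libssh\.so/ { print $(NF-1) }' \
        "$1" 2>/dev/null | sort -u
}

# scan_proc [PROC_ROOT]
# Print "PID PATH" for every process under PROC_ROOT (default /proc) that
# still maps a deleted libssh. Unreadable maps files are skipped.
scan_proc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        stale_libssh_in_maps "$maps" | sed "s|^|$pid |"
    done
}

# demo: build a constructed two-process /proc tree and scan it.
# PID 1234 was started before the update, PID 5678 after it.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/1234" "$d/5678"
    printf '%s\n' \
        '7f3a1c000000-7f3a1c03a000 r-xp 00000000 08:01 393301 /usr/lib64/libssh.so.4.2.2 (deleted)' \
        '7f3a1c23a000-7f3a1c23c000 rw-p 0003a000 08:01 393301 /usr/lib64/libssh.so.4.2.2 (deleted)' \
        '7f3a1c400000-7f3a1c421000 rw-p 00000000 00:00 0' \
        > "$d/1234/maps"
    printf '%s\n' \
        '7f10aa000000-7f10aa03a000 r-xp 00000000 08:01 401122 /usr/lib64/libssh.so.4.2.2' \
        > "$d/5678/maps"
    scan_proc "$d"
    rm -rf "$d"
}

demo
```

Calling `scan_proc` with no argument, as root, scans the live /proc; any PID it prints needs a restart before it picks up the patched library.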
Comment 7 Dave Hodgins 2012-11-27 04:03:22 CET
Testing complete on Mageia 2 i586, Mageia 1 x86-64 and i586.

Could someone from the sysadmin team push the srpm
libssh-0.5.2-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
libssh-0.4.7-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated libssh packages fix security vulnerabilities:

Multiple double free flaws, buffer overflow flaws, invalid free flaws, and
improper overflow checks in libssh before 0.5.3 could enable a denial of
service attack against libssh clients (CVE-2012-4559, CVE-2012-4560,
CVE-2012-4561 and CVE-2012-4562).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4562
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00015.html

https://bugs.mageia.org/show_bug.cgi?id=8188
Comment 8 David Walser 2012-11-27 20:23:11 CET
Ubuntu has issued an advisory for this on November 26:
http://www.ubuntu.com/usn/usn-1640-1/

Theirs actually addresses all 4 CVEs, and notes possible remote code execution.

I'm updating the advisory based on this.

Advisory: Updated libssh packages fix security vulnerabilities:

Multiple double free flaws, buffer overflow flaws, invalid free flaws, and
improper overflow checks in libssh before 0.5.3 could enable a denial of
service attack against libssh clients, or possibly arbitrary code execution (CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4562
http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
http://www.ubuntu.com/usn/usn-1640-1/

https://bugs.mageia.org/show_bug.cgi?id=8188
Comment 9 Thomas Backlund 2012-11-29 22:14:16 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0344
