Bug 861566 (CVE-2014-1692) - VUL-0: CVE-2014-1692: openssh: J-PAKE uninitialized variable use
Status: RESOLVED UPSTREAM
Alias: CVE-2014-1692
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2014-01-31 15:05 UTC by Alexander Bergmann
Modified: 2015-03-05 14:53 UTC

Found By: Security Response Team


Description Alexander Bergmann 2014-01-31 15:05:32 UTC
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/schnorr.c

Revision 1.10
Wed Jan 29 00:21:41 2014 UTC (3 hours, 14 minutes ago) by djm
Branches: MAIN
CVS tags: HEAD
Changes since revision 1.9: +4 -1 lines
In the experimental, never-enabled JPAKE code: clear returned digest and
length in hash_buffer() for error cases; could lead to memory corruption
later if EVP_Digest* fails.  Pointed out by Mark Dowd

As I understand it this can be enabled via code edit/gcc command line
options, so not sure if this qualified for a CVE or not (vuln in code,
yes, is code reachable? not under any default setup, and even on
non-default you have to go pretty far off to enable it).

!!! J-PAKE support is not enabled in any SLE or openSUSE version !!!

CVE-2014-1692 was assigned to this issue.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1059052
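
The bug class named in the commit message (output parameters left untouched on an error path, then fixed by clearing them), shown as an added sketch that is not part of the original report and is not OpenSSH's code. The names `toy_digest`, `hash_buffer_before`, `hash_buffer_after` and the 8-byte digest size are assumptions made for illustration; `toy_digest` stands in for an `EVP_Digest*` call that can fail.

```c
#include <stdlib.h>
#include <string.h>

#define TOY_LEN 8  /* assumed digest size for this sketch */

/* Hypothetical stand-in for a digest call that can fail, as EVP_Digest* can. */
static int toy_digest(const unsigned char *in, size_t n, int fail,
                      unsigned char *md, unsigned int *mdlen)
{
    unsigned char acc = 0;
    if (fail)
        return 0;                      /* md and mdlen are left unwritten */
    for (size_t i = 0; i < n; i++)
        acc = (unsigned char)(acc * 31 + in[i]);
    memset(md, acc, TOY_LEN);
    *mdlen = TOY_LEN;
    return 1;
}

/* Before: on failure the caller's *digest_p and *len_p keep whatever
 * (possibly uninitialized) values they held on entry. */
int hash_buffer_before(const unsigned char *in, size_t n, int fail,
                       unsigned char **digest_p, unsigned int *len_p)
{
    unsigned char md[TOY_LEN];
    unsigned int mdlen = 0;
    if (!toy_digest(in, n, fail, md, &mdlen))
        return -1;
    if ((*digest_p = malloc(mdlen)) == NULL)
        return -1;
    memcpy(*digest_p, md, mdlen);
    *len_p = mdlen;
    return 0;
}

/* After: outputs are cleared first, so every error path hands back
 * NULL/0 and a later free(digest) in the caller is a no-op. */
int hash_buffer_after(const unsigned char *in, size_t n, int fail,
                      unsigned char **digest_p, unsigned int *len_p)
{
    *digest_p = NULL;
    *len_p = 0;
    return hash_buffer_before(in, n, fail, digest_p, len_p);
}
```
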
Comment 1 Alexander Bergmann 2014-01-31 15:06:56 UTC
closing