Bugzilla – Bug 928323
VUL-1: CVE-2015-3146: libssh: Null pointer dereference in NEWKEYS + KEXDH_REPLY packet
Last modified: 2016-04-27 20:20:31 UTC
JFYI The update is prepared in home:lmuelle:branches:OBS_Maintained:libssh based on the code Jim offered in home:jmcdough:branches:OBS_Maintained:libssh The project is hidden, Jim is maintainer too, and _no_ submit request got filed yet.
(In reply to Lars Müller from comment #14)
> JFYI The update is prepared in home:lmuelle:branches:OBS_Maintained:libssh
> based on the code Jim offered in home:jmcdough:branches:OBS_Maintained:libssh

https://build.opensuse.org/request/show/305090

I hope it's enough to set reviewer role to the security-team
Public via https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/

This is an important SECURITY and maintenance release in order to address CVE-2015-3146 – Possible double free on a dangling pointer with crafted kexinit packet.

libssh versions 0.5.1 and above have a logical error in the handling of a SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected error did not set the session into the error state correctly and further processed the packet, which leads to a null pointer dereference. This is the packet after the initial key exchange and doesn't require authentication. This could be used for a Denial of Service (DoS) attack.

The bug was found and reported by Mariusz Ziulek from the Open Web Application Security Project (OWASP).

https://www.libssh.org/security/advisories/CVE-2014-8132.txt

===========================================================
== Subject:     CVE-2014-8132: Double free on dangling pointers in initial key exchange packet.
==
== CVE ID#:     CVE-2014-8132
==
== Versions:    All versions of libssh later than 0.5.1
==
== Summary:     A malicious initial key exchange packet could lead to a double
==              free crashing the server.
==
==              This doesn't require any authentication.
==
===========================================================

===========
Description
===========

libssh versions 0.5.1 and above could leave dangling pointers in the session crypto structures. It is possible to send a malicious kexinit package to eventually cause a server to do a double-free before this fix. This could be used for a Denial of Service attack.

As this was found by a libssh developer there are no currently known exploits for this problem (as of December 19th 2014).

==================
Patch Availability
==================

Patches addressing the issue have been posted to:

    https://www.libssh.org/

libssh version 0.6.4 has been released to address this issue.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by Jon Simons. He contributed a lot of code to the libssh project. Patches provided by Jon Simons and the libssh Team.

==========================================================
== The libssh Team
==========================================================
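The failure mode the release notes describe (an error detected while handling SSH_MSG_KEXDH_REPLY that does not move the session into its error state, so SSH_MSG_NEWKEYS is still processed against crypto state that was never set up) is illustrated below as an added, self-contained C model. It is not libssh code and not part of this bug report or its comments; the session structure, the state names, the stand-in verify_kexdh_reply() check, the outcome codes and the two constructed packets are assumptions made for the example. It places the buggy and the fixed reply handler side by side and drives each through the two-packet sequence, reporting whether the session ends up "keys active" with a NULL crypto pointer, which is the state the next packet would be processed through.

```c
/* Added model of the bug class in the advisory; not libssh source.
 * A key exchange is driven by SSH_MSG_KEXDH_REPLY followed by
 * SSH_MSG_NEWKEYS (message numbers from RFC 4253). If a verification
 * failure on the reply does not put the session into its error state,
 * NEWKEYS still runs and activates a crypto pointer that was never set,
 * so the next packet would be processed through a NULL pointer. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSH_MSG_NEWKEYS     21
#define SSH_MSG_KEXDH_REPLY 31
#define SECRET_LEN          16   /* assumed length of the derived secret */

enum session_state { STATE_WAIT_REPLY, STATE_WAIT_NEWKEYS, STATE_KEYS_ACTIVE, STATE_ERROR };

struct crypto { unsigned char secret[SECRET_LEN]; };

struct session {
    enum session_state state;
    struct crypto *next_crypto;     /* set only once KEXDH_REPLY verifies */
    struct crypto *current_crypto;  /* what the next packet is processed with */
};

/* Constructed stand-in for the host-key and signature checks: the reply must
 * be exactly the type byte followed by SECRET_LEN nonzero bytes. */
static int verify_kexdh_reply(const unsigned char *pkt, size_t len) {
    if (len != 1 + SECRET_LEN || pkt[0] != SSH_MSG_KEXDH_REPLY) return -1;
    for (size_t i = 1; i < len; i++) if (pkt[i] == 0) return -1;
    return 0;
}

/* Bug class: the failed check is noticed, but the state machine advances
 * anyway and next_crypto stays NULL. */
static int handle_kexdh_reply_buggy(struct session *s, const unsigned char *pkt, size_t len) {
    int rc = verify_kexdh_reply(pkt, len);
    if (rc == 0) {
        s->next_crypto = calloc(1, sizeof *s->next_crypto);
        if (s->next_crypto) memcpy(s->next_crypto->secret, pkt + 1, SECRET_LEN);
    }
    s->state = STATE_WAIT_NEWKEYS;  /* bug: reached on failure too */
    return rc;
}

/* Fixed: any failure parks the session in STATE_ERROR, which every later
 * handler checks before touching crypto state. */
static int handle_kexdh_reply_fixed(struct session *s, const unsigned char *pkt, size_t len) {
    if (verify_kexdh_reply(pkt, len) != 0) { s->state = STATE_ERROR; return -1; }
    s->next_crypto = calloc(1, sizeof *s->next_crypto);
    if (s->next_crypto == NULL) { s->state = STATE_ERROR; return -1; }
    memcpy(s->next_crypto->secret, pkt + 1, SECRET_LEN);
    s->state = STATE_WAIT_NEWKEYS;
    return 0;
}

/* NEWKEYS switches the session over to next_crypto. It trusts the state
 * machine; with the buggy reply handler it runs with next_crypto == NULL. */
static int handle_newkeys(struct session *s, unsigned char type) {
    if (type != SSH_MSG_NEWKEYS || s->state != STATE_WAIT_NEWKEYS) return -1;
    free(s->current_crypto);
    s->current_crypto = s->next_crypto;
    s->next_crypto = NULL;
    s->state = STATE_KEYS_ACTIVE;
    return 0;
}

typedef int (*reply_handler)(struct session *, const unsigned char *, size_t);

enum outcome { OUTCOME_REJECTED, OUTCOME_KEYS_ACTIVE, OUTCOME_NULL_CRYPTO };

/* Drive one exchange (KEXDH_REPLY, then NEWKEYS) through a reply handler and
 * report where the session ends up. OUTCOME_NULL_CRYPTO is the advisory's
 * condition: keys are "active" but the pointer the next packet would be
 * processed with is NULL; a real server dereferences it and crashes. */
static enum outcome run_exchange(reply_handler h, const unsigned char *reply, size_t len) {
    struct session s = { STATE_WAIT_REPLY, NULL, NULL };
    enum outcome o;
    h(&s, reply, len);
    if (handle_newkeys(&s, SSH_MSG_NEWKEYS) != 0) o = OUTCOME_REJECTED;
    else if (s.current_crypto == NULL)            o = OUTCOME_NULL_CRYPTO;
    else                                          o = OUTCOME_KEYS_ACTIVE;
    free(s.current_crypto);
    free(s.next_crypto);
    return o;
}

/* Constructed packets: a well-formed reply and a crafted, truncated one. */
static const unsigned char GOOD_REPLY[1 + SECRET_LEN] = {
    SSH_MSG_KEXDH_REPLY, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const unsigned char CRAFTED_REPLY[2] = { SSH_MSG_KEXDH_REPLY, 0 };

int main(void) {
    printf("buggy/crafted: %d\n", run_exchange(handle_kexdh_reply_buggy, CRAFTED_REPLY, sizeof CRAFTED_REPLY));
    printf("fixed/crafted: %d\n", run_exchange(handle_kexdh_reply_fixed, CRAFTED_REPLY, sizeof CRAFTED_REPLY));
    printf("fixed/good:    %d\n", run_exchange(handle_kexdh_reply_fixed, GOOD_REPLY, sizeof GOOD_REPLY));
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c`. The point of the model is the single line `s->state = STATE_ERROR` on the failure path: once the session is in the error state, handle_newkeys() refuses the packet, whereas the buggy handler lets the crafted, unauthenticated reply put the session into STATE_KEYS_ACTIVE with current_crypto == NULL.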
openSUSE-SU-2015:0860-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 928323
CVE References: CVE-2015-3146
Sources used:
openSUSE 13.2 (src): libssh-0.6.3-2.7.1
openSUSE 13.1 (src): libssh-0.5.5-2.15.1
Looks like RESOLVED then
(SLE updates are still in QA)
not yet released, reopen
bugbot adjusting priority
SUSE-SU-2015:1707-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 928323
CVE References: CVE-2015-3146
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): libssh-0.6.3-8.1
released
SUSE-SU-2015:1707-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 928323
CVE References: CVE-2015-3146
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): libssh-0.6.3-8.1
SUSE Linux Enterprise Desktop 12 (src): libssh-0.6.3-8.1