CVE-2019-17498 (https://nvd.nist.gov/vuln/detail/CVE-2019-17498): In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
References:
https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/
https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498
https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c#L480
https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94
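The bug class named in the CVE text above (an unsigned subtraction inside a bounds check that wraps when the packet is shorter than the fixed header) is shown below as an added illustration; this is not code from this bug report or from libssh2. It is a hypothetical parser for a DISCONNECT-style message laid out as in RFC 4253 section 11.1 (type byte, 4-byte reason code, length-prefixed description, length-prefixed language tag), with the weak check beside a hardened one. The function names, the DISCONNECT_FIXED_LEN constant and the sample packets are constructed for this example; the weak variant only reports whether its check would accept the packet and performs no further read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed part of the message: 1 (type) + 4 (reason) + 4 (description length)
 * + 4 (language tag length). Constant name is constructed for this example. */
#define DISCONNECT_FIXED_LEN 13u

static uint32_t rd_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Weak form of the check. The guard only covers the bytes needed to read the
 * description length, so for 9 <= datalen < 13 the subtraction
 * datalen - DISCONNECT_FIXED_LEN wraps to a huge size_t and any
 * attacker-chosen description length compares as "in bounds".
 * Returns true when the check would accept the packet. */
bool weak_disconnect_check(const unsigned char *data, size_t datalen)
{
    if (datalen < 9)                       /* type + reason + description length */
        return false;
    uint32_t desc_len = rd_u32(data + 5);
    return desc_len <= datalen - DISCONNECT_FIXED_LEN;   /* wraps when datalen < 13 */
}

/* Hardened form: establish that the whole fixed part is present first, then
 * budget the remaining bytes against each length field in turn. No
 * subtraction here can underflow, and each read is preceded by its check. */
bool safe_disconnect_parse(const unsigned char *data, size_t datalen,
                           uint32_t *reason, size_t *desc_len_out)
{
    if (datalen < DISCONNECT_FIXED_LEN)
        return false;
    size_t remaining = datalen - DISCONNECT_FIXED_LEN;   /* >= 0, cannot wrap */

    uint32_t desc_len = rd_u32(data + 5);
    if (desc_len > remaining)                 /* also guarantees lang length field fits */
        return false;
    remaining -= desc_len;

    uint32_t lang_len = rd_u32(data + 9 + desc_len);
    if (lang_len > remaining)
        return false;

    if (reason)       *reason = rd_u32(data + 1);
    if (desc_len_out) *desc_len_out = desc_len;
    return true;
}

/* Constructed sample packets (not captured traffic). */
/* Well-formed: reason 11, description "bye", empty language tag. */
const unsigned char SAMPLE_OK[16] = {
    0x01, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x03,
    'b', 'y', 'e', 0x00, 0x00, 0x00, 0x00 };
/* Truncated: only 9 bytes, description length 0xFFFFFFF0. */
const unsigned char SAMPLE_SHORT[9] = {
    0x01, 0x00, 0x00, 0x00, 0x0b, 0xff, 0xff, 0xff, 0xf0 };
/* Long enough header, but description length (100) exceeds the payload. */
const unsigned char SAMPLE_BADLEN[16] = {
    0x01, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x64,
    'b', 'y', 'e', 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    const struct { const char *name; const unsigned char *p; size_t n; } cases[] = {
        { "ok",     SAMPLE_OK,     sizeof SAMPLE_OK },
        { "short",  SAMPLE_SHORT,  sizeof SAMPLE_SHORT },
        { "badlen", SAMPLE_BADLEN, sizeof SAMPLE_BADLEN },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t reason = 0; size_t dlen = 0;
        bool weak = weak_disconnect_check(cases[i].p, cases[i].n);
        bool safe = safe_disconnect_parse(cases[i].p, cases[i].n, &reason, &dlen);
        printf("%-7s weak=%d safe=%d reason=%u desc_len=%zu\n",
               cases[i].name, weak, safe, reason, dlen);
    }
    return 0;
}
```

The weak and hardened checks agree on the well-formed packet and on the one with an oversized description length; they diverge only on the truncated packet, which is exactly the corner the CVE text describes. Checking the fixed part of the message before doing any arithmetic on `datalen` is what closes that corner.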
I see upstream has some more bounds checking fixes in git. I suppose the best way forward would be to take a snapshot.
If upstream is going to tag a new release in the next few weeks, it's also suitable to wait for that. According to current information it's just a DoS requiring a malicious SSH server the victim will connect to...
Given that upstream hasn't released this in 2 months...
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b4cfaf2877f50ad8f5d66927f26d833c8249960

commit 3b4cfaf2877f50ad8f5d66927f26d833c8249960
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-11-11 17:59:42 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-11-11 18:03:18 +0000

    net-libs/libssh2: Bump to 1.9.0_p20190913 snapshot

    Bug: https://bugs.gentoo.org/699856
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-libs/libssh2/Manifest                       |  1 +
 net-libs/libssh2/libssh2-1.9.0_p20190913.ebuild | 59 +++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
x86 stable
s390 stable
ppc64 stable
sparc stable
arm64 stable
ppc stable
amd64 stable
hppa stable
ia64 stable
alpha stable
arm stable
sh stable
@ maintainer(s): Please clean up and drop <net-libs/libssh2-1.9.0_p20190913!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0632222d55eca178357c621fde6573db3a78045

commit b0632222d55eca178357c621fde6573db3a78045
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-12-03 08:48:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:48:02 +0000

    net-libs/libssh2: Remove old

    Bug: https://bugs.gentoo.org/699856
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-libs/libssh2/Manifest                          |   1 -
 net-libs/libssh2/files/libssh2-1.9.0-missing.patch | 181 ---------------------
 net-libs/libssh2/libssh2-1.9.0-r1.ebuild           |  58 -------
 net-libs/libssh2/libssh2-1.9.0.ebuild              |  57 -------
 4 files changed, 297 deletions(-)
GLSA Vote: No! Repository is clean, all done!