Bug 699856 (CVE-2019-17498) - <net-libs/libssh2-1.9.0_p20190913: integer overflow in SSH_MSG_DISCONNECT logic in packet.c (CVE-2019-17498)
Status: RESOLVED FIXED
Alias: CVE-2019-17498
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2019-11-11 17:47 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-15 16:03 UTC
Package list:
net-libs/libssh2-1.9.0_p20190913
Runtime testing required: No
stable-bot: sanity-check+

Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-11 17:47:05 UTC
CVE-2019-17498 (https://nvd.nist.gov/vuln/detail/CVE-2019-17498):
  In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in
  packet.c has an integer overflow in a bounds check, enabling an attacker to
  specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A
  crafted SSH server may be able to disclose sensitive information or cause a
  denial of service condition on the client system when a user connects to the
  server.
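
An added illustration of the bug class described above (not libssh2's code and not part of the original report): a bounds check on a peer-supplied length whose unsigned arithmetic wraps, beside an overflow-safe form. The field layout follows the SSH_MSG_DISCONNECT format in RFC 4253; the function names and the sample packet are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 4253 SSH_MSG_DISCONNECT: byte type, uint32 reason, string description
 * (uint32 length + bytes), string language tag (uint32 length + bytes). */
#define HDR_LEN 9u  /* type + reason + description length field */
#define MIN_LEN 13u /* HDR_LEN + language-tag length field */

static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Weak form: for len in 9..12 the unsigned subtraction wraps to a huge value,
 * so any peer-chosen desc_len passes. Returns the offset the parser would
 * read the language-tag length from next, or -1 if the packet is rejected. */
long long weak_lang_offset(const unsigned char *pkt, size_t len)
{
    if (len < HDR_LEN)
        return -1;
    uint32_t desc_len = get_u32(pkt + 5);
    if (desc_len <= len - MIN_LEN) /* wraps when len < MIN_LEN */
        return (long long)HDR_LEN + desc_len;
    return -1;
}

/* Hardened form: prove len >= MIN_LEN first, so the difference cannot wrap. */
long long safe_lang_offset(const unsigned char *pkt, size_t len)
{
    if (len < MIN_LEN)
        return -1;
    uint32_t desc_len = get_u32(pkt + 5);
    if (desc_len > len - MIN_LEN)
        return -1;
    return (long long)HDR_LEN + desc_len;
}

/* Constructed 9-byte packet: type 1, reason 2, description length 0x10000. */
static const unsigned char sample_pkt[9] = {1, 0, 0, 0, 2, 0, 1, 0, 0};

int main(void)
{
    printf("weak: %lld\n", weak_lang_offset(sample_pkt, sizeof sample_pkt));
    printf("safe: %lld\n", safe_lang_offset(sample_pkt, sizeof sample_pkt));
    return 0;
}
```

The weak check accepts an offset far past the end of the 9-byte buffer, while the hardened check rejects the packet; both agree on a well-formed message.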
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-11-11 17:55:08 UTC
I see upstream has some more bounds checking fixes in git.  I suppose the best way forward would be to take a snapshot.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-11-11 18:00:30 UTC
If upstream is going to tag a new release in the next few weeks, it's also suitable to wait for that. According to current information it's just a DoS requiring a malicious SSH server the victim will connect to...
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-11-11 18:02:43 UTC
Given that upstream hasn't released this in 2 months...
Comment 5 Larry the Git Cow gentoo-dev 2019-11-11 18:03:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b4cfaf2877f50ad8f5d66927f26d833c8249960

commit 3b4cfaf2877f50ad8f5d66927f26d833c8249960
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-11-11 17:59:42 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-11-11 18:03:18 +0000

    net-libs/libssh2: Bump to 1.9.0_p20190913 snapshot
    
    Bug: https://bugs.gentoo.org/699856
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-libs/libssh2/Manifest                       |  1 +
 net-libs/libssh2/libssh2-1.9.0_p20190913.ebuild | 59 +++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
Comment 6 Agostino Sarubbo gentoo-dev 2019-11-12 10:07:47 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-11-12 10:17:31 UTC
s390 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-11-12 15:09:25 UTC
ppc64 stable
Comment 9 Rolf Eike Beer archtester 2019-11-12 18:09:52 UTC
sparc stable
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2019-11-12 22:12:30 UTC
arm64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-11-13 07:41:51 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-11-13 07:44:53 UTC
amd64 stable
Comment 13 Rolf Eike Beer archtester 2019-11-13 21:48:54 UTC
hppa stable
Comment 14 Agostino Sarubbo gentoo-dev 2019-11-14 11:58:17 UTC
ia64 stable
Comment 15 Matt Turner gentoo-dev 2019-11-22 16:23:26 UTC
alpha stable
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-27 13:00:00 UTC
arm stable
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-27 13:00:30 UTC
sh stable
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-02 22:55:01 UTC
@ maintainer(s): Please clean up and drop <net-libs/libssh2-1.9.0_p20190913!
Comment 19 Larry the Git Cow gentoo-dev 2019-12-03 09:48:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0632222d55eca178357c621fde6573db3a78045

commit b0632222d55eca178357c621fde6573db3a78045
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-12-03 08:48:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-12-03 09:48:02 +0000

    net-libs/libssh2: Remove old
    
    Bug: https://bugs.gentoo.org/699856
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-libs/libssh2/Manifest                          |   1 -
 net-libs/libssh2/files/libssh2-1.9.0-missing.patch | 181 ---------------------
 net-libs/libssh2/libssh2-1.9.0-r1.ebuild           |  58 -------
 net-libs/libssh2/libssh2-1.9.0.ebuild              |  57 -------
 4 files changed, 297 deletions(-)
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 16:03:17 UTC
GLSA Vote: No!

Repository is clean, all done!