Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 542914 (CVE-2015-1782)

Summary: <net-libs/libssh2-1.5.0: Using SSH_MSG_KEXINIT data unbounded (CVE-2015-1782)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: netmon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.libssh2.org/adv_20150311.html
Whiteboard: B3 [noglsa/cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-03-11 14:24:03 UTC 
From ${URL} :

The following issue was reported as affecting libssh2:

When negotiating a new SSH session with a remote server, one of libssh2's
functions for doing the key exchange (kex_agree_methods) was naively reading
data from the incoming packet and using it without doing sufficient range
checks. The SSH_MSG_KEXINIT packet arrives to libssh2 with a set of strings,
sent as a series of LENGTH + DATA pairs. libssh2 would go through the list and
read the LENGTH field, read the string following the LENGTH and then advance
the pointer LENGTH bytes in memory and expect to find the next LENGTH + DATA
pair there. Then move on until seven subsequent strings are taken care of. It
would naively assume that the (unsigned 32 bit) LENGTH fields were fine.

This packet arrives in the negotiating phase so the remote server has not yet
been deemed to be a known or trusted party.

A malicious attacker could man in the middle a real server and cause libssh2
using clients to crash (denial of service) or otherwise read and use
completely unintended memory areas in this process.

There are no known exploits of this flaw at this time.

External References:

http://www.libssh2.org/adv_20150311.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-12 09:17:51 UTC 
Arch teams, please test and mark stable:
=net-libs/libssh2-1.5.0
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-12 11:59:14 UTC 
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2015-03-13 09:26:44 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-03-13 09:27:40 UTC 
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-03-25 16:08:32 UTC 
ia64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-03-26 11:23:41 UTC 
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-03-26 11:30:40 UTC 
ppc64 stable
Comment 8 Markus Meier gentoo-dev 2015-03-28 06:53:46 UTC 
arm stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-03-28 17:10:43 UTC 
CVE-2015-1782 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1782):
  The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers
  to cause a denial of service (crash) or have other unspecified impact via
  crafted length values in an SSH_MSG_KEXINIT packet.
Comment 10 Agostino Sarubbo gentoo-dev 2015-03-30 09:51:41 UTC 
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-03-30 10:04:16 UTC 
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-04-04 15:28:06 UTC 
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-04-17 16:33:07 UTC 
GLSA vote: No
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:19:59 UTC 
Client DoS => NO, closing. Thanks everyone.