Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 548564 (CVE-2015-3146)

Summary: <net-libs/libssh-0.6.5: Possible double free on a dangling pointer with crafted kexinit packet (CVE-2015-3146)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release/
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 548468    

Description Agostino Sarubbo gentoo-dev 2015-05-04 07:17:25 UTC
From ${URL} :

This is an important SECURITY and maintenance release in order to address CVE-2015-3146 – Possible double free on a dangling pointer with crafted kexinit packet.

libssh versions 0.5.1 and above have a logical error in the handling of a SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY package. A detected error did not set the session into the error state correctly and further processed the packet which leads to a null pointer 
dereference. This is the packet after the initial key exchange and doesn’t require authentication.

This could be used for a Denial of Service (DoS) attack.

The bug was found and reported by Mariusz Ziulek from the Open Web Application Security Project (OWASP).

Advisories and patches for older versions can be found here.

If you are new to libssh read The Tutorial how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.6.5 here.

ChangeLog
Fixed CVE-2015-3146
Fixed port handling in config file
Fixed the build with libgcrypt
Fixed SFTP endian issues (rlo #179)
Fixed uninitilized sig variable (rlo #167)
Fixed polling issues which could result in a hang
Fixed handling of EINTR in ssh_poll() (rlo #186)
Fixed C99 issues with __func__
Fixed some memory leaks
Improved macro detection on Windows



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-05-07 09:37:48 UTC
+*libssh-0.6.5 (07 May 2015)
+
+  07 May 2015; Lars Wendler <polynomial-c@gentoo.org> +libssh-0.6.5.ebuild:
+  Security bump (bug #548564).
+

Arches please test and mark stable =net-libs/libssh-0.6.5 with target KEYWORDS:

~alpha amd64 ~arm ~arm64 hppa ppc ppc64 ~s390 ~sparc x86 ~amd64-linux ~x86-linux
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-08 04:49:00 UTC
Stable for HPPA.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-08 04:52:56 UTC
Stable for PPC64.
Comment 4 Agostino Sarubbo gentoo-dev 2015-05-13 07:57:26 UTC
amd64 stable
Comment 5 Pacho Ramos gentoo-dev 2015-05-15 11:21:37 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-05-19 07:26:16 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Johannes Huber (RETIRED) gentoo-dev 2015-05-31 12:43:36 UTC
Thanks all. Cleanup done by Jeroen. Removing maintainers then.

+
+  19 May 2015; Jeroen Roovers <jer@gentoo.org> -libssh-0.6.4.ebuild:
+  Old.
+
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:09:11 UTC
Vote: NO.
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-09 22:14:51 UTC
GLSA Vote: No