
Bug 675526 (CVE-2019-6109, CVE-2019-6110)

Summary: [TRACKER] scp client: multiple vulnerabilities (CVE-2019-{6109,6110})
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: moonlapse81, phmagic
Priority: Normal
Keywords: Tracker
Version: unspecified
Hardware: All
OS: Linux
URL: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 675522, 675524    
Bug Blocks:    

Description Thomas Deutschmann gentoo-dev Security 2019-01-15 17:57:23 UTC
CVE-2019-6109:
OpenSSH has a vulnerability in the scp client utility. Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.

CVE-2019-6110:
OpenSSH has a vulnerability in the scp client utility. Due to accepting and displaying arbitrary stderr output from the scp server, a malicious server can manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.
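
Added example (not OpenSSH's code and not part of this bug report): both CVEs come down to server-controlled bytes reaching the terminal unescaped, so one mitigation is to escape every non-printable byte of an object name or stderr line before displaying it. The function name `term_safe`, the ASCII-only display policy and the sample input are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy untrusted bytes (a remote object name or a line of server stderr)
 * into dst in a form that is safe to print on a terminal: printable ASCII
 * is kept, a backslash is doubled, and every other byte (ESC, CR, LF,
 * high-bit bytes, ...) becomes a \ooo octal escape.
 * Returns the number of bytes written, excluding the NUL, or -1 if dst is
 * too small. Assumption: ASCII-only display; a real client would also need
 * a policy for valid multibyte text.
 */
int term_safe(const unsigned char *src, size_t len, char *dst, size_t dstsz)
{
    size_t o = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        if (c == '\\') {
            if (o + 2 >= dstsz) return -1;      /* keep room for the NUL */
            dst[o++] = '\\';
            dst[o++] = '\\';
        } else if (c >= 0x20 && c < 0x7f) {
            if (o + 1 >= dstsz) return -1;
            dst[o++] = (char)c;
        } else {
            if (o + 4 >= dstsz) return -1;
            o += (size_t)snprintf(dst + o, dstsz - o, "\\%03o", (unsigned)c);
        }
    }
    if (o >= dstsz) return -1;                  /* also covers dstsz == 0 */
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: a name carrying an ESC sequence and a CR. */
    const unsigned char name[] = "report.txt\x1b[2K\r";
    char shown[128];

    if (term_safe(name, sizeof name - 1, shown, sizeof shown) < 0)
        return 1;
    printf("receiving: %s\n", shown);           /* escapes shown literally */
    return 0;
}
```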
Comment 1 NATTkA bot gentoo-dev 2020-04-10 08:30:46 UTC
Unable to check for sanity:

> no match for package: net-misc/openssh-7.9_p1-r4
Comment 2 NATTkA bot gentoo-dev 2020-04-12 19:30:17 UTC
Unable to check for sanity:

> dependent bug #675522 has errors
Comment 3 NATTkA bot gentoo-dev 2020-04-13 14:41:19 UTC
Resetting sanity check; package list is empty or all packages are done.