Bug 675526 (CVE-2019-6109, CVE-2019-6110)

Summary:	[TRACKER] scp client: multiple vulnerabilities (CVE-2019-{6109,6110})
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	moonlapse81, phmagic
Priority:	Normal	Keywords:	Tracker
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:	675522, 675524
Bug Blocks:

Description Thomas Deutschmann (RETIRED) gentoo-dev

2019-01-15 17:57:23 UTC

CVE-2019-6109:
OpenSSH has a vulnerability in the scp client utility. Due to missing character encoding in the progress display, the object name can be used to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.

CVE-2019-6110:
OpenSSH has a vulnerability in the scp client utility. Due to accepting and displaying arbitrary stderr output from the scp server, a malicious server can manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.

Comment 1 NATTkA bot gentoo-dev

2020-04-10 08:30:46 UTC

Unable to check for sanity:

> no match for package: net-misc/openssh-7.9_p1-r4

Comment 2 NATTkA bot gentoo-dev

2020-04-12 19:30:17 UTC

Unable to check for sanity:

> dependent bug #675522 has errors

Comment 3 NATTkA bot gentoo-dev

2020-04-13 14:41:19 UTC

Resetting sanity check; package list is empty or all packages are done.