Bug 701598 (CVE-2019-14889)

Comment 1 Thomas Deutschmann (RETIRED) 2019-12-12 16:58:34 UTC

===========
Description
===========

When the libssh SCP client connects to a server, the scp
command, which includes a user-provided path, is executed
on the server-side. In case the library is used in a way
where users can influence the third parameter of
ssh_scp_new(), it would become possible for an attacker to
inject arbitrary commands, leading to a compromise of the
remote target.

==================
Patch Availability
==================

Patches addressing the issues have been posted to:
https://www.libssh.org/security/

Additionally, libssh 0.9.3 and 0.8.8 have been issued as
security releases to correct the defect.
SSH administrators are advised to upgrade to these releases
or apply the patch as soon as possible.

Comment 2 Larry the Git Cow 2019-12-12 17:00:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ead108fac74cf8a7b1b201848e872057718ed335

commit ead108fac74cf8a7b1b201848e872057718ed335
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-12-12 17:00:22 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-12-12 17:00:51 +0000

    net-libs/libssh: Security bump to version 0.9.3 (CVE-2019-14889)
    
    Bug: https://bugs.gentoo.org/701598
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/libssh/Manifest            |   1 +
 net-libs/libssh/libssh-0.9.3.ebuild | 116 ++++++++++++++++++++++++++++++++++++
 2 files changed, 117 insertions(+)

Comment 3 Andreas Sturmlechner 2019-12-18 15:20:28 UTC

Arches please stabilise.

Comment 4 Agostino Sarubbo 2019-12-19 15:44:24 UTC

amd64 stable

Comment 5 Rolf Eike Beer 2019-12-19 21:10:12 UTC

sparc stable

Comment 6 Agostino Sarubbo 2019-12-20 12:51:08 UTC

x86 stable

Comment 7 Agostino Sarubbo 2019-12-20 12:51:56 UTC

ia64 stable

Comment 8 Mikle Kolyada (RETIRED) 2019-12-24 14:05:49 UTC

arm stable

Comment 9 Aaron Bauman (RETIRED) 2019-12-24 19:50:21 UTC

arm64 stable

Comment 10 Rolf Eike Beer 2019-12-28 16:53:08 UTC

hppa stable

Comment 11 Agostino Sarubbo 2019-12-30 15:34:11 UTC

ppc64 stable

Comment 12 Agostino Sarubbo 2019-12-30 15:53:59 UTC

ppc stable

Comment 13 Larry the Git Cow 2020-01-26 10:55:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78a2814f6e83699b6d46d6d28097e5a5d0fbecc4

commit 78a2814f6e83699b6d46d6d28097e5a5d0fbecc4
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-01-26 10:53:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-01-26 10:54:49 +0000

    net-libs/libssh: Drop 0.9.0
    
    Bug: https://bugs.gentoo.org/701598
    Package-Manager: Portage-2.3.85, Repoman-2.3.20
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-libs/libssh/Manifest                          |   1 -
 net-libs/libssh/files/libssh-0.9.0-libressl.patch |  33 ------
 net-libs/libssh/libssh-0.9.0.ebuild               | 117 ----------------------
 3 files changed, 151 deletions(-)

Comment 14 Andreas Sturmlechner 2020-01-26 10:55:44 UTC

Cleanup done, security please proceed.

Comment 15 Andreas Sturmlechner 2020-02-05 20:19:54 UTC

anyways, KDE proj out

Comment 16 Thomas Deutschmann (RETIRED) 2020-03-15 16:04:30 UTC

New GLSA request filed.

Comment 17 GLSAMaker/CVETool Bot 2020-03-15 16:18:21 UTC

This issue was resolved and addressed in
 GLSA 202003-27 at https://security.gentoo.org/glsa/202003-27
by GLSA coordinator Thomas Deutschmann (whissi).