Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 533366 (CVE-2014-8132) - <net-libs/libssh-0.6.4: Double free on dangling pointers in initial key exchange packet (CVE-2014-8132)
Summary: <net-libs/libssh-0.6.4: Double free on dangling pointers in initial key excha...
Status: RESOLVED FIXED
Alias: CVE-2014-8132
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.libssh.org/2014/12/19/libs...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 533424
Blocks:
  Show dependency tree
 
Reported: 2014-12-23 08:17 UTC by Agostino Sarubbo
Modified: 2016-06-26 13:00 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-23 08:17:56 UTC
From ${URL} :

This is an important SECURITY and maintenance release in order to address CVE-2014-8132 – Double free on dangling pointers in initial key exchange packet.
libssh versions 0.5.1 and above could leave dangling pointers in the session
crypto structures. It is possible to send a malicious kexinit package to
eventually cause a server to do a double-free before this fix.

This could be used for a Denial of Service attack.

As this was found by a libssh developer there are no currently known exploits
for this problem (as of December 19th 2014).


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-07 01:31:05 UTC
CVE-2014-8132 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8132):
  Double free vulnerability in the ssh_packet_kexinit function in kex.c in
  libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a
  denial of service via a crafted kexinit packet.
Comment 2 Jeroen Roovers gentoo-dev 2015-01-07 15:48:44 UTC
I guess I'm waiting for KDE people to give an OK.
Comment 3 Johannes Huber gentoo-dev 2015-01-15 21:26:24 UTC
(In reply to Jeroen Roovers from comment #2)
> I guess I'm waiting for KDE people to give an OK.

Arches please stabilize =net-libs/libssh-0.6.4.
Comment 4 Agostino Sarubbo gentoo-dev 2015-01-16 08:17:59 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-01-16 08:18:13 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-01-31 10:33:01 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-02-18 08:51:33 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Johannes Huber gentoo-dev 2015-02-18 18:14:01 UTC
Thanks all. Cleanuo done by Jeroen. Removing kde herd from cc here as it is nothing to do for us anymore. 

+
+  18 Feb 2015; Jeroen Roovers <jer@gentoo.org> -libssh-0.6.3.ebuild,
+  -libssh-0.6.3-r1.ebuild:
+  Old.
+
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2015-02-24 00:32:00 UTC
Maintainer(s), Thank you for cleanup!

Security Please Vote.
First Vote: Yes
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:24:09 UTC
YES too, request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-06-26 13:00:37 UTC
This issue was resolved and addressed in
 GLSA 201606-12 at https://security.gentoo.org/glsa/201606-12
by GLSA coordinator Aaron Bauman (b-man).