Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 575484 (CVE-2016-0739) - <net-libs/libssh-0.7.3: Wrong calculation of Diffie Hellman secret length (CVE-2016-0739)
Summary: <net-libs/libssh-0.7.3: Wrong calculation of Diffie Hellman secret length (CV...
Alias: CVE-2016-0739
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A4 [glsa]
Depends on:
Reported: 2016-02-23 15:08 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2016-06-26 13:00 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-02-23 15:08:50 UTC
libssh versions 0.1 and above have a bits/bytes confusion bug and generate the an anormaly short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods.
The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63) operations.

commit 50920493b9b2de35f9b18577eb55bd0ebe826ce7
Author: Lars Wendler <>
Date:   Tue Feb 23 16:01:21 2016

    net-libs/libssh: Security bump to version 0.7.3 (CVE-2016-0739).
    Package-Manager: portage-2.2.27
    Signed-off-by: Lars Wendler <>
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-23 15:17:35 UTC

*** This bug has been marked as a duplicate of bug 575474 ***
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-23 15:19:26 UTC
Was actually too quick there, this would affect both libssh and libssh2 so better track it in separate bugs anyways
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-27 07:51:04 UTC
I restored keywords for IA64 since I found no evidence that they had been dropped knowingly.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-27 07:58:28 UTC
Arch teams, please test and mark stable:
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-27 12:13:51 UTC
Stable for HPPA PPC64.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-02 14:00:15 UTC
amd64 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-13 11:44:19 UTC
Added to existing GLSA.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-03-13 11:58:25 UTC
CVE-2016-0739 (
  A type confusion issue was found in the way libssh generated ephemeral
  secrets for the diffie-hellman-group1 and diffie-hellman-group14 key
  exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use
  significantly less secure random parameters.
Comment 9 Markus Meier gentoo-dev 2016-03-13 12:30:07 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-03-15 16:40:12 UTC
x86 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:23:59 UTC
Stable on alpha.
Comment 12 Agostino Sarubbo gentoo-dev 2016-03-16 12:07:36 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-19 11:36:35 UTC
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-03-20 12:01:08 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-03-20 17:24:33 UTC
commit ca3613078e0fe6f913bee37728bbf4dd45860a93
Author: Lars Wendler <>
Date:   Sun Mar 20 17:59:29 2016

    net-libs/libssh: Security cleanup (bug #575484).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <>
Comment 16 Johannes Huber (RETIRED) gentoo-dev 2016-03-25 16:48:59 UTC
Thanks all. Removing kde from cc.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-06-26 13:00:52 UTC
This issue was resolved and addressed in
 GLSA 201606-12 at
by GLSA coordinator Aaron Bauman (b-man).