595342 – <net-misc/openssh-7.3_p1-r6: Remote pre-auth crash

Bug 595342 - <net-misc/openssh-7.3_p1-r6: Remote pre-auth crash

Summary: <net-misc/openssh-7.3_p1-r6: Remote pre-auth crash

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa cleanup]
Keywords:

Depends on:
Blocks:

Reported:	2016-09-28 07:59 UTC by Hanno Böck
Modified:	2016-12-07 10:33 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2016-09-28 07:59:37 UTC

This tweet indicates that there is a remotely triggerable crash in openssh:
https://twitter.com/robertswiecki/status/780436362105393153

Here's the supposed fix:
https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737

Details are scarce. Although it's "just" a crash / NULL deref it could lock an admin out of a server if the sshd service isn't automatically restarted.

Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2016-09-28 08:42:52 UTC

commit c938f8ceb36e6791d096ae9df9819f6b3be5315c
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Sep 28 10:27:46 2016

    net-misc/openssh: Sec-revbump to fix remote pre-auth crash (bug #595342).
    
    Package-Manager: portage-2.3.1
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

Comment 2 Agostino Sarubbo gentoo-dev

2016-09-28 08:50:13 UTC

Ready to stabilize?

Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2016-09-28 11:23:23 UTC

Arches please test and mark stable =net-misc/openssh-7.3_p1-r6 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux

Comment 4 Agostino Sarubbo gentoo-dev

2016-09-28 12:32:42 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2016-09-28 12:33:10 UTC

x86 stable

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2016-09-28 18:00:11 UTC

Stable for PPC64.

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2016-09-28 18:00:27 UTC

oops, wrong bug

Comment 8 Paul B. Henson 2016-09-28 19:13:24 UTC

(In reply to Hanno Boeck from comment #0)
> 
> Details are scarce. Although it's "just" a crash / NULL deref it could lock
> an admin out of a server if the sshd service isn't automatically restarted.

Unless I misunderstand, this looks like a an issue during the key exchange between the ssh client and the ssh server, which takes place with a child of the master sshd process? So you're basically DoS'ing your own session? How would this impact the parent sshd process and prevent it from spawning other children to handle other attempted connections to the server?

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2016-09-29 03:36:12 UTC

Stable for HPPA.

Comment 10 Jeroen Roovers (RETIRED) gentoo-dev

2016-09-29 03:36:35 UTC

Stable for PPC64.

Comment 11 Tobias Klausmann (RETIRED) gentoo-dev

2016-09-29 09:10:35 UTC

Stable on alpha.

Comment 12 Agostino Sarubbo gentoo-dev

2016-09-29 09:42:50 UTC

sparc stable

Comment 13 Agostino Sarubbo gentoo-dev

2016-09-29 12:40:40 UTC

ppc stable

Comment 14 Agostino Sarubbo gentoo-dev

2016-09-29 13:16:31 UTC

arm stable

Comment 15 Agostino Sarubbo gentoo-dev

2016-09-29 13:33:09 UTC

ia64 stable.

Maintainer(s), please cleanup.

Comment 16 GLSAMaker/CVETool Bot gentoo-dev

2016-12-07 10:33:12 UTC

This issue was resolved and addressed in
 GLSA 201612-18 at https://security.gentoo.org/glsa/201612-18
by GLSA coordinator Aaron Bauman (b-man).