Bug 697046 (CVE-2019-16905) - <net-misc/openssh-8.0_p1-r4: an exploitable integer overflow bug was found in the private key parsing code for the XMSS key type (CVE-2019-16905)
Status: CONFIRMED
Alias: CVE-2019-16905
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openssh.com/txt/release-8.1
Whiteboard: B2 [glsa+ cve cleanup]
Reported: 2019-10-09 07:10 UTC by Jeroen Roovers
Modified: 2019-11-07 19:03 UTC (History)
Description Jeroen Roovers gentoo-dev 2019-10-09 07:10:27 UTC
OpenSSH 8.1 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Security
========

 * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer
   overflow bug was found in the private key parsing code for the XMSS
   key type. This key type is still experimental and support for it is
   not compiled by default. No user-facing autoconf option exists in
   portable OpenSSH to enable it. This bug was found by Adam Zabrocki
   and reported via SecuriTeam's SSD program.

 * ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
   rest in RAM against speculation and memory side-channel attacks like
   Spectre, Meltdown and Rambleed. This release encrypts private keys
   when they are not in use with a symmetric key that is derived from a
   relatively large "prekey" consisting of random data (currently 16KB).
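The key-shielding scheme in the second bullet, as an added illustration that is not OpenSSH's code: a symmetric key is derived by hashing a 16KB random prekey and used to encrypt the private key while it is not in use. The cipher below is an HMAC counter-mode stand-in (an assumption, since the page does not name OpenSSH's cipher choice); the demo shows that a prekey recovered with a single bit error yields garbage, which is why a large prekey raises the bar for error-prone memory side-channel reads.

```python
import hashlib
import hmac
import secrets

PREKEY_LEN = 16 * 1024  # 16KB of random data, the size the release notes give

def derive_key(prekey: bytes) -> bytes:
    # Hash the whole prekey: every bit feeds the output, so a prekey recovered
    # with even one bit wrong yields an unrelated key.
    return hashlib.sha512(prekey).digest()[:32]

def keystream(key: bytes, nbytes: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stdlib stand-in for the real cipher
    # (assumption: the page does not name OpenSSH's cipher choice).
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def shield(private_key: bytes):
    # Encrypt the key at rest; only the prekey and ciphertext stay in memory.
    prekey = secrets.token_bytes(PREKEY_LEN)
    ciphertext = xor_bytes(private_key, keystream(derive_key(prekey), len(private_key)))
    return prekey, ciphertext

def unshield(prekey: bytes, ciphertext: bytes) -> bytes:
    # Recover the plaintext key only while a signing operation needs it.
    return xor_bytes(ciphertext, keystream(derive_key(prekey), len(ciphertext)))

def flip_bit(data: bytes, bit_index: int) -> bytes:
    # Simulate a side-channel read of the prekey that got one bit wrong.
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def demo(private_key: bytes):
    # Returns (exact prekey recovers the key, one-bit-wrong prekey recovers it).
    prekey, ciphertext = shield(private_key)
    exact = unshield(prekey, ciphertext) == private_key
    noisy = unshield(flip_bit(prekey, 12345), ciphertext) == private_key
    return exact, noisy
```

Run `demo(b"CONSTRUCTED-PRIVATE-KEY-" + bytes(range(256)))` on a constructed stand-in for serialized key material; it returns `(True, False)`.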
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-10-09 13:13:26 UTC
Gentoo has allowed use of the XMSS key type since commit fe902146e84a9b2beb8c1748d7735e5b38928e75, via the USE flag "xmss", which is disabled by default.
Comment 2 Larry the Git Cow gentoo-dev 2019-10-09 16:18:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0148cb4b99350b09cc7eaa229ad42d4b6009d0e9

commit 0148cb4b99350b09cc7eaa229ad42d4b6009d0e9
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-09 16:17:12 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-09 16:17:29 +0000

    net-misc/openssh: fix integer overflows
    
    - Fix integer overflow in XMSS private key parsing
    - Fix an unreachable integer overflow similar to the XMSS case
    - Fix putty tests
    
    Closes: https://bugs.gentoo.org/493866
    Bug: https://bugs.gentoo.org/697046
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/openssh/Manifest                          |   1 +
 ...integer-overflow-similar-to-the-XMSS-case.patch |  76 ++++
 ...eger-overflow-in-XMSS-private-key-parsing.patch |  14 +
 .../files/openssh-8.0_p1-fix-putty-tests.patch     |  57 +++
 net-misc/openssh/openssh-8.0_p1-r4.ebuild          | 467 +++++++++++++++++++++
 5 files changed, 615 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-10-09 16:19:03 UTC
We will move stable keywords shortly.
Comment 4 Larry the Git Cow gentoo-dev 2019-10-09 20:39:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c16aa18318891f1224dba19390ae85e22bde6f0

commit 4c16aa18318891f1224dba19390ae85e22bde6f0
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-09 20:39:25 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-09 20:39:43 +0000

    net-misc/openssh: security cleanup
    
    Bug: https://bugs.gentoo.org/697046
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/openssh/Manifest                 |   1 -
 net-misc/openssh/openssh-8.0_p1-r3.ebuild | 463 ------------------------------
 2 files changed, 464 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16a48f47227819cfb092a2579f6c4ba50a5dedcf

commit 16a48f47227819cfb092a2579f6c4ba50a5dedcf
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-09 20:38:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-09 20:39:42 +0000

    net-misc/openssh: move stable keywords
    
    Bug: https://bugs.gentoo.org/697046
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/openssh/openssh-8.0_p1-r4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Thomas Deutschmann gentoo-dev Security 2019-10-26 14:41:53 UTC
New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2019-11-07 19:03:23 UTC
This issue was resolved and addressed in GLSA 201911-01 at https://security.gentoo.org/glsa/201911-01 by GLSA coordinator Aaron Bauman (b-man).
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-11-07 19:03:57 UTC
re-opened for cleanup