Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 701598 (CVE-2019-14889) - <net-libs/libssh-0.9.3: unsanitized location in scp could lead to unwanted command execution (CVE-2019-14889)
Summary: <net-libs/libssh-0.9.3: unsanitized location in scp could lead to unwanted co...
Alias: CVE-2019-14889
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Depends on:
Reported: 2019-11-30 16:40 UTC by Thomas Deutschmann (RETIRED)
Modified: 2020-03-15 16:18 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2019-11-30 16:40:48 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-12 16:58:34 UTC

When the libssh SCP client connects to a server, the scp
command, which includes a user-provided path, is executed
on the server-side. In case the library is used in a way
where users can influence the third parameter of
ssh_scp_new(), it would become possible for an attacker to
inject arbitrary commands, leading to a compromise of the
remote target.

Patch Availability

Patches addressing the issues have been posted to:

Additionally, libssh 0.9.3 and 0.8.8 have been issued as
security releases to correct the defect.
SSH administrators are advised to upgrade to these releases
or apply the patch as soon as possible.
Comment 2 Larry the Git Cow gentoo-dev 2019-12-12 17:00:57 UTC
The bug has been referenced in the following commit(s):

commit ead108fac74cf8a7b1b201848e872057718ed335
Author:     Lars Wendler <>
AuthorDate: 2019-12-12 17:00:22 +0000
Commit:     Lars Wendler <>
CommitDate: 2019-12-12 17:00:51 +0000

    net-libs/libssh: Security bump to version 0.9.3 (CVE-2019-14889)
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Lars Wendler <>

 net-libs/libssh/Manifest            |   1 +
 net-libs/libssh/libssh-0.9.3.ebuild | 116 ++++++++++++++++++++++++++++++++++++
 2 files changed, 117 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2019-12-18 15:20:28 UTC
Arches please stabilise.
Comment 4 Agostino Sarubbo gentoo-dev 2019-12-19 15:44:24 UTC
amd64 stable
Comment 5 Rolf Eike Beer archtester 2019-12-19 21:10:12 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-20 12:51:08 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-12-20 12:51:56 UTC
ia64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 14:05:49 UTC
arm stable
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2019-12-24 19:50:21 UTC
arm64 stable
Comment 10 Rolf Eike Beer archtester 2019-12-28 16:53:08 UTC
hppa stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-12-30 15:34:11 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-12-30 15:53:59 UTC
ppc stable
Comment 13 Larry the Git Cow gentoo-dev 2020-01-26 10:55:01 UTC
The bug has been referenced in the following commit(s):

commit 78a2814f6e83699b6d46d6d28097e5a5d0fbecc4
Author:     Andreas Sturmlechner <>
AuthorDate: 2020-01-26 10:53:50 +0000
Commit:     Andreas Sturmlechner <>
CommitDate: 2020-01-26 10:54:49 +0000

    net-libs/libssh: Drop 0.9.0
    Package-Manager: Portage-2.3.85, Repoman-2.3.20
    Signed-off-by: Andreas Sturmlechner <>

 net-libs/libssh/Manifest                          |   1 -
 net-libs/libssh/files/libssh-0.9.0-libressl.patch |  33 ------
 net-libs/libssh/libssh-0.9.0.ebuild               | 117 ----------------------
 3 files changed, 151 deletions(-)
Comment 14 Andreas Sturmlechner gentoo-dev 2020-01-26 10:55:44 UTC
Cleanup done, security please proceed.
Comment 15 Andreas Sturmlechner gentoo-dev 2020-02-05 20:19:54 UTC
anyways, KDE proj out
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 16:04:30 UTC
New GLSA request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 16:18:21 UTC
This issue was resolved and addressed in
 GLSA 202003-27 at
by GLSA coordinator Thomas Deutschmann (whissi).