[Bug 1991650] [NEW] MIR: libssh2

Simon Chopin 1991650 at bugs.launchpad.net
Tue Oct 4 10:09:08 UTC 2022


Public bug reported:

[Availability]
The package libssh2 is already in Ubuntu universe (and even was in main for a time).
It builds on the architectures it is designed to work on:
i386 amd64 armhf arm64 s390x ppc64el riscv64
Link to package: https://launchpad.net/ubuntu/+source/libssh2

[Rationale]

The package libssh2 is required in Ubuntu main as a dependency of src:cargo,
which will be the object of its own MIR.

It should NOT be promoted to main until the cargo MIR is accepted.

It would be great and useful to community/processes to have the
package libssh2 in Ubuntu main, but there is no definitive deadline.

[Security]
libssh2 had 13 known security issues in the past:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1782 lack of validation of network-supplied LENGTH, causing read past the packet buffer. Fixed in 1.5.0, see https://www.libssh2.org/adv_20150311.html for their advisory.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787 "bits/bytes confusion bug", weaker crypto (MitM risks). Fixed in 1.7.0, see https://www.libssh2.org/adv_20160223.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855 Remote execution due to integer overflow leading to out-of-bounds write flaw. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3855.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856 Remote execution due to integer overflow leading to out-of-bounds write flaw. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3856.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857 Remote execution due to integer overflow leading to out-of-bounds write flaw. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3857.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858 DoS, memory read due to out-of-bound read. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3858.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859 DoS, memory read due to out-of-bound read. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3859.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860 DoS, memory read due to out-of-bound read. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3860.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861 DoS, memory read due to out-of-bound read. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3861.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862 DoS, memory read due to out-of-bound read. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3862.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863 Remote execution due to integer overflow leading to out-of-bounds write flaw. Fixed in 1.8.1, see https://www.libssh2.org/CVE-2019-3863.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115 DoS, memory read due to out-of-bound read. Fixed in 1.9.0, no advisory has been published on the libssh2 website. CVE description: In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498 DoS, memory read due to integer overflow leading to out-of-bound read. Fixed in 1.10.0, but no advisory has been published on the libssh2 website.

CVE-2019-3855 to -3863 have all been reported by Chris Coulson,
presumably from an earlier security review from a previous MIR?
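The recurring bug class in the list above (a peer-supplied length used before it is checked against the packet, and the integer-overflow variant of the same check) is illustrated by the following added example of a bounds-checked reader for the SSH "string" wire type; it is not libssh2's code, and ssh_buf, get_string_checked and the sample packets are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not libssh2 code: a bounds-checked reader for the SSH
 * "string" wire type (4-byte big-endian length, then that many bytes). */
typedef struct {
    const unsigned char *data;
    size_t len;
} ssh_buf;

static uint32_t read_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Reads one string field at *off. A reader that trusts the peer-supplied
 * length (the CVE-2015-1782 bug class) walks past the packet; computing
 * `*off + 4 + n` before comparing can wrap (the integer-overflow class).
 * Both are avoided by subtracting first and comparing n to what remains. */
static int get_string_checked(const ssh_buf *b, size_t *off,
                              const unsigned char **out, size_t *outlen) {
    if (*off > b->len || b->len - *off < 4)
        return -1;                       /* no room for the length field */
    uint32_t n = read_u32(b->data + *off);
    size_t remaining = b->len - *off - 4;
    if (n > remaining)
        return -1;                       /* declared length exceeds packet */
    *out = b->data + *off + 4;
    *outlen = n;
    *off += 4 + (size_t)n;
    return 0;
}

/* Constructed sample packets (not real captures). */
static int parse_good(void) {            /* length 5, payload "hello" */
    static const unsigned char pkt[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    ssh_buf b = { pkt, sizeof pkt };
    size_t off = 0, n; const unsigned char *s;
    if (get_string_checked(&b, &off, &s, &n) != 0)
        return -1;
    return (n == 5 && memcmp(s, "hello", 5) == 0 && off == 9) ? 1 : 0;
}

static int parse_oversized(void) {       /* claims 0xffffffff bytes, has 2 */
    static const unsigned char pkt[] = { 0xff, 0xff, 0xff, 0xff, 'a', 'b' };
    ssh_buf b = { pkt, sizeof pkt };
    size_t off = 0, n; const unsigned char *s;
    return get_string_checked(&b, &off, &s, &n);   /* -1: rejected */
}
```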

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install (as a library)

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and does not have many
  long-term critical bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/libssh2/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libssh2
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite at build time; if it fails,
  the build fails
Build logs: https://launchpadlibrarian.net/588624160/buildlog_ubuntu-jammy-amd64.libssh2_1.10.0-3_BUILDING.txt.gz

The package runs an autopkgtest, which is currently passing on
all architectures but i386 (it never succeeded there; it fails because it depends on gcc:i386).
The autopkgtests are just the unit tests run against the installed library.

[Quality assurance - packaging]
- debian/watch is present and works (but outputs a warning, which trips up tracker.debian.org somehow)
- debian/control defines a correct Maintainer field

Here are the logs of a recent rebuild:

https://launchpadlibrarian.net/627042984/buildlog_ubuntu-kinetic-amd64.libssh2_1.10.0-3~ppa2_BUILDING.txt.gz
Note that there are a large number of deprecation warnings, as the package uses OpenSSL APIs that have been deprecated in OpenSSL 3.0. Upstream doesn't have concrete plans to handle OpenSSL 3.0 yet. All other warnings are only on example code.

I wasn't able to produce a --pedantic lintian run on my local builder as the package
FTBFS on it (presumably due to recent changes in openssh-server breaking things on my system, since it builds
fine on LP builders). I'm still investigating that, but in the meantime, there are these results:

https://lintian.debian.org/sources/libssh2

The package doesn't have any overrides.

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build are easy:
https://sources.debian.org/src/libssh2/1.10.0-3/debian/rules/

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- Owning Team will be Foundations
- Team is already subscribed to the package

- This does not use static builds
- This does not use vendored code
- This package is not rust based

- The package was test rebuilt in PPA recently:
https://launchpad.net/~schopin/+archive/ubuntu/rebuilds/+sourcepub/13981899/+listing-archive-extra

[Background information]
The package description explains the package well
Link to upstream project: https://www.libssh2.org/

** Affects: libssh2 (Ubuntu)
     Importance: High
         Status: New

https://bugs.launchpad.net/bugs/1991650