[ubuntu-hardened] LibSSH2 vulns
Brian Morton
rokclimb15 at gmail.com
Tue Feb 14 04:49:52 UTC 2017
After further research it looks like an additional fix is needed for
2016-0787, which has already been merged upstream and is in use in Fedora.

https://www.libssh2.org/mail/libssh2-devel-archive-2016-04/0008.shtml
https://www.libssh2.org/mail/libssh2-devel-archive-2016-04/0009.shtml

Yakkety already has the fix for diffie_hellman_sha256 from upstream. I
think only the sha1 fix is needed in the affected versions of Ubuntu.

There is also some discussion in the upstream bug report and elsewhere that
the private exponent is unnecessarily long from an RFC standpoint (in other
crypto projects as well). All projects I checked use a prime - 1 bits
exponent to be conservative, so I plan to stick with that in the proposed
patch unless anyone thinks otherwise.

https://github.com/libssh2/libssh2/commit/ca5222ea819cc5ed797860070b4c6c1aeeb28420
https://github.com/libssh2/libssh2/pull/103/commits/41a7b087baa82ce26ad2e02099bce1dd485e835d
https://groups.google.com/forum/#!topic/sci.crypt/Fr0zPA6oWVU

On Mon, Feb 13, 2017 at 10:44 PM, Brian Morton <rokclimb15 at gmail.com> wrote:
> Hi security team,
>
> In reference to https://wiki.ubuntu.com/MeetingLogs/Security/20161212 I
> am working on libssh2 packaging for
> http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0739.html and
> http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0787.html
>
> LibSSH2 is clearly affected by CVE-2016-0787 which should be a trivial
> fix. However after a careful review of the code, I believe the package is
> NOT affected by CVE-2016-0739. That appears to only affect libssh. Can
> anyone confirm/deny? I think the CVE notice for 2016-0739 should be updated
> to only reflect libssh. The issues are so similar that they're effectively
> the same in terms of the internal lib functions involved, but I want to
> make sure the correct CVE references each package based on the issue
> description.
>
> Once this is confirmed I'll package a fix for 2016-0787 by itself.
>
> Thanks,
>
> Brian