Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1035832: libssh: CVE-2023-1667 CVE-2023-2283
8 views
Skip to first unread message
Salvatore Bonaccorso
May 9, 2023, 4:42:14 PM5/9/23
to
Source: libssh
Version: 0.10.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>
Control: found -1 0.9.3-1
Control: found -1 0.9.5-1+deb11u1
Hi,
The following vulnerabilities were published for libssh.
CVE-2023-1667[0]:
| Potential NULL dereference during rekeying with algorithm guessing
CVE-2023-2283[1]:
| Authorization bypass in pki_verify_data_signature
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-1667
https://www.cve.org/CVERecord?id=CVE-2023-1667
https://www.libssh.org/security/advisories/CVE-2023-1667.txt
[1] https://security-tracker.debian.org/tracker/CVE-2023-2283
https://www.cve.org/CVERecord?id=CVE-2023-2283
https://www.libssh.org/security/advisories/CVE-2023-2283.txt
Regards,
Salvatore
Version: 0.10.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>
Control: found -1 0.9.3-1
Control: found -1 0.9.5-1+deb11u1
Hi,
The following vulnerabilities were published for libssh.
CVE-2023-1667[0]:
| Potential NULL dereference during rekeying with algorithm guessing
CVE-2023-2283[1]:
| Authorization bypass in pki_verify_data_signature
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-1667
https://www.cve.org/CVERecord?id=CVE-2023-1667
https://www.libssh.org/security/advisories/CVE-2023-1667.txt
[1] https://security-tracker.debian.org/tracker/CVE-2023-2283
https://www.cve.org/CVERecord?id=CVE-2023-2283
https://www.libssh.org/security/advisories/CVE-2023-2283.txt
Regards,
Salvatore
Martin Pitt
May 10, 2023, 2:30:05 AM5/10/23
to
Control: tag -1 pending
Hello Salvatore,
Salvatore Bonaccorso [2023-05-09 22:30 +0200]:
make it into the release in time. With upstream's extensive unit tests and
Debian's reverse dependency autopkgtesting etc. I have enough confidence in
that.
I also checked buster. It's not affected by CVE-2023-2283, that code does not
exist in the 0.8 branch at all. The code for CVE-2023-1667 does exist, but it
is wildly different. Upstream does not maintain the 0.8 branch any more, and
I'm afraid I will not have the time/skills to analyze, understand, and backport
the patches myself, at least not to an extent where I'd have faith in them.
I'll attempt to backport the fixes for stable now.
https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some
changes before and beyond the actual security fix: some memory leak fixes,
moving some code around, indentation fixes, more unit tests. Personally I'd
rather trust upstream's release validation and update to 0.9.7 wholesale than
trying to pick it apart, but how is the Debian security team stanza wrt.
upstream microreleases these days?
Thanks,
Martin
Hello Salvatore,
Salvatore Bonaccorso [2023-05-09 22:30 +0200]:
> The following vulnerabilities were published for libssh.
>
> CVE-2023-1667[0]:
> | Potential NULL dereference during rekeying with algorithm guessing
>
> CVE-2023-2283[1]:
> | Authorization bypass in pki_verify_data_signature
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
I uploaded the new upstream release to unstable, with urgency=high to hopefully
>
> CVE-2023-1667[0]:
> | Potential NULL dereference during rekeying with algorithm guessing
>
> CVE-2023-2283[1]:
> | Authorization bypass in pki_verify_data_signature
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
make it into the release in time. With upstream's extensive unit tests and
Debian's reverse dependency autopkgtesting etc. I have enough confidence in
that.
I also checked buster. It's not affected by CVE-2023-2283, that code does not
exist in the 0.8 branch at all. The code for CVE-2023-1667 does exist, but it
is wildly different. Upstream does not maintain the 0.8 branch any more, and
I'm afraid I will not have the time/skills to analyze, understand, and backport
the patches myself, at least not to an extent where I'd have faith in them.
I'll attempt to backport the fixes for stable now.
https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some
changes before and beyond the actual security fix: some memory leak fixes,
moving some code around, indentation fixes, more unit tests. Personally I'd
rather trust upstream's release validation and update to 0.9.7 wholesale than
trying to pick it apart, but how is the Debian security team stanza wrt.
upstream microreleases these days?
Thanks,
Martin
Martin Pitt
May 10, 2023, 3:40:04 AM5/10/23
to
Hello security team,
Martin Pitt [2023-05-10 8:19 +0200]:
cherry-picks which changed the actual security fix from "hairy and risky" to
"only causes minor and obvious conflicts".
https://salsa.debian.org/debian/libssh/-/commit/5aa68cee3d2e8a50402ef77623ff8ceac9eb183c
https://salsa.debian.org/debian/libssh/-/commit/baa5cda9287580b16d3ecd9ecfc7fef82f2e12c2
They were taken from
https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 as "95% clean"
cherry-picks, which I found the best compromise wrt. minimizing risk. See the
Debian commit messages for details. I built the package in a clean bullseye
container, unit tests and autopkgtest pass.
The commit messages are more wordy than appropriate for the changelog. I'd use
a similar format as for unstable [1], e.g.
-------------- ✂️ ------------------
* Fix authenticated remote DoS through potential NULL dereference
during rekeying with algorithm guessing (CVE-2023-1667)
https://www.libssh.org/security/advisories/CVE-2023-1667.txt
* Fix client authentication bypass in pki_verify_data_signature()
in low-memory conditions with OpenSSL backend; gcrypt backend is
not affected (CVE-2023-2283, Closes: #1035832)
https://www.libssh.org/security/advisories/CVE-2023-2283.txt
-------------- ✂️ ------------------
I'm happy to upload to the queue if/once you give me the signal, or massage the
patches/changelog according to your liking.
Thanks,
Martin
[1] https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9
Martin Pitt [2023-05-10 8:19 +0200]:
> I'll attempt to backport the fixes for stable now.
> https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some
> changes before and beyond the actual security fix: some memory leak fixes,
> moving some code around, indentation fixes, more unit tests. Personally I'd
> rather trust upstream's release validation and update to 0.9.7 wholesale than
> trying to pick it apart, but how is the Debian security team stanza wrt.
> upstream microreleases these days?
I prepared a security update for the two CVEs, plus four "reformat code"
> https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some
> changes before and beyond the actual security fix: some memory leak fixes,
> moving some code around, indentation fixes, more unit tests. Personally I'd
> rather trust upstream's release validation and update to 0.9.7 wholesale than
> trying to pick it apart, but how is the Debian security team stanza wrt.
> upstream microreleases these days?
cherry-picks which changed the actual security fix from "hairy and risky" to
"only causes minor and obvious conflicts".
https://salsa.debian.org/debian/libssh/-/commit/5aa68cee3d2e8a50402ef77623ff8ceac9eb183c
https://salsa.debian.org/debian/libssh/-/commit/baa5cda9287580b16d3ecd9ecfc7fef82f2e12c2
They were taken from
https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 as "95% clean"
cherry-picks, which I found the best compromise wrt. minimizing risk. See the
Debian commit messages for details. I built the package in a clean bullseye
container, unit tests and autopkgtest pass.
The commit messages are more wordy than appropriate for the changelog. I'd use
a similar format as for unstable [1], e.g.
-------------- ✂️ ------------------
* Fix authenticated remote DoS through potential NULL dereference
during rekeying with algorithm guessing (CVE-2023-1667)
https://www.libssh.org/security/advisories/CVE-2023-1667.txt
* Fix client authentication bypass in pki_verify_data_signature()
in low-memory conditions with OpenSSL backend; gcrypt backend is
not affected (CVE-2023-2283, Closes: #1035832)
https://www.libssh.org/security/advisories/CVE-2023-2283.txt
-------------- ✂️ ------------------
I'm happy to upload to the queue if/once you give me the signal, or massage the
patches/changelog according to your liking.
Thanks,
Martin
[1] https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9
Salvatore Bonaccorso
May 13, 2023, 4:00:05 AM5/13/23
to
Hi Martin,
On Wed, May 10, 2023 at 08:19:42AM +0200, Martin Pitt wrote:
> Control: tag -1 pending
>
> Hello Salvatore,
>
> Salvatore Bonaccorso [2023-05-09 22:30 +0200]:
> > The following vulnerabilities were published for libssh.
> >
> > CVE-2023-1667[0]:
> > | Potential NULL dereference during rekeying with algorithm guessing
> >
> > CVE-2023-2283[1]:
> > | Authorization bypass in pki_verify_data_signature
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> I uploaded the new upstream release to unstable, with urgency=high to hopefully
> make it into the release in time. With upstream's extensive unit tests and
> Debian's reverse dependency autopkgtesting etc. I have enough confidence in
> that.
Thanks for preparing the update. Note that at this stage of the freeze
it won't migrate anymore automatically. Can you please request for an
unblock by the release team? Note there is a strict deadline
approaching, so that should happen quickly. Note I'm not sure if
release team will want to have
* Bump Standards-Version to 4.6.2. No changes necessary.
and
* Bump debhelper from old 12 to 13.
* Avoid explicitly specifying -Wl,--as-needed linker flag.
included in this stage of the release.
> I also checked buster. It's not affected by CVE-2023-2283, that code does not
> exist in the 0.8 branch at all. The code for CVE-2023-1667 does exist, but it
> is wildly different. Upstream does not maintain the 0.8 branch any more, and
> I'm afraid I will not have the time/skills to analyze, understand, and backport
> the patches myself, at least not to an extent where I'd have faith in them.
>
> I'll attempt to backport the fixes for stable now.
> https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some
> changes before and beyond the actual security fix: some memory leak fixes,
> moving some code around, indentation fixes, more unit tests. Personally I'd
> rather trust upstream's release validation and update to 0.9.7 wholesale than
> trying to pick it apart, but how is the Debian security team stanza wrt.
> upstream microreleases these days?
Thanks for this mail and the followup with the proposed update. We
come back to you on it.
Regards,
Salvatore
On Wed, May 10, 2023 at 08:19:42AM +0200, Martin Pitt wrote:
> Control: tag -1 pending
>
> Hello Salvatore,
>
> Salvatore Bonaccorso [2023-05-09 22:30 +0200]:
> > The following vulnerabilities were published for libssh.
> >
> > CVE-2023-1667[0]:
> > | Potential NULL dereference during rekeying with algorithm guessing
> >
> > CVE-2023-2283[1]:
> > | Authorization bypass in pki_verify_data_signature
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> I uploaded the new upstream release to unstable, with urgency=high to hopefully
> make it into the release in time. With upstream's extensive unit tests and
> Debian's reverse dependency autopkgtesting etc. I have enough confidence in
> that.
it won't migrate anymore automatically. Can you please request for an
unblock by the release team? Note there is a strict deadline
approaching, so that should happen quickly. Note I'm not sure if
release team will want to have
* Bump Standards-Version to 4.6.2. No changes necessary.
and
* Bump debhelper from old 12 to 13.
* Avoid explicitly specifying -Wl,--as-needed linker flag.
included in this stage of the release.
> I also checked buster. It's not affected by CVE-2023-2283, that code does not
> exist in the 0.8 branch at all. The code for CVE-2023-1667 does exist, but it
> is wildly different. Upstream does not maintain the 0.8 branch any more, and
> I'm afraid I will not have the time/skills to analyze, understand, and backport
> the patches myself, at least not to an extent where I'd have faith in them.
>
> I'll attempt to backport the fixes for stable now.
> https://git.libssh.org/projects/libssh.git/log/?h=stable-0.9 has quite some
> changes before and beyond the actual security fix: some memory leak fixes,
> moving some code around, indentation fixes, more unit tests. Personally I'd
> rather trust upstream's release validation and update to 0.9.7 wholesale than
> trying to pick it apart, but how is the Debian security team stanza wrt.
> upstream microreleases these days?
come back to you on it.
Regards,
Salvatore
0 new messages