Recent security update broke server-side keyboard-interactive authentication

Bug #1805348 reported by Martin Pitt on 2018-11-27
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libssh (Debian)
Fix Released
Unknown
libssh (Ubuntu)
Undecided
Unassigned
Trusty
High
Marc Deslauriers
Xenial
High
Marc Deslauriers
Bionic
High
Marc Deslauriers
Cosmic
High
Marc Deslauriers

Bug Description

0.8.4 and the backported fixes for CVE-2018-10933 cause server-side keyboard-interactive authentication to completely break. See https://bugs.libssh.org/T117 for details and a reproducer.

This was fixed upstream as part of the 0.8.5 release, so disco is fine. For 16.04/18.04/18.10, please backport the fix:

  https://git.libssh.org/projects/libssh.git/commit/?id=4ea46eecce9f4

CVE References

Martin Pitt (pitti) on 2018-11-27
tags: added: bionic cosmic regression-release xenial
Changed in libssh (Ubuntu):
status: New → Fix Released
Changed in libssh (Ubuntu Xenial):
status: New → Triaged
Changed in libssh (Ubuntu Bionic):
status: New → Triaged
Changed in libssh (Ubuntu Cosmic):
status: New → Triaged
Changed in libssh (Ubuntu Xenial):
importance: Undecided → High
Changed in libssh (Ubuntu Bionic):
importance: Undecided → High
Changed in libssh (Ubuntu Cosmic):
importance: Undecided → High
Changed in libssh (Debian):
status: Unknown → New
Changed in libssh (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libssh (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libssh (Ubuntu Cosmic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in libssh (Ubuntu Trusty):
status: New → Triaged
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
information type: Public → Public Security
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this pitti, I'll prepare a regression fix!

Marc Deslauriers (mdeslaur) wrote :

Packages that fix this regression and a couple of others are available for testing in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libssh - 0.8.1-1ubuntu0.3

---------------
libssh (0.8.1-1ubuntu0.3) cosmic-security; urgency=medium

  * SECURITY REGRESSION: fix multiple regressions (LP: #1805348)
    - debian/patches/CVE-2018-10933-regression.patch: set correct state
      after sending INFO_REQUEST in src/server.c.
    - debian/patches/CVE-2018-10933-regression2.patch: add missing break in
      src/packet.c.
    - debian/patches/CVE-2018-10933-regression3.patch: set correct state
      after sending GSSAPI_RESPONSE in src/gssapi.c.

 -- Marc Deslauriers <email address hidden> Tue, 27 Nov 2018 09:59:21 -0500

Changed in libssh (Ubuntu Cosmic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libssh - 0.6.1-0ubuntu3.5

---------------
libssh (0.6.1-0ubuntu3.5) trusty-security; urgency=medium

  * SECURITY REGRESSION: fix multiple regressions (LP: #1805348)
    - debian/patches/CVE-2018-10933-regression.patch: set correct state
      after sending INFO_REQUEST in src/server.c.
    - debian/patches/CVE-2018-10933-regression2.patch: add missing break in
      src/packet.c.
    - debian/patches/CVE-2018-10933-regression3.patch: set correct state
      after sending GSSAPI_RESPONSE in src/gssapi.c.

 -- Marc Deslauriers <email address hidden> Tue, 27 Nov 2018 10:05:25 -0500

Changed in libssh (Ubuntu Trusty):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libssh - 0.6.3-4.3ubuntu0.2

---------------
libssh (0.6.3-4.3ubuntu0.2) xenial-security; urgency=medium

  * SECURITY REGRESSION: fix multiple regressions (LP: #1805348)
    - debian/patches/CVE-2018-10933-regression.patch: set correct state
      after sending INFO_REQUEST in src/server.c.
    - debian/patches/CVE-2018-10933-regression2.patch: add missing break in
      src/packet.c.
    - debian/patches/CVE-2018-10933-regression3.patch: set correct state
      after sending GSSAPI_RESPONSE in src/gssapi.c.

 -- Marc Deslauriers <email address hidden> Tue, 27 Nov 2018 10:04:57 -0500

Changed in libssh (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libssh - 0.8.0~20170825.94fa1e38-1ubuntu0.2

---------------
libssh (0.8.0~20170825.94fa1e38-1ubuntu0.2) bionic-security; urgency=medium

  * SECURITY REGRESSION: fix multiple regressions (LP: #1805348)
    - debian/patches/CVE-2018-10933-regression.patch: set correct state
      after sending INFO_REQUEST in src/server.c.
    - debian/patches/CVE-2018-10933-regression2.patch: add missing break in
      src/packet.c.
    - debian/patches/CVE-2018-10933-regression3.patch: set correct state
      after sending GSSAPI_RESPONSE in src/gssapi.c.

 -- Marc Deslauriers <email address hidden> Tue, 27 Nov 2018 10:01:15 -0500

Changed in libssh (Ubuntu Bionic):
status: Triaged → Fix Released
Martin Pitt (pitti) wrote :

Wow, thanks Marc, this was super-fast!

Changed in libssh (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.