This is a security release that primarily addresses CVE-2019-14889 (low impact) but also hardens the source code.
This security update is the result of a sponsored security audit of libssh by the Mozilla Open Source Support program (MOSS). A company called Cure53 was hired to do the security audit, which took place in late September and the beginning of October. Thank you very much Mozilla for the funding and Cure53 for working with us to make libssh better!
After the audit was finished, the libssh team received an audit report from Cure53 and started to go through it and address all the issues found. We created 133 patches: 72 files changed, 2898 insertions(+), 1456 deletions(-).
After we had fixed all issues and the code had been reviewed and had passed our CI, we sent our work back to Cure53 to verify that we had addressed all issues. The verification report can be found here.
Cure53 wrote in their report: Cure53 found the codebase of libssh to be surprisingly clean, easy to understand and audit. The libssh team is trying to keep a high code quality so that security bugs are avoided by good code. However, SSH is a complex protocol and we have a big code base. There will always be bugs, but we hope that we avoid serious bugs in the future. We also hope to attract contributors with a readable and easy-to-understand code base.
Thanks to Huzaifa Sidhpurwala from Red Hat Product Security who helped us vet the audit report.
If you are new to libssh you should read our tutorial on how to get started. Please join our mailing list or visit our IRC channel if you have questions.
You can download libssh here.
ChangeLog for libssh 0.9.3
- Fixed CVE-2019-14889 – SCP: Unsanitized location leads to command execution
- SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
- SSH-01-006 General: Various unchecked Null-derefs cause DOS
- SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
- SSH-01-010 SSH: Deprecated hash function in fingerprinting
- SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
- SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
- SSH-01-001 State Machine: Initial machine states should be set explicitly
- SSH-01-002 Kex: Differently bound macros used to iterate same array
- SSH-01-005 Code-Quality: Integer sign confusion during assignments
- SSH-01-008 SCP: Protocol Injection via unescaped File Names
- SSH-01-009 SSH: Update documentation which RFCs are implemented
- SSH-01-012 PKI: Information leak via uninitialized stack buffer
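The two SCP entries above (CVE-2019-14889 and SSH-01-008) are both about a client-supplied location or file name being spliced into a command that the remote side hands to a shell. The following is an added example written for this page; it is not libssh's code and not the project's actual patch. It shows the generic mitigation: wrap the path in POSIX single quotes, escaping any embedded quote, so the remote shell sees exactly one literal word. A small scanner (an assumption of this example, modelling only whitespace, single quotes and a few shell metacharacters) lets you compare how a shell would split the naive and the quoted command.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap `path` in POSIX single quotes so a remote shell treats it as one
 * literal word. Each embedded single quote becomes '\'' (close the quote,
 * emit an escaped quote, reopen). Returns a malloc'd string or NULL. */
char *shell_quote_path(const char *path)
{
    size_t len = strlen(path);
    size_t quotes = 0;
    for (size_t i = 0; i < len; i++)
        if (path[i] == '\'') quotes++;
    /* two surrounding quotes + 3 extra bytes per embedded quote + NUL */
    size_t out_len = len + 2 + quotes * 3 + 1;
    char *out = malloc(out_len);
    if (out == NULL) return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < len; i++) {
        if (path[i] == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = path[i];
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Build the remote-side command with the location quoted. Returns 0 on
 * success, -1 on allocation failure or if `buf` is too small. */
int build_scp_command(const char *location, char *buf, size_t buflen)
{
    char *q = shell_quote_path(location);
    if (q == NULL) return -1;
    int n = snprintf(buf, buflen, "scp -t %s", q);
    free(q);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return 0;
}

/* Minimal model of how a POSIX shell would read `cmd`: whitespace splits
 * words, single quotes group text literally, and ';', '|', '&' outside
 * quotes are operators (they end a word and are counted as metacharacters),
 * as are '$' and '`' outside quotes. Double quotes and backslashes are not
 * modelled. Returns -1 on an unterminated single quote, else 0. */
int shell_scan(const char *cmd, int *words, int *metachars)
{
    int in_word = 0, in_quote = 0;
    *words = 0;
    *metachars = 0;
    for (const char *c = cmd; *c != '\0'; c++) {
        if (in_quote) {
            if (*c == '\'') in_quote = 0;
            continue;
        }
        if (*c == '\'') {
            in_quote = 1;
            if (!in_word) { in_word = 1; (*words)++; }
        } else if (*c == ' ' || *c == '\t' || *c == '\n') {
            in_word = 0;
        } else if (*c == ';' || *c == '|' || *c == '&') {
            (*metachars)++;
            in_word = 0;
        } else {
            if (*c == '$' || *c == '`') (*metachars)++;
            if (!in_word) { in_word = 1; (*words)++; }
        }
    }
    return in_quote ? -1 : 0;
}

int main(void)
{
    /* Constructed location containing a space and a command separator. */
    const char *location = "a b; echo injected";
    char quoted[256];
    int w, m;

    if (build_scp_command(location, quoted, sizeof quoted) == 0) {
        shell_scan(quoted, &w, &m);
        printf("quoted : %s -> %d words, %d metachars\n", quoted, w, m);
    }
    char naive[256];
    snprintf(naive, sizeof naive, "scp -t %s", location);
    shell_scan(naive, &w, &m);
    printf("naive  : %s -> %d words, %d metachars\n", naive, w, m);
    return 0;
}
```

The check worth keeping from this is the scanner's metacharacter count: after quoting, a location must always yield one word and zero unquoted metacharacters no matter what the client sent. Quoting at the point where the string enters the command line is the mitigation; rejecting or blacklisting individual characters is fragile by comparison.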
ChangeLog for libssh 0.8.8
- Fixed CVE-2019-14889 – SCP: Unsanitized location leads to command execution