OpenSSH: Integer overflow — GLSA 201911-01

An integer overflow in OpenSSH might allow an attacker to execute arbitrary code.

Affected packages

net-misc/openssh on all architectures
Affected versions >= 8.0_p1-r2
Unaffected versions >= 8.0_p1-r4

Background

OpenSSH is a complete SSH protocol implementation that includes SFTP client and server support.

Description

OpenSSH, when built with the “xmss” USE flag enabled, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key.

NOTE: This USE flag is disabled by default!

Impact

A remote attacker could connect to a vulnerable OpenSSH server using a specially crafted XMSS key, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

Workaround

Disable the XMSS key type.

Resolution

All OpenSSH users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/openssh-8.0_p1-r4"
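
To check whether a host is in the state this advisory describes (an affected revision built with the xmss USE flag), the following added example, which is not part of the original advisory, reads Portage's installed-package database. It assumes the standard /var/db/pkg layout with a USE file per installed package and treats 8.0_p1-r2 and 8.0_p1-r3 as the affected revisions, per the version bounds above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Gentoo host against GLSA 201911-01.
# Assumption: Portage records each installed package under
# <vdb>/<category>/<name>-<version>/ with a USE file of enabled flags.

# glsa_201911_01_status [VDB_ROOT]
# Prints one of:
#   not-installed | xmss-disabled <ver> | outside-range <ver> | AFFECTED <ver>
glsa_201911_01_status() {
    vdb="${1:-/var/db/pkg}"
    for dir in "$vdb"/net-misc/openssh-[0-9]*; do
        [ -d "$dir" ] || continue            # glob did not match anything
        ver="${dir##*/openssh-}"
        # Match "xmss" as a whole flag, one flag per line after tr.
        if [ ! -r "$dir/USE" ] ||
           ! tr -s '[:space:]' '\n' < "$dir/USE" | grep -qx 'xmss'; then
            echo "xmss-disabled $ver"
            return 0
        fi
        # Affected per the advisory: >= 8.0_p1-r2 and below 8.0_p1-r4.
        case "$ver" in
            8.0_p1-r2|8.0_p1-r3) echo "AFFECTED $ver" ;;
            *)                   echo "outside-range $ver" ;;
        esac
        return 0
    done
    echo "not-installed"
}

# Constructed sample: a throwaway database holding one affected install.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/net-misc/openssh-8.0_p1-r3"
    echo "pam ssl xmss" > "$tmp/net-misc/openssh-8.0_p1-r3/USE"
    glsa_201911_01_status "$tmp"
    rm -rf "$tmp"
}

demo
```

Calling glsa_201911_01_status with no argument checks the live /var/db/pkg.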
 

Release date
November 07, 2019

Latest revision
November 07, 2019: 1

Severity
normal

Exploitable
remote