Re: CVE-2023-6918: removal of unused evp functions & types
- Subject: Re: CVE-2023-6918: removal of unused evp functions & types
- From: Jakub Jelen <jjelen@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Mon, 26 Feb 2024 09:38:38 +0100
- To: Sean Whitton <spwhitton@xxxxxxxxxxxxxx>
- Cc: libssh@xxxxxxxxxx, debian-lts@xxxxxxxxxxxxxxxx
Hi,

This CVE is about checking the return codes from the crypto library API calls, which could fail and cause some unexpected behavior such as usage of uninitialized memory, DoS, ... Our analysis did not show any important exploitable code path (but it was in supported libssh versions -- this might not be the case in older ones!).

The removed functions evp, evp_update, evp_final all return void, so they are not fixable with the current signature.

As always, we recommend updating to the supported libssh version which has this fix already backported. If you really need to use an older libssh version, you will likely have to fix these functions by

 * checking the results of the crypto library API calls in these functions
 * returning a meaningful result from these functions
 * checking the return values from these evp() functions

In any case, if you do the backports anyway and you want somebody to have a look into them, opening a merge request on gitlab would be best. More eyes will see more issues, and if there are more people interested in these patches, it might save somebody some more time. We can accept the changes, but we will likely not do a release, though.

Best regards,
Jakub Jelen

On Sun, Feb 25, 2024 at 6:17 AM Sean Whitton <spwhitton@xxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> Thank you again for the information in January regarding backporting the
> fix for CVE-2023-48795 to older libssh. I am now working to backport
> the fix for CVE-2023-6918, and have a quick question.
> There is a commit labelled
>
> CVE-2023-6918: Remove unused evp functions and types
>
> but this is non-trivial to backport because the functions are not unused
> in the older libssh. My question is, is there a security concern with
> these functions, or was this commit just tidying up?
>
> I'm asking because the commit message is prefixed with the CVE number,
> which makes me think it might be significant for the vulnerability.
>
> Thanks!
>
> --
> Sean Whitton
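The three-step fix Jakub lists, as an added example that is neither libssh's code nor part of the thread: a constructed digest API that can fail (shaped like OpenSSL's EVP_Digest*() calls, 1 on success, 0 on error) is wrapped once by void evp-style functions, which cannot report a failure and so leave the output buffer holding stale bytes, and once by wrappers that check each call and return a meaningful result. fake_md_ctx, fake_*, evp_*_checked, digest_unchecked and digest_checked are all constructed names.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a crypto library digest API that can fail:
 * 1 on success, 0 on error. A failed update invalidates the context, so
 * a later final() also fails and does not touch the output buffer. */
typedef struct { uint32_t state; int valid; int inject_fail; } fake_md_ctx;

static int fake_init(fake_md_ctx *c, int inject_fail) {
    c->state = 0; c->valid = 1; c->inject_fail = inject_fail; return 1;
}
static int fake_update(fake_md_ctx *c, const unsigned char *d, size_t n) {
    if (!c->valid || c->inject_fail) { c->valid = 0; return 0; }
    for (size_t i = 0; i < n; i++) c->state = c->state * 31u + d[i];
    return 1;
}
static int fake_final(fake_md_ctx *c, unsigned char out[4]) {
    if (!c->valid) return 0;             /* out is NOT written on failure */
    for (int i = 0; i < 4; i++) out[i] = (unsigned char)(c->state >> (24 - 8 * i));
    return 1;
}

/* "Before" shape: void wrappers discard every library result, so on a
 * failure `out` keeps whatever it held and the caller never learns. */
static void evp_update(fake_md_ctx *c, const unsigned char *d, size_t n) { fake_update(c, d, n); }
static void evp_final(fake_md_ctx *c, unsigned char out[4]) { fake_final(c, out); }

void digest_unchecked(const unsigned char *m, size_t n, int inject_fail, unsigned char out[4]) {
    fake_md_ctx c;
    fake_init(&c, inject_fail);
    evp_update(&c, m, n);
    evp_final(&c, out);                  /* silently a no-op after a failed update */
}

/* "After" shape: every library call is checked, each wrapper returns a
 * meaningful result (0 = ok, -1 = error), and the caller checks it. */
static int evp_update_checked(fake_md_ctx *c, const unsigned char *d, size_t n) {
    return fake_update(c, d, n) == 1 ? 0 : -1;
}
static int evp_final_checked(fake_md_ctx *c, unsigned char out[4]) {
    return fake_final(c, out) == 1 ? 0 : -1;
}

int digest_checked(const unsigned char *m, size_t n, int inject_fail, unsigned char out[4]) {
    fake_md_ctx c;
    if (fake_init(&c, inject_fail) != 1) return -1;
    if (evp_update_checked(&c, m, n) != 0) return -1;
    if (evp_final_checked(&c, out) != 0) return -1;
    return 0;                            /* out is only valid when 0 is returned */
}
```

With a failure injected, digest_unchecked returns normally and leaves the caller with an unwritten buffer, while digest_checked returns -1 so the caller can refuse to use it.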