[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE-2023-6918: removal of unused evp functions & types


Hello,

On Mon 26 Feb 2024 at 09:38am +01, Jakub Jelen wrote:

> This CVE is about checking return code from the crypto library API
> calls, which could fail and cause some unexpected behavior such as
> usage of uninitialized memory, DoS, ... Our analysis did not show any
> important exploitable code path (but it was in supported libssh
> versions -- this might not be the case in older ones!).
>
> The removed functions evp, evp_update, evp_final all return void so
> they are not fixable with current singature. As always, we recommend
> to update to the supported libssh version which has this fix already
> backported. If you really need to use older libssh version, you will
> likely have to fix these functions by
>  * checking crypto library API calls results in these functions
>  * returning the meaningful result from these functions
>  * checking the return values from these evp() functions
>
> In any case, if you do the backports anyway and you want somebody to
> have a look into them, opening a merge request on gitlab would be
> best. More eyes will see more issues and if there are more people
> interested in these patches, it might save somebody some more time. We
> can accept the changes, but we will likely not do release though.

Thank you for this information.  My work is currently awaiting internal
peer review, and then I'll look into posting an MR.

-- 
Sean Whitton

Attachment: signature.asc
Description: PGP signature


References:
CVE-2023-6918: removal of unused evp functions & typesSean Whitton <spwhitton@xxxxxxxxxxxxxx>
Re: CVE-2023-6918: removal of unused evp functions & typesJakub Jelen <jjelen@xxxxxxxxxx>
Archive administrator: postmaster@lists.cynapses.org