Bug 1183137 (CVE-2021-28041)

Summary: VUL-0: CVE-2021-28041: openssh-openssl1,openssh: double free in ssh-agent
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: ali.abdallah, gianluca.gabrielli, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/279339/
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2021-03-07 10:35:18 UTC

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few
less-common scenarios, such as unconstrained agent-socket access on a legacy
operating system, or the forwarding of an agent to an attacker-controlled host.

Comment 1 Marcus Meissner 2021-04-29 10:46:04 UTC
According to external eval, only openssh 8.2 and newer are affected.
Comment 2 Marcus Meissner 2021-10-04 14:40:28 UTC

is 8.4, so would be affected
Comment 3 Ali Abdallah 2021-10-26 09:33:38 UTC
@Marcus, on the page [1] for this CVE (CVE-2021-28041), the wrong bug is linked.

SUSE Bugzilla entries: 1183135 [RESOLVED / DUPLICATE], 1183137 [NEW] 

Bug 1183135 is about a grub2 heap out-of-bounds write; actually, the whiteboard entry of that bug contains CVE-2021-28041 instead of the correct grub2 CVE-2021-3408.

In addition, the minimal (single line) fix for ssh-agent CVE-2021-28041 released on most Linux distros is [2].

[1] https://www.suse.com/security/cve/CVE-2021-28041.html
[2] https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig
Comment 4 Marcus Meissner 2021-10-26 09:46:44 UTC
I removed the 1183135 association from our db; it should be reflected within 2 hours, when the CVE pages are rebuilt.
Comment 6 Swamp Workflow Management 2021-12-22 14:26:39 UTC
openSUSE-SU-2021:4153-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1183137
CVE References: CVE-2021-28041
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    openssh-8.4p1-3.9.1, openssh-askpass-gnome-8.4p1-3.9.1
Comment 7 Swamp Workflow Management 2021-12-22 14:31:38 UTC
SUSE-SU-2021:4153-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1183137
CVE References: CVE-2021-28041
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    openssh-8.4p1-3.9.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    openssh-8.4p1-3.9.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    openssh-askpass-gnome-8.4p1-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    openssh-8.4p1-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
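Added triage helper (not code from this bug report, from SUSE or from OpenSSH): it classifies the two strings an administrator typically already has, the `ssh -V` banner and the installed package NVR, against the affected window stated in the description and comment 1 (upstream 8.2 up to but not including 8.5) and against the fixed build openssh-8.4p1-3.9.1 listed in the update above. The banners and NVRs at the bottom are constructed sample inputs, nothing runs `ssh` or `rpm`, and the release comparison assumes a package from the same SLE 15 SP3 / Leap 15.3 update stream as the advisory. It relies on GNU `sort -V` for version ordering.

```bash
#!/usr/bin/env bash
# Added triage helper for CVE-2021-28041 (not from this bug report or from
# OpenSSH). Two offline checks:
#   upstream_status  - is the upstream version in the affected window
#                      8.2 <= v < 8.5 (description, comment 1)?
#   suse_status      - does an installed SUSE package reach the fixed build
#                      openssh-8.4p1-3.9.1 from SUSE-SU-2021:4153-1?
# Sample inputs at the bottom are constructed; nothing runs ssh or rpm.

# version-release of the fixed SLE 15 SP3 / Leap 15.3 build (comment 7)
FIXED_SUSE_VR="8.4p1-3.9.1"

# Print "major.minor" from the first version-looking token, e.g.
# "OpenSSH_8.4p1, OpenSSL 1.1.1d  10 Sep 2019" -> 8.4 and "8.4p1-3.9.1" -> 8.4
maj_min() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True when $1 >= $2 under natural version ordering (GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Classify an "ssh -V 2>&1" banner: affected / not-affected / unknown.
# (ssh -V prints to stderr, hence the 2>&1 when capturing it.)
upstream_status() {
    local v
    v=$(maj_min "$1")
    [ -n "$v" ] || { echo unknown; return; }
    if version_ge "$v" 8.2 && ! version_ge "$v" 8.5; then
        echo affected
    else
        echo not-affected
    fi
}

# Classify a package NVR as printed by "rpm -q openssh":
# not-affected / fixed / vulnerable / unknown.
# The release comparison is only meaningful for packages from the same
# stream as the advisory (SLE 15 SP3 / Leap 15.3); other distributions
# number their releases differently.
suse_status() {
    local nvr="$1" vr
    case "$nvr" in
        openssh-*) vr=${nvr#openssh-} ;;
        *) echo unknown; return ;;
    esac
    # An upstream version outside the window is not affected regardless
    # of the distro release number (comment 1).
    [ "$(upstream_status "$vr")" = affected ] || { echo not-affected; return; }
    if version_ge "$vr" "$FIXED_SUSE_VR"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample inputs, not real captures from any host.
for banner in "OpenSSH_8.1p1, OpenSSL 1.1.1d  10 Sep 2019" \
              "OpenSSH_8.4p1, OpenSSL 1.1.1d  10 Sep 2019" \
              "OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021"; do
    printf '%-45s %s\n' "$banner" "$(upstream_status "$banner")"
done
for nvr in openssh-8.4p1-3.6.1 openssh-8.4p1-3.9.1 openssh-8.1p1-5.26.1; do
    printf '%-45s %s\n' "$nvr" "$(suse_status "$nvr")"
done
```

On a live host, feed it `ssh -V 2>&1` and `rpm -q openssh`; a result of "affected" from the banner plus "vulnerable" from the NVR means the ssh-agent on that system still carries the double free and needs the update, while "fixed" only says the package release is at or past the advisory's build for this stream.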
Comment 8 Hans Petter Jansson 2022-03-03 00:31:04 UTC
Verified this is both in SP3 and SP4. Can be closed if maint/security agree.
Comment 9 Gianluca Gabrielli 2022-03-03 11:09:47 UTC
SLE-15-SP4 takes it from SUSE:SLE-15-SP3:Update, so everything is done here. Thanks