Bug 1218265

Summary: VUL-0: CVE-2023-48795: jujutsu: prefix truncation breaking ssh channel integrity aka Terrapin Attack
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Johannes Kastl <opensuse_buildservice>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium CC: gus.kenion, hpj, meissner, ncutler, rfrohl, sascha.wessels, security-team, smash_bz, sreeves, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/387549/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1217950    

Comment 1 Carlos López 2023-12-20 11:37:34 UTC 
jujutsu embeds libssh2-sys, which links against a vulnerable libssh2
Comment 2 Johannes Kastl 2024-02-10 11:47:11 UTC 
Hi,
sorry for the late reply.

jujutsu aka jj was updated to 0.14.0 recently, 0.13.0 is already in Tumbleweed.

Is there a way to find out, which libssh2-sys versions are affected or safe?

Kind Regards,
Johannes
Comment 3 Marcus Meissner 2024-02-12 15:58:35 UTC 
$ cd vendor/libssh2-sys/libssh2/
$ grep -r LIBSSH2_VERSION  include/libssh2* 
include/libssh2.h:#define LIBSSH2_VERSION "1.10.1_DEV"

1.10.6 is the fixed version ... so its still too old.
Comment 4 Johannes Kastl 2024-03-23 16:31:22 UTC 
I just checked the current version 1.15.1 that landed in Factory. It still embeds 1.10.1_DEV.

I opened a security issue upstream, as this apparently has not been done. At least I found nothing in this regard.

Kind Regards
Johannes