Bug 1218265 - VUL-0: CVE-2023-48795: jujutsu: prefix truncation breaking ssh channel integrity aka Terrapin Attack
Status: IN_PROGRESS
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Critical
Target Milestone: ---
Assignee: Johannes Kastl
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/387549/
Blocks: CVE-2023-48795
Reported: 2023-12-20 11:36 UTC by Carlos López
Modified: 2024-03-23 16:31 UTC

Found By: Security Response Team

Comment 1 Carlos López 2023-12-20 11:37:34 UTC
jujutsu embeds libssh2-sys, which links against a vulnerable libssh2
Comment 2 Johannes Kastl 2024-02-10 11:47:11 UTC
Hi,
sorry for the late reply.

jujutsu aka jj was updated to 0.14.0 recently; 0.13.0 is already in Tumbleweed.

Is there a way to find out which libssh2-sys versions are affected or safe?

Kind Regards,
Johannes
Comment 3 Marcus Meissner 2024-02-12 15:58:35 UTC
$ cd vendor/libssh2-sys/libssh2/
$ grep -r LIBSSH2_VERSION  include/libssh2* 
include/libssh2.h:#define LIBSSH2_VERSION "1.10.1_DEV"

1.10.6 is the fixed version ... so it's still too old.
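
Added example (not part of the bug thread, and not code from jujutsu or libssh2): the check from Comment 3 as a POSIX shell script that reports every `libssh2.h` found under a source tree, which goes beyond the single vendor directory shown above. The function names are hypothetical, and the 1.10.6 threshold is the value stated in Comment 3, passed in as a parameter.

```shell
#!/bin/sh
# Added example: report the libssh2 version embedded in vendored source trees.

# Print the LIBSSH2_VERSION string defined in the header file $1.
libssh2_header_version() {
    sed -n 's/^#define[[:space:]]*LIBSSH2_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        head -n 1
}

# Succeed if dotted version $1 is >= $2; a suffix such as _DEV is ignored.
version_at_least() {
    have=${1%%[!0-9.]*}
    want=${2%%[!0-9.]*}
    old_ifs=$IFS
    IFS=.
    set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $want; w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
    IFS=$old_ifs
    [ "$h1" -gt "$w1" ] && return 0
    [ "$h1" -lt "$w1" ] && return 1
    [ "$h2" -gt "$w2" ] && return 0
    [ "$h2" -lt "$w2" ] && return 1
    [ "$h3" -ge "$w3" ]
}

# Print "header version verdict" for every libssh2.h below directory $1.
# $2 is the first fixed release (Comment 3 gives 1.10.6).
scan_vendored_libssh2() {
    find "$1" -type f -name libssh2.h | while IFS= read -r hdr; do
        ver=$(libssh2_header_version "$hdr")
        [ -n "$ver" ] || continue
        if version_at_least "$ver" "$2"; then verdict=ok; else verdict=too-old; fi
        # A _DEV suffix is treated here as a development snapshot: flag it for review.
        case $ver in *_DEV*) verdict="$verdict,dev-snapshot" ;; esac
        printf '%s %s %s\n' "$hdr" "$ver" "$verdict"
    done
}

if [ "$#" -ge 1 ]; then
    scan_vendored_libssh2 "$1" "${2:-1.10.6}"
else
    # Constructed sample: a header carrying the version line quoted in Comment 3.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vendor/libssh2-sys/libssh2/include"
    printf '#define LIBSSH2_VERSION "1.10.1_DEV"\n' \
        > "$tmp/vendor/libssh2-sys/libssh2/include/libssh2.h"
    scan_vendored_libssh2 "$tmp" 1.10.6
    rm -rf "$tmp"
fi
```

Run it with a source tree and a threshold as arguments to scan a real checkout; with no arguments it scans the constructed sample only.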
Comment 4 Johannes Kastl 2024-03-23 16:31:22 UTC
I just checked the current version 1.15.1 that landed in Factory. It still embeds 1.10.1_DEV.

I opened a security issue upstream, as this apparently has not been done. At least I found nothing in this regard.

Kind Regards
Johannes