REDHAT-BUG-2436980
libssh can try to open any file during configuration parsing, when misconfigured or when local attacker can provide malicious configuration. This applies for all configuration loaded from default location, configuration provided through the `ssh_config_parse_file()` and `ssh_bind_config_parse_file()` functions as well as configuration files included from them directly or through glob wildcards. The possibly dangerous files involve block devices, fifo, named pipe or huge system files that could cause Denial of Service. The solution here is allowing to read only regular files and enforcing configuration file size limit of 16MB. Currently, maximum line length of a configuration file is 1K so this will effectively mean configuration files of 16K lines should still keep working.
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-2436980?
The severity of REDHAT-BUG-2436980 is considered high due to the potential for local attackers to gain unauthorized access to sensitive files.
How do I fix REDHAT-BUG-2436980?
To fix REDHAT-BUG-2436980, ensure that libssh configurations are correctly set and validated to prevent opening unauthorized files.
What versions of libssh are affected by REDHAT-BUG-2436980?
All versions of libssh that allow misconfigured or malicious configuration files are affected by REDHAT-BUG-2436980.
What type of attacks can be executed due to REDHAT-BUG-2436980?
REDHAT-BUG-2436980 allows local attackers to exploit misconfigurations to access arbitrary files on the system.
Is there a workaround for REDHAT-BUG-2436980?
A possible workaround for REDHAT-BUG-2436980 is to restrict file permissions and validate configuration files prior to use.