CVE-2019-5152

NameCVE-2019-5152
DescriptionAn exploitable information disclosure vulnerability exists in the network packet handling functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher, a specially crafted set of network packets can cause an outbound connection from the server, resulting in information disclosure. An attacker can send arbitrary packets to trigger this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
shadowsocks-libev (PTS)buster3.2.5+ds-1vulnerable
bullseye3.3.5+ds-4vulnerable
sid, bookworm3.3.5+ds-10vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
shadowsocks-libevsource(unstable)(unfixed)unimportant

Notes

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0942
https://github.com/shadowsocks/shadowsocks-libev/issues/2525
Upstream has no plan to remove stream ciphers as per
https://github.com/shadowsocks/shadowsocks-libev/issues/2525#issuecomment-557551274
Documented insecure use case provided for backwards compatibility.
Search for package or bug name: Reporting problems