Bug 1687307 (CVE-2019-3859)

Summary: CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bmcclain, dfediuck, djuran, eedri, erik-fedora, kdudka, mgoldboi, michal.skrivanek, mike, paul, rjones, rschiron, sbonazzo, security-response-team, sherold
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libssh2 1.8.1 Doc Type: If docs needed, set a value
Doc Text:
An out of bounds read flaw was discovered in libssh2 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a denial of service or read data in the client memory.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 03:26:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1688440, 1688441, 1688442, 1690247, 1690248, 1690408, 1696058, 1697701    
Bug Blocks: 1687317    

Description Andrej Nemec 2019-03-11 08:57:41 UTC 
A server could send a specially crafted partial packet in response to various
commands such as: sha1 and sha226 key exchange, user auth list, user auth
password response, public key auth response, channel startup/open/forward/
setenv/request pty/x11 and session start up. The result would be a memory out of
 bounds read.
Comment 2 Andrej Nemec 2019-03-12 09:15:32 UTC 
Acknowledgments:

Name: the libssh2 project
Upstream: Chris Coulson (Canonical Ltd.)
Comment 6 Riccardo Schirone 2019-03-15 10:06:51 UTC 
Upstream patch:
https://github.com/libssh2/libssh2/commit/dc109a7f518757741590bb993c0c8412928ccec2
Comment 7 Doran Moppert 2019-03-19 04:41:31 UTC 
Statement:

This flaw was present in libssh2 packages included in Red Hat Virtualization Hypervisor and Management Appliance, however libssh2 in these hosts is never exposed to malicious clients or servers.
Comment 8 Dhananjay Arunesh 2019-03-19 06:33:41 UTC 
Reference:
https://www.openwall.com/lists/oss-security/2019/03/18/3

Upstream Patch:
https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch
Comment 9 Dhananjay Arunesh 2019-03-19 06:33:43 UTC 
External References:

https://www.libssh2.org/CVE-2019-3859.html
Comment 10 Dhananjay Arunesh 2019-03-19 06:47:30 UTC 
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1690246]


Created mingw-libssh2 tracking bugs for this issue:

Affects: fedora-all [bug 1690247]
Comment 11 Dhananjay Arunesh 2019-03-19 06:48:59 UTC 
Created mingw-libssh2 tracking bugs for this issue:

Affects: epel-7 [bug 1690248]
Comment 12 Kamil Dudka 2019-03-19 11:26:18 UTC 
(In reply to Dhananjay Arunesh from comment #8)
> Upstream Patch:
> https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

The current version of the patch (SHA1 a411eed4) triggers a severe regression so a follow-up fix is needed:

https://github.com/libssh2/libssh2/pull/327
Comment 13 Andrej Nemec 2019-03-19 12:28:42 UTC 
Created libssh2 tracking bugs for this issue:

Affects: fedora-all [bug 1690408]