A server could send an SSH_MSG_CHANNEL_REQUEST packet with an exit signal message with a length of max unsigned integer value. The length would then have a value of 1 added to it and be used to allocate memory, causing a possible memory write out of bounds error or zero byte allocation.
Acknowledgments:
Name: the libssh2 project
Upstream: Chris Coulson (Canonical Ltd.)
Function _libssh2_packet_add() in packet.c does not properly check the namelen value of an SSH_MSG_CHANNEL_REQUEST message with an exit signal. The value could overflow and is used to allocate memory later on.
The attacker needs to:
- trick the user into connecting to a malicious server or
- trick the user into connecting to a compromised server or
- intercept and modify the traffic
For these reasons User Interaction (UI) is set to Required (R) and Attack Complexity (AC) is set to High (H).
Upstream patch: https://github.com/libssh2/libssh2/commit/dc109a7f518757741590bb993c0c8412928ccec2
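The length wrap described above, as an added C example (not libssh2's code and not the upstream patch). The function names and sample fields are hypothetical and constructed for illustration, and the name length is assumed to be a 32-bit unsigned value read from the wire.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample fields: 4-byte big-endian length, then the name bytes. */
static const unsigned char FIELD_OK[]  = {0x00, 0x00, 0x00, 0x04, 'T', 'E', 'R', 'M'};
static const unsigned char FIELD_MAX[] = {0xff, 0xff, 0xff, 0xff, 'T', 'E', 'R', 'M'};

static uint32_t read_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked pattern: returns the size that "namelen + 1" would request.
   No allocation or copy is performed here. */
uint32_t unchecked_alloc_size(const unsigned char *field)
{
    uint32_t namelen = read_u32(field);
    return namelen + 1;   /* wraps to 0 when namelen is 0xffffffff */
}

/* Checked pattern: accept the declared length only if that many bytes were
   actually received. Returns a NUL-terminated copy, or NULL on rejection. */
char *copy_signal_name(const unsigned char *field, size_t field_len)
{
    uint32_t namelen;
    char *name;

    if (field_len < 4)
        return NULL;                      /* no room for the length prefix */
    namelen = read_u32(field);
    if (namelen > field_len - 4)
        return NULL;                      /* declared length exceeds data */
    name = malloc((size_t)namelen + 1);   /* cannot wrap: namelen is bounded */
    if (name == NULL)
        return NULL;
    memcpy(name, field + 4, namelen);
    name[namelen] = '\0';
    return name;
}

int main(void)
{
    char *ok = copy_signal_name(FIELD_OK, sizeof FIELD_OK);
    char *bad = copy_signal_name(FIELD_MAX, sizeof FIELD_MAX);
    printf("unchecked size: %u\n", (unsigned)unchecked_alloc_size(FIELD_MAX));
    printf("valid: %s, oversized: %s\n", ok ? ok : "(rejected)", bad ? bad : "(rejected)");
    free(ok);
    return 0;
}
```

Bounding the declared length by the bytes actually received rejects the maximum value before any size arithmetic happens, so the `+ 1` can no longer wrap.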
Statement: This flaw was present in libssh2 packages included in Red Hat Virtualization Hypervisor and Management Appliance, however libssh2 in these hosts is never exposed to malicious clients or servers.
Reference: https://www.openwall.com/lists/oss-security/2019/03/18/3
Upstream Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
External References: https://www.libssh2.org/CVE-2019-3857.html
Created libssh tracking bugs for this issue: Affects: fedora-all [bug 1690246]
Created mingw-libssh2 tracking bugs for this issue: Affects: fedora-all [bug 1690247]
Created mingw-libssh2 tracking bugs for this issue: Affects: epel-7 [bug 1690248]
Created libssh2 tracking bugs for this issue: Affects: fedora-all [bug 1690408]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0679 https://access.redhat.com/errata/RHSA-2019:0679
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1175 https://access.redhat.com/errata/RHSA-2019:1175
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1652 https://access.redhat.com/errata/RHSA-2019:1652
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:1791 https://access.redhat.com/errata/RHSA-2019:1791
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:1943 https://access.redhat.com/errata/RHSA-2019:1943
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.3 Telco Extended Update Support Via RHSA-2019:2399 https://access.redhat.com/errata/RHSA-2019:2399