Bug 1687307 (CVE-2019-3859) - CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read
Status: NEW
Alias: CVE-2019-3859
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1688440 1688441 1688442 1690247 1690248 1690408 1696058 1697701
Blocks: 1687317
Reported: 2019-03-11 08:57 UTC by Andrej Nemec
Modified: 2020-04-21 11:32 UTC

Fixed In Version: libssh2 1.8.1
Doc Text:
An out-of-bounds read flaw was discovered in libssh2 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises an SSH server may be able to cause a denial of service or read data in the client memory.

Description Andrej Nemec 2019-03-11 08:57:41 UTC
A server could send a specially crafted partial packet in response to various
commands such as: sha1 and sha226 key exchange, user auth list, user auth
password response, public key auth response, channel startup/open/forward/
setenv/request pty/x11 and session start up. The result would be a memory out of
bounds read.
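
The defensive pattern this class of bug calls for, as an added example that is not libssh2 code or the upstream patch: the caller checks the return code of the packet-wait call and validates the received length before decoding any field. `packet_require`, `read_string_field`, `run_sample` and the packet layout are hypothetical stand-ins, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a blocking "wait for packet" call in the style of
 * _libssh2_packet_require: 0 on success (data may be short), negative on error. */
static int packet_require(const unsigned char *wire, size_t wire_len,
                          const unsigned char **data, size_t *data_len)
{
    if (wire == NULL)
        return -1;              /* stands for a timeout or socket error */
    *data = wire;
    *data_len = wire_len;
    return 0;
}

/* Reads "type(1) | len(4, big endian) | string(len)" into out.
 * Returns the string length, or -1 if the packet is missing or malformed. */
int read_string_field(const unsigned char *wire, size_t wire_len,
                      unsigned char *out, size_t out_cap)
{
    const unsigned char *data = NULL;
    size_t data_len = 0;
    if (packet_require(wire, wire_len, &data, &data_len) != 0)
        return -1;              /* check 1: never use data after a failure */
    if (data_len < 5)
        return -1;              /* check 2: header must be fully present */
    uint32_t n = ((uint32_t)data[1] << 24) | ((uint32_t)data[2] << 16) |
                 ((uint32_t)data[3] << 8) | (uint32_t)data[4];
    if (n > data_len - 5 || n > out_cap)
        return -1;              /* check 3: declared length fits received bytes */
    memcpy(out, data + 5, n);
    return (int)n;
}

/* Constructed sample packets (not captured traffic); 0x33 is an arbitrary type byte. */
const unsigned char PKT_OK[]      = { 0x33, 0, 0, 0, 3, 'a', 'b', 'c' };
const unsigned char PKT_PARTIAL[] = { 0x33, 0, 0 };             /* cut inside header */
const unsigned char PKT_LYING[]   = { 0x33, 0, 0, 1, 0, 'a' };  /* claims 256 bytes */

int run_sample(const unsigned char *pkt, size_t len)
{
    unsigned char out[16];
    return read_string_field(pkt, len, out, sizeof out);
}

int main(void)
{
    return run_sample(PKT_OK, sizeof PKT_OK) == 3 ? 0 : 1;
}
```

Comparing the declared length against `data_len - 5` rather than adding 5 to it keeps the check free of integer overflow.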

Comment 2 Andrej Nemec 2019-03-12 09:15:32 UTC

Name: the libssh2 project
Upstream: Chris Coulson (Canonical Ltd.)

Comment 6 Riccardo Schirone 2019-03-15 10:06:51 UTC
Upstream patch:

Comment 7 Doran Moppert 2019-03-19 04:41:31 UTC

This flaw was present in libssh2 packages included in Red Hat Virtualization Hypervisor and Management Appliance; however, libssh2 in these hosts is never exposed to malicious clients or servers.

Comment 9 Dhananjay Arunesh 2019-03-19 06:33:43 UTC
External References:


Comment 10 Dhananjay Arunesh 2019-03-19 06:47:30 UTC
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1690246]

Created mingw-libssh2 tracking bugs for this issue:

Affects: fedora-all [bug 1690247]

Comment 11 Dhananjay Arunesh 2019-03-19 06:48:59 UTC
Created mingw-libssh2 tracking bugs for this issue:

Affects: epel-7 [bug 1690248]

Comment 12 Kamil Dudka 2019-03-19 11:26:18 UTC
(In reply to Dhananjay Arunesh from comment #8)
> Upstream Patch:
> https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

The current version of the patch (SHA1 a411eed4) triggers a severe regression so a follow-up fix is needed:


Comment 13 Andrej Nemec 2019-03-19 12:28:42 UTC
Created libssh2 tracking bugs for this issue:

Affects: fedora-all [bug 1690408]
