Bug 1687307 (CVE-2019-3859) - CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read
Summary: CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_...
Status: NEW
Alias: CVE-2019-3859
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190313,repor...
Keywords: Security
Depends On: 1690247 1690248 1688440 1688441 1688442 1690408 1696058 1697701
Blocks: 1687317
TreeView+ depends on / blocked
 
Reported: 2019-03-11 08:57 UTC by Andrej Nemec
Modified: 2019-06-08 23:54 UTC (History)
17 users (show)

(edit)
An out of bounds read flaw was discovered in libssh2 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a denial of service or read data in the client memory.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Andrej Nemec 2019-03-11 08:57:41 UTC
A server could send a specially crafted partial packet in response to various
commands such as: sha1 and sha226 key exchange, user auth list, user auth
password response, public key auth response, channel startup/open/forward/
setenv/request pty/x11 and session start up. The result would be a memory out of
 bounds read.

Comment 2 Andrej Nemec 2019-03-12 09:15:32 UTC
Acknowledgments:

Name: the libssh2 project
Upstream: Chris Coulson (Canonical Ltd.)

Comment 6 Riccardo Schirone 2019-03-15 10:06:51 UTC
Upstream patch:
https://github.com/libssh2/libssh2/commit/dc109a7f518757741590bb993c0c8412928ccec2

Comment 7 Doran Moppert 2019-03-19 04:41:31 UTC
Statement:

This flaw was present in libssh2 packages included in Red Hat Virtualization Hypervisor and Management Appliance, however libssh2 in these hosts is never exposed to malicious clients or servers.

Comment 9 Dhananjay Arunesh 2019-03-19 06:33:43 UTC
External References:

https://www.libssh2.org/CVE-2019-3859.html

Comment 10 Dhananjay Arunesh 2019-03-19 06:47:30 UTC
Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1690246]


Created mingw-libssh2 tracking bugs for this issue:

Affects: fedora-all [bug 1690247]

Comment 11 Dhananjay Arunesh 2019-03-19 06:48:59 UTC
Created mingw-libssh2 tracking bugs for this issue:

Affects: epel-7 [bug 1690248]

Comment 12 Kamil Dudka 2019-03-19 11:26:18 UTC
(In reply to Dhananjay Arunesh from comment #8)
> Upstream Patch:
> https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

The current version of the patch (SHA1 a411eed4) triggers a severe regression so a follow-up fix is needed:

https://github.com/libssh2/libssh2/pull/327

Comment 13 Andrej Nemec 2019-03-19 12:28:42 UTC
Created libssh2 tracking bugs for this issue:

Affects: fedora-all [bug 1690408]


Note You need to log in before you can comment on or make changes to this bug.