1687307 – (CVE-2019-3859) CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read

Bug 1687307 (CVE-2019-3859) - CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read

Summary: CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-3859
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1688440 1688441 1688442 1690247 1690248 1690408 1696058 1697701
Blocks:	1687317
TreeView+	depends on / blocked

Reported:	2019-03-11 08:57 UTC by Andrej Nemec
Modified:	2023-09-26 13:22 UTC (History)
CC List:	15 users (show)
Fixed In Version:	libssh2 1.8.1
Doc Type:	If docs needed, set a value
Doc Text:	An out of bounds read flaw was discovered in libssh2 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a denial of service or read data in the client memory.
Clone Of:
Environment:
Last Closed:	2021-10-27 03:26:37 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2019-03-11 08:57:41 UTC

A server could send a specially crafted partial packet in response to various
commands such as: sha1 and sha226 key exchange, user auth list, user auth
password response, public key auth response, channel startup/open/forward/
setenv/request pty/x11 and session start up. The result would be a memory out of
 bounds read.

Comment 2 Andrej Nemec 2019-03-12 09:15:32 UTC

Acknowledgments:

Name: the libssh2 project
Upstream: Chris Coulson (Canonical Ltd.)

Comment 6 Riccardo Schirone 2019-03-15 10:06:51 UTC

Upstream patch:
https://github.com/libssh2/libssh2/commit/dc109a7f518757741590bb993c0c8412928ccec2

Comment 7 Doran Moppert 2019-03-19 04:41:31 UTC

Statement:

This flaw was present in libssh2 packages included in Red Hat Virtualization Hypervisor and Management Appliance, however libssh2 in these hosts is never exposed to malicious clients or servers.

Comment 8 Dhananjay Arunesh 2019-03-19 06:33:41 UTC

Reference:
https://www.openwall.com/lists/oss-security/2019/03/18/3

Upstream Patch:
https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

Comment 9 Dhananjay Arunesh 2019-03-19 06:33:43 UTC

External References:

https://www.libssh2.org/CVE-2019-3859.html

Comment 10 Dhananjay Arunesh 2019-03-19 06:47:30 UTC

Created libssh tracking bugs for this issue:

Affects: fedora-all [bug 1690246]


Created mingw-libssh2 tracking bugs for this issue:

Affects: fedora-all [bug 1690247]

Comment 11 Dhananjay Arunesh 2019-03-19 06:48:59 UTC

Created mingw-libssh2 tracking bugs for this issue:

Affects: epel-7 [bug 1690248]

Comment 12 Kamil Dudka 2019-03-19 11:26:18 UTC

(In reply to Dhananjay Arunesh from comment #8)
> Upstream Patch:
> https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

The current version of the patch (SHA1 a411eed4) triggers a severe regression so a follow-up fix is needed:

https://github.com/libssh2/libssh2/pull/327

Comment 13 Andrej Nemec 2019-03-19 12:28:42 UTC

Created libssh2 tracking bugs for this issue:

Affects: fedora-all [bug 1690408]

Note You need to log in before you can comment on or make changes to this bug.