A server could send a specially crafted partial packet in response to various commands such as: sha1 and sha256 key exchange, user auth list, user auth password response, public key auth response, channel startup/open/forward/setenv/request pty/x11 and session start up. The result would be a memory out of bounds read.
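To illustrate the class of flaw described above for the "user auth list" response, here is an added example (not libssh2's code and not the upstream patch) of a parser that tracks how many bytes were actually received and rejects a partial packet instead of reading past it. All function, struct and sample names are hypothetical, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names throughout; cursor over the bytes actually received. */
struct pkt_reader { const uint8_t *p; size_t left; };

/* Constructed samples: SSH_MSG_USERAUTH_FAILURE (51), name-list, boolean. */
const uint8_t SAMPLE_OK[] = { 51, 0,0,0,8, 'p','a','s','s','w','o','r','d', 0 };
const uint8_t SAMPLE_TRUNC[] = { 51, 0,0,0,8, 'p','a' }; /* claims 8, has 2 */

/* Read a big-endian uint32; fail if fewer than 4 bytes remain. */
static int rd_u32(struct pkt_reader *r, uint32_t *out)
{
    if (r->left < 4)
        return -1;
    *out = ((uint32_t)r->p[0] << 24) | ((uint32_t)r->p[1] << 16) |
           ((uint32_t)r->p[2] << 8) | (uint32_t)r->p[3];
    r->p += 4; r->left -= 4;
    return 0;
}

/* Read an SSH string (uint32 length + data) in place, without copying. */
static int rd_string(struct pkt_reader *r, const uint8_t **s, uint32_t *len)
{
    if (rd_u32(r, len) != 0 || *len > r->left)
        return -1; /* declared length exceeds what was received */
    *s = r->p;
    r->p += *len; r->left -= *len;
    return 0;
}

/* Returns 0 and copies the method list to out; -1 on a bad or partial packet. */
int parse_userauth_failure(const uint8_t *pkt, size_t pkt_len,
                           char *out, size_t out_sz, int *partial_success)
{
    struct pkt_reader r = { pkt, pkt_len };
    const uint8_t *methods;
    uint32_t mlen;
    if (r.left < 1 || r.p[0] != 51)
        return -1;
    r.p++; r.left--;
    if (rd_string(&r, &methods, &mlen) != 0 || r.left < 1 || mlen >= out_sz)
        return -1; /* truncated string, missing boolean, or list too long */
    memcpy(out, methods, mlen);
    out[mlen] = '\0';
    *partial_success = r.p[0] != 0;
    return 0;
}
```

The key point is that every length taken from the packet is compared against the remaining byte count before any pointer is advanced or dereferenced.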
Acknowledgments:
Name: the libssh2 project
Upstream: Chris Coulson (Canonical Ltd.)
Upstream patch: https://github.com/libssh2/libssh2/commit/dc109a7f518757741590bb993c0c8412928ccec2
Statement: This flaw was present in libssh2 packages included in Red Hat Virtualization Hypervisor and Management Appliance, however libssh2 in these hosts is never exposed to malicious clients or servers.
Reference: https://www.openwall.com/lists/oss-security/2019/03/18/3
Upstream Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch
External References: https://www.libssh2.org/CVE-2019-3859.html
Created libssh tracking bugs for this issue:
Affects: fedora-all [bug 1690246]
Created mingw-libssh2 tracking bugs for this issue:
Affects: fedora-all [bug 1690247]
Created mingw-libssh2 tracking bugs for this issue:
Affects: epel-7 [bug 1690248]
(In reply to Dhananjay Arunesh from comment #8)
> Upstream Patch:
> https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

The current version of the patch (SHA1 a411eed4) triggers a severe regression so a follow-up fix is needed:
https://github.com/libssh2/libssh2/pull/327
Created libssh2 tracking bugs for this issue:
Affects: fedora-all [bug 1690408]