A server could send a specially crafted partial SFTP packet with a empty payload in response to various SFTP commands such as read directory, file status, status vfs and symlink. The result would be a memory out of bounds read.
Acknowledgments: Name: the libssh2 project Upstream: Chris Coulson (Canonical Ltd.)
Statement: This flaw was present in libssh2 packages included in Red Hat Virtualization Hypervisor and Management Appliance, however libssh2 in these hosts is never exposed to malicious clients or servers.
Reference: https://www.openwall.com/lists/oss-security/2019/03/18/3 Upstream Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch
External References: https://www.libssh2.org/CVE-2019-3860.html
Created libssh tracking bugs for this issue: Affects: fedora-all [bug 1690246] Created mingw-libssh2 tracking bugs for this issue: Affects: fedora-all [bug 1690247]
Created mingw-libssh2 tracking bugs for this issue: Affects: epel-7 [bug 1690248]
Created libssh2 tracking bugs for this issue: Affects: fedora-all [bug 1690408]