libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL. External Reference: https://bugs.gentoo.org/734624
Created libssh tracking bugs for this issue: Affects: fedora-all [bug 1862457]
Flaw summary: In sftp_get_client_message() of sftpserver.c, there is the code msg->complete_message = ssh_buffer_new();. There is no check for msg->complete_message being NULL, and it is immediately passed into ssh_buffer_add_data() and then buffer_verify(), which will cause a NULL pointer dereference in the case where ssh_buffer_new() returned NULL. ssh_buffer_new() could return NULL if either calloc() or ssh_buffer_allocate_size() (which in some cases calls realloc()) fails an allocation in libssh-0.9.0, which is shipped with Red Hat Enterprise Linux 8. The flaw exists in libssh-0.7.1 as shipped with the Red Hat Enterprise Linux 7 Extras channel, but the code is slightly different: ssh_buffer_new() calls malloc() instead of calloc() and does not call ssh_buffer_allocate_size(), so the flaw would rely solely on malloc() failing/returning NULL in libssh-0.7.1. This flaw could cause a crash in the sftpserver. However, because the allocations are based on sizeof(struct ssh_buffer_struct) or a hardcoded size in the malloc(), realloc() and calloc() calls, instead of externally provided input, there is no direct attacker-controlled code path to remotely trigger a NULL pointer dereference in this case.
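The pattern above, reduced to a self-contained model with the missing check added. This is an added example, not libssh code: the ssh_buffer_new(), ssh_buffer_add_data() and sftp_get_client_message_checked() functions here are hypothetical stand-ins for the real libssh API, and the fail_next_alloc fault injector is constructed so the allocation-failure path can be exercised without exhausting memory.

```c
/* Added example (not libssh code): models the ssh_buffer_new() NULL path. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fault injector: when nonzero, the next ssh_buffer_new() fails,
 * standing in for calloc()/realloc() returning NULL. */
static int fail_next_alloc = 0;

struct ssh_buffer_struct { uint8_t *data; size_t used; size_t allocated; };

static struct ssh_buffer_struct *ssh_buffer_new(void) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    struct ssh_buffer_struct *b = calloc(1, sizeof(*b));
    if (b == NULL) return NULL;
    b->data = malloc(64);                     /* fixed size, not attacker input */
    if (b->data == NULL) { free(b); return NULL; }
    b->allocated = 64;
    return b;
}

static void ssh_buffer_free(struct ssh_buffer_struct *b) {
    if (b == NULL) return;
    free(b->data);
    free(b);
}

/* Dereferences b unconditionally: with the original code, a NULL buffer
 * reaches this point and crashes the sftp server. */
static int ssh_buffer_add_data(struct ssh_buffer_struct *b, const void *d, size_t len) {
    if (b->used + len > b->allocated) return -1;
    memcpy(b->data + b->used, d, len);
    b->used += len;
    return 0;
}

struct sftp_client_message { struct ssh_buffer_struct *complete_message; };

/* Hardened form: check the allocation before handing it to the buffer API. */
struct sftp_client_message *sftp_get_client_message_checked(const uint8_t *pkt, size_t len) {
    struct sftp_client_message *msg = calloc(1, sizeof(*msg));
    if (msg == NULL) return NULL;
    msg->complete_message = ssh_buffer_new();
    if (msg->complete_message == NULL) { free(msg); return NULL; }   /* the missing check */
    if (ssh_buffer_add_data(msg->complete_message, pkt, len) < 0) {
        ssh_buffer_free(msg->complete_message);
        free(msg);
        return NULL;
    }
    return msg;
}
```

With fail_next_alloc set, the checked function returns NULL and releases msg instead of dereferencing a NULL buffer; with it clear, the packet is copied into complete_message as before.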
Upstream patches: https://gitlab.com/libssh/libssh-mirror/-/commit/533d881b0f4b24c72b35ecc97fa35d295d063e53 https://gitlab.com/libssh/libssh-mirror/-/commit/2782cb0495b7450bd8fe43ce4af886b66fea6c40 https://gitlab.com/libssh/libssh-mirror/-/commit/10b3ebbe61a7031a3dae97f05834442220447181 https://gitlab.com/libssh/libssh-mirror/-/commit/245ad744b5ab0582fef7cf3905a717b791d7e08b
Upstream bug tracker: https://bugs.libssh.org/T232
Merge request: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/120
I've lowered the impact to Low because there is no demonstrated way for an attacker to reliably force a NULL pointer dereference via a code path here. An attacker would likely need to groom the system via other means or exploitation of other flaws, in order to create conditions that would cause an allocation failure.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
NOTE: this flaw exists in the file sftpserver.c, not tftpserver.c. tftpserver.c does not exist in libssh, and the name appears to be a typo which propagated across all of the advisories, trackers, the CVE, etc.
Statement: libssh2 as shipped with Red Hat Enterprise Linux 6, 7, and 8 is NOT affected by this flaw; libssh2 and libssh are different codebases, and libssh2 does not contain the vulnerable code. Red Hat Product Security has set the impact of this flaw to Low because there is no demonstrated way for an attacker to reliably force a NULL pointer dereference via a code path in the affected libssh code.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4387 https://access.redhat.com/errata/RHSA-2021:4387
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:4750 https://access.redhat.com/errata/RHSA-2021:4750