Blame SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch

From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 19 Mar 2019 13:16:53 +0100
Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read
... resulting in out of bounds write
Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
---
 src/transport.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
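--- a/src/transport.c
+++ b/src/transport.c
@@ -434,8 +434,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
              * and we can extract packet and padding length from it
              */
             p->packet_length = _libssh2_ntohu32(block);
-            if (p->packet_length < 1)
+            if(p->packet_length < 1) {
                 return LIBSSH2_ERROR_DECRYPT;
+            }
+            else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
+                return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
+            }
 
             p->padding_length = block[4];
 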
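Review bot: The new upper bound on `p->packet_length` carries no comment explaining why it must run before any arithmetic on the length, and the context line right after it reads `p->padding_length = block[4]` with no matching check in this hunk. The commit message places the integer overflow in transport read, so a comment such as `/* reject an oversized length before it feeds any size arithmetic (CVE-2019-3855) */` above the `else if` would keep the check from being moved or dropped in a later refactor. If nothing later in `_libssh2_transport_read` compares the padding length with the packet length, a guard like `if(p->padding_length > p->packet_length - 1) return LIBSSH2_ERROR_DECRYPT;` belongs directly after the assignment. The function starts before and continues past this hunk, so that validation may already exist further down.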
-- 
2.17.2