From e5bfac69b19fb7f7a9889c6999fd335394ed07f6 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 29 2019 12:52:28 +0000
Subject: import libssh2-1.4.3-12.el7_6.3
---
diff --git a/SOURCES/0008-libssh2-1.8.0-CVE-2019-3862.patch b/SOURCES/0008-libssh2-1.8.0-CVE-2019-3862.patch
new file mode 100644
index 0000000..d25f99b
--- /dev/null
+++ b/SOURCES/0008-libssh2-1.8.0-CVE-2019-3862.patch
@@ -0,0 +1,75 @@ +From 0e4e9825e637a15707a910539d71fe65e7e12d7b Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 19 Mar 2019 13:45:22 +0100 +Subject: [PATCH] Resolves: CVE-2019-3862 - fix out-of-bounds memory comparison + +... with specially crafted message channel request + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch +--- + src/packet.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/packet.c b/src/packet.c +index aa10633..c950b5d 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -774,8 +774,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + uint32_t len = _libssh2_ntohu32(data + 5); + unsigned char want_reply = 1; + +- if(len < (datalen - 10)) +- want_reply = data[9 + len]; ++ if((len + 9) < datalen) ++ want_reply = data[len + 9]; + + _libssh2_debug(session, + LIBSSH2_TRACE_CONN, +@@ -783,6 +783,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + channel, len, data + 9, want_reply); + + if (len == sizeof("exit-status") - 1 ++ && (sizeof("exit-status") - 1 + 9) <= datalen + && !memcmp("exit-status", data + 9, + sizeof("exit-status") - 1)) { + +@@ -791,7 +792,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + channelp = + _libssh2_channel_locate(session, channel); + +- if (channelp) { ++ if (channelp && (sizeof("exit-status") + 13) <= datalen) { + channelp->exit_status = + _libssh2_ntohu32(data + 9 + sizeof("exit-status")); + _libssh2_debug(session, LIBSSH2_TRACE_CONN, +@@ -804,13 +805,14 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + + } + else if (len == sizeof("exit-signal") - 1 ++ && (sizeof("exit-signal") - 1 + 9) <= datalen + && !memcmp("exit-signal", data + 9, + sizeof("exit-signal") - 1)) { + /* command terminated due to signal */ + if(datalen >= 20) + channelp = _libssh2_channel_locate(session, channel); + +- if (channelp) { ++ if (channelp && (sizeof("exit-signal") + 13) <= datalen) { + 
/* set signal name (without SIG prefix) */ + uint32_t namelen = + _libssh2_ntohu32(data + 9 + sizeof("exit-signal")); +@@ -826,9 +828,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data, + if (!channelp->exit_signal) + rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC, + "memory for signal name"); +- else { ++ else if ((sizeof("exit-signal") + 13 + namelen <= datalen)) { + memcpy(channelp->exit_signal, +- data + 13 + sizeof("exit_signal"), namelen); ++ data + 13 + sizeof("exit-signal"), namelen); + channelp->exit_signal[namelen] = '\0'; + /* TODO: save error message and language tag */ + _libssh2_debug(session, LIBSSH2_TRACE_CONN, +-- +2.17.2 + diff --git a/SPECS/libssh2.spec b/SPECS/libssh2.spec index acb202d..6873bb3 100644 --- a/SPECS/libssh2.spec +++ b/SPECS/libssh2.spec @@ -12,7 +12,7 @@ Name: libssh2 Version: 1.4.3 -Release: 12%{?dist}.2 +Release: 12%{?dist}.3 Summary: A library implementing the SSH2 protocol Group: System Environment/Libraries License: BSD @@ -42,6 +42,9 @@ Patch202: 0002-libssh2-1.8.0-CVE-2019-3856.patch # fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857) Patch203: 0003-libssh2-1.8.0-CVE-2019-3857.patch +# fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862) +Patch208: 0008-libssh2-1.8.0-CVE-2019-3862.patch + # fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863) Patch209: 0009-libssh2-1.8.0-CVE-2019-3863.patch @@ -133,6 +136,7 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh} %patch201 -p1 %patch202 -p1 %patch203 -p1 +%patch208 -p1 %patch209 -p1 # scp: send valid commands for remote execution (#1489733) 
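Review bot: In the exit-signal branch of the embedded src/packet.c patch, the new guard `else if ((sizeof("exit-signal") + 13 + namelen <= datalen))` adds the peer-supplied `namelen` on the left-hand side, so on a build where size_t is 32 bits a very large `namelen` wraps the sum and the check passes just before the `memcpy`. The enclosing `if (channelp && (sizeof("exit-signal") + 13) <= datalen)` already rules out underflow, so the subtraction form `else if (namelen <= datalen - (sizeof("exit-signal") + 13)) {` is safe and cannot wrap. When the guard fails, the buffer just allocated for `channelp->exit_signal` appears to stay unterminated and no error is recorded; a final `else` that frees it and resets the pointer to NULL would keep later readers away from uninitialised memory. The same additive pattern is in `(len + 9) < datalen` in the first inner hunk, where `len` is a uint32_t and the sum can wrap on any platform before `want_reply` is read and `len` is passed to `_libssh2_debug`. The allocation, the trace format string and the rest of `_libssh2_packet_add` are outside the hunks shown, so these points should be checked against the full function.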
@@ -207,6 +211,9 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/libssh2.pc %changelog +* Mon May 27 2019 Kamil Dudka 1.4.3-12.el7_6.3 +- fix out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862) + * Wed Mar 20 2019 Kamil Dudka 1.4.3-12.el7_6.2 - sanitize public header file (detected by rpmdiff)