diff --git a/SOURCES/0010-libssh2-1.8.0-CVE-2019-17498.patch b/SOURCES/0010-libssh2-1.8.0-CVE-2019-17498.patch
new file mode 100644
index 0000000..319e1fd
--- /dev/null
+++ b/SOURCES/0010-libssh2-1.8.0-CVE-2019-17498.patch
@@ -0,0 +1,232 @@
+From 1ea36437bb4b0f3ac42db5222cd7311363fa6ec9 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+
+Upstream-commit: dedcbd106f8e52d5586b0205bc7677e4c9868f9c
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/misc.c | 37 +++++++++++++++++++++++
+ src/misc.h | 10 +++++++
+ src/packet.c | 84 ++++++++++++++++++++++++----------------------------
+ 3 files changed, 85 insertions(+), 46 deletions(-)
+
+diff --git a/src/misc.c b/src/misc.c
+index f7faae7..1b2682f 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -643,3 +643,40 @@ void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size)
+ }
+ return p;
+ }
++
++int _libssh2_check_length(struct string_buf *buf, size_t len)
++{
++ unsigned char *endp = &buf->data[buf->len];
++ size_t left = endp - buf->dataptr;
++ return ((len <= left) && (left <= buf->len));
++}
++
++int _libssh2_get_u32(struct string_buf *buf, uint32_t *out)
++{
++ if(!_libssh2_check_length(buf, 4)) {
++ return -1;
++ }
++
++ *out = _libssh2_ntohu32(buf->dataptr);
++ buf->dataptr += 4;
++ return 0;
++}
++
++int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf,
++ size_t *outlen)
++{
++ uint32_t data_len;
++ if(_libssh2_get_u32(buf, &data_len) != 0) {
++ return -1;
++ }
++ if(!_libssh2_check_length(buf, data_len)) {
++ return -1;
++ }
++ *outbuf = buf->dataptr;
++ buf->dataptr += data_len;
++
++ if(outlen)
++ *outlen = (size_t)data_len;
++
++ return 0;
++}
+diff --git a/src/misc.h b/src/misc.h
+index 54ae546..cf5abb5 100644
+--- a/src/misc.h
++++ b/src/misc.h
+@@ -49,6 +49,12 @@ struct list_node {
+ struct list_head *head;
+ };
+
++struct string_buf {
++ unsigned char *data;
++ unsigned char *dataptr;
++ size_t len;
++};
++
+ int _libssh2_error_flags(LIBSSH2_SESSION* session, int errcode, const char* errmsg, int errflags);
+ int _libssh2_error(LIBSSH2_SESSION* session, int errcode, const char* errmsg);
+
+@@ -80,6 +86,10 @@ void _libssh2_store_u32(unsigned char **buf, uint32_t value);
+ void _libssh2_store_str(unsigned char **buf, const char *str, size_t len);
+ void *_libssh2_calloc(LIBSSH2_SESSION* session, size_t size);
+
++int _libssh2_get_u32(struct string_buf *buf, uint32_t *out);
++int _libssh2_get_string(struct string_buf *buf, unsigned char **outbuf,
++ size_t *outlen);
++
+ #if defined(LIBSSH2_WIN32) && !defined(__MINGW32__) && !defined(__CYGWIN__)
+ /* provide a private one */
+ #undef HAVE_GETTIMEOFDAY
+diff --git a/src/packet.c b/src/packet.c
+index c950b5d..f180b77 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -416,10 +416,10 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ size_t datalen, int macstate)
+ {
+ int rc = 0;
+- char *message=NULL;
+- char *language=NULL;
+- size_t message_len=0;
+- size_t language_len=0;
++ unsigned char *message = NULL;
++ unsigned char *language = NULL;
++ size_t message_len = 0;
++ size_t language_len = 0;
+ LIBSSH2_CHANNEL *channelp = NULL;
+ size_t data_head = 0;
+ unsigned char msg = data[0];
+@@ -430,7 +430,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ "Packet type %d received, length=%d",
+ (int) msg, (int) datalen);
+
+- if ((macstate == LIBSSH2_MAC_INVALID) &&
++ if((macstate == LIBSSH2_MAC_INVALID) &&
+ (!session->macerror ||
+ LIBSSH2_MACERROR(session, (char *) data, datalen))) {
+ /* Bad MAC input, but no callback set or non-zero return from the
+@@ -456,9 +456,9 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ break;
+ }
+
+- if (session->packAdd_state == libssh2_NB_state_allocated) {
++ if(session->packAdd_state == libssh2_NB_state_allocated) {
+ /* A couple exceptions to the packet adding rule: */
+- switch (msg) {
++ switch(msg) {
+
+ /*
+ byte SSH_MSG_DISCONNECT
+@@ -469,32 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ case SSH_MSG_DISCONNECT:
+ if(datalen >= 5) {
+- size_t reason = _libssh2_ntohu32(data + 1);
+-
+- if(datalen >= 9) {
+- message_len = _libssh2_ntohu32(data + 5);
+-
+- if(message_len < datalen-13) {
+- /* 9 = packet_type(1) + reason(4) + message_len(4) */
+- message = (char *) data + 9;
+-
+- language_len = _libssh2_ntohu32(data + 9 + message_len);
+- language = (char *) data + 9 + message_len + 4;
+-
+- if(language_len > (datalen-13-message_len)) {
+- /* bad input, clear info */
+- language = message = NULL;
+- language_len = message_len = 0;
+- }
+- }
+- else
+- /* bad size, clear it */
+- message_len=0;
+- }
+- if (session->ssh_msg_disconnect) {
+- LIBSSH2_DISCONNECT(session, reason, message,
+- message_len, language, language_len);
++ uint32_t reason = 0;
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr++; /* advance past type */
++
++ _libssh2_get_u32(&buf, &reason);
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
++
++ if(session->ssh_msg_disconnect) {
++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
++
+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+ "Disconnect(%d): %s(%s)", reason,
+ message, language);
+@@ -534,23 +525,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ int always_display= data[1];
+
+ if(datalen >= 6) {
+- message_len = _libssh2_ntohu32(data + 2);
+-
+- if(message_len <= (datalen - 10)) {
+- /* 6 = packet_type(1) + display(1) + message_len(4) */
+- message = (char *) data + 6;
+- language_len = _libssh2_ntohu32(data + 6 + message_len);
+-
+- if(language_len <= (datalen - 10 - message_len))
+- language = (char *) data + 10 + message_len;
+- }
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr += 2; /* advance past type & always display */
++
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+ }
+
+- if (session->ssh_msg_debug) {
+- LIBSSH2_DEBUG(session, always_display, message,
+- message_len, language, language_len);
++ if(session->ssh_msg_debug) {
++ LIBSSH2_DEBUG(session, always_display,
++ (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
+ }
++
+ /*
+ * _libssh2_debug will actually truncate this for us so
+ * that it's not an inordinate about of data
+@@ -573,7 +565,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ uint32_t len =0;
+ unsigned char want_reply=0;
+ len = _libssh2_ntohu32(data + 1);
+- if(datalen >= (6 + len)) {
++ if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+ want_reply = data[5 + len];
+ _libssh2_debug(session,
+ LIBSSH2_TRACE_CONN,
+--
+2.20.1
+
diff --git a/SPECS/libssh2.spec b/SPECS/libssh2.spec
index 302f94c..f704268 100644
--- a/SPECS/libssh2.spec
+++ b/SPECS/libssh2.spec
@@ -1,6 +1,6 @@
Name: libssh2
Version: 1.8.0
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: A library implementing the SSH2 protocol
Group: System Environment/Libraries
License: BSD
@@ -28,6 +28,9 @@ Patch8: 0008-libssh2-1.8.0-CVE-2019-3862.patch
# fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863)
Patch9: 0009-libssh2-1.8.0-CVE-2019-3863.patch
+# fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
+Patch10: 0010-libssh2-1.8.0-CVE-2019-17498.patch
+
Patch14: 0014-libssh2-1.4.3-scp-remote-exec.patch
Patch15: 0015-libssh2-1.4.3-debug-msgs.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
@@ -86,6 +89,7 @@ developing applications that use libssh2.
%patch7 -p1
%patch8 -p1
%patch9 -p1
+%patch10 -p1
# Replace hard wired port number in the test suite to avoid collisions
# between 32-bit and 64-bit builds running on a single build-host
@@ -169,6 +173,9 @@ rm -rf %{buildroot}
%{_libdir}/pkgconfig/libssh2.pc
%changelog
+* Wed Oct 30 2019 Kamil Dudka <kdudka@redhat.com> - 1.8.0-4
+- fix integer overflow in SSH_MSG_DISCONNECT logic (CVE-2019-17498)
+
* Wed Mar 20 2019 Kamil Dudka <kdudka@redhat.com> 1.8.0-3
- sanitize public header file (detected by rpmdiff)