[ASA-201903-12] libssh2: multiple issues

Remi Gacogne rgacogne at archlinux.org
Fri Mar 22 22:14:17 UTC 2019


Arch Linux Security Advisory ASA-201903-12
==========================================

Severity: Critical
Date    : 2019-03-22
CVE-ID  : CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858
          CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862
          CVE-2019-3863
Package : libssh2
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-926

Summary
=======

The package libssh2 before version 1.8.1-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution
==========

Upgrade to 1.8.1-1.

# pacman -Syu "libssh2>=1.8.1-1"

The problems have been fixed upstream in version 1.8.1.

Workaround
==========

None.

Description
===========

- CVE-2019-3855 (arbitrary code execution)

A out-of-bounds write has been found in libssh2 before 1.8.1, where a
malicious server could send a specially crafted packet which could
result in an unchecked integer overflow. The value would then be used
to allocate memory causing a possible memory write out of bounds error.

- CVE-2019-3856 (arbitrary code execution)

An issue has been found in libssh2 before 1.8.1 where a server could
send a value approaching unsigned int max number of keyboard prompt
requests which could result in an unchecked integer overflow. The value
would then be used to allocate memory causing a possible memory write
out of bounds error.

- CVE-2019-3857 (arbitrary code execution)

An issue has been found in libssh2 before 1.8.1 where a server could
send a SSH_MSG_CHANNEL_REQUEST packet with an exit signal message with
a length of max unsigned integer value. The length would then have a
value of 1 added to it and used to allocate memory causing a possible
memory write out of bounds error or zero byte allocation.

- CVE-2019-3858 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted partial SFTP packet with a zero value for the
payload length. This zero value would be used to then allocate memory
resulting in a zero byte allocation and possible out of bounds read.

- CVE-2019-3859 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted partial packet in response to various commands
such as: sha1 and sha226 key exchange, user auth list, user auth
password response, public key auth response, channel
startup/open/forward/ setenv/request pty/x11 and session start up. The
result would be a memory out of bounds read.

- CVE-2019-3860 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted partial SFTP packet with a empty payload in
response to various SFTP commands such as read directory, file status,
status vfs and symlink. The result would be a memory out of bounds
read.

- CVE-2019-3861 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted SSH packet with a padding length value greater
than the packet length. This would result in a buffer read out of
bounds when decompressing the packet or result in a corrupted packet
value.

- CVE-2019-3862 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit
status message and no payload. This would result in an out of bounds
memory comparison.

- CVE-2019-3863 (arbitrary code execution)

An issue has been found in libssh2 before 1.8.1 where a server could
send a multiple keyboard interactive response messages whose total
length are greater than unsigned char max characters. This value is
used as an index to copy memory causing in an out of bounds memory
write error.

Impact
======

A malicious server could access sensitive information or execute
arbitrary code on a vulnerable client.

References
==========

https://www.libssh2.org/mail/libssh2-devel-archive-2019-03/0009.shtml
https://www.libssh2.org/CVE-2019-3855.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
https://www.libssh2.org/CVE-2019-3856.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
https://www.libssh2.org/CVE-2019-3857.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
https://www.libssh2.org/CVE-2019-3858.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch
https://www.libssh2.org/CVE-2019-3859.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch
https://www.libssh2.org/CVE-2019-3860.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch
https://www.libssh2.org/CVE-2019-3861.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch
https://www.libssh2.org/CVE-2019-3862.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
https://www.libssh2.org/CVE-2019-3863.html
https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
https://security.archlinux.org/CVE-2019-3855
https://security.archlinux.org/CVE-2019-3856
https://security.archlinux.org/CVE-2019-3857
https://security.archlinux.org/CVE-2019-3858
https://security.archlinux.org/CVE-2019-3859
https://security.archlinux.org/CVE-2019-3860
https://security.archlinux.org/CVE-2019-3861
https://security.archlinux.org/CVE-2019-3862
https://security.archlinux.org/CVE-2019-3863

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20190322/6c2cef7e/attachment-0001.sig>


More information about the arch-security mailing list