1 files changed, 44 insertions, 0 deletions

diff --git a/0002-libssh2-1.8.0-CVE-2019-3856.patch b/0002-libssh2-1.8.0-CVE-2019-3856.patch
new file mode 100644
index 0000000..40c9e9b
--- /dev/null
+++ b/0002-libssh2-1.8.0-CVE-2019-3856.patch
@@ -0,0 +1,44 @@
+From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:22:24 +0100
+Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard
+ interactive handling
+
+... resulting in out of bounds write
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
+
+I believe that:
+
+    `(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)`
+
+... can be simplified as:
+
+    `(session->userauth_kybd_num_prompts > 100)`
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/userauth.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index cdfa25e..3946cf9 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
+             /* int       num-prompts */
+             session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);
+             s += 4;
++            if(session->userauth_kybd_num_prompts && 
++               session->userauth_kybd_num_prompts > 100) {
++               _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                              "Too many replies for "
++                              "keyboard-interactive prompts");
++               goto cleanup;
++            }
+ 
+             if(session->userauth_kybd_num_prompts) {
+                 session->userauth_kybd_prompts =
+-- 
+2.17.2
+