diff options
Diffstat (limited to '0009-libssh2-1.8.0-CVE-2019-3863.patch')
-rw-r--r-- | 0009-libssh2-1.8.0-CVE-2019-3863.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/0009-libssh2-1.8.0-CVE-2019-3863.patch b/0009-libssh2-1.8.0-CVE-2019-3863.patch new file mode 100644 index 0000000..77615fd --- /dev/null +++ b/0009-libssh2-1.8.0-CVE-2019-3863.patch @@ -0,0 +1,40 @@ +From 9ed3c716b63c77e9b52f71f2dae5464ade6143df Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 19 Mar 2019 13:47:41 +0100 +Subject: [PATCH] Resolves: CVE-2019-3863 - fix integer overflow in user + authenticate keyboard interactive + +... that allows out-of-bounds writes + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch +--- + src/userauth.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/userauth.c b/src/userauth.c +index 3946cf9..ee924c5 100644 +--- a/src/userauth.c ++++ b/src/userauth.c +@@ -1808,8 +1808,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, + + for(i = 0; i < session->userauth_kybd_num_prompts; i++) { + /* string response[1] (ISO-10646 UTF-8) */ +- session->userauth_kybd_packet_len += +- 4 + session->userauth_kybd_responses[i].length; ++ if(session->userauth_kybd_responses[i].length <= ++ (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) { ++ session->userauth_kybd_packet_len += ++ 4 + session->userauth_kybd_responses[i].length; ++ } ++ else { ++ _libssh2_error(session, LIBSSH2_ERROR_ALLOC, ++ "Unable to allocate memory for keyboard-" ++ "interactive response packet"); ++ goto cleanup; ++ } + } + + /* A new userauth_kybd_data area is to be allocated, free the +-- +2.17.2 + |