From 2c66aa8e4ec5b4bfc80f991bb2b3069b108b6121 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 2 Mar 2021 11:01:02 +0100 Subject: import from RHEL 7.7 --- 0001-libssh2-1.8.0-CVE-2019-3855.patch | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 0001-libssh2-1.8.0-CVE-2019-3855.patch (limited to '0001-libssh2-1.8.0-CVE-2019-3855.patch') diff --git a/0001-libssh2-1.8.0-CVE-2019-3855.patch b/0001-libssh2-1.8.0-CVE-2019-3855.patch new file mode 100644 index 0000000..746b515 --- /dev/null +++ b/0001-libssh2-1.8.0-CVE-2019-3855.patch @@ -0,0 +1,33 @@ +From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 19 Mar 2019 13:16:53 +0100 +Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read + +... resulting in out of bounds write + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch +--- + src/transport.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/transport.c b/src/transport.c +index 8725da0..5349284 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -434,8 +434,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + * and we can extract packet and padding length from it + */ + p->packet_length = _libssh2_ntohu32(block); +- if (p->packet_length < 1) ++ if(p->packet_length < 1) { + return LIBSSH2_ERROR_DECRYPT; ++ } ++ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) { ++ return LIBSSH2_ERROR_OUT_OF_BOUNDARY; ++ } + + p->padding_length = block[4]; + +-- +2.17.2 + -- cgit