From 2c66aa8e4ec5b4bfc80f991bb2b3069b108b6121 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 2 Mar 2021 11:01:02 +0100 Subject: import from RHEL 7.7 --- 0002-libssh2-1.8.0-CVE-2019-3856.patch | 44 ++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 0002-libssh2-1.8.0-CVE-2019-3856.patch (limited to '0002-libssh2-1.8.0-CVE-2019-3856.patch') diff --git a/0002-libssh2-1.8.0-CVE-2019-3856.patch b/0002-libssh2-1.8.0-CVE-2019-3856.patch new file mode 100644 index 0000000..40c9e9b --- /dev/null +++ b/0002-libssh2-1.8.0-CVE-2019-3856.patch @@ -0,0 +1,44 @@ +From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 19 Mar 2019 13:22:24 +0100 +Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard + interactive handling + +... resulting in out of bounds write + +Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch + +I believe that: + + `(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)` + +... can be simplified as: + + `(session->userauth_kybd_num_prompts > 100)` + +Signed-off-by: Kamil Dudka +--- + src/userauth.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/userauth.c b/src/userauth.c +index cdfa25e..3946cf9 100644 +--- a/src/userauth.c ++++ b/src/userauth.c +@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session, + /* int num-prompts */ + session->userauth_kybd_num_prompts = _libssh2_ntohu32(s); + s += 4; ++ if(session->userauth_kybd_num_prompts && ++ session->userauth_kybd_num_prompts > 100) { ++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY, ++ "Too many replies for " ++ "keyboard-interactive prompts"); ++ goto cleanup; ++ } + + if(session->userauth_kybd_num_prompts) { + session->userauth_kybd_prompts = +-- +2.17.2 + -- cgit