New Debian libssh2 1.4.3-4.1+deb8u2 fixes:

This update addresses the following issues:
* Integer overflow in transport read resulting in out of bounds write (CVE-2019-3855)
* Integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856)
* Integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857)
* Zero-byte allocation with a specially crafted SFTP packet leading to an out-of-bounds read (CVE-2019-3858)
* Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read (CVE-2019-3859)
* Out-of-bounds reads with specially crafted SFTP packets (CVE-2019-3860)
* Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
* Out-of-bounds memory comparison with specially crafted message channel request (CVE-2019-3862)
* Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes (CVE-2019-3863)
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libssh2_1.4.3-4.1+deb8u1.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/libssh2_1.4.3-4.1+deb8u2.dsc @@ -1,3 +1,27 @@ +1.4.3-4.1+deb8u2 [Mon, 25 Mar 2019 15:10:21 +0100] Mike Gabriel <sunweaver@debian.org>: + + * Non-maintainer upload by the LTS team. (Closes: #924965). + * CVE-2019-3855: Do packet length bounds check in _libssh2_transport_read() + (src/transport.c). + * CVE-2019-3856, CVE-2019-3863: Bounds checks in + userauth_keyboard_interactive() (src/userauth.c). + * CVE-2019-3857: Fix possible out zero byte/incorrect bounds allocation + in _libssh2_packet_add() (src/packet.c). + * CVE-2019-3858: Prevent zero-byte allocation in sftp_packet_read() + which could lead to an out-of-bounds read. + * CVE-2019-3859: Response length check in session_startup() + (src/transport.c), and bounds checks in various functions + (src/kex.c, src/channel.c). + * CVE-2019-3860: Add a required_size parameter to sftp_packet_require + et. al. to require callers of these functions to handle packets that + are too short. + * CVE-2019-3861: Sanitize padding_length - _libssh2_transport_read(). + This prevents an underflow resulting in a potential out-of-bounds read + if a server sends a too-large padding_length, possibly with malicious + intent. + * CVE-2019-3862: Additional length checks to prevent out-of-bounds + reads and writes in _libssh2_packet_add(). + 1.4.3-4.1+deb8u1 [Thu, 18 Feb 2016 20:28:13 +0100] Salvatore Bonaccorso <carnil@debian.org>: * Non-maintainer upload by the Security Team. <http://10.200.17.11/4.2-5/#8629105941683578856>
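Review bot: The added CVE-2019-3857 changelog entry reads "Fix possible out zero byte/incorrect bounds allocation", where the word "out" looks like a leftover from an earlier wording; something like "Fix possible zero-byte/incorrect-bounds allocation" would say what was intended. The CVE-2019-3858 and CVE-2019-3860 entries name the functions (sftp_packet_read(), sftp_packet_require) but not the source file, while every other entry gives its file in parentheses, so adding the file there would make the list easier to audit against the patch. In the CVE-2019-3860 entry, "et. al." should be "et al.", and in the CVE-2019-3861 entry "Sanitize padding_length - _libssh2_transport_read()" would read more clearly as "Sanitize padding_length in _libssh2_transport_read()".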
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] 381c5ecaaf Bug #49114: libssh2 1.4.3-4.1+deb8u2
 doc/errata/staging/libssh2.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
<http://errata.software-univention.de/ucs/4.2/622.html>