[ASA-201903-13] libssh2: multiple issues

Arch Linux Security Advisory ASA-201903-13 ========================================== Severity: Critical Date : 2019-03-20 CVE-ID : CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863 Package : libssh4 Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-926 Summary ======= The package libssh4 before version 1.8.1-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure. Resolution ========== Upgrade to 1.8.1-1. # pacman -Syu "libssh4>=1.8.1-1" The problems have been fixed upstream in version 1.8.1. Workaround ========== None. Description =========== - CVE-2019-3855 (arbitrary code execution) A out-of-bounds write has been found in libssh4 before 1.8.1, where a malicious server could send a specially crafted packet which could result in an unchecked integer overflow. The value would then be used to allocate memory causing a possible memory write out of bounds error. - CVE-2019-3856 (arbitrary code execution) An issue has been found in libssh4 before 1.8.1 where a server could send a value approaching unsigned int max number of keyboard prompt requests which could result in an unchecked integer overflow. The value would then be used to allocate memory causing a possible memory write out of bounds error. - CVE-2019-3857 (arbitrary code execution) An issue has been found in libssh4 before 1.8.1 where a server could send a SSH_MSG_CHANNEL_REQUEST packet with an exit signal message with a length of max unsigned integer value. The length would then have a value of 1 added to it and used to allocate memory causing a possible memory write out of bounds error or zero byte allocation. - CVE-2019-3858 (information disclosure) An issue has been found in libssh4 before 1.8.1 where a server could send a specially crafted partial SFTP packet with a zero value for the payload length. This zero value would be used to then allocate memory resulting in a zero byte allocation and possible out of bounds read. - CVE-2019-3859 (information disclosure) An issue has been found in libssh4 before 1.8.1 where a server could send a specially crafted partial packet in response to various commands such as: sha1 and sha226 key exchange, user auth list, user auth password response, public key auth response, channel startup/open/forward/ setenv/request pty/x11 and session start up. The result would be a memory out of bounds read. - CVE-2019-3860 (information disclosure) An issue has been found in libssh4 before 1.8.1 where a server could send a specially crafted partial SFTP packet with a empty payload in response to various SFTP commands such as read directory, file status, status vfs and symlink. The result would be a memory out of bounds read. - CVE-2019-3861 (information disclosure) An issue has been found in libssh4 before 1.8.1 where a server could send a specially crafted SSH packet with a padding length value greater than the packet length. This would result in a buffer read out of bounds when decompressing the packet or result in a corrupted packet value. - CVE-2019-3862 (information disclosure) An issue has been found in libssh4 before 1.8.1 where a server could send a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit status message and no payload. This would result in an out of bounds memory comparison. - CVE-2019-3863 (arbitrary code execution) An issue has been found in libssh4 before 1.8.1 where a server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error. Impact ====== A malicious server could access sensitive information or execute arbitrary code on a vulnerable client. References ========== https://www.libssh4.org/mail/libssh4-devel-archive-2019-03/0009.shtml https://www.libssh4.org/CVE-2019-3855.html https://libssh4.org/1.8.0-CVE/CVE-2019-3855.patch https://www.libssh4.org/CVE-2019-3856.html https://libssh4.org/1.8.0-CVE/CVE-2019-3856.patch https://www.libssh4.org/CVE-2019-3857.html https://libssh4.org/1.8.0-CVE/CVE-2019-3857.patch https://www.libssh4.org/CVE-2019-3858.html https://libssh4.org/1.8.0-CVE/CVE-2019-3858.patch https://www.libssh4.org/CVE-2019-3859.html https://libssh4.org/1.8.0-CVE/CVE-2019-3859.patch https://www.libssh4.org/CVE-2019-3860.html https://libssh4.org/1.8.0-CVE/CVE-2019-3860.patch https://www.libssh4.org/CVE-2019-3861.html https://libssh4.org/1.8.0-CVE/CVE-2019-3861.patch https://www.libssh4.org/CVE-2019-3862.html https://libssh4.org/1.8.0-CVE/CVE-2019-3862.patch https://www.libssh4.org/CVE-2019-3863.html https://libssh4.org/1.8.0-CVE/CVE-2019-3863.patch https://security.archlinux.org/CVE-2019-3855 https://security.archlinux.org/CVE-2019-3856 https://security.archlinux.org/CVE-2019-3857 https://security.archlinux.org/CVE-2019-3858 https://security.archlinux.org/CVE-2019-3859 https://security.archlinux.org/CVE-2019-3860 https://security.archlinux.org/CVE-2019-3861 https://security.archlinux.org/CVE-2019-3862 https://security.archlinux.org/CVE-2019-3863