ArchLinux: 201903-12: libssh2: multiple issues

    Date: 22 Mar 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package libssh2 before version 1.8.1-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.
    Arch Linux Security Advisory ASA-201903-12
    ==========================================
    
    Severity: Critical
    Date    : 2019-03-22
    CVE-ID  : CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858
              CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862
              CVE-2019-3863
    Package : libssh2
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-926
    
    Summary
    =======
    
    The package libssh2 before version 1.8.1-1 is vulnerable to multiple
    issues including arbitrary code execution and information disclosure.
    
    Resolution
    ==========
    
    Upgrade to 1.8.1-1.
    
    # pacman -Syu "libssh2>=1.8.1-1"
    
    The problems have been fixed upstream in version 1.8.1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2019-3855 (arbitrary code execution)
    
    An out-of-bounds write has been found in libssh2 before 1.8.1, where a
    malicious server could send a specially crafted packet which could
    result in an unchecked integer overflow. The value would then be used
    to allocate memory causing a possible memory write out of bounds error.
    
    - CVE-2019-3856 (arbitrary code execution)
    
    An issue has been found in libssh2 before 1.8.1 where a server could
    send a number of keyboard prompt requests approaching the unsigned int
    maximum, which could result in an unchecked integer overflow. The value
    would then be used to allocate memory causing a possible memory write
    out of bounds error.
    
    - CVE-2019-3857 (arbitrary code execution)
    
    An issue has been found in libssh2 before 1.8.1 where a server could
    send an SSH_MSG_CHANNEL_REQUEST packet with an exit signal message with
    a length of max unsigned integer value. The length would then have a
    value of 1 added to it and used to allocate memory causing a possible
    memory write out of bounds error or zero byte allocation.
    
    - CVE-2019-3858 (information disclosure)
    
    An issue has been found in libssh2 before 1.8.1 where a server could
    send a specially crafted partial SFTP packet with a zero value for the
    payload length. This zero value would be used to then allocate memory
    resulting in a zero byte allocation and possible out of bounds read.
    
    - CVE-2019-3859 (information disclosure)
    
    An issue has been found in libssh2 before 1.8.1 where a server could
    send a specially crafted partial packet in response to various commands
    such as: sha1 and sha256 key exchange, user auth list, user auth
    password response, public key auth response, channel
    startup/open/forward/setenv/request pty/x11 and session start up. The
    result would be a memory out of bounds read.
    
    - CVE-2019-3860 (information disclosure)
    
    An issue has been found in libssh2 before 1.8.1 where a server could
    send a specially crafted partial SFTP packet with an empty payload in
    response to various SFTP commands such as read directory, file status,
    status vfs and symlink. The result would be a memory out of bounds
    read.
    
    - CVE-2019-3861 (information disclosure)
    
    An issue has been found in libssh2 before 1.8.1 where a server could
    send a specially crafted SSH packet with a padding length value greater
    than the packet length. This would result in a buffer read out of
    bounds when decompressing the packet or result in a corrupted packet
    value.
    
    - CVE-2019-3862 (information disclosure)
    
    An issue has been found in libssh2 before 1.8.1 where a server could
    send a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit
    status message and no payload. This would result in an out of bounds
    memory comparison.
    
    - CVE-2019-3863 (arbitrary code execution)
    
    An issue has been found in libssh2 before 1.8.1 where a server could
    send multiple keyboard interactive response messages whose total
    length is greater than unsigned char max characters. This value is
    used as an index to copy memory, resulting in an out of bounds memory
    write error.
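
The length-handling flaws described above (a maximum-value length with 1 added in CVE-2019-3857, partial packets in CVE-2019-3858 through CVE-2019-3860, a padding length greater than the packet length in CVE-2019-3861) are all closed by validating each peer-supplied length against the bytes actually received before it is used. The C code below is an example added here to show that check; it is not libssh2's code or the upstream patches, and the function names and sample bytes are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked 32-bit arithmetic: a peer length of 0xFFFFFFFF + 1 wraps to 0. */
uint32_t unchecked_alloc_size(uint32_t peer_len) { return peer_len + 1u; }

/* Copy one SSH "string" (big-endian uint32 length + bytes) from buf at *off
 * into a new NUL-terminated buffer. Returns 0 on success, -1 on a partial or
 * malformed packet. The length is checked against the bytes received first. */
int ssh_get_string(const unsigned char *buf, size_t buflen, size_t *off,
                   unsigned char **out, uint32_t *out_len)
{
    if (*off > buflen || buflen - *off < 4)
        return -1;                      /* partial packet: no length field */
    const unsigned char *p = buf + *off;
    uint32_t len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                   ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if (len > buflen - *off - 4)
        return -1;                      /* claims more data than was sent */
    unsigned char *s = malloc((size_t)len + 1);  /* bounded, cannot wrap */
    if (s == NULL)
        return -1;
    memcpy(s, p + 4, len);
    s[len] = '\0';
    *out = s;
    *out_len = len;
    *off += 4 + (size_t)len;
    return 0;
}

/* Payload size of an SSH binary packet (RFC 4253, section 6); packet_length
 * covers the padding_length byte, payload and padding. -1 if inconsistent. */
int64_t ssh_payload_len(uint32_t packet_length, uint8_t padding_length)
{
    if (packet_length < 1 || padding_length > packet_length - 1)
        return -1;
    return (int64_t)packet_length - padding_length - 1;
}

int main(void)
{
    const unsigned char evil[] = {0xff, 0xff, 0xff, 0xff, 'x'}; /* constructed */
    size_t off = 0; unsigned char *s = NULL; uint32_t n = 0;
    printf("unchecked size: %u\n", (unsigned)unchecked_alloc_size(0xFFFFFFFFu));
    printf("checked parse:  %d\n", ssh_get_string(evil, sizeof evil, &off, &s, &n));
    return 0;
}
```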
    
    Impact
    ======
    
    A malicious server could access sensitive information or execute
    arbitrary code on a vulnerable client.
    
    References
    ==========
    
    https://www.libssh2.org/mail/libssh2-devel-archive-2019-03/0009.shtml
    https://www.libssh2.org/CVE-2019-3855.html
    https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
    https://www.libssh2.org/CVE-2019-3856.html
    https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
    https://www.libssh2.org/CVE-2019-3857.html
    https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
    https://www.libssh2.org/CVE-2019-3858.html
    https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch
    https://www.libssh2.org/CVE-2019-3859.html
    https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch
    https://www.libssh2.org/CVE-2019-3860.html
    https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch
    https://www.libssh2.org/CVE-2019-3861.html
    https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch
    https://www.libssh2.org/CVE-2019-3862.html
    https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
    https://www.libssh2.org/CVE-2019-3863.html
    https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
    https://security.archlinux.org/CVE-2019-3855
    https://security.archlinux.org/CVE-2019-3856
    https://security.archlinux.org/CVE-2019-3857
    https://security.archlinux.org/CVE-2019-3858
    https://security.archlinux.org/CVE-2019-3859
    https://security.archlinux.org/CVE-2019-3860
    https://security.archlinux.org/CVE-2019-3861
    https://security.archlinux.org/CVE-2019-3862
    https://security.archlinux.org/CVE-2019-3863
    
    