Arch Linux Security Advisory ASA-201903-12
=========================================
Severity: Critical
Date    : 2019-03-22
CVE-ID  : CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858
          CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862
          CVE-2019-3863
Package : libssh2
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-926

Summary
======
The package libssh2 before version 1.8.1-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution
=========
Upgrade to 1.8.1-1.

# pacman -Syu "libssh2>=1.8.1-1"

The problems have been fixed upstream in version 1.8.1.

Workaround
=========
None.

Description
==========
- CVE-2019-3855 (arbitrary code execution)

A out-of-bounds write has been found in libssh2 before 1.8.1, where a
malicious server could send a specially crafted packet which could
result in an unchecked integer overflow. The value would then be used
to allocate memory causing a possible memory write out of bounds error.

- CVE-2019-3856 (arbitrary code execution)

An issue has been found in libssh2 before 1.8.1 where a server could
send a value approaching unsigned int max number of keyboard prompt
requests which could result in an unchecked integer overflow. The value
would then be used to allocate memory causing a possible memory write
out of bounds error.

- CVE-2019-3857 (arbitrary code execution)

An issue has been found in libssh2 before 1.8.1 where a server could
send a SSH_MSG_CHANNEL_REQUEST packet with an exit signal message with
a length of max unsigned integer value. The length would then have a
value of 1 added to it and used to allocate memory causing a possible
memory write out of bounds error or zero byte allocation.

- CVE-2019-3858 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted partial SFTP packet with a zero value for the
payload length. This zero value would be used to then allocate memory
resulting in a zero byte allocation and possible out of bounds read.

- CVE-2019-3859 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted partial packet in response to various commands
such as: sha1 and sha226 key exchange, user auth list, user auth
password response, public key auth response, channel
startup/open/forward/ setenv/request pty/x11 and session start up. The
result would be a memory out of bounds read.

- CVE-2019-3860 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted partial SFTP packet with a empty payload in
response to various SFTP commands such as read directory, file status,
status vfs and symlink. The result would be a memory out of bounds
read.

- CVE-2019-3861 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted SSH packet with a padding length value greater
than the packet length. This would result in a buffer read out of
bounds when decompressing the packet or result in a corrupted packet
value.

- CVE-2019-3862 (information disclosure)

An issue has been found in libssh2 before 1.8.1 where a server could
send a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit
status message and no payload. This would result in an out of bounds
memory comparison.

- CVE-2019-3863 (arbitrary code execution)

An issue has been found in libssh2 before 1.8.1 where a server could
send a multiple keyboard interactive response messages whose total
length are greater than unsigned char max characters. This value is
used as an index to copy memory causing in an out of bounds memory
write error.

Impact
=====
A malicious server could access sensitive information or execute
arbitrary code on a vulnerable client.

References
=========
https://libssh2.org/mail/libssh2-devel-archive-2019-03/0009.shtml
https://libssh2.org/CVE-2019-3855.html
https://libssh2.org/CVE-2019-3856.html
https://libssh2.org/CVE-2019-3857.html
https://libssh2.org/CVE-2019-3858.html
https://libssh2.org/CVE-2019-3859.html
https://libssh2.org/CVE-2019-3860.html
https://libssh2.org/CVE-2019-3861.html
https://libssh2.org/CVE-2019-3862.html
https://libssh2.org/CVE-2019-3863.html
https://security.archlinux.org/CVE-2019-3855
https://security.archlinux.org/CVE-2019-3856
https://security.archlinux.org/CVE-2019-3857
https://security.archlinux.org/CVE-2019-3858
https://security.archlinux.org/CVE-2019-3859
https://security.archlinux.org/CVE-2019-3860
https://security.archlinux.org/CVE-2019-3861
https://security.archlinux.org/CVE-2019-3862
https://security.archlinux.org/CVE-2019-3863

ArchLinux: 201903-12: libssh2: multiple issues

March 22, 2019

Summary

- CVE-2019-3855 (arbitrary code execution) A out-of-bounds write has been found in libssh2 before 1.8.1, where a malicious server could send a specially crafted packet which could result in an unchecked integer overflow. The value would then be used to allocate memory causing a possible memory write out of bounds error.
- CVE-2019-3856 (arbitrary code execution)
An issue has been found in libssh2 before 1.8.1 where a server could send a value approaching unsigned int max number of keyboard prompt requests which could result in an unchecked integer overflow. The value would then be used to allocate memory causing a possible memory write out of bounds error.
- CVE-2019-3857 (arbitrary code execution)
An issue has been found in libssh2 before 1.8.1 where a server could send a SSH_MSG_CHANNEL_REQUEST packet with an exit signal message with a length of max unsigned integer value. The length would then have a value of 1 added to it and used to allocate memory causing a possible memory write out of bounds error or zero byte allocation.
- CVE-2019-3858 (information disclosure)
An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted partial SFTP packet with a zero value for the payload length. This zero value would be used to then allocate memory resulting in a zero byte allocation and possible out of bounds read.
- CVE-2019-3859 (information disclosure)
An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted partial packet in response to various commands such as: sha1 and sha226 key exchange, user auth list, user auth password response, public key auth response, channel startup/open/forward/ setenv/request pty/x11 and session start up. The result would be a memory out of bounds read.
- CVE-2019-3860 (information disclosure)
An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted partial SFTP packet with a empty payload in response to various SFTP commands such as read directory, file status, status vfs and symlink. The result would be a memory out of bounds read.
- CVE-2019-3861 (information disclosure)
An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted SSH packet with a padding length value greater than the packet length. This would result in a buffer read out of bounds when decompressing the packet or result in a corrupted packet value.
- CVE-2019-3862 (information disclosure)
An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit status message and no payload. This would result in an out of bounds memory comparison.
- CVE-2019-3863 (arbitrary code execution)
An issue has been found in libssh2 before 1.8.1 where a server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.

Resolution

Upgrade to 1.8.1-1. # pacman -Syu "libssh2>=1.8.1-1"
The problems have been fixed upstream in version 1.8.1.

References

https://libssh2.org/mail/libssh2-devel-archive-2019-03/0009.shtml https://libssh2.org/CVE-2019-3855.html https://libssh2.org/CVE-2019-3856.html https://libssh2.org/CVE-2019-3857.html https://libssh2.org/CVE-2019-3858.html https://libssh2.org/CVE-2019-3859.html https://libssh2.org/CVE-2019-3860.html https://libssh2.org/CVE-2019-3861.html https://libssh2.org/CVE-2019-3862.html https://libssh2.org/CVE-2019-3863.html https://security.archlinux.org/CVE-2019-3855 https://security.archlinux.org/CVE-2019-3856 https://security.archlinux.org/CVE-2019-3857 https://security.archlinux.org/CVE-2019-3858 https://security.archlinux.org/CVE-2019-3859 https://security.archlinux.org/CVE-2019-3860 https://security.archlinux.org/CVE-2019-3861 https://security.archlinux.org/CVE-2019-3862 https://security.archlinux.org/CVE-2019-3863

Severity
CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862
CVE-2019-3863
Package : libssh2
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-926

Workaround

None.

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved