Control: tags 924965 + pending
Dear maintainer,
I've prepared an NMU for libssh2 (versioned as 1.8.0-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
diff -Nru libssh2-1.8.0/debian/changelog libssh2-1.8.0/debian/changelog
--- libssh2-1.8.0/debian/changelog 2018-06-23 21:45:38.0 +0200
+++ libssh2-1.8.0/debian/changelog 2019-03-31 16:06:20.0 +0200
@@ -1,3 +1,29 @@
+libssh2 (1.8.0-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Possible integer overflow in transport read allows out-of-bounds write
+(CVE-2019-3855) (Closes: #924965)
+ * Possible integer overflow in keyboard interactive handling allows
+out-of-bounds write (CVE-2019-3856) (Closes: #924965)
+ * Possible integer overflow leading to zero-byte allocation and
+out-of-bounds write (CVE-2019-3857) (Closes: #924965)
+ * Possible zero-byte allocation leading to an out-of-bounds read
+(CVE-2019-3858) (Closes: #924965)
+ * Out-of-bounds reads with specially crafted payloads due to unchecked use
+of _libssh2_packet_require and _libssh2_packet_requirev (CVE-2019-3859)
+(Closes: #924965)
+ * Out-of-bounds reads with specially crafted SFTP packets (CVE-2019-3860)
+(Closes: #924965)
+ * Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
+(Closes: #924965)
+ * Out-of-bounds memory comparison (CVE-2019-3862) (Closes: #924965)
+ * Integer overflow in user authenicate keyboard interactive allows
+out-of-bounds writes (CVE-2019-3863) (Closes: #924965)
+ * Fixed misapplied patch for user auth.
+ * moved MAX size declarations
+
+ -- Salvatore Bonaccorso Sun, 31 Mar 2019 16:06:20 +0200
+
libssh2 (1.8.0-2) unstable; urgency=low
* Add missing zlib1g-dev dependency (Closes: #900558).
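Review bot: the CVE-2019-3863 entry misspells "authenticate" as "authenicate", and the last two entries ("Fixed misapplied patch for user auth." and "moved MAX size declarations") say nothing about which upstream fix or patch file they belong to, so a reader of the changelog cannot tell whether they are part of the CVE series or a separate change. Suggest correcting the spelling and rewording the two trailing entries to name the patch they amend, with consistent capitalisation and a trailing period, e.g. "* Move MAX size declarations (part of the upstream CVE-2019-38xx fixes)." with the actual CVE or patch name filled in.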
diff -Nru libssh2-1.8.0/debian/patches/CVE-2019-3855.patch libssh2-1.8.0/debian/patches/CVE-2019-3855.patch
--- libssh2-1.8.0/debian/patches/CVE-2019-3855.patch 1970-01-01 01:00:00.0 +0100
+++ libssh2-1.8.0/debian/patches/CVE-2019-3855.patch 2019-03-31 16:06:20.0 +0200
@@ -0,0 +1,22 @@
+Description: Possible integer overflow in transport read allows out-of-bounds write
+Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
+Bug-Debian: https://bugs.debian.org/924965
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3855
+Forwarded: not-needed
+Last-Update: 2019-03-30
+
+--- a/src/transport.c
b/src/transport.c
+@@ -438,6 +438,12 @@ int _libssh2_transport_read(LIBSSH2_SESS
+ return LIBSSH2_ERROR_DECRYPT;
+
+ p->padding_length = block[4];
++if(p->packet_length < 1) {
++return LIBSSH2_ERROR_DECRYPT;
++}
++else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
++return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
++}
+
+ /* total_num is the number of bytes following the initial
+(5 bytes) packet length and padding length fields */
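Review bot: the new bounds check rejects packet_length below 1 or above LIBSSH2_PACKET_MAXPAYLOAD, but it does not relate packet_length to the padding_length just read from block[4]; the comment that follows says total_num is derived from the packet length and padding length fields, so if that subtraction happens later without its own check, a padding_length greater than or equal to packet_length would still wrap. If that guard exists further down (not visible in this hunk) a short comment here saying so would help; otherwise consider adding the comparison alongside this check. Separately, the old-file header line reads `b/src/transport.c` without the `+++ ` prefix in this view; if that is not just a mail-rendering artifact, quilt will refuse to apply the patch, so verify the file in the upload is intact.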
diff -Nru libssh2-1.8.0/debian/patches/CVE-2019-3856.patch libssh2-1.8.0/debian/patches/CVE-2019-3856.patch
--- libssh2-1.8.0/debian/patches/CVE-2019-3856.patch 1970-01-01 01:00:00.0 +0100
+++ libssh2-1.8.0/debian/patches/CVE-2019-3856.patch 2019-03-31 16:06:20.0 +0200
@@ -0,0 +1,23 @@
+Description: Possible integer overflow in keyboard interactive handling allows out-of-bounds write
+Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
+Bug-Debian: https://bugs.debian.org/924965
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3856
+Forwarded: not-needed
+Last-Update: 2019-03-30
+
+--- a/src/userauth.c
b/src/userauth.c
+@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SE
+ /* int num-prompts */
+ session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);
+ s += 4;
++if(session->userauth_kybd_num_prompts &&
++ session->userauth_kybd_num_prompts > 100) {
++ _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++ "Too many replies for "
++ "keyboard-interactive prompts");
++ goto cleanup;
++}
+
+ if(session->userauth_kybd_num_prompts) {
+ session->userauth_kybd_prompts =
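Review bot: in the added condition, `session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100` the first conjunct is redundant, since any value greater than 100 is already nonzero; the simpler `if(session->userauth_kybd_num_prompts > 100)` reads more clearly. The literal 100 is a magic number with no comment explaining where the limit comes from; a named constant, or at least a comment noting it is an arbitrary sanity cap on the number of prompts, would help future readers. The error text "Too many replies for keyboard-interactive prompts" also describes the wrong thing: the value being checked is the count of prompts sent by the server, not the replies, so "Too many keyboard-interactive prompts" would be accurate. As with the other patch file, the old-file header line `b/src/userauth.c` appears without its `+++ ` prefix here; confirm the on-disk patch applies.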
diff -Nru libssh2-1.8.0/debian/patches/CVE-2019-3857.patch libssh2-1.8.0/debian/patches/CVE-2019-3857.patch
--- libssh2-1.8.0/debian/patches/CVE-2019-3857.patch 1970-01-01 01:00:00.0 +0100
+++ libssh2-1.8.0/debian/patches/CVE-2019-3857.patch 2019-03-31 16:06:20.0 +0200
@@ -0,0 +1,48 @@
+Description: Possible integer overflow leading to zero-byte allocation and out-of-bounds write
+Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
+Bug-Debian: https://bugs.debian.org/924965
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3857