security fixes: landed in 1.8.1

Author: bagder

CVE-2019-3855.md

@@ -0,0 +1,59 @@
+Possible integer overflow in transport read allows out-of-bounds write
+=======================================
+
+Project libssh2 Security Advisory, March 14 2019 -
+[Permalink](https://www.libssh2.org/CVE-2019-3855.html)
+
+VULNERABILITY
+-------------
+
+A malicious server could send a specially crafted packet which could result in
+an unchecked integer overflow. The value would then be used to allocate memory
+causing a possible memory write out of bounds error (CWE-130).
+
+There are no known exploits of this flaw at this time.
+
+INFO
+----
+
+The Common Vulnerabilities and Exposures (CVE) project has assigned the name
+CVE-2019-3855 to this issue.
+
+AFFECTED VERSIONS
+-----------------
+
+- Affected versions: all versions to and including 1.8.0
+- Not affected versions: libssh2 >= 1.8.1
+
+THE SOLUTION
+------------
+
+libssh2 1.8.1 ensures packet length value is below `LIBSSH2_PACKET_MAXPAYLOAD`
+(4000 bytes) before processing payload.
+
+A patch for this problem is available at:
+
+    <patch URL>
+
+RECOMMENDATIONS
+---------------
+
+We suggest you take one of the following actions immediately, in order of
+preference:
+
+A - Upgrade to libssh2 1.8.1 or later
+
+B - Apply the patch and rebuild libssh2
+
+TIME LINE
+---------
+
+It was first reported to the libssh2 project on Dec 3 2018 by Chris Coulson.
+
+libssh2 1.8.1 as released on March 14 2019, coordinated with the publication
+of this advisory.
+
+CREDITS
+-------
+
+Reported by Chris Coulson of Canonical Ltd.

CVE-2019-3855.t

@@ -0,0 +1,14 @@
+#include "doctype.t"
+#include "setup.t"
+HEAD(libssh2 Security Advisory: CVE-2019-3855)
+#include "body.t"
+#include "menu.t"
+
+TITLE(libssh2 Security Advisory: CVE-2019-3855)
+BOXTOP
+
+#include "CVE-2019-3855.gen"
+
+BOXBOT
+
+#include "footer.t"

CVE-2019-3856.md

@@ -0,0 +1,62 @@
+Possible integer overflow in keyboard interactive handling allows out-of-bounds write
+=======================================
+
+Project libssh2 Security Advisory, March 14 2019 -
+[Permalink](https://www.libssh2.org/CVE-2019-3856.html)
+
+VULNERABILITY
+-------------
+
+A server could send a value approching unsinged int max number of keyboard
+prompt requests which could result in an unchecked interger overflow. The value
+would then be used to allocate memory causing a possible memory write out of
+bounds error (CWE-130).
+
+
+There are no known exploits of this flaw at this time.
+
+INFO
+----
+
+The Common Vulnerabilities and Exposures (CVE) project has assigned the name
+CVE-2019-3856 to this issue.
+
+AFFECTED VERSIONS
+-----------------
+
+- Affected versions: all versions to and including 1.8.0
+- Not affected versions: libssh2 >= 1.8.1
+
+THE SOLUTION
+------------
+
+libssh2 1.9.0 ensures keyboard prompt requests value is less than 100 before
+proceeding with the login process.
+
+
+A patch for this problem is available at:
+
+    <patch URL>
+
+RECOMMENDATIONS
+---------------
+
+We suggest you take one of the following actions immediately, in order of
+preference:
+
+A - Upgrade to libssh2 1.8.1 or later
+
+B - Apply the patch and rebuild libssh2
+
+TIME LINE
+---------
+
+It was first reported to the libssh2 project on Dec 3 2018 by Chris Coulson.
+
+libssh2 1.8.1 was released on <date>, coordinated with the
+publication of this advisory.
+
+CREDITS
+-------
+
+Reported by Chris Coulson of Canonical Ltd.

CVE-2019-3856.t

@@ -0,0 +1,14 @@
+#include "doctype.t"
+#include "setup.t"
+HEAD(libssh2 Security Advisory: CVE-2019-3856)
+#include "body.t"
+#include "menu.t"
+
+TITLE(libssh2 Security Advisory: CVE-2019-3856)
+BOXTOP
+
+#include "CVE-2019-3856.gen"
+
+BOXBOT
+
+#include "footer.t"

CVE-2019-3857.md

@@ -0,0 +1,62 @@
+Possible integer overflow leading to zero-byte allocation and out-of-bounds write
+=================================================================================
+
+Project libssh2 Security Advisory, March 14 2019 -
+[Permalink](https://www.libssh2.org/CVE-2019-3857.html)
+
+VULNERABILITY
+-------------
+
+A server could send a `SSH_MSG_CHANNEL_REQUEST` packet with an exit signal
+message with a length of max unsigned integer value. The length would then
+have a value of 1 added to it and used to allocate memory causing a possible
+memory write out of bounds error or zero byte allocation (CWE-130).
+
+
+There are no known exploits of this flaw at this time.
+
+INFO
+----
+
+The Common Vulnerabilities and Exposures (CVE) project has assigned the name
+CVE-2019-3857 to this issue.
+
+AFFECTED VERSIONS
+-----------------
+
+- Affected versions: versions 1.2.8 up to and including 1.8.0
+- Not affected versions: libssh2 >= 1.8.1
+
+THE SOLUTION
+------------
+
+libssh2 1.8.1 ensures the length of the message plus 1 is less than `UINT_MAX`
+before allocating memory using the computed value.
+
+
+A patch for this problem is available at:
+
+    <patch URL>
+
+RECOMMENDATIONS
+---------------
+
+We suggest you take one of the following actions immediately, in order of
+preference:
+
+A - Upgrade to libssh2 1.8.1 or later
+
+B - Apply the patch and rebuild libssh2
+
+TIME LINE
+---------
+
+It was first reported to the libssh2 project on Dec 3 2018 by Chris Coulson.
+
+libssh2 1.8.1 was released on <date>, coordinated with the
+publication of this advisory.
+
+CREDITS
+-------
+
+Reported by Chris Coulson of Canonical Ltd.

CVE-2019-3857.t

@@ -0,0 +1,14 @@
+#include "doctype.t"
+#include "setup.t"
+HEAD(libssh2 Security Advisory: CVE-2019-3857)
+#include "body.t"
+#include "menu.t"
+
+TITLE(libssh2 Security Advisory: CVE-2019-3857)
+BOXTOP
+
+#include "CVE-2019-3857.gen"
+
+BOXBOT
+
+#include "footer.t"

CVE-2019-3858.md

@@ -0,0 +1,61 @@
+Possible zero-byte allocation leading to an out-of-bounds read 
+=======================================
+
+Project libssh2 Security Advisory, March 14 2019 -
+[Permalink](https://www.libssh2.org/CVE-2019-3858.html)
+
+VULNERABILITY
+-------------
+
+A server could send a specially crafted partial SFTP packet with a zero value
+for the payload length. This zero value would be used to then allocate memory
+resulting in a zero byte allocation and possible out of bounds read (CWE-130).
+
+
+There are no known exploits of this flaw at this time.
+
+INFO
+----
+
+The Common Vulnerabilities and Exposures (CVE) project has assigned the name
+CVE-2019-3858 to this issue.
+
+AFFECTED VERSIONS
+-----------------
+
+- Affected versions: versions 0.3 up to and including 1.8.0
+- Not affected versions: libssh2 >= 1.8.1
+
+THE SOLUTION
+------------
+
+libssh2 1.9.0 ensures the length of the payload is not zero before allocing
+the memory buffer using the value.
+
+
+A patch for this problem is available at:
+
+    <patch URL>
+
+RECOMMENDATIONS
+---------------
+
+We suggest you take one of the following actions immediately, in order of
+preference:
+
+A - Upgrade to libssh2 1.8.1 or later
+
+B - Apply the patch and rebuild libssh2
+
+TIME LINE
+---------
+
+It was first reported to the libssh2 project on Dec 3 2018 by Chris Coulson.
+
+libssh2 1.8.1 was released on March 14 2019, coordinated with the publication
+of this advisory.
+
+CREDITS
+-------
+
+Reported by Chris Coulson of Canonical Ltd.

CVE-2019-3858.t

@@ -0,0 +1,14 @@
+#include "doctype.t"
+#include "setup.t"
+HEAD(libssh2 Security Advisory: CVE-2019-3858)
+#include "body.t"
+#include "menu.t"
+
+TITLE(libssh2 Security Advisory: CVE-2019-3858)
+BOXTOP
+
+#include "CVE-2019-3858.gen"
+
+BOXBOT
+
+#include "footer.t"

CVE-2019-3859.md

@@ -0,0 +1,63 @@
+Out-of-bounds reads with specially crafted payloads due to unchecked use of
+`_libssh2_packet_require` and `_libssh2_packet_requirev`
+=======================================
+
+Project libssh2 Security Advisory, March 14 2019 -
+[Permalink](https://www.libssh2.org/CVE-2019-3859.html)
+
+VULNERABILITY
+-------------
+
+A server could send a specially crafted partial packet in response to various
+commands such as: sha1 and sha226 key exchange, user auth list, user auth
+password response, public key auth response, channel startup/open/forward/
+setenv/request pty/x11 and session start up. The result would be a memory out
+of bounds read (CWE-130).
+
+There are no known exploits of this flaw at this time.
+
+INFO
+----
+
+The Common Vulnerabilities and Exposures (CVE) project has assigned the name
+CVE-2019-3859 to this issue.
+
+AFFECTED VERSIONS
+-----------------
+
+- Affected versions: versions 0.1 up to and including 1.8.0
+- Not affected versions: libssh2 >= 1.8.1
+
+THE SOLUTION
+------------
+
+libssh2 1.9.0 ensures the length of the payload is the required length before
+reading the packet buffer content.
+
+
+A patch for this problem is available at:
+
+    <patch URL>
+
+RECOMMENDATIONS
+---------------
+
+We suggest you take one of the following actions immediately, in order of
+preference:
+
+A - Upgrade to libssh2 1.8.1 or greater
+
+B - Apply the patch and rebuild libssh2
+
+TIME LINE
+---------
+
+It was first reported to the libssh2 project on Dec 3 2018 by Chris Coulson.
+
+libssh2 1.8.1 was released on March 14 2019, coordinated with the publication
+of this advisory.
+
+CREDITS
+-------
+
+Reported by Chris Coulson of Canonical Ltd.

CVE-2019-3859.t

@@ -0,0 +1,14 @@
+#include "doctype.t"
+#include "setup.t"
+HEAD(libssh2 Security Advisory: CVE-2019-3859)
+#include "body.t"
+#include "menu.t"
+
+TITLE(libssh2 Security Advisory: CVE-2019-3859)
+BOXTOP
+
+#include "CVE-2019-3859.gen"
+
+BOXBOT
+
+#include "footer.t"