libssh2 Security Advisory: CVE-2019-3863

Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes

Project libssh2 Security Advisory, March 18 2019

VULNERABILITY

A server could send multiple keyboard interactive response messages whose total length is greater than unsigned char max characters. This value is used as an index to copy memory, causing an out-of-bounds memory write error (CWE-130).

There are no known exploits of this flaw at this time.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2019-3863 to this issue.

AFFECTED VERSIONS

THE SOLUTION

libssh2 1.8.1 ensures the current memory index value plus the length of the response message will fit into the memory buffer before copying the value and incrementing the index value.

A patch for this problem is available
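
The check described above (index plus length must fit in the buffer before the copy) can be sketched as follows. This is an added example, not code from libssh2 or its patch; the function names, the 32-bit length counter and the sample lengths are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: two response lengths whose 32-bit sum wraps around. */
static const uint32_t sample_lens[2] = { 0xFFFFFFF0u, 0x20u };

/* Unchecked sum: wraps silently, so a buffer sized from it is too small. */
static uint32_t total_unchecked(const uint32_t *lens, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += lens[i];
    return total;
}

/* Checked sum: returns 0 on success, -1 if the next length would wrap. */
static int total_checked(const uint32_t *lens, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > UINT32_MAX - total)
            return -1;
        total += lens[i];
    }
    *out = total;
    return 0;
}

/* Copy only if idx + len fits; the subtraction form cannot itself overflow. */
static int append_checked(unsigned char *buf, size_t cap, size_t *idx,
                          const unsigned char *src, size_t len)
{
    if (*idx > cap || len > cap - *idx)
        return -1;
    memcpy(buf + *idx, src, len);
    *idx += len;
    return 0;
}

int main(void)
{
    unsigned char buf[8] = {0};
    size_t idx = 6;            /* 6 of 8 bytes already used */
    uint32_t t = 0;
    printf("wrapped=%u checked_rc=%d append_rc=%d\n",
           (unsigned)total_unchecked(sample_lens, 2), total_checked(sample_lens, 2, &t),
           append_checked(buf, sizeof buf, &idx, (const unsigned char *)"abc", 3));
    return 0;
}
```
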

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade to libssh2 1.8.1 or later

B - Apply the patch and rebuild libssh2

TIME LINE

It was first reported to the libssh2 project on Dec 3 2018 by Chris Coulson.

libssh2 1.8.1 was released on March 18 2019, coordinated with the publication of this advisory.

CREDITS

Reported by Chris Coulson of Canonical Ltd.