Package: libssh2 / 1.7.0-1+deb9u1

Metadata

Package: libssh2
Version: 1.7.0-1+deb9u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001-Add-lgpg-error-to-.pc-to-facilitate-static-linking.patch

libssh2.pc.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] Add -lgpg-error to .pc to facilitate static linking

Note that this patch is Debian-specific as we know that libssh2 is linked
to gcrypt.

Patching configure.ac to add gpg-error as a dependent library is not good, as it
would cause overlinking of libssh2, and there is no separate variable for
"static dependencies".

All this mess ought to be solved in gcrypt itself by providing a .pc file,
but it is not.


0001-Do-not-expose-private-libraries-to-us.patch

libssh2.pc.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] Do not expose private libraries to users of libssh2

Reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747417

CVE-2019-3855.patch

src/transport.c | 6 ++++++
1 file changed, 6 insertions(+)

Possible integer overflow in transport read allows out-of-bounds write
CVE-2019-3856.patch

src/userauth.c | 7 +++++++
1 file changed, 7 insertions(+)

Possible integer overflow in keyboard interactive handling allows out-of-bounds write
CVE-2019-3857.patch

include/libssh2.h | 12 ++++++++++++
src/packet.c      | 11 +++++++++--
2 files changed, 21 insertions(+), 2 deletions(-)

Possible integer overflow leading to zero-byte allocation and out-of-bounds write
CVE-2019-3858.patch

src/sftp.c | 4 ++++
1 file changed, 4 insertions(+)

Possible zero-byte allocation leading to an out-of-bounds read
CVE-2019-3859.patch

src/channel.c  | 26 ++++++++++++++++++++++----
src/kex.c      | 24 ++++++++++++++++++++++++
src/session.c  |  5 +++++
src/userauth.c | 35 +++++++++++++++++++++++++++++------
4 files changed, 80 insertions(+), 10 deletions(-)

Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require and _libssh2_packet_requirev
CVE-2019-3860.patch

src/sftp.c | 309 +++++++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 252 insertions(+), 57 deletions(-)

Out-of-bounds reads with specially crafted SFTP packets
CVE-2019-3861.patch

src/transport.c | 3 +++
1 file changed, 3 insertions(+)

Out-of-bounds reads with specially crafted SSH packets
CVE-2019-3862.patch

src/packet.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

Out-of-bounds memory comparison
CVE-2019-3863.patch

src/userauth.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes
Fixed misapplied patch 327.patch

src/userauth.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

Fixed misapplied patch (#327)
moved MAX size declarations 330.patch

include/libssh2.h  | 12 ------------
src/libssh2_priv.h | 12 ++++++++++++
2 files changed, 12 insertions(+), 12 deletions(-)

moved MAX size declarations #330
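The CVE-2019-3855 through CVE-2019-3863 descriptions above all name one family of defect: a length read from the peer is used in arithmetic, or as a copy or allocation size, before it is checked against the bytes actually present in the packet. The following is an added example written for this page; it is not libssh2 code and does not reproduce any of the patched functions. It parses the RFC 4253 binary-packet framing and SSH strings through a cursor that refuses to read past the buffer, puts the unchecked payload-length arithmetic beside the checked form, and guards the len + 1 allocation that can wrap to malloc(0). The 35000-byte packet cap and the sample packets are this example's own assumptions and constructions.

```c
/* Added example, not libssh2 code: bounds-checked parsing of SSH binary
 * packet fields, the length-validation pattern behind the CVE fixes above. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 4253 section 6: uint32 packet_length, byte padding_length, payload, padding
 * (>= 4 bytes), MAC. The 35000-byte cap is this example's assumption. */
#define SSH_MIN_PACKET_LENGTH 5u
#define SSH_MAX_PACKET_LENGTH 35000u

/* Cursor over an untrusted buffer: every read checks the bytes remaining. */
typedef struct { const unsigned char *p; size_t remaining; } ssh_cursor;

static int cur_get_u8(ssh_cursor *c, unsigned char *out) {
    if (c->remaining < 1) return -1;
    *out = *c->p++; c->remaining--; return 0;
}

static int cur_get_u32(ssh_cursor *c, uint32_t *out) {
    if (c->remaining < 4) return -1;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8) | (uint32_t)c->p[3];
    c->p += 4; c->remaining -= 4; return 0;
}

/* SSH "string": uint32 length, then that many bytes. The length is peer
 * controlled, so it is checked against what is actually in the packet. */
static int cur_get_string(ssh_cursor *c, const unsigned char **s, uint32_t *len) {
    uint32_t n;
    if (cur_get_u32(c, &n) != 0) return -1;
    if (n > c->remaining) return -1;            /* would read past the packet */
    *s = c->p; *len = n; c->p += n; c->remaining -= n; return 0;
}

/* Unchecked form: packet_length 0 wraps around, and an oversized
 * packet_length flows straight into a later allocation or copy. */
static uint32_t payload_len_unchecked(uint32_t packet_length, unsigned char padding_length) {
    return packet_length - 1 - padding_length;
}

/* Checked form: both lengths are validated against protocol limits and the
 * buffer before any arithmetic uses them. */
static int parse_ssh_packet(const unsigned char *buf, size_t buflen,
                            const unsigned char **payload, uint32_t *payload_len) {
    ssh_cursor c = { buf, buflen };
    uint32_t packet_length; unsigned char padding_length;
    if (cur_get_u32(&c, &packet_length) != 0) return -1;
    if (packet_length < SSH_MIN_PACKET_LENGTH || packet_length > SSH_MAX_PACKET_LENGTH) return -1;
    if (packet_length > c.remaining) return -1;               /* truncated packet */
    if (cur_get_u8(&c, &padding_length) != 0) return -1;
    if (padding_length < 4 || (uint32_t)padding_length + 1 > packet_length) return -1;
    *payload_len = packet_length - 1 - padding_length;        /* cannot wrap now */
    *payload = c.p; return 0;
}

/* Copy a string into a NUL-terminated heap buffer. len + 1 must not wrap to 0,
 * which would turn a huge length into malloc(0) followed by an out-of-bounds
 * memcpy. Returns the copied length, or -1. */
static int dup_ssh_string(const unsigned char *s, uint32_t len, char **out) {
    if (len == UINT32_MAX) return -1;
    *out = malloc((size_t)len + 1);
    if (*out == NULL) return -1;
    memcpy(*out, s, len); (*out)[len] = '\0'; return (int)len;
}

static int dup_len(const unsigned char *s, uint32_t len) {   /* dup, free, report */
    char *copy; int r = dup_ssh_string(s, len, &copy);
    if (r >= 0) free(copy); return r;
}

/* Parse a packet and read the first string in its payload; returns the
 * string length, or -1 if any length check fails. */
static int first_string_len(const unsigned char *buf, size_t buflen) {
    const unsigned char *payload, *s; uint32_t payload_len, slen;
    if (parse_ssh_packet(buf, buflen, &payload, &payload_len) != 0) return -1;
    ssh_cursor c = { payload, payload_len };
    return cur_get_string(&c, &s, &slen) == 0 ? (int)slen : -1;
}

/* Constructed sample packets (not captured traffic). */
static const unsigned char pkt_ok[] =          /* length 12, padding 5, string "ok" */
    { 0,0,0,12, 5, 0,0,0,2,'o','k', 0,0,0,0,0 };
static const unsigned char pkt_zero_len[] =    /* packet_length 0 */
    { 0,0,0,0, 4, 0,0,0,0 };
static const unsigned char pkt_truncated[] =   /* claims 12 bytes, carries 7 */
    { 0,0,0,12, 5, 0,0,0,2,'o','k' };
static const unsigned char pkt_long_string[] = /* string length 0x7FFFFFFF */
    { 0,0,0,12, 5, 0x7F,0xFF,0xFF,0xFF,'o','k', 0,0,0,0,0 };

int main(void) {
    printf("unchecked length for packet_length 0: %u\n", (unsigned)payload_len_unchecked(0, 4));
    printf("ok=%d zero=%d truncated=%d long_string=%d dup_max=%d\n",
           first_string_len(pkt_ok, sizeof pkt_ok), first_string_len(pkt_zero_len, sizeof pkt_zero_len),
           first_string_len(pkt_truncated, sizeof pkt_truncated),
           first_string_len(pkt_long_string, sizeof pkt_long_string), dup_len(pkt_ok + 9, UINT32_MAX));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c && ./a.out`. The first line of output shows the unchecked arithmetic wrapping to 4294967291 for a zero packet_length, which is the value a subsequent allocation or copy would receive; the checked parser returns -1 for the same input, and only the well-formed sample yields a string length (2). The cursor design makes the "remaining bytes" check a property of every read rather than something each caller has to remember, which is the point of routing all field access through it.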