Package: libssh2 / 1.8.0-2.1

CVE-2019-3856.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Description: Possible integer overflow in keyboard interactive handling allows out-of-bounds write
Origin: upstream, https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
Bug-Debian: https://bugs.debian.org/924965
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3856
Forwarded: not-needed
Last-Update: 2019-03-30

--- a/src/userauth.c
+++ b/src/userauth.c
@@ -1734,6 +1734,13 @@ userauth_keyboard_interactive(LIBSSH2_SE
             /* int       num-prompts */
             session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);
             s += 4;
+            if(session->userauth_kybd_num_prompts && 
+               session->userauth_kybd_num_prompts > 100) {
+               _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
+                              "Too many replies for "
+                              "keyboard-interactive prompts");
+               goto cleanup;
+            }
 
             if(session->userauth_kybd_num_prompts) {
                 session->userauth_kybd_prompts =