Diffstat (limited to '0001-libssh2-1.8.0-CVE-2019-3855.patch')
-rw-r--r--0001-libssh2-1.8.0-CVE-2019-3855.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/0001-libssh2-1.8.0-CVE-2019-3855.patch b/0001-libssh2-1.8.0-CVE-2019-3855.patch
new file mode 100644
index 0000000..746b515
--- /dev/null
+++ b/0001-libssh2-1.8.0-CVE-2019-3855.patch
@@ -0,0 +1,33 @@
+From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:16:53 +0100
+Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read
+
+... resulting in out of bounds write
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
+---
+ src/transport.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/transport.c b/src/transport.c
+index 8725da0..5349284 100644
+--- a/src/transport.c
++++ b/src/transport.c
+@@ -434,8 +434,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
+ * and we can extract packet and padding length from it
+ */
+ p->packet_length = _libssh2_ntohu32(block);
+- if (p->packet_length < 1)
++ if(p->packet_length < 1) {
+ return LIBSSH2_ERROR_DECRYPT;
++ }
++ else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
++ return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
++ }
+
+ p->padding_length = block[4];
+
+--
+2.17.2
+
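Review bot: In the embedded src/transport.c hunk, the context line `p->padding_length = block[4];` still takes the padding length straight from the received block, and nothing visible here compares it with the `packet_length` that was just bounded. `_libssh2_transport_read` continues past the end of the hunk, so a later check may exist; if it does not, a guard such as `if(p->padding_length > p->packet_length - 1) { return LIBSSH2_ERROR_DECRYPT; }` right after that assignment would keep the two peer-supplied lengths consistent. The new `LIBSSH2_PACKET_MAXPAYLOAD` branch would also benefit from a one-line comment, e.g. `/* packet_length is read from the peer; reject oversized values before it is used in size arithmetic */`, since the reason for the cap is currently stated only in the commit subject.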