From 2c66aa8e4ec5b4bfc80f991bb2b3069b108b6121 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 2 Mar 2021 11:01:02 +0100
Subject: import from RHEL 7.7

---
 0007-libssh2-1.8.0-CVE-2019-3861.patch | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 0007-libssh2-1.8.0-CVE-2019-3861.patch

(limited to '0007-libssh2-1.8.0-CVE-2019-3861.patch')

diff --git a/0007-libssh2-1.8.0-CVE-2019-3861.patch b/0007-libssh2-1.8.0-CVE-2019-3861.patch
new file mode 100644
index 0000000..d40bb71
--- /dev/null
+++ b/0007-libssh2-1.8.0-CVE-2019-3861.patch
@@ -0,0 +1,28 @@
+From 77bc71f4ca2949a11110092034dd0705faa6d7b5 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:43:34 +0100
+Subject: [PATCH] Resolves: CVE-2019-3861 - fix out-of-bounds reads with
+ specially crafted SSH packets
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch
+---
+ src/transport.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/transport.c b/src/transport.c
+index 5349284..6224c4f 100644
+--- a/src/transport.c
++++ b/src/transport.c
+@@ -442,6 +442,9 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
+             }
+ 
+             p->padding_length = block[4];
++            if ( p->padding_length > p->packet_length - 1 ) {
++                return LIBSSH2_ERROR_DECRYPT;
++            }
+ 
+             /* total_num is the number of bytes following the initial
+                (5 bytes) packet length and padding length fields */
+-- 
+2.17.2
+
-- 
cgit