From 2c66aa8e4ec5b4bfc80f991bb2b3069b108b6121 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 2 Mar 2021 11:01:02 +0100
Subject: import from RHEL 7.7
---
0009-libssh2-1.8.0-CVE-2019-3863.patch | 40 ++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 0009-libssh2-1.8.0-CVE-2019-3863.patch
(limited to '0009-libssh2-1.8.0-CVE-2019-3863.patch')
diff --git a/0009-libssh2-1.8.0-CVE-2019-3863.patch b/0009-libssh2-1.8.0-CVE-2019-3863.patch
new file mode 100644
index 0000000..77615fd
--- /dev/null
+++ b/0009-libssh2-1.8.0-CVE-2019-3863.patch
@@ -0,0 +1,40 @@
+From 9ed3c716b63c77e9b52f71f2dae5464ade6143df Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Tue, 19 Mar 2019 13:47:41 +0100
+Subject: [PATCH] Resolves: CVE-2019-3863 - fix integer overflow in user
+ authenticate keyboard interactive
+
+... that allows out-of-bounds writes
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
+---
+ src/userauth.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index 3946cf9..ee924c5 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -1808,8 +1808,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
+
+ for(i = 0; i < session->userauth_kybd_num_prompts; i++) {
+ /* string response[1] (ISO-10646 UTF-8) */
+- session->userauth_kybd_packet_len +=
+- 4 + session->userauth_kybd_responses[i].length;
++ if(session->userauth_kybd_responses[i].length <=
++ (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) {
++ session->userauth_kybd_packet_len +=
++ 4 + session->userauth_kybd_responses[i].length;
++ }
++ else {
++ _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
++ "Unable to allocate memory for keyboard-"
++ "interactive response packet");
++ goto cleanup;
++ }
+ }
+
+ /* A new userauth_kybd_data area is to be allocated, free the
+--
+2.17.2
+
-- cgit
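Review bot: The new guard in the embedded `src/userauth.c` hunk computes `SIZE_MAX - 4 - session->userauth_kybd_packet_len` without first checking that `userauth_kybd_packet_len` is at most `SIZE_MAX - 4`. If an earlier iteration left the running total within four of `SIZE_MAX`, that unsigned subtraction wraps to a huge value, the comparison passes, and the following `+=` overflows anyway. This looks reachable only where the length field is as wide as `size_t` (the declarations are outside the hunk, so this is inferred). A guard that closes the gap is `if(session->userauth_kybd_packet_len > SIZE_MAX - 4 || session->userauth_kybd_responses[i].length > SIZE_MAX - 4 - session->userauth_kybd_packet_len) { /* error path */ }`. It is also worth confirming that `userauth.c` includes a header defining `SIZE_MAX` on every supported platform. The body of `userauth_keyboard_interactive` starts and ends outside the hunk, and since this file mirrors the upstream patch, any change should be raised upstream rather than diverging locally.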