Bug 1128481 - (CVE-2019-3860) VUL-0: CVE-2019-3860: libssh2_org: Out-of-bounds reads with specially crafted SFTP packets
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/225976/
Reported: 2019-03-08 10:35 UTC by Karol Babioch
Modified: 2019-08-21 22:37 UTC (History)
Description Karol Babioch 2019-03-08 10:35:10 UTC
Out-of-bounds reads with specially crafted SFTP packets
=======================================

Project libssh2 Security Advisory, <date> -
[Permalink](<link>)

VULNERABILITY
-------------

A server could send a specially crafted partial SFTP packet with an empty payload
in response to various SFTP commands such as read directory, file status,
status vfs and symlink. The result would be a memory out of bounds read
(CWE-130).

There are no known exploits of this flaw at this time.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
<assigned CVE> to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: versions 0.3 up to and including 1.8.0
- Not affected versions: libssh2 >= 1.9.0

THE SOLUTION
------------

libssh2 1.8.1 ensures the length of the payload is the required length before
reading the packet buffer content.


A patch for this problem is available at:

    <patch URL>

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade to libssh2 1.8.1 or later

B - Apply the patch and rebuild libssh2

TIME LINE
---------

It was first reported to the libssh2 project on Dec 3 2018 by Chris Coulson.

libssh2 1.8.1 was released on <date>, coordinated with the
publication of this advisory.

CREDITS
-------

Reported by Chris Coulson of Canonical Ltd.
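
The length check described under THE SOLUTION, as an added example that is not part of the advisory and is not libssh2 source code. It assumes the SFTP status reply layout (1-byte type, 4-byte request id, 4-byte status code) with the length prefix already stripped; the function and constant names other than SSH_FXP_STATUS are hypothetical, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not libssh2 source. Names are hypothetical. */
#define SSH_FXP_STATUS 101   /* SFTP packet type for a status reply */
#define STATUS_MIN_LEN 9     /* type(1) + request id(4) + status code(4) */

enum parse_result { PARSE_OK = 0, PARSE_TOO_SHORT = -1, PARSE_WRONG_TYPE = -2 };

/* Read a big-endian uint32; the caller has already verified 4 bytes exist. */
static uint32_t read_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Parse the body of an SFTP status reply. An unchecked parser would call
 * read_u32(data + 5) straight away; for a 1-byte body that touches
 * offsets 5..8 of a buffer that only has offset 0.
 */
int parse_status_reply(const unsigned char *data, size_t data_len,
                       uint32_t *request_id, uint32_t *status_code)
{
    if (data == NULL || data_len < 1)
        return PARSE_TOO_SHORT;        /* not even a type byte */
    if (data[0] != SSH_FXP_STATUS)
        return PARSE_WRONG_TYPE;
    if (data_len < STATUS_MIN_LEN)
        return PARSE_TOO_SHORT;        /* partial packet, empty payload */

    *request_id = read_u32(data + 1);
    *status_code = read_u32(data + 5);
    return PARSE_OK;
}

int main(void)
{
    /* Constructed samples: a complete reply and a type-only partial one. */
    const unsigned char full[] = {SSH_FXP_STATUS, 0, 0, 0, 7, 0, 0, 0, 2};
    const unsigned char partial[] = {SSH_FXP_STATUS};
    uint32_t id = 0, code = 0;

    int r1 = parse_status_reply(full, sizeof(full), &id, &code);
    printf("full: rc=%d id=%u code=%u\n", r1, (unsigned)id, (unsigned)code);
    int r2 = parse_status_reply(partial, sizeof(partial), &id, &code);
    printf("partial: rc=%d\n", r2);
    return (r1 == PARSE_OK && r2 == PARSE_TOO_SHORT) ? 0 : 1;
}
```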
Comment 2 Karol Babioch 2019-03-08 10:36:24 UTC
CRD: 2019-03-13
URL: https://libssh2.org/9/7.txt
Comment 8 Swamp Workflow Management 2019-03-20 13:18:05 UTC
SUSE-SU-2019:13982-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493
CVE References: CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libssh2_org-1.4.3-17.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    libssh2_org-1.4.3-17.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libssh2_org-1.4.3-17.3.1
Comment 9 Swamp Workflow Management 2019-03-20 14:12:41 UTC
SUSE-SU-2019:0655-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493
CVE References: CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Sources used:
SUSE OpenStack Cloud 7 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-LTSS (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libssh2_org-1.4.3-20.3.1
SUSE Enterprise Storage 4 (src):    libssh2_org-1.4.3-20.3.1
SUSE CaaS Platform ALL (src):    libssh2_org-1.4.3-20.3.1
SUSE CaaS Platform 3.0 (src):    libssh2_org-1.4.3-20.3.1
OpenStack Cloud Magnum Orchestration 7 (src):    libssh2_org-1.4.3-20.3.1
Comment 12 Swamp Workflow Management 2019-03-28 20:10:47 UTC
openSUSE-SU-2019:1075-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493
CVE References: CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Sources used:
openSUSE Leap 42.3 (src):    libssh2_org-1.4.3-19.3.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-03-29 23:17:22 UTC
SUSE-SU-2019:13997-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493
CVE References: CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libssh2_org-1.2.9-4.2.12.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libssh2_org-1.2.9-4.2.12.5.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-04-02 16:14:54 UTC
openSUSE-SU-2019:1109-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493
CVE References: CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Sources used:
openSUSE Leap 15.0 (src):    libssh2_org-1.8.0-lp150.3.3.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2019-06-21 13:14:29 UTC
SUSE-SU-2019:14099-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1128481,1136570
CVE References: CVE-2019-3860
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    libssh2_org-1.4.3-17.9.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libssh2_org-1.4.3-17.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2019-06-21 13:40:35 UTC
SUSE-SU-2019:1606-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1128481,1136570
CVE References: CVE-2019-3860
Sources used:
SUSE OpenStack Cloud 7 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server 12-SP4 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server 12-SP3 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server 12-LTSS (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libssh2_org-1.4.3-20.9.1
SUSE Enterprise Storage 4 (src):    libssh2_org-1.4.3-20.9.1
SUSE CaaS Platform ALL (src):    libssh2_org-1.4.3-20.9.1
SUSE CaaS Platform 3.0 (src):    libssh2_org-1.4.3-20.9.1
OpenStack Cloud Magnum Orchestration 7 (src):    libssh2_org-1.4.3-20.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2019-06-21 13:44:30 UTC
SUSE-SU-2019:14098-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1128481,1136570
CVE References: CVE-2019-3860
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libssh2_org-1.2.9-4.2.12.11.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libssh2_org-1.2.9-4.2.12.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2019-06-27 10:15:01 UTC
openSUSE-SU-2019:1640-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1128481,1136570
CVE References: CVE-2019-3860
Sources used:
openSUSE Leap 42.3 (src):    libssh2_org-1.4.3-19.9.1
Comment 22 Marcus Meissner 2019-07-11 06:55:18 UTC
done
Comment 23 Swamp Workflow Management 2019-08-21 16:10:48 UTC
SUSE-SU-2019:1606-2: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1128481,1136570
CVE References: CVE-2019-3860
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    libssh2_org-1.4.3-20.9.1
SUSE OpenStack Cloud 8 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server 12-SP5 (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libssh2_org-1.4.3-20.9.1
SUSE Linux Enterprise Desktop 12-SP5 (src):    libssh2_org-1.4.3-20.9.1
SUSE Enterprise Storage 5 (src):    libssh2_org-1.4.3-20.9.1
HPE Helion Openstack 8 (src):    libssh2_org-1.4.3-20.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.