Bug 1128493 – VUL-0: CVE-2019-3863: libssh2_org: Integer overflow in user authenicate keyboard interactive allows out-of-bounds writes with specially crafted keyboard responses

Bug 1128493 - (CVE-2019-3863) VUL-0: CVE-2019-3863: libssh2_org: Integer overflow in user authenicate keyboard interactive allows out-of-bounds writes with specially crafted keyboard responses

(CVE-2019-3863)
Summary:	VUL-0: CVE-2019-3863: libssh2_org: Integer overflow in user authenicate keybo...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/225980/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-03-08 11:07 UTC by Karol Babioch
Modified:	2019-05-22 00:48 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Karol Babioch 2019-03-08 11:07:53 UTC

Integer overflow in user authenicate keyboard interactive allows out-of-bounds
writes with specially crafted keyboard responses

=======================================

Project libssh2 Security Advisory, <date> -
[Permalink](<link>)

VULNERABILITY
-------------

A server could send a multiple keyboard interactive response messages whose
total length are greater than unsigned char max characters. This value is
used as an index to copy memory causing in an out of bounds memory write error.
(CWE-130).

There are no known exploits of this flaw at this time.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
<assigned CVE> to this issue.

AFFECTED VERSIONS
-----------------

- Affected versions: versions 0.1 up to and including 1.8.0
- Not affected versions: libssh2 >= 1.8.1

THE SOLUTION
------------

libssh2 1.8.1 ensures the current memory index value plus the length of the
response message will fit into the memory buffer before copying the value and
incrementing the index value.

A patch for this problem is available at:

    <patch URL>

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade to libssh2 1.8.1 or later

B - Apply the patch and rebuild libssh2

TIME LINE
---------

It was first reported to the libssh2 project on Dec 3 2018 by Chris Coulson.

libssh2 1.8.1 was released on <date>, coordinated with the
publication of this advisory.

CREDITS
-------

Reported by Chris Coulson of Canonical Ltd.

Comment 2 Karol Babioch 2019-03-08 11:08:36 UTC

CRD: 2019-03-13
URL: https://libssh2.org/9/10.txt

Comment 7 Karol Babioch 2019-03-19 06:07:58 UTC

Making public.

Comment 8 Pedro Monreal Gonzalez 2019-03-19 12:01:18 UTC

All submissions done:
SLE-15          https://build.suse.de/request/show/186850
SLE-12          https://build.suse.de/request/show/187066
SLE-11-SP4      https://build.suse.de/request/show/187010
SLE-11          https://build.suse.de/request/show/187022

Updated to 1.8.1 in Factory:
https://build.opensuse.org/request/show/686341

Comment 9 Swamp Workflow Management 2019-03-20 13:18:28 UTC

SUSE-SU-2019:13982-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493
CVE References: CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libssh2_org-1.4.3-17.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    libssh2_org-1.4.3-17.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libssh2_org-1.4.3-17.3.1

Comment 10 Swamp Workflow Management 2019-03-20 14:13:03 UTC

SUSE-SU-2019:0655-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493
CVE References: CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Sources used:
SUSE OpenStack Cloud 7 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Server 12-LTSS (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    libssh2_org-1.4.3-20.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libssh2_org-1.4.3-20.3.1
SUSE Enterprise Storage 4 (src):    libssh2_org-1.4.3-20.3.1
SUSE CaaS Platform ALL (src):    libssh2_org-1.4.3-20.3.1
SUSE CaaS Platform 3.0 (src):    libssh2_org-1.4.3-20.3.1
OpenStack Cloud Magnum Orchestration 7 (src):    libssh2_org-1.4.3-20.3.1

Comment 13 Swamp Workflow Management 2019-03-28 20:11:09 UTC

openSUSE-SU-2019:1075-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493
CVE References: CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Sources used:
openSUSE Leap 42.3 (src):    libssh2_org-1.4.3-19.3.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2019-03-29 23:17:45 UTC

SUSE-SU-2019:13997-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1091236,1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493
CVE References: CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libssh2_org-1.2.9-4.2.12.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libssh2_org-1.2.9-4.2.12.5.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2019-04-02 16:15:16 UTC

openSUSE-SU-2019:1109-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1128471,1128472,1128474,1128476,1128480,1128481,1128490,1128492,1128493
CVE References: CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
Sources used:
openSUSE Leap 15.0 (src):    libssh2_org-1.8.0-lp150.3.3.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 16 Marcus Meissner 2019-05-09 05:42:23 UTC

released