Project libssh2 Security Advisory, March 18 2019
A server could send multiple keyboard-interactive response messages whose total length is greater than unsigned char max characters. This value is used as an index to copy memory, causing an out-of-bounds memory write error (CWE-130).
There are no known exploits of this flaw at this time.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2019-3863 to this issue.
- Affected versions: versions 0.1 up to and including 1.8.0
- Not affected versions: libssh2 >= 1.8.1
libssh2 1.8.1 ensures the current memory index value plus the length of the response message will fit into the memory buffer before copying the value and incrementing the index value.
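The check described above (index plus message length must fit before the copy and before the index is incremented), sketched as an added example that is not libssh2's own code or its patch. All names, the 255-byte capacity and the 100-byte responses are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type and function names; not taken from libssh2. */
struct resp { const unsigned char *data; size_t len; };

/* Copy one response to buf[*idx..]. Returns 0, or -1 if it would not fit.
 * Comparing len against the remaining space (cap - *idx) instead of
 * computing *idx + len means a huge len cannot wrap the sum and pass. */
int append_checked(unsigned char *buf, size_t cap, size_t *idx,
                   const unsigned char *data, size_t len)
{
    if (*idx > cap || len > cap - *idx)
        return -1;                  /* reject before any byte is written */
    memcpy(buf + *idx, data, len);
    *idx += len;                    /* advance only after a successful copy */
    return 0;
}

/* Pack n responses back to back. Returns bytes used, or -1 on rejection. */
long pack_responses(unsigned char *buf, size_t cap,
                    const struct resp *r, size_t n)
{
    size_t idx = 0;
    for (size_t i = 0; i < n; i++)
        if (append_checked(buf, cap, &idx, r[i].data, r[i].len) != 0)
            return -1;
    return (long)idx;
}

/* Constructed input: `count` (at most 8) responses of 100 bytes each, packed
 * into 255 bytes followed by a guard byte. Returns -2 if the guard changed. */
long demo_pack(size_t count)
{
    static const unsigned char payload[100];
    unsigned char store[256];
    struct resp r[8];
    size_t n = count < 8 ? count : 8;
    store[255] = 0xA5;
    for (size_t i = 0; i < n; i++)
        r[i] = (struct resp){ payload, sizeof payload };
    long rc = pack_responses(store, 255, r, n);
    return store[255] == 0xA5 ? rc : -2;
}

int main(void)
{
    printf("2 responses: %ld\n3 responses: %ld\n", demo_pack(2), demo_pack(3));
    return 0;
}
```

Two responses fit and use 200 bytes; the third would bring the total to 300, so it is rejected and the guard byte after the buffer is left intact.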
A patch for this problem is available.
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade to libssh2 1.8.1 or later
B - Apply the patch and rebuild libssh2
The flaw was first reported to the libssh2 project on Dec 3 2018 by Chris Coulson.
libssh2 1.8.1 was released on March 18 2019, coordinated with the publication of this advisory.
Reported by Chris Coulson of Canonical Ltd.