CVE-2019-17498

Published: 21 October 2019

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

From the Ubuntu security team

It was discovered that libssh2 incorrectly handled bound checks in SSH_MSG_DISCONNECT. A remote attacker could possibly use this issue to cause a denial of service or obtain sensitive information.

Priority

Medium

CVSS 3 base score: 8.1

Status

Package Release Status
libssh2
Launchpad, Ubuntu, Debian
Upstream
Released (1.9.0-1, 1.4.3-4.1+deb8u6)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(1.9.0-1)
Ubuntu 20.04 LTS (Focal Fossa) Needed

Ubuntu 18.04 LTS (Bionic Beaver) Needed

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr) Needs triage

Patches:
Upstream: https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94