Log

CVE-2019-3838 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Sandbox escape
Description
+ It was found that the forceput operator could be extracted from the DefineResource method using methods similar to the ones described in CVE-2019-6116. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.
References
+ https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd95bb01
+ https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e8f95a
Notes
CVE-2019-3855 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A out-of-bounds write has been found in libssh2 before 1.8.1, where a malicious server could send a specially crafted packet which could result in an unchecked integer overflow. The value would then be used to allocate memory causing a possible memory write out of bounds error.
References
+ https://www.libssh2.org/CVE-2019-3855.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
Notes
CVE-2019-3856 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a value approaching unsigned int max number of keyboard prompt requests which could result in an unchecked integer overflow. The value would then be used to allocate memory causing a possible memory write out of bounds error.
References
+ https://www.libssh2.org/CVE-2019-3856.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
Notes
CVE-2019-3857 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a SSH_MSG_CHANNEL_REQUEST packet with an exit signal message with a length of max unsigned integer value. The length would then have a value of 1 added to it and used to allocate memory causing a possible memory write out of bounds error or zero byte allocation.
References
+ https://www.libssh2.org/CVE-2019-3857.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
Notes
CVE-2019-3858 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted partial SFTP packet with a zero value for the payload length. This zero value would be used to then allocate memory resulting in a zero byte allocation and possible out of bounds read.
References
+ https://www.libssh2.org/CVE-2019-3858.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch
Notes
CVE-2019-3859 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted partial packet in response to various commands such as: sha1 and sha226 key exchange, user auth list, user auth password response, public key auth response, channel startup/open/forward/ setenv/request pty/x11 and session start up. The result would be a memory out of bounds read.
References
+ https://www.libssh2.org/CVE-2019-3859.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch
Notes
CVE-2019-3860 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted partial SFTP packet with a empty payload in response to various SFTP commands such as read directory, file status, status vfs and symlink. The result would be a memory out of bounds read.
References
+ https://www.libssh2.org/CVE-2019-3860.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch
Notes
CVE-2019-3861 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted SSH packet with a padding length value greater than the packet length. This would result in a buffer read out of bounds when decompressing the packet or result in a corrupted packet value.
References
+ https://www.libssh2.org/CVE-2019-3861.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch
Notes
CVE-2019-3862 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a specially crafted SSH_MSG_CHANNEL_REQUEST packet with an exit status message and no payload. This would result in an out of bounds memory comparison.
References
+ https://www.libssh2.org/CVE-2019-3862.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch
Notes
CVE-2019-3863 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ An issue has been found in libssh2 before 1.8.1 where a server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.
References
+ https://www.libssh2.org/CVE-2019-3863.html
+ https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
Notes