===========================================================
== Subject:     Read buffer overrun when handling SFTP extensions
==
== CVE ID#:     -
==
== Versions:    libssh < 0.11.4; < 0.12.0
==
== Summary:     libssh allows reading behind the SFTP extension buffers
==              when the caller requests an extension at an index equal
==              to the extension count (one past the last valid index).
==
== Component:   client, sftp only
==
===========================================================

===========
Description
===========

The functions `sftp_extensions_get_name()` and `sftp_extensions_get_data()`
had an off-by-one bounds check that allowed reading past the allocated
extension buffers when queried for the extension name or data at an index
equal to the number of extensions (valid indices run from 0 to count - 1).

The functions are used internally by libssh, which never queries them
out of bounds, but they can also be called directly by end-user
applications that want to check whether the server supports a specific
extension before using it.

This is a programming error, not a remotely triggerable defect. An
application that passes an out-of-bounds index could crash, or print or
make decisions based on uninitialized or unexpected data, but the data
read past the end of the buffer is not controlled by a malicious server.

==================
Patch Availability
==================

Patches addressing the issue have been posted to:

    https://www.libssh.org/security/

Additionally, libssh 0.11.4 and 0.12.0 have been issued as security
releases to correct the defect. SSH administrators are advised to upgrade
to these releases or apply the patch as soon as possible.

==========
Workaround
==========

Make sure your application only queries extension indices strictly below
the extension count and never accesses the extensions beyond bounds.

=======
Credits
=======

Originally reported by nevv of CTyun Red-Shield Security Lab.
Patches provided by Jakub Jelen of the libssh team.

==========================================================
== The libssh team
==========================================================
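The off-by-one described in the Description section, shown as an added example that is not libssh's own code: a hypothetical `ext_table` stands in for the name/data pairs an SFTP client records from the server's SSH_FXP_VERSION reply, `ext_get_name_buggy()` carries the `idx > count` check that lets `idx == count` through, and `ext_get_name_fixed()` / `ext_get_data_fixed()` use the correct `idx >= count` check. `ext_lookup()` is the pattern an application should use to test for an extension: iterate strictly below the count and never touch the slot at `count`. The fixture table, its extension names and the `"<stale memory>"` sentinel are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in (not libssh's struct) for the table an SFTP client
 * fills from the name/data pairs in the server's SSH_FXP_VERSION reply. */
struct ext_table {
    unsigned int count;   /* number of valid entries in name[] and data[] */
    const char **name;
    const char **data;
};

/* Vulnerable form of the accessor: the check `idx > count` lets idx == count
 * through, so the caller reads one slot past the last real extension. */
const char *ext_get_name_buggy(const struct ext_table *t, unsigned int idx)
{
    if (t == NULL || idx > t->count) return NULL;
    return t->name[idx];
}

/* Fixed form: valid indices are 0 .. count-1, so idx == count is rejected. */
const char *ext_get_name_fixed(const struct ext_table *t, unsigned int idx)
{
    if (t == NULL || idx >= t->count) return NULL;
    return t->name[idx];
}

const char *ext_get_data_fixed(const struct ext_table *t, unsigned int idx)
{
    if (t == NULL || idx >= t->count) return NULL;
    return t->data[idx];
}

/* How an application should check support for one extension: walk indices
 * strictly below count and never query index == count. Returns the version
 * string the server advertised, or NULL when the extension is absent. */
const char *ext_lookup(const struct ext_table *t, const char *wanted)
{
    unsigned int i;
    if (t == NULL || wanted == NULL) return NULL;
    for (i = 0; i < t->count; i++) {
        const char *n = ext_get_name_fixed(t, i);
        if (n != NULL && strcmp(n, wanted) == 0)
            return ext_get_data_fixed(t, i);
    }
    return NULL;
}

/* Constructed fixture: two advertised extensions plus a sentinel at index 2
 * standing in for whatever follows the real entries. In a real client that
 * slot would be uninitialised or unrelated heap memory, which is why the
 * buggy accessor can only ever return garbage there, never attacker data. */
static const char *sample_names[] = {
    "posix-rename@openssh.com", "statvfs@openssh.com", "<stale memory>"
};
static const char *sample_data[] = { "1", "2", "<stale memory>" };
static const struct ext_table sample = { 2, sample_names, sample_data };

const struct ext_table *sample_table(void)
{
    return &sample;
}

int main(void)
{
    const struct ext_table *t = sample_table();
    const char *fixed = ext_get_name_fixed(t, 2);

    /* The buggy accessor hands back the sentinel for idx == count. */
    printf("buggy  idx=2: %s\n", ext_get_name_buggy(t, 2));
    /* The fixed accessor refuses the same index. */
    printf("fixed  idx=2: %s\n", fixed ? fixed : "(NULL)");
    printf("statvfs@openssh.com version: %s\n",
           ext_lookup(t, "statvfs@openssh.com"));
    return 0;
}
```

Building with `-fsanitize=address` against a table whose arrays are exactly `count` long would turn the buggy accessor's over-read into a hard failure; the sentinel slot here only exists so the example runs cleanly while still showing the wrong value that escapes.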