CVE-2023-3603

Name	CVE-2023-3603
Description	A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users. Given this code is not in any released versions, no security releases have been issued.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libssh (PTS)	buster	0.8.7-1+deb10u1	fixed
	buster (security)	0.8.7-1+deb10u2	fixed
	bullseye (security), bullseye	0.9.8-0+deb11u1	fixed
	bookworm, bookworm (security)	0.10.6-0+deb12u1	fixed
	sid, trixie	0.10.6-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libssh	source	(unstable)	(not affected)

Notes

- libssh <not-affected> (Vulnerable code not present in 0.10.5/any released version)
https://www.libssh.org/security/advisories/CVE-2023-3603.txt
https://git.libssh.org/projects/libssh.git/commit/?id=fe80f47b0ae8902d229ef9b8a1b4fa949b92e720
https://bugzilla.redhat.com/show_bug.cgi?id=2221791