libssh
cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*
- >= 0, < 0.11.2
A vulnerability exists in the libssh package, specifically in 32-bit builds, where the 'bin_to_base64()' function can suffer from an integer overflow. This overflow occurs when 'ssh_get_fingerprint_hash()' is fed an excessively large input buffer, causing a memory under-allocation. The resulting out-of-bounds write can corrupt the heap. Although this issue is not present in supported Red Hat products, it is crucial for users of libssh to be aware of it.
Exploitation of this vulnerability can lead to heap corruption through a write beyond the allocated memory bounds. Such memory corruption can often be exploited to execute arbitrary code.
To reproduce this vulnerability, use a 32-bit build of libssh and call the 'ssh_get_fingerprint_hash()' function with a buffer larger than 1GB. This will trigger the integer overflow in the 'bin_to_base64()' function, causing a memory under-allocation and an out-of-bounds write that corrupts the heap.
Users are advised to upgrade to libssh version 0.11.2 or apply the available patch. After applying the patch, the 'bin_to_base64()' function will reject inputs larger than 256MB, preventing the integer overflow.
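The size arithmetic behind this class of bug, as an added example (not libssh source code): the function names, the multiply-before-divide form of the length formula, and the use of `uint32_t` to model a 32-bit `size_t` are assumptions; the 256MB limit is the one quoted above.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Limit quoted in the advisory text: inputs larger than 256MB are rejected. */
#define B64_MAX_INPUT (256u * 1024u * 1024u)

/* Hypothetical base64 output-size calculation. uint32_t stands in for
 * size_t on a 32-bit build, so the wrap is visible on any host. */
uint32_t b64_len_unchecked(uint32_t len)
{
    uint32_t padded = ((len + 2u) / 3u) * 3u;  /* round up to a 3-byte group */
    return (4u * padded) / 3u + 1u;            /* 4 * padded wraps at 2^32 */
}

/* The same formula in 64-bit arithmetic: the size actually required. */
uint64_t b64_len_exact(uint32_t len)
{
    uint64_t padded = (((uint64_t)len + 2u) / 3u) * 3u;
    return (4u * padded) / 3u + 1u;
}

/* Guarded form: refuse oversized input before doing any arithmetic.
 * Returns 0 and stores the size in *out, or -1 if the input is rejected. */
int b64_len_checked(uint32_t len, uint32_t *out)
{
    if (len > B64_MAX_INPUT) {
        return -1;
    }
    *out = b64_len_unchecked(len);  /* cannot wrap: 4 * padded < 2^32 here */
    return 0;
}

int main(void)
{
    uint32_t one_gib = 0x40000000u;  /* constructed sample length: 1 GiB */
    uint32_t out = 0;

    printf("input length      : %" PRIu32 "\n", one_gib);
    printf("32-bit computed   : %" PRIu32 " bytes\n", b64_len_unchecked(one_gib));
    printf("actually required : %" PRIu64 " bytes\n", b64_len_exact(one_gib));
    printf("guarded result    : %s\n",
           b64_len_checked(one_gib, &out) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With a 1 GiB input the 32-bit calculation yields a buffer size of a few bytes while the encoder goes on to write over a gigabyte, which is the under-allocation the advisory describes; the length check removes that case before any multiplication happens.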