libssh
cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*
- < 0.11.4
- < 0.12.0
A buffer overrun vulnerability has been identified in libssh versions prior to 0.11.4 and 0.12.0. The issue arises in the SFTP extension name handler, specifically within the functions 'sftp_extensions_get_name' and 'sftp_extensions_get_data' in 'src/sftp.c'. The vulnerability allows for an out-of-bounds read by manipulating the 'idx' argument, which can be exploited remotely. While the functions are used internally by libssh without causing buffer overruns, they can be called by end-user applications, potentially leading to crashes or the unintended use of uninitialized data.
Exploitation of this vulnerability causes a read buffer overrun, allowing data to be accessed beyond the allocated memory for SFTP extensions. This could lead to application crashes or the exposure of uninitialized data, which could be misused by an attacker.
Users are advised to upgrade to libssh version 0.11.4 or 0.12.0. Patches are also available for this vulnerability.
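For applications that call these accessors directly, the following added example (not libssh source and not part of the original advisory) models the index check that keeps 'idx' inside the extension table. `struct ext_table`, `ext_name_unchecked`, `ext_name_checked`, `ext_data_checked` and `ext_lookup` are hypothetical names, and the sample table is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of an SFTP extension table: parallel name/data
 * arrays plus an element count. Not libssh's own structure. */
struct ext_table {
    unsigned int count;
    const char **name;
    const char **data;
};

/* Unchecked pattern the advisory describes (model, for contrast only):
 * idx is trusted, so any idx >= count reads past the end of the array. */
const char *ext_name_unchecked(const struct ext_table *t, unsigned int idx)
{
    return t->name[idx];
}

/* Checked accessors: reject a missing table and any idx outside [0, count). */
const char *ext_name_checked(const struct ext_table *t, unsigned int idx)
{
    if (t == NULL || t->name == NULL || idx >= t->count)
        return NULL;
    return t->name[idx];
}
const char *ext_data_checked(const struct ext_table *t, unsigned int idx)
{
    if (t == NULL || t->data == NULL || idx >= t->count)
        return NULL;
    return t->data[idx];
}

/* Caller-side use: find an extension's data by name without ever passing
 * an index the table does not cover. Returns NULL when not advertised. */
const char *ext_lookup(const struct ext_table *t, const char *wanted)
{
    unsigned int n = (t != NULL) ? t->count : 0;
    for (unsigned int i = 0; i < n; i++) {
        const char *name = ext_name_checked(t, i);
        if (name != NULL && strcmp(name, wanted) == 0)
            return ext_data_checked(t, i);
    }
    return NULL;
}

/* Constructed sample table (values made up for the example). */
static const char *sample_names[] = { "posix-rename@openssh.com", "statvfs@openssh.com" };
static const char *sample_data[]  = { "1", "2" };
static const struct ext_table sample = { 2, sample_names, sample_data };
```

In code built against libssh itself, the upper bound for the same check comes from `sftp_extensions_get_count()`, and any index taken from configuration or other external input should be compared against it before either accessor is called.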