new file mode 100644

@@ -0,0 +1,17 @@

+diff --git a/src/transport.c b/src/transport.c

+index 8725da0..1c5a13c 100644

+--- a/src/transport.c

+@@ -438,6 +438,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)

+                 return LIBSSH2_ERROR_DECRYPT;

+ 

+             p->padding_length = block[4];

++            if(p->packet_length < 1) {

++                return LIBSSH2_ERROR_DECRYPT;

++            }

++            else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {

++                return LIBSSH2_ERROR_OUT_OF_BOUNDARY;

++            }

+ 

+             /* total_num is the number of bytes following the initial

+                (5 bytes) packet length and padding length fields */

@@ -1,7 +1,7 @@

 Summary:        libssh2 is a library implementing the SSH2 protocol.

 Name:           libssh2

 Version:        1.8.0

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        BSD

 URL:            https://www.libssh2.org/

 Group:          System Environment/NetworkingLibraries

@@ -9,6 +9,7 @@ Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        https://www.libssh2.org/download/libssh2-%{version}.tar.gz

 %define sha1    libssh2=baf2d1fb338eee531ba9b6b121c64235e089e0f5

+Patch0:         CVE-2019-3855.patch

 BuildRequires:  openssl-devel

 BuildRequires:  zlib-devel

@@ -27,13 +28,10 @@ These are the header files of libssh2.

 %prep

 %setup -q

+%patch0 -p1

 %build

-./configure --prefix=%{_prefix} \

-    --bindir=%{_bindir} \

-    --libdir=%{_libdir} \

-    --mandir=%{_mandir} \

-    --disable-static \

+%configure --disable-static \

     --enable-shared

 make

@@ -53,6 +51,8 @@ find %{buildroot} -name '*.la' -exec rm -f {} ';'

 %{_mandir}/man3/*

 %changelog

+*   Thu Mar 28 2019 Tapas Kundu <tkundu@vmware.com> 1.8.0-2

+-   Fix for CVE-2019-3855

 *   Wed Nov 30 2016 Xiaolin Li <xiaolinl@vmware.com> 1.8.0-1

 -   Add libssh2 1.8.0 package.