diff --git a/CVE-2019-17498.patch b/CVE-2019-17498.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc086486f944c6f2a5b15323e24dd1a3b5b8855d
--- /dev/null
+++ b/CVE-2019-17498.patch
@@ -0,0 +1,105 @@
+diff -Nur old-libssh2-1.9.0/src/packet.c libssh2-1.9.0/src/packet.c
+--- old-libssh2-1.9.0/src/packet.c      2019-12-24 03:06:34.642095230 -0500
++++ libssh2-1.9.0/src/packet.c  2019-12-24 03:16:50.554095230 -0500
+@@ -419,8 +419,8 @@
+                     size_t datalen, int macstate)
+ {
+     int rc = 0;
+-    char *message = NULL;
+-    char *language = NULL;
++    unsigned char *message = NULL;
++    unsigned char *language = NULL;
+     size_t message_len = 0;
+     size_t language_len = 0;
+     LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@
+
+         case SSH_MSG_DISCONNECT:
+             if(datalen >= 5) {
+-                size_t reason = _libssh2_ntohu32(data + 1);
++                uint32_t reason = 0;
++                struct string_buf buf;
++                buf.data = (unsigned char *)data;
++                buf.dataptr = buf.data;
++                buf.len = datalen;
++                buf.dataptr++; /* advance past type */
++
++                _libssh2_get_u32(&buf, &reason);
++                _libssh2_get_string(&buf, &message, &message_len);
++                _libssh2_get_string(&buf, &language, &language_len);
+
+-                if(datalen >= 9) {
+-                    message_len = _libssh2_ntohu32(data + 5);
+-
+-                    if(message_len < datalen-13) {
+-                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
+-                        message = (char *) data + 9;
+-
+-                        language_len =
+-                            _libssh2_ntohu32(data + 9 + message_len);
+-                        language = (char *) data + 9 + message_len + 4;
+-
+-                        if(language_len > (datalen-13-message_len)) {
+-                            /* bad input, clear info */
+-                            language = message = NULL;
+-                            language_len = message_len = 0;
+-                        }
+-                    }
+-                    else
+-                        /* bad size, clear it */
+-                        message_len = 0;
+-                }
+                 if(session->ssh_msg_disconnect) {
+-                    LIBSSH2_DISCONNECT(session, reason, message,
+-                                       message_len, language, language_len);
++                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++                                       message_len, (const char *)language,
++                                       language_len);
+                 }
++
+                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+                                "Disconnect(%d): %s(%s)", reason,
+                                message, language);
+@@ -539,22 +529,21 @@
+                 int always_display = data[1];
+
+                 if(datalen >= 6) {
+-                    message_len = _libssh2_ntohu32(data + 2);
++                    struct string_buf buf;
++                    buf.data = (unsigned char *)data;
++                    buf.dataptr = buf.data;
++                    buf.len = datalen;
++                    buf.dataptr += 2; /* advance past type & always display */
+
+-                    if(message_len <= (datalen - 10)) {
+-                        /* 6 = packet_type(1) + display(1) + message_len(4) */
+-                        message = (char *) data + 6;
+-                        language_len = _libssh2_ntohu32(data + 6 +
+-                                                        message_len);
+-
+-                        if(language_len <= (datalen - 10 - message_len))
+-                            language = (char *) data + 10 + message_len;
+-                    }
++                    _libssh2_get_string(&buf, &message, &message_len);
++                    _libssh2_get_string(&buf, &language, &language_len);
+                 }
+
+                 if(session->ssh_msg_debug) {
+-                    LIBSSH2_DEBUG(session, always_display, message,
+-                                  message_len, language, language_len);
++                    LIBSSH2_DEBUG(session, always_display,
++                                  (const char *)message,
++                                  message_len, (const char *)language,
++                                  language_len);
+                 }
+             }
+             /*
+@@ -579,7 +568,7 @@
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(datalen >= (6 + len)) {
++                if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
diff --git a/libssh2.spec b/libssh2.spec
index 69807ce2b253567e9196701d0c0388e078676da5..e9691d42e6257c6d1d6e52bfbf8f448f58aa3ea4 100644
--- a/libssh2.spec
+++ b/libssh2.spec
@@ -1,11 +1,13 @@
 Name:		libssh2
 Version:	1.9.0
-Release:	1
+Release:	2
 Summary:	A library implementing the SSH2 protocol
 License:	BSD
 URL:		https://www.libssh2.org/
 Source0:	https://libssh2.org/download/libssh2-%{version}.tar.gz
 
+Patch6000:      CVE-2019-17498.patch
+
 BuildRequires:	coreutils findutils /usr/bin/man zlib-devel
 BuildRequires:	gcc make sed openssl-devel > 1:1.0.1 openssh-server
 BuildRequires:	glibc-langpack-en
@@ -84,5 +86,11 @@ LC_ALL=en_US.UTF-8 make -C tests check
 %{_mandir}/man3/libssh2_*.3*
 
 %changelog
+* Tue Dec 24 2019 zhouyihang<zhouyihang1@huawei.com> - 1.9.0-2
+- Type:cves
+- ID:CVE-2019-17498
+- SUG:restart
+- DESC: fix CVE-2019-17498
+
 * Sun Sep 15 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.9.0-1
 - Package init