diff -Nru libssh-0.8.0~20170825.94fa1e38/debian/changelog libssh-0.8.0~20170825.94fa1e38/debian/changelog
--- libssh-0.8.0~20170825.94fa1e38/debian/changelog 2020-04-07 17:16:14.000000000 +0000
+++ libssh-0.8.0~20170825.94fa1e38/debian/changelog 2020-07-31 18:46:18.000000000 +0000
@@ -1,3 +1,13 @@
+libssh (0.8.0~20170825.94fa1e38-1ubuntu0.7) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: NULL pointer dereference
+ - debian/patches/CVE-2020-16135-*.patch: fix a NULL dereference
+ checking the return of ssh_buffer_new() and added others checks
+ in src/sftpservcer.c, src/buffer.c.
+ - CVE-2020-16135
+
+ -- Leonidas S. Barbosa Fri, 31 Jul 2020 15:46:18 -0300
+
 libssh (0.8.0~20170825.94fa1e38-1ubuntu0.6) bionic-security; urgency=medium
 
 * SECURITY UPDATE: denial of service via AES-CTR ciphers
diff -Nru libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-1.patch libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-1.patch
--- libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-1.patch 2020-07-31 18:45:30.000000000 +0000
@@ -0,0 +1,31 @@
+From 1493b4466fa394b321d196ad63dd6a4fa395d337 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 3 Jun 2020 10:04:09 +0200
+Subject: [PATCH] sftpserver: Add missing NULL check for ssh_buffer_new()
+
+Thanks to Ramin Farajpour Cami for spotting this.
+
+Fixes T232
+
+Signed-off-by: Andreas Schneider
+---
+ src/sftpserver.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: libssh-0.8.0~20170825.94fa1e38/src/sftpserver.c
+===================================================================
+--- libssh-0.8.0~20170825.94fa1e38.orig/src/sftpserver.c
++++ libssh-0.8.0~20170825.94fa1e38/src/sftpserver.c
+@@ -64,6 +64,12 @@ sftp_client_message sftp_get_client_mess
+
+ /* take a copy of the whole packet */
+ msg->complete_message = ssh_buffer_new();
++ if (msg->complete_message == NULL) {
++ ssh_set_error_oom(session);
++ sftp_client_message_free(msg);
++ return NULL;
++ }
++
+ ssh_buffer_add_data(msg->complete_message,
+ ssh_buffer_get(payload),
+ ssh_buffer_get_len(payload));
diff -Nru libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-2.patch libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-2.patch
--- libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-2.patch 2020-07-31 18:45:42.000000000 +0000
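Review bot: The new early-return in sftp_get_client_message frees a half-built message with `sftp_client_message_free(msg)` while `msg->complete_message` is still NULL, so correctness depends on that free routine (not in this hunk) tolerating a NULL buffer member. A comment at the check, `/* complete_message is NULL here: sftp_client_message_free() must cope with that */`, would record the dependency for the next maintainer. sftp_get_client_message begins and ends outside the hunk, so whether `session` is in scope for `ssh_set_error_oom(session)` cannot be confirmed from here.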
@@ -0,0 +1,33 @@
+From dbfb7f44aa905a7103bdde9a198c1e9b0f480c2e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 3 Jun 2020 10:05:51 +0200
+Subject: [PATCH] sftpserver: Add missing return check for
+ ssh_buffer_add_data()
+
+Signed-off-by: Andreas Schneider
+---
+ src/sftpserver.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+Index: libssh-0.8.0~20170825.94fa1e38/src/sftpserver.c
+===================================================================
+--- libssh-0.8.0~20170825.94fa1e38.orig/src/sftpserver.c
++++ libssh-0.8.0~20170825.94fa1e38/src/sftpserver.c
+@@ -70,9 +70,14 @@ sftp_client_message sftp_get_client_mess
+ return NULL;
+ }
+
+- ssh_buffer_add_data(msg->complete_message,
+- ssh_buffer_get(payload),
+- ssh_buffer_get_len(payload));
++ rc = ssh_buffer_add_data(msg->complete_message,
++ ssh_buffer_get(payload),
++ ssh_buffer_get_len(payload));
++ if (rc < 0) {
++ ssh_set_error_oom(session);
++ sftp_client_message_free(msg);
++ return NULL;
++ }
+
+ ssh_buffer_get_u32(payload, &msg->id);
+
diff -Nru libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-3.patch libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-3.patch
--- libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-3.patch 2020-07-31 18:45:54.000000000 +0000
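Review bot: `ssh_set_error_oom(session)` is now reported for every negative return of `ssh_buffer_add_data()`, but after the sibling CVE-2020-16135-3 and -4 patches that function also returns -1 for a NULL `data` pointer, a NULL `buffer` and a `used + len` wrap-around, so the error text can misattribute a non-allocation failure to OOM. Either use a more specific `ssh_set_error()` message or note the assumption at the check, e.g. `/* payload is a buffer we own, so a failure here can only be allocation */`. The context line `ssh_buffer_get_u32(payload, &msg->id);` just below still discards its return value, so a payload shorter than four bytes leaves `msg->id` unset (presumably zero if `msg` was calloc'd; the allocation is outside the hunk, so confirm). sftp_get_client_message starts and ends outside this hunk.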
@@ -0,0 +1,61 @@
+From 65ae496222018221080dd753a52f6d70bf3ca5f3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 3 Jun 2020 10:10:11 +0200
+Subject: [PATCH] buffer: Reformat ssh_buffer_add_data()
+
+Signed-off-by: Andreas Schneider
+---
+ src/buffer.c | 35 ++++++++++++++++++-----------------
+ 1 file changed, 18 insertions(+), 17 deletions(-)
+
+Index: libssh-0.8.0~20170825.94fa1e38/src/buffer.c
+===================================================================
+--- libssh-0.8.0~20170825.94fa1e38.orig/src/buffer.c
++++ libssh-0.8.0~20170825.94fa1e38/src/buffer.c
+@@ -218,28 +218,29 @@ int ssh_buffer_reinit(struct ssh_buffer_
+ */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
+- buffer_verify(buffer);
++ buffer_verify(buffer);
+
+- if (data == NULL) {
+- return -1;
+- }
++ if (data == NULL) {
++ return -1;
++ }
+
+- if (buffer->used + len < len) {
+- return -1;
+- }
++ if (buffer->used + len < len) {
++ return -1;
++ }
+
+- if (buffer->allocated < (buffer->used + len)) {
+- if(buffer->pos > 0)
+- buffer_shift(buffer);
+- if (realloc_buffer(buffer, buffer->used + len) < 0) {
+- return -1;
++ if (buffer->allocated < (buffer->used + len)) {
++ if (buffer->pos > 0) {
++ buffer_shift(buffer);
++ }
++ if (realloc_buffer(buffer, buffer->used + len) < 0) {
++ return -1;
++ }
+ }
+- }
+
+- memcpy(buffer->data+buffer->used, data, len);
+- buffer->used+=len;
+- buffer_verify(buffer);
+- return 0;
++ memcpy(buffer->data + buffer->used, data, len);
++ buffer->used += len;
++ buffer_verify(buffer);
++ return 0;
+ }
+
+ /**
diff -Nru libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-4.patch libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-4.patch
--- libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ libssh-0.8.0~20170825.94fa1e38/debian/patches/CVE-2020-16135-4.patch 2020-07-31 18:46:11.000000000 +0000
@@ -0,0 +1,25 @@
+From df0acab3a077bd8ae015e3e8b4c71ff31b5900fe Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 3 Jun 2020 10:11:21 +0200
+Subject: [PATCH] buffer: Add NULL check for 'buffer' argument
+
+Signed-off-by: Andreas Schneider
+---
+ src/buffer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: libssh-0.8.0~20170825.94fa1e38/src/buffer.c
+===================================================================
+--- libssh-0.8.0~20170825.94fa1e38.orig/src/buffer.c
++++ libssh-0.8.0~20170825.94fa1e38/src/buffer.c
+@@ -218,6 +218,10 @@ int ssh_buffer_reinit(struct ssh_buffer_
+ */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
++ if (buffer == NULL) {
++ return -1;
++ }
++
+ buffer_verify(buffer);
+
+ if (data == NULL) {
diff -Nru libssh-0.8.0~20170825.94fa1e38/debian/patches/series libssh-0.8.0~20170825.94fa1e38/debian/patches/series
--- libssh-0.8.0~20170825.94fa1e38/debian/patches/series 2020-04-07 17:13:41.000000000 +0000
+++ libssh-0.8.0~20170825.94fa1e38/debian/patches/series 2020-07-31 18:46:07.000000000 +0000
@@ -19,3 +19,7 @@
 CVE-2019-14889-4.patch
 CVE-2019-14889-5.patch
 CVE-2020-1730.patch
+CVE-2020-16135-1.patch
+CVE-2020-16135-2.patch
+CVE-2020-16135-3.patch
+CVE-2020-16135-4.patch
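Review bot: The new NULL guard on `buffer` returns the same `-1` as the `data == NULL` and length-overflow checks further down in ssh_buffer_add_data, so callers (see CVE-2020-16135-2.patch, which reports any negative return as OOM) cannot distinguish a caller bug from an allocation failure. The doc block that ends at the ` */` context line above the signature should state the contract now that there are four failure causes, e.g. `@returns 0 on success, -1 if buffer or data is NULL, if used + len would wrap, or if reallocation fails`. The body of ssh_buffer_add_data continues past the end of this hunk; the remaining checks are only visible in the -3 patch in the same upload.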