Bug 871612 (CVE-2012-4559, CVE-2012-6063)
Summary: | CVE-2012-4559 CVE-2012-6063 libssh: multiple double free() flaws | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | aris, asn, jrusnack, plautrba, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | libssh 0.5.3 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-07-16 12:39:18 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 861982, 878521 | ||
Bug Blocks: | 815693 | ||
Attachments: | | | |
Description
Vincent Danen
2012-10-30 20:55:49 UTC
Andreas Schneider also noted: sftp_parse_attr_3() can be used for a DoS. It is used by sftp_readdir() and the sftp_*stat() functions. So a specially crafted sftp packet, which is pretty easy to do, can be sent to the client. The server implementations are probably not vulnerable because they call the functions with expectname = 0.

Created attachment 644659 [details]
CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch

Created attachment 644660 [details]
CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch

Created attachment 644661 [details]
CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch

Created attachment 644984 [details]
CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch

Created attachment 644985 [details]
CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch

Created attachment 644986 [details]
CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch
Fixed upstream: http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/

Created libssh tracking bugs for this issue

Affects: fedora-all [bug 878521]

libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6063 to the following vulnerability:

Name: CVE-2012-6063
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6063
Assigned: 20121130
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=871612
Reference: http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=4d8420f3282ed07fc99fc5e930c17df27ef1e9b2
Reference: http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/

Double free vulnerability in the sftp_mkdir function in sftp.c in libssh before 0.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vector than CVE-2012-4559.

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-4559 to the following vulnerability:

Name: CVE-2012-4559
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
Assigned: 20120821
Reference: http://www.openwall.com/lists/oss-security/2012/11/20/3
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=871612
Reference: http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
Reference: http://www.securityfocus.com/bid/56604

Multiple double free vulnerabilities in the (1) agent_sign_data function in agent.c, (2) channel_request function in channels.c, (3) ssh_userauth_pubkey function in auth.c, (4) sftp_parse_attr_3 function in sftp.c, and (5) try_publickey_from_file function in keyfiles.c in libssh before 0.5.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.

libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
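The bug class behind this report is a packet parser whose error path frees fields it has already filled in while the caller also frees them on failure. The following C program is an added illustration of the defensive pattern (single owner for the allocations, pointers cleared after free, so the caller's cleanup is a no-op on failure); it is not libssh's code and does not reproduce any of the patched functions. The `struct attr` record, the `attr_parse()`/`attr_free()` names, the `[name][longname][flags]` packet layout and the sample packets are all constructed for this example; only the idea of an `expectname` flag that selects whether the name fields are parsed at all (the reason the server side is described above as probably unaffected) is taken from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical attribute record: two heap strings plus a flags word. */
struct attr {
    char *name;
    char *longname;
    uint32_t flags;
};

/* Big-endian uint32 at the cursor; fail if fewer than 4 bytes remain. */
static int read_u32(const uint8_t **p, size_t *left, uint32_t *out)
{
    if (*left < 4) return -1;
    *out = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
           ((uint32_t)(*p)[2] << 8) | (uint32_t)(*p)[3];
    *p += 4;
    *left -= 4;
    return 0;
}

/* Length-prefixed string copied into a fresh NUL-terminated buffer; a length
 * larger than the remaining payload is rejected rather than trusted. */
static int read_string(const uint8_t **p, size_t *left, char **out)
{
    uint32_t len;
    char *s;
    if (read_u32(p, left, &len) < 0 || len > *left) return -1;
    if ((s = malloc((size_t)len + 1)) == NULL) return -1;
    memcpy(s, *p, len);
    s[len] = '\0';
    *p += len;
    *left -= len;
    *out = s;
    return 0;
}

/* Release the strings and clear the pointers, so a repeated call frees nothing twice. */
void attr_free(struct attr *a)
{
    if (a == NULL) return;
    free(a->name);
    a->name = NULL;
    free(a->longname);
    a->longname = NULL;
}

/* Parse [name][longname] (only when expectname != 0) followed by flags.
 * Returns 0 on success, -1 on a short or malformed packet; on -1 the record
 * holds no live allocations. The double-free shape this guards against is an
 * error path that does free(a->name) and returns with the stale pointer still
 * set, while the caller's own cleanup frees it a second time. */
int attr_parse(const uint8_t *buf, size_t len, int expectname, struct attr *a)
{
    const uint8_t *p = buf;
    size_t left = len;
    memset(a, 0, sizeof *a);
    if (expectname) {
        if (read_string(&p, &left, &a->name) < 0) goto fail;
        if (read_string(&p, &left, &a->longname) < 0) goto fail;
    }
    if (read_u32(&p, &left, &a->flags) < 0) goto fail;
    return 0;
fail:
    attr_free(a);   /* single owner frees and nulls; the caller's attr_free() is then a no-op */
    return -1;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_GOOD[] = {
    0, 0, 0, 3, 'a', 'b', 'c',   /* name = "abc" */
    0, 0, 0, 2, 'x', 'y',        /* longname = "xy" */
    0, 0, 0, 5                   /* flags = 5 */
};
/* longname claims 100 bytes but only 4 follow: the parse must fail cleanly. */
static const uint8_t PKT_TRUNC[] = { 0, 0, 0, 3, 'a', 'b', 'c', 0, 0, 0, 100, 'x', 'y', 'z', 'w' };

/* Drive the parser as a client would, with caller-side attr_free() on every path;
 * returns the number of checks that passed (5 when everything behaves). */
int run_checks(void)
{
    struct attr a;
    int passed = 0;
    passed += (attr_parse(PKT_GOOD, sizeof PKT_GOOD, 1, &a) == 0 &&
               strcmp(a.name, "abc") == 0 && strcmp(a.longname, "xy") == 0 && a.flags == 5);
    attr_free(&a);
    attr_free(&a);                                /* second free is harmless */
    passed += (a.name == NULL && a.longname == NULL);
    passed += (attr_parse(PKT_TRUNC, sizeof PKT_TRUNC, 1, &a) == -1);
    attr_free(&a);                                /* caller cleanup after failure */
    passed += (a.name == NULL && a.longname == NULL);
    /* Server-style call with expectname = 0: the name fields are never allocated. */
    passed += (attr_parse(PKT_GOOD + 13, 4, 0, &a) == 0 && a.flags == 5 && a.name == NULL);
    attr_free(&a);
    return passed;
}

int main(void)
{
    printf("checks passed: %d of 5\n", run_checks());
    return 0;
}
```

Build with `cc -Wall -fsanitize=address example.c` and run it: AddressSanitizer is the practical check for this bug class, and it stays silent here because every failure path leaves the record empty. Removing the `attr_free(a)` at the `fail:` label and replacing it with a bare `free(a->name)` reproduces the reportable shape, which ASan then flags as a double free on the truncated packet.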