Bug 871612 (CVE-2012-4559, CVE-2012-6063)

Summary: CVE-2012-4559 CVE-2012-6063 libssh: multiple double free() flaws
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: aris, asn, jrusnack, plautrba, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libssh 0.5.3
Doc Type: Bug Fix
Last Closed: 2013-07-16 12:39:18 UTC
Bug Depends On: 861982, 878521
Bug Blocks: 815693
Attachments (see comments 2-7):
CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch
CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch
CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch
CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch
CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch
CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch

Description Vincent Danen 2012-10-30 20:55:49 UTC
Florian Weimer of the Red Hat Product Security Team reported several instances of code in libssh where a heap region is deallocated twice, first in the main path and then on the error path.  This could crash the process using libssh, or possibly allow for the execution of arbitrary code.

The identified affected variables are:

agent.c:agent_sign_data(): request
channels.c:channel_request(): req
auth.c:ssh_userauth_pubkey(): user, service, method, algo, pkstr
sftp.c:sftp_parse_attr_3(): longname, name
sftp.c:sftp_mkdir(): buffer, path
keyfiles.c:try_publickey_from_file(): pubkey

sftp.c:sftp_mkdir() has been corrected via the following git commit:

http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=4d8420f3282ed07fc99fc5e930c17df27ef1e9b2

Comment 1 Vincent Danen 2012-10-30 20:57:01 UTC
Andreas Schneider also noted:

sftp_parse_attr_3() can be used for a DoS. It is used by sftp_readdir() and the sftp_*stat() functions. So a specially crafted sftp packet, which is pretty easy to do, can be sent to the client.

The server implementations are probably not vulnerable because they call the functions with expectname = 0.
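
The pattern Florian describes in the description (a block freed on the main path and freed again on the shared error path) and Andreas's point that only callers with expectname set ever hold name/longname, as an added example in C written for this page. It is not libssh's code: the packet layout, the parse_attr() function, the attrs struct and the allocation tracker are all constructed for illustration, and the tracker exists only so the vulnerable path can be exercised without the process aborting.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation tracker, constructed for this example: a second free() of the
 * same block is counted instead of being handed to libc, so the demo survives. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *t_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; break; }
    return p;
}

static void t_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                   /* block was already released */
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* SSH wire "string": uint32 big-endian length, then that many bytes.
 * Returns a NUL-terminated copy, or NULL if the packet is truncated. */
static char *read_string(const uint8_t **pp, const uint8_t *end) {
    const uint8_t *p = *pp;
    if (end - p < 4) return NULL;
    uint32_t len = be32(p);
    p += 4;
    if ((size_t)(end - p) < len) return NULL;
    char *s = t_malloc((size_t)len + 1);
    if (s == NULL) return NULL;
    memcpy(s, p, len);
    s[len] = '\0';
    *pp = p + len;
    return s;
}

struct attrs { char *name; char *longname; uint32_t flags; };

static void attrs_free(struct attrs *a) {
    t_free(a->name); t_free(a->longname);
    a->name = a->longname = NULL;
}

/* Parses "name, longname, flags"; names are read only when expectname is set.
 * With fixed == 0 the locals keep aliasing strings that out already owns, so
 * the shared error path releases each block twice. With fixed == 1 the
 * aliases are cleared at the hand-over and exactly one owner remains. */
static int parse_attr(const uint8_t *buf, size_t n, int expectname,
                      int fixed, struct attrs *out) {
    const uint8_t *p = buf, *end = buf + n;
    char *name = NULL, *longname = NULL;
    memset(out, 0, sizeof *out);
    if (expectname) {
        if ((name = read_string(&p, end)) == NULL) goto error;
        if ((longname = read_string(&p, end)) == NULL) goto error;
        out->name = name;
        out->longname = longname;
        if (fixed) name = longname = NULL;  /* the one-line fix */
    }
    if (end - p < 4) goto error;            /* flags field missing */
    out->flags = be32(p);
    return 0;
error:
    t_free(name);                           /* first free ... */
    t_free(longname);
    attrs_free(out);                        /* ... second free of the same blocks */
    return -1;
}

/* Constructed packet: name "a", longname "b", then it ends before the 4-byte
 * flags field, which is what drives parsing onto the error path. */
static const uint8_t TRUNCATED[] = { 0,0,0,1,'a', 0,0,0,1,'b' };

static int run(int expectname, int fixed, const uint8_t *pkt, size_t n) {
    struct attrs a;
    double_frees = 0;
    if (parse_attr(pkt, n, expectname, fixed, &a) == 0) attrs_free(&a);
    return double_frees;
}

int client_vuln(void)  { return run(1, 0, TRUNCATED, sizeof TRUNCATED); } /* 2 */
int client_fixed(void) { return run(1, 1, TRUNCATED, sizeof TRUNCATED); } /* 0 */
int server_vuln(void)  { return run(0, 0, TRUNCATED, 2); } /* 0: no names held */

int main(void) {
    printf("client (expectname=1), vulnerable: %d double frees\n", client_vuln());
    printf("client (expectname=1), fixed:      %d double frees\n", client_fixed());
    printf("server (expectname=0), vulnerable: %d double frees\n", server_vuln());
    return 0;
}
```

With a real free() the second release is what a glibc "double free or corruption" abort, or a silently corrupted heap, would come from; the tracker only makes it countable. The fix has the shape the attached patch titles describe: once ownership of a block moves into a structure, clear the local alias so that exactly one owner releases it, and the server-side case with expectname = 0 never holds the strings in the first place.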

Comment 2 Andreas Schneider 2012-11-14 08:48:31 UTC
Created attachment 644659 [details]
CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch

Comment 3 Andreas Schneider 2012-11-14 08:48:57 UTC
Created attachment 644660 [details]
CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch

Comment 4 Andreas Schneider 2012-11-14 08:49:28 UTC
Created attachment 644661 [details]
CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch

Comment 5 Andreas Schneider 2012-11-14 16:41:15 UTC
Created attachment 644984 [details]
CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch

Comment 6 Andreas Schneider 2012-11-14 16:41:36 UTC
Created attachment 644985 [details]
CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch

Comment 7 Andreas Schneider 2012-11-14 16:42:01 UTC
Created attachment 644986 [details]
CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch

Comment 8 Vincent Danen 2012-11-20 15:29:27 UTC
Fixed upstream:

http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/

Comment 9 Vincent Danen 2012-11-20 15:35:08 UTC
Created libssh tracking bugs for this issue

Affects: fedora-all [bug 878521]

Comment 10 Fedora Update System 2012-11-27 05:27:09 UTC
libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2012-11-29 04:00:27 UTC
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2012-11-29 06:03:33 UTC
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Vincent Danen 2012-11-30 22:58:06 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6063 to
the following vulnerability:

Name: CVE-2012-6063
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6063
Assigned: 20121130
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=871612
Reference: http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=4d8420f3282ed07fc99fc5e930c17df27ef1e9b2
Reference: http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/

Double free vulnerability in the sftp_mkdir function in sftp.c in
libssh before 0.5.3 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via unspecified
vectors, a different vector than CVE-2012-4559.

Comment 14 Vincent Danen 2012-11-30 22:59:14 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-4559 to
the following vulnerability:

Name: CVE-2012-4559
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
Assigned: 20120821
Reference: http://www.openwall.com/lists/oss-security/2012/11/20/3
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=871612
Reference: http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
Reference: http://www.securityfocus.com/bid/56604

Multiple double free vulnerabilities in the (1) agent_sign_data
function in agent.c, (2) channel_request function in channels.c, (3)
ssh_userauth_pubkey function in auth.c, (4) sftp_parse_attr_3 function
in sftp.c, and (5) try_publickey_from_file function in keyfiles.c in
libssh before 0.5.3 allow remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via unspecified
vectors.

Comment 15 Fedora Update System 2012-12-06 06:57:33 UTC
libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.