Bug 871614 (CVE-2012-4560)

Summary: CVE-2012-4560 libssh: multiple buffer overflow flaws
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aris, asn, plautrba, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-07-16 12:39:10 UTC
Bug Depends On: 861966, 878521
Bug Blocks: 815693
Attachments (description, flags):
CVE-2012-4560-Fix-possible-integer-overflow-in-ssh_g.patch (flags: none)
CVE-2012-4560-Fix-multiple-integer-overflows-in-buff.patch (flags: none)
CVE-2012-4560-Fix-a-possible-infinite-loop-in-buffer.patch (flags: none)
CVE-2012-4560-Fix-possible-integer-overflows.patch (flags: none)
CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch (flags: none)
CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch (flags: none)
CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch (flags: none)
CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch (flags: none)

Description Vincent Danen 2012-10-30 21:02:33 UTC
Florian Weimer of the Red Hat Product Security Team reported two cases where a function in libssh would write one past the end of the buffer (the u buffer in misc.c:ssh_path_expand_tilde() and the buf buffer in misc.c:ssh_path_expand_escape()).

Comment 1 Andreas Schneider 2012-11-14 08:51:17 UTC
Created attachment 644664
CVE-2012-4560-Fix-possible-integer-overflow-in-ssh_g.patch

Comment 2 Andreas Schneider 2012-11-14 08:51:36 UTC
Created attachment 644665
CVE-2012-4560-Fix-multiple-integer-overflows-in-buff.patch

Comment 3 Andreas Schneider 2012-11-14 08:52:00 UTC
Created attachment 644666
CVE-2012-4560-Fix-a-possible-infinite-loop-in-buffer.patch

Comment 4 Andreas Schneider 2012-11-14 08:52:21 UTC
Created attachment 644667
CVE-2012-4560-Fix-possible-integer-overflows.patch

Comment 5 Andreas Schneider 2012-11-14 08:52:43 UTC
Created attachment 644668
CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch

Comment 6 Andreas Schneider 2012-11-14 08:53:09 UTC
Created attachment 644669
CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch

Comment 7 Andreas Schneider 2012-11-14 16:43:58 UTC
Created attachment 644988
CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch

Comment 8 Andreas Schneider 2012-11-14 16:44:24 UTC
Created attachment 644990
CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch

Comment 9 Vincent Danen 2012-11-20 15:28:40 UTC
Fixed upstream:

http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/

Comment 10 Vincent Danen 2012-11-20 15:35:26 UTC
Created libssh tracking bugs for this issue

Affects: fedora-all [bug 878521]

Comment 11 Fedora Update System 2012-11-27 05:27:41 UTC
libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2012-11-29 04:00:37 UTC
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2012-11-29 06:03:44 UTC
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2012-12-06 06:57:42 UTC
libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.