
Bug 871614 (CVE-2012-4560)

Summary: CVE-2012-4560 libssh: multiple buffer overflow flaws
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aris, asn, plautrba, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20121120,reported=20121001,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,fedora-all/libssh=affected
Doc Type: Bug Fix
Last Closed: 2013-07-16 08:39:10 EDT
Bug Depends On: 861966, 878521
Bug Blocks: 815693
Attachments (description, flags):
CVE-2012-4560-Fix-possible-integer-overflow-in-ssh_g.patch (flags: none)
CVE-2012-4560-Fix-multiple-integer-overflows-in-buff.patch (flags: none)
CVE-2012-4560-Fix-a-possible-infinite-loop-in-buffer.patch (flags: none)
CVE-2012-4560-Fix-possible-integer-overflows.patch (flags: none)
CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch (flags: none)
CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch (flags: none)
CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch (flags: none)
CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch (flags: none)

Description Vincent Danen 2012-10-30 17:02:33 EDT
Florian Weimer of the Red Hat Product Security Team reported two cases where a function in libssh would write one past the end of the buffer (the u buffer in misc.c:ssh_path_expand_tilde() and the buf buffer in misc.c:ssh_path_expand_escape()).

Comment 1 Andreas Schneider 2012-11-14 03:51:17 EST
Created attachment 644664
CVE-2012-4560-Fix-possible-integer-overflow-in-ssh_g.patch

Comment 2 Andreas Schneider 2012-11-14 03:51:36 EST
Created attachment 644665
CVE-2012-4560-Fix-multiple-integer-overflows-in-buff.patch

Comment 3 Andreas Schneider 2012-11-14 03:52:00 EST
Created attachment 644666
CVE-2012-4560-Fix-a-possible-infinite-loop-in-buffer.patch

Comment 4 Andreas Schneider 2012-11-14 03:52:21 EST
Created attachment 644667
CVE-2012-4560-Fix-possible-integer-overflows.patch

Comment 5 Andreas Schneider 2012-11-14 03:52:43 EST
Created attachment 644668
CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch

Comment 6 Andreas Schneider 2012-11-14 03:53:09 EST
Created attachment 644669
CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch

Comment 7 Andreas Schneider 2012-11-14 11:43:58 EST
Created attachment 644988
CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch

Comment 8 Andreas Schneider 2012-11-14 11:44:24 EST
Created attachment 644990
CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch

Comment 9 Vincent Danen 2012-11-20 10:28:40 EST
Fixed upstream:

http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/

Comment 10 Vincent Danen 2012-11-20 10:35:26 EST
Created libssh tracking bugs for this issue

Affects: fedora-all [bug 878521]

Comment 11 Fedora Update System 2012-11-27 00:27:41 EST
libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2012-11-28 23:00:37 EST
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2012-11-29 01:03:44 EST
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2012-12-06 01:57:42 EST
libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.