Bug 871617 (CVE-2012-4561)

Summary: CVE-2012-4561 libssh: multiple invalid free() flaws
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aris, asn, plautrba, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20121120,reported=20121001,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,fedora-all/libssh=affected
Fixed In Version: libssh 0.5.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-16 08:39:08 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 861968, 878521    
Bug Blocks: 815693    
Attachments:
Description Flags
CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
none
CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch
none
CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
none
CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch none

Description Vincent Danen 2012-10-30 17:09:58 EDT
Florian Weimer of the Red Hat Product Security Team reported the existence of several unitialized heap allocations in the following functions:

keys.c:publickey_make_dss() (key)
keys.c:publickey_make_rsa() (key)
keys.c:signature_from_string() (sign)
keys.c:ssh_do_sign() (sign)
keys.c:ssh_sign_session_id() (sign)

This could lead to freeing an invalid pointer on an error path, which could lead to a crash in the process using libssh.
Comment 1 Andreas Schneider 2012-11-14 03:49:57 EST
Created attachment 644662 [details]
CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
Comment 2 Andreas Schneider 2012-11-14 03:50:19 EST
Created attachment 644663 [details]
CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch
Comment 3 Andreas Schneider 2012-11-14 11:45:10 EST
Created attachment 644998 [details]
CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
Comment 4 Andreas Schneider 2012-11-14 11:45:37 EST
Created attachment 644999 [details]
CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch
Comment 5 Vincent Danen 2012-11-20 10:27:35 EST
Fixed upstream:

http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
Comment 6 Vincent Danen 2012-11-20 10:35:48 EST
Created libssh tracking bugs for this issue

Affects: fedora-all [bug 878521]
Comment 7 Fedora Update System 2012-11-27 00:29:46 EST
libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-11-28 23:00:50 EST
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-11-29 01:03:52 EST
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-12-06 01:57:48 EST
libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.