Bug 871617 (CVE-2012-4561)

Summary: CVE-2012-4561 libssh: multiple invalid free() flaws
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aris, asn, plautrba, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libssh 0.5.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-16 12:39:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 861968, 878521    
Bug Blocks: 815693    
Attachments:
Description Flags
CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
none
CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch
none
CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
none
CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch none

Description Vincent Danen 2012-10-30 21:09:58 UTC 
Florian Weimer of the Red Hat Product Security Team reported the existence of several unitialized heap allocations in the following functions:

keys.c:publickey_make_dss() (key)
keys.c:publickey_make_rsa() (key)
keys.c:signature_from_string() (sign)
keys.c:ssh_do_sign() (sign)
keys.c:ssh_sign_session_id() (sign)

This could lead to freeing an invalid pointer on an error path, which could lead to a crash in the process using libssh.
Comment 1 Andreas Schneider 2012-11-14 08:49:57 UTC 
Created attachment 644662 [details]
CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
Comment 2 Andreas Schneider 2012-11-14 08:50:19 UTC 
Created attachment 644663 [details]
CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch
Comment 3 Andreas Schneider 2012-11-14 16:45:10 UTC 
Created attachment 644998 [details]
CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
Comment 4 Andreas Schneider 2012-11-14 16:45:37 UTC 
Created attachment 644999 [details]
CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch
Comment 5 Vincent Danen 2012-11-20 15:27:35 UTC 
Fixed upstream:

http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
Comment 6 Vincent Danen 2012-11-20 15:35:48 UTC 
Created libssh tracking bugs for this issue

Affects: fedora-all [bug 878521]
Comment 7 Fedora Update System 2012-11-27 05:29:46 UTC 
libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-11-29 04:00:50 UTC 
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-11-29 06:03:52 UTC 
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-12-06 06:57:48 UTC 
libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.