Bug 871620 (CVE-2012-4562)

Summary: CVE-2012-4562 libssh: multiple improper overflow checks
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: asn, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20121120,reported=20121001,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,fedora-all/libssh=affected
Fixed In Version: libssh 0.5.3
Doc Type: Bug Fix
Last Closed: 2013-07-16 12:38:57 UTC
Bug Depends On: 861957, 878521
Bug Blocks: 815693

Attachments (flags: none):
  CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch
  CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch
  CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch
  CVE-2012-4562-Fix-possible-string-related-integer-ov.patch

Description Vincent Danen 2012-10-30 21:23:51 UTC
Florian Weimer of the Red Hat Product Security Team reported many instances of overflow checks in libssh's buffer.c that were incorrect:


  if ((buffer->pos + hostlen) > buffer->used) {

This should probably be:

  if (hostlen > buffer->used - buffer->pos) {

It seems this could be used to trigger a large memory allocation which is immediately freed, so this is mostly harmless (not exploitable for code execution or denial of service).


A similar problem occurs in buffer_add_data():

  if (buffer->allocated < (buffer->used + len)) {

len should stand on its own.


Likewise in buffer_prepend_data():

  if (buffer->allocated < (buffer->used - buffer->pos + len)) {


And buffer_pass_bytes(), buffer_pass_bytes_end(), buffer_get_mpint():

  if(buffer->used < buffer->pos + len)

  if(buffer->used < buffer->pos + len)

  if ((buffer->pos + len) > buffer->used) {


While it is not certain that any of these are actually exploitable, the checks are incorrect and need to be fixed.
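
The two check patterns above, side by side, as an added example that is not libssh's code: a hypothetical three-field stand-in for the buffer struct (only pos, used and allocated, the fields the quoted checks reference), with the quoted read and append checks next to their subtraction-based replacements. The counters are assumed to be 32-bit, so a sufficiently large len makes the addition wrap; the subtraction form cannot wrap once the pos <= used and used <= allocated invariants hold.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for libssh's buffer: only the three fields the
 * quoted checks reference. 32-bit counters, so arithmetic wraps mod 2^32. */
struct buf {
    uint32_t pos;        /* read cursor */
    uint32_t used;       /* bytes written so far (invariant: pos <= used) */
    uint32_t allocated;  /* capacity (invariant: used <= allocated) */
};

/* Read check as quoted in the report: pos + len can wrap to a small value. */
bool can_read_old(const struct buf *b, uint32_t len)
{
    return !((b->pos + len) > b->used);
}

/* Corrected read check: compare len against the bytes remaining; the
 * subtraction cannot underflow once pos <= used has been established. */
bool can_read_new(const struct buf *b, uint32_t len)
{
    if (b->pos > b->used)
        return false;
    return len <= b->used - b->pos;
}

/* Append check as quoted for buffer_add_data(): used + len can wrap. */
bool can_append_old(const struct buf *b, uint32_t len)
{
    return !(b->allocated < (b->used + len));
}

/* Corrected append check: compare len against the free capacity. */
bool can_append_new(const struct buf *b, uint32_t len)
{
    if (b->used > b->allocated)
        return false;
    return len <= b->allocated - b->used;
}

int main(void)
{
    struct buf b = { .pos = 16, .used = 64, .allocated = 128 };
    uint32_t wrap = UINT32_MAX - b.pos + 1;  /* constructed: pos + wrap == 0 */
    printf("read   len=%u old=%d new=%d\n", wrap, can_read_old(&b, wrap), can_read_new(&b, wrap));
    printf("append len=%u old=%d new=%d\n", wrap, can_append_old(&b, wrap), can_append_new(&b, wrap));
    return 0;
}
```

With pos = 16 the constructed length makes pos + len wrap to 0, so the old read check accepts a read of nearly 4 GiB from a 64-byte buffer while the corrected check rejects it; the same holds for the append check.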

Comment 1 Vincent Danen 2012-11-14 16:34:18 UTC
Another issue was found in src/dh.c: ssh_get_hexa(), as well as src/buffer.c: ssh_buffer_free(), and a few issues in src/string.c: ssh_string_to_char().

Comment 2 Andreas Schneider 2012-11-14 16:46:24 UTC
Created attachment 645002
CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch

Comment 3 Andreas Schneider 2012-11-14 16:46:44 UTC
Created attachment 645003
CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch

Comment 4 Andreas Schneider 2012-11-14 16:47:05 UTC
Created attachment 645004
CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch

Comment 5 Andreas Schneider 2012-11-14 16:47:34 UTC
Created attachment 645018
CVE-2012-4562-Fix-possible-string-related-integer-ov.patch

Comment 6 Vincent Danen 2012-11-20 15:26:31 UTC
Fixed upstream:

http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/

Comment 7 Vincent Danen 2012-11-20 15:40:49 UTC
Created libssh tracking bugs for this issue

Affects: fedora-all [bug 878521]

Comment 8 Fedora Update System 2012-11-27 05:30:14 UTC
libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-11-29 04:00:59 UTC
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2012-11-29 06:04:01 UTC
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2012-12-06 06:57:58 UTC
libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.