Bug 871620 (CVE-2012-4562)

Summary: CVE-2012-4562 libssh: multiple improper overflow checks
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: asn, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20121120,reported=20121001,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,fedora-all/libssh=affected
Fixed In Version: libssh 0.5.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-16 08:38:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 861957, 878521
Bug Blocks: 815693

Attachments (description, flags):
CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch (none)
CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch (none)
CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch (none)
CVE-2012-4562-Fix-possible-string-related-integer-ov.patch (none)

Description Vincent Danen 2012-10-30 17:23:51 EDT
Florian Weimer of the Red Hat Product Security Team reported many instances of overflow checks in libssh's buffer.c that were incorrect:


  if ((buffer->pos + hostlen) > buffer->used) {

This should probably be:

  if (hostlen > buffer->used - buffer->pos) {

It seems this could be used to trigger a large memory allocation which is immediately freed, so this is mostly harmless (not exploitable for code execution or denial of service).


A similar problem occurs in buffer_add_data():

  if (buffer->allocated < (buffer->used + len)) {

len should stand on its own.


Likewise in buffer_prepend_data():

  if (buffer->allocated < (buffer->used - buffer->pos + len)) {


And buffer_pass_bytes(), buffer_pass_bytes_end(), buffer_get_mpint():

  if(buffer->used < buffer->pos+len)

  if(buffer->used < buffer->pos + len)

  if ((buffer->pos + len) > buffer->used) {


While it is not certain that any of these are actually exploitable, the checks are incorrect and need to be fixed.
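The wrap-around that lets each of the reported checks pass can be shown in a few lines. This is an added example, not code from libssh or from the report; `demo_buffer` is a constructed stand-in that assumes the three counters are 32-bit unsigned, as in libssh's buffer struct, and that the fix is the form the report proposes (the length standing alone on one side of the comparison).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the fields the reported checks use; assumes
 * 32-bit unsigned counters, with pos <= used <= allocated as invariants. */
struct demo_buffer {
    uint32_t used;       /* bytes of valid data */
    uint32_t pos;        /* read cursor */
    uint32_t allocated;  /* capacity of the backing allocation */
};

/* Check as reported: pos + len wraps at 2^32, so a huge len makes the sum
 * small and the read is accepted. Returns true when the read is accepted. */
bool read_check_overflowing(const struct demo_buffer *b, uint32_t len)
{
    return !((b->pos + len) > b->used);
}

/* Corrected form from the report: len stands alone on one side, and
 * used - pos cannot underflow while the pos <= used invariant holds. */
bool read_check_fixed(const struct demo_buffer *b, uint32_t len)
{
    return !(len > b->used - b->pos);
}

/* Same pattern in buffer_add_data(): used + len wraps the same way. */
bool add_check_overflowing(const struct demo_buffer *b, uint32_t len)
{
    return !(b->allocated < (b->used + len));
}

bool add_check_fixed(const struct demo_buffer *b, uint32_t len)
{
    return !(len > b->allocated - b->used);
}

int main(void)
{
    struct demo_buffer b = { .used = 100, .pos = 40, .allocated = 256 };
    uint32_t huge = UINT32_MAX - 10;  /* constructed: wraps pos + len to 29 */

    printf("read %u bytes: reported check accepts=%d, fixed check accepts=%d\n",
           huge, read_check_overflowing(&b, huge), read_check_fixed(&b, huge));
    printf("add  %u bytes: reported check accepts=%d, fixed check accepts=%d\n",
           huge, add_check_overflowing(&b, huge), add_check_fixed(&b, huge));
    return 0;
}
```

With the constructed values, the reported form accepts a length of 4294967285 bytes in both cases while the fixed form rejects it; for ordinary lengths the two forms agree.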
Comment 1 Vincent Danen 2012-11-14 11:34:18 EST
Another issue was found in src/dh.c: ssh_get_hexa(), as well as src/buffer.c: ssh_buffer_free(), and a few issues in src/string.c: ssh_string_to_char().
Comment 2 Andreas Schneider 2012-11-14 11:46:24 EST
Created attachment 645002 [details]
CVE-2012-4562-Fix-possible-integer-overflow-in-ssh_g.patch
Comment 3 Andreas Schneider 2012-11-14 11:46:44 EST
Created attachment 645003 [details]
CVE-2012-4562-Fix-multiple-integer-overflows-in-buff.patch
Comment 4 Andreas Schneider 2012-11-14 11:47:05 EST
Created attachment 645004 [details]
CVE-2012-4562-Fix-a-possible-infinite-loop-in-buffer.patch
Comment 5 Andreas Schneider 2012-11-14 11:47:34 EST
Created attachment 645018 [details]
CVE-2012-4562-Fix-possible-string-related-integer-ov.patch
Comment 6 Vincent Danen 2012-11-20 10:26:31 EST
Fixed upstream:

http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
Comment 7 Vincent Danen 2012-11-20 10:40:49 EST
Created libssh tracking bugs for this issue

Affects: fedora-all [bug 878521]
Comment 8 Fedora Update System 2012-11-27 00:30:14 EST
libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-11-28 23:00:59 EST
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-11-29 01:04:01 EST
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-12-06 01:57:58 EST
libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.