Florian Weimer of the Red Hat Product Security Team reported the existence of several uninitialized heap allocations in the following functions:

keys.c:publickey_make_dss() (key)
keys.c:publickey_make_rsa() (key)
keys.c:signature_from_string() (sign)
keys.c:ssh_do_sign() (sign)
keys.c:ssh_sign_session_id() (sign)

This could lead to freeing an invalid pointer on an error path, which could lead to a crash in the process using libssh.
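The pattern behind these reports, as an added example that is not libssh's code: a hypothetical key object whose heap components are filled in one by one, shown first with the defect (malloc() leaves the not-yet-set components holding garbage that the error path then frees) and then with the fix (calloc() zeroes them, so key_free() is safe on any partially built object). The struct, key_free(), alloc_step() and the fail_at parameter, which simulates an allocation failure at a given step, are constructed for illustration.

```c
#include <stdlib.h>

/* Hypothetical key with three heap-allocated components; not libssh's own struct. */
struct key { unsigned char *p, *q, *g; };

/* free(NULL) is a no-op; free() on an uninitialised pointer is undefined behaviour. */
void key_free(struct key *k) {
    if (k) { free(k->p); free(k->q); free(k->g); free(k); }
}

/* fail_at simulates an allocation failure at step 0, 1 or 2 (-1: no failure). */
static unsigned char *alloc_step(size_t n, int step, int fail_at) {
    return (step == fail_at) ? NULL : malloc(n);
}

/* Vulnerable pattern: malloc() leaves p, q and g holding whatever the heap chunk
 * contained, so an error at step 0 hands garbage in q and g to free(). Do not call. */
struct key *key_make_vulnerable(size_t n, int fail_at) {
    struct key *k = malloc(sizeof(*k));          /* components uninitialised */
    if (k == NULL) return NULL;
    if ((k->p = alloc_step(n, 0, fail_at)) == NULL) goto fail;
    if ((k->q = alloc_step(n, 1, fail_at)) == NULL) goto fail;
    if ((k->g = alloc_step(n, 2, fail_at)) == NULL) goto fail;
    return k;
fail:
    key_free(k);                                 /* may free an invalid pointer */
    return NULL;
}

/* Fixed pattern: calloc() zeroes every component, so any error path can call key_free(). */
struct key *key_make_fixed(size_t n, int fail_at) {
    struct key *k = calloc(1, sizeof(*k));       /* p, q, g start as NULL */
    if (k == NULL) return NULL;
    if ((k->p = alloc_step(n, 0, fail_at)) == NULL) goto fail;
    if ((k->q = alloc_step(n, 1, fail_at)) == NULL) goto fail;
    if ((k->g = alloc_step(n, 2, fail_at)) == NULL) goto fail;
    return k;
fail:
    key_free(k);                                 /* only NULL or valid pointers here */
    return NULL;
}

/* Walks every error path of the fixed version plus one success path; returns 1 if all clean up. */
int fixed_error_paths_are_safe(void) {
    for (int step = 0; step < 3; step++)
        if (key_make_fixed(16, step) != NULL) return 0;
    struct key *k = key_make_fixed(16, -1);
    if (k == NULL || !k->p || !k->q || !k->g) return 0;
    key_free(k);
    return 1;
}
```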
Created attachment 644662: CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
Created attachment 644663: CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch
Created attachment 644998: CVE-2012-4561-Fix-error-handling-of-try_publickey_fr.patch
Created attachment 644999: CVE-2012-4561-Fix-possible-free-s-on-invalid-pointer.patch
Fixed upstream: http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
Created libssh tracking bugs for this issue. Affects: fedora-all [bug 878521]
libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.