Florian Weimer of the Red Hat Product Security Team reported two cases where a function in libssh would write one past the end of the buffer (the u buffer in misc.c:ssh_path_expand_tilde() and the buf buffer in misc.c:ssh_path_expand_escape()).
Created attachment 644664: CVE-2012-4560-Fix-possible-integer-overflow-in-ssh_g.patch
Created attachment 644665: CVE-2012-4560-Fix-multiple-integer-overflows-in-buff.patch
Created attachment 644666: CVE-2012-4560-Fix-a-possible-infinite-loop-in-buffer.patch
Created attachment 644667: CVE-2012-4560-Fix-possible-integer-overflows.patch
Created attachment 644668: CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch
Created attachment 644669: CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch
Created attachment 644988: CVE-2012-4560-Fix-a-write-one-past-the-end-of-the-u-.patch
Created attachment 644990: CVE-2012-4560-Fix-a-write-one-past-the-end-of-buf.patch
Fixed upstream: http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
Created libssh tracking bugs for this issue. Affects: fedora-all [bug 878521]
libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.