Florian Weimer of the Red Hat Product Security Team reported several instances of code in libssh where a heap region is deallocated twice, first in the main path and then on the error path. This could crash the process using libssh, or possibly allow for the execution of arbitrary code. The identified affected variables are:

agent.c:agent_sign_data(): request
channels.c:channel_request(): req
auth.c:ssh_userauth_pubkey(): user, service, method, algo, pkstr
sftp.c:sftp_parse_attr_3(): longname, name
sftp.c:sftp_mkdir(): buffer, path
keyfiles.c:try_publickey_from_file(): pubkey

sftp.c:sftp_mkdir() has been corrected via the following git commit: http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=4d8420f3282ed07fc99fc5e930c17df27ef1e9b2
Andreas Schneider also noted: sftp_parse_attr_3() can be used for a DoS. It is used by sftp_readdir() and the sftp_*stat() functions. So a specially crafted sftp packet, which is pretty easy to do, can be sent to the client. The server implementations are probably not vulnerable because they call the functions with expectname = 0.
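The defect class in the report above (a buffer released on the main path and released again on the error path) and the crash Andreas describes, as an added illustration that is not libssh code: a minimal free() tracker counts a second release of the same pointer instead of handing it to free() again, so the buggy shape can be run without corrupting the heap, beside the corrected single-release shape. All function and variable names here are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Tiny free() tracker so the buggy path can be exercised safely: a pointer
 * already released is counted as a double free instead of being handed to
 * free() a second time (which would corrupt the heap or abort the process). */
#define TRACKED 16
static void *released[TRACKED];
static int n_released, double_frees;

static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) { double_frees++; return; }
    if (n_released < TRACKED) released[n_released++] = p;
    free(p);
}

/* Shape of the bug described in the report: the main path frees the buffer,
 * and a failure after that point frees it again on the error path. */
static int send_request_buggy(int fail_after_send) {
    char *request = malloc(32);
    if (request == NULL) return -1;
    strcpy(request, "constructed request");   /* stand-in for packet building */
    tracked_free(request);                    /* main path: sent, release it */
    if (fail_after_send) goto error;
    return 0;
error:
    tracked_free(request);   /* BUG: request was already freed above */
    return -1;
}

/* Corrected shape: one release point that every path reaches exactly once. */
static int send_request_fixed(int fail_after_send) {
    int rc = -1;
    char *request = malloc(32);
    if (request == NULL) return -1;
    strcpy(request, "constructed request");
    if (fail_after_send) goto out;             /* error path: skip to cleanup */
    rc = 0;
out:
    tracked_free(request);                    /* single free for all paths */
    return rc;
}

/* Runs one variant from a clean tracker and returns its double-free count. */
static int count_double_frees(int (*fn)(int), int fail_after_send) {
    n_released = double_frees = 0;
    fn(fail_after_send);
    return double_frees;
}
```

Building the real code with AddressSanitizer (-fsanitize=address) reports the same double free on the buggy path at runtime, without any tracker in the source.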
Created attachment 644659: CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch
Created attachment 644660: CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch
Created attachment 644661: CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch
Created attachment 644984: CVE-2012-4559-Ensure-we-don-t-free-blob-or-request-t.patch
Created attachment 644985: CVE-2012-4559-Ensure-that-we-don-t-free-req-twice.patch
Created attachment 644986: CVE-2012-4559-Make-sure-we-don-t-free-name-and-longn.patch
Fixed upstream: http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
Created libssh tracking bugs for this issue. Affects: fedora-all [bug 878521]
libssh-0.5.3-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
libssh-0.5.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6063 to the following vulnerability:

Name: CVE-2012-6063
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6063
Assigned: 20121130
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=871612
Reference: http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=4d8420f3282ed07fc99fc5e930c17df27ef1e9b2
Reference: http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/

Double free vulnerability in the sftp_mkdir function in sftp.c in libssh before 0.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vector than CVE-2012-4559.
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-4559 to the following vulnerability:

Name: CVE-2012-4559
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4559
Assigned: 20120821
Reference: http://www.openwall.com/lists/oss-security/2012/11/20/3
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=871612
Reference: http://www.libssh.org/2012/11/20/libssh-0-5-3-security-release/
Reference: http://www.securityfocus.com/bid/56604

Multiple double free vulnerabilities in the (1) agent_sign_data function in agent.c, (2) channel_request function in channels.c, (3) ssh_userauth_pubkey function in auth.c, (4) sftp_parse_attr_3 function in sftp.c, and (5) try_publickey_from_file function in keyfiles.c in libssh before 0.5.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
libssh-0.5.3-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.