Package: libssh / 0.4.5-3+squeeze3

CVE-2012-4559.patch Patch series | download
Description: Fix double free that could lead to denial of service or code execution (CVE-2012-4559)
Origin: backport, http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=4d8420f3282ed07fc99fc5e930c17df27ef1e9b2
Origin: backport, http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=1471f2c67a23602898e783c97b65aea9cc6356a4
Origin: backport, http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=6236001ff4f9017c9f842d6548baba9760c95f5c
Origin: backport, http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=46b2eb3c147a29478809f1ab95e924e1bb7e3768

--- a/libssh/agent.c
+++ b/libssh/agent.c
@@ -438,6 +438,7 @@ ssh_string agent_sign_data(struct ssh_se
   }
 
   string_free(blob);
+  blob = NULL;
 
   reply = buffer_new();
   if (reply == NULL) {
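Review bot: The `blob = NULL;` added after `string_free(blob)` reads as a redundant assignment unless the reader knows that a later error path in agent_sign_data frees `blob` again, which is presumably the double free this patch addresses; a short comment would stop a future cleanup from removing it, e.g. `/* cleared so the later error path's string_free(blob) is a no-op */`. The same applies to `request = NULL;` in the next hunk. agent_sign_data's body and the later free both lie outside these hunks, so this is inferred from the patch description rather than from visible code.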
@@ -450,6 +451,7 @@ ssh_string agent_sign_data(struct ssh_se
     return NULL;
   }
   buffer_free(request);
+  request = NULL;
 
   /* check if reply is valid */
   if (buffer_get_u8(reply, (uint8_t *) &type) != sizeof(uint8_t)) {
--- a/libssh/channels.c
+++ b/libssh/channels.c
@@ -1057,6 +1057,7 @@ static int channel_request(ssh_channel c
       buffer_add_u32(session->out_buffer, htonl(channel->remote_channel)) < 0 ||
       buffer_add_ssh_string(session->out_buffer, req) < 0 ||
       buffer_add_u8(session->out_buffer, reply == 0 ? 0 : 1) < 0) {
+    string_free(req);
     goto error;
   }
   string_free(req);
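Review bot: Moving `string_free(req)` from the `error:` label into this one failure branch (and out of the label in the following hunk) means every other `goto error` taken while `req` is live must now free it itself; whether such paths exist between the allocation of `req` and this check cannot be seen from the hunk and should be confirmed. An alternative that keeps the label as the single cleanup point is to leave `string_free(req)` at `error:` and add `req = NULL;` after the successful free on this line, the same pattern the agent.c hunks use, so the label's free becomes a no-op instead of a double free; that relies on `req` being NULL before it is allocated, which is not visible here. channel_request begins and ends outside these hunks.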
@@ -1099,7 +1100,6 @@ static int channel_request(ssh_channel c
   return rc;
 error:
   buffer_reinit(session->out_buffer);
-  string_free(req);
 
   leave_function();
   return rc;
--- a/libssh/sftp.c
+++ b/libssh/sftp.c
@@ -1178,8 +1178,8 @@ static char *sftp_parse_longname(const c
                    so that number of pairs equals extended_count              */
 static sftp_attributes sftp_parse_attr_3(sftp_session sftp, ssh_buffer buf,
     int expectname) {
-  ssh_string longname = NULL;
-  ssh_string name = NULL;
+  ssh_string longname;
+  ssh_string name;
   sftp_attributes attr;
   uint32_t flags = 0;
   int ok = 0;
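Review bot: Dropping the `= NULL` initialisers of `name` and `longname` is safe only because the `!ok` cleanup later in this file no longer frees them (a later hunk removes those two calls); keeping `ssh_string longname = NULL;` and `ssh_string name = NULL;` costs nothing and guards against a future change that reads either variable on an early `break` taken before it is assigned. With `expectname` false neither variable is assigned at all, so any such read would be on an indeterminate value.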
@@ -1194,19 +1194,27 @@ static sftp_attributes sftp_parse_attr_3
   /* This isn't really a loop, but it is like a try..catch.. */
   do {
     if (expectname) {
-      if ((name = buffer_get_ssh_string(buf)) == NULL ||
-          (attr->name = string_to_char(name)) == NULL) {
-        break;
+      name = buffer_get_ssh_string(buf);
+      if (name == NULL) {
+          break;
       }
+      attr->name = string_to_char(name);
       string_free(name);
+      if (attr->name == NULL) {
+          break;
+      }
 
       ssh_log(sftp->session, SSH_LOG_RARE, "Name: %s", attr->name);
 
-      if ((longname=buffer_get_ssh_string(buf)) == NULL ||
-          (attr->longname=string_to_char(longname)) == NULL) {
-        break;
+      longname = buffer_get_ssh_string(buf);
+      if (longname == NULL) {
+          break;
       }
+      attr->longname = string_to_char(longname);
       string_free(longname);
+      if (attr->longname == NULL) {
+        break;
+      }
 
       /* Set owner and group if we talk to openssh and have the longname */
       if (ssh_get_openssh_version(sftp->session)) {
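Review bot: The new `break;` statements under the `name == NULL`, `attr->name == NULL` and `longname == NULL` checks are indented four spaces below their `if`, while the `attr->longname == NULL` check uses the file's two-space step; indent the first three two spaces deeper than their `if`, matching the last one. The restructuring itself is the right shape, freeing each ssh_string immediately after `string_to_char` so the cleanup block never touches it, and that invariant deserves a comment at the first free, e.g. `/* name/longname are released here; the !ok cleanup must not free them again */`, since the later hunk that removes the cleanup frees relies on it. sftp_parse_attr_3 continues outside this hunk.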
@@ -1311,8 +1319,6 @@ static sftp_attributes sftp_parse_attr_3
 
   if (!ok) {
     /* break issued somewhere */
-    string_free(name);
-    string_free(longname);
     string_free(attr->extended_type);
     string_free(attr->extended_data);
     SAFE_FREE(attr->name);
@@ -2250,6 +2256,7 @@ int sftp_mkdir(sftp_session sftp, const
       sftp_packet_write(sftp, SSH_FXP_MKDIR, buffer) < 0) {
     buffer_free(buffer);
     string_free(path);
+    return -1;
   }
   buffer_free(buffer);
   string_free(path);
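Review bot: The added `return -1;` stops the failure branch falling through into a second `buffer_free(buffer)`/`string_free(path)`, but the value should be checked against what sftp_mkdir's other failure exits return (libssh usually spells it `SSH_ERROR`), so callers see a single error code; the rest of the function is outside the hunk. The cleanup pair is now written twice in consecutive lines; a comment on the failure branch such as `/* write failed: release and bail out before the normal cleanup below */` would make it clear the duplication is deliberate rather than a leftover.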