Package: libssh / 0.4.5-3+squeeze3

CVE-2012-4561.patch Patch series | download
Description: Fix invalid free that could lead to denial of service or code execution (CVE-2012-4561)
Origin: backport, http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=455da60846d68c508f7fed5b381097b364647425
Origin: backport, http://git.libssh.org/projects/libssh.git/commit/?h=v0-5&id=d63f19c3000f8bc699ba99814bec9d7ddf6a5b20

--- a/libssh/keyfiles.c
+++ b/libssh/keyfiles.c
@@ -1133,7 +1133,7 @@ ssh_string try_publickey_from_file(ssh_s
   const char *priv;
   const char *pub;
   char *new;
-  ssh_string pubkey=NULL;
+  ssh_string pubkey;
 
   pub = keytab.publickey;
   if (pub == NULL) {
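Review bot: Dropping the `= NULL` initializer on `pubkey` leaves it indeterminate until it is assigned further down, outside this hunk. The later hunks in this file replace every visible `goto error` with `return NULL`, so no visible path reads it early, but that safety now depends on every future exit path keeping to the same rule. Keeping `ssh_string pubkey = NULL;` costs nothing and prevents a stray `return pubkey` from handing the caller an uninitialized pointer. The body of try_publickey_from_file starts and ends outside this hunk.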
@@ -1153,13 +1153,13 @@ ssh_string try_publickey_from_file(ssh_s
   ssh_log(session, SSH_LOG_PACKET, "Trying to open publickey %s", pub);
   if (!ssh_file_readaccess_ok(pub)) {
     ssh_log(session, SSH_LOG_PACKET, "Failed to open publickey %s", pub);
-    goto error;
+    return NULL;
   }
 
   ssh_log(session, SSH_LOG_PACKET, "Trying to open privatekey %s", priv);
   if (!ssh_file_readaccess_ok(priv)) {
     ssh_log(session, SSH_LOG_PACKET, "Failed to open privatekey %s", priv);
-    goto error;
+    return NULL;
   }
 
   ssh_log(session, SSH_LOG_PACKET, "Success opening public and private key");
@@ -1174,18 +1174,18 @@ ssh_string try_publickey_from_file(ssh_s
         "Wasn't able to open public key file %s: %s",
         pub,
         ssh_get_error(session));
-    goto error;
+    return NULL;
   }
 
   new = realloc(*privkeyfile, strlen(priv) + 1);
   if (new == NULL) {
     string_free(pubkey);
-    goto error;
+    return NULL;
   }
 
   strcpy(new, priv);
   *privkeyfile = new;
-error:
+
   return pubkey;
 }
 
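Review bot: The realloc failure branch returns NULL without recording an error, so a caller cannot tell an out-of-memory condition from an unreadable key file. Adding `ssh_set_error(session, SSH_FATAL, "Not enough space");` before that `return NULL;` would match how allocation failure is reported in the keys.c context of this patch. The branch also deserves a comment such as `/* pubkey was freed above; it must not be returned */`, because returning the freed string through the old `error:` label is exactly what this change removes. The function starts outside the hunk.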
--- a/libssh/keys.c
+++ b/libssh/keys.c
@@ -86,6 +86,7 @@ ssh_public_key publickey_make_dss(ssh_se
     buffer_free(buffer);
     return NULL;
   }
+  ZERO_STRUCTP(key);
 
   key->type = TYPE_DSS;
   key->type_c = ssh_type_to_char(key->type);
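Review bot: `ZERO_STRUCTP(key)` is added right after the allocation check with no comment saying why it is needed, and the same bare line is added in publickey_make_rsa, signature_from_string, ssh_do_sign and ssh_sign_session_id. Presumably an error path that frees the partly built struct must see NULL members rather than heap garbage. A comment such as `/* zero first: error paths free members that may not be set yet */` would turn that into a stated invariant. The allocation is outside the hunk; if it is a plain malloc, allocating with calloc would make the zeroing impossible to forget. Any other allocation site of these structs that this patch does not touch would deserve the same check.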
@@ -171,6 +172,7 @@ ssh_public_key publickey_make_rsa(ssh_se
     buffer_free(buffer);
     return NULL;
   }
+  ZERO_STRUCTP(key);
 
   key->type = type;
   key->type_c = ssh_type_to_char(key->type);
@@ -878,6 +880,7 @@ SIGNATURE *signature_from_string(ssh_ses
     ssh_set_error(session, SSH_FATAL, "Not enough space");
     return NULL;
   }
+  ZERO_STRUCTP(sign);
 
   tmpbuf = buffer_new();
   if (tmpbuf == NULL) {
@@ -1261,6 +1264,7 @@ ssh_string ssh_do_sign(ssh_session sessi
   if (sign == NULL) {
     return NULL;
   }
+  ZERO_STRUCTP(sign);
 
   switch(privatekey->type) {
     case TYPE_DSS:
@@ -1414,6 +1418,7 @@ ssh_string ssh_sign_session_id(ssh_sessi
   if (sign == NULL) {
     return NULL;
   }
+  ZERO_STRUCTP(sign);
 
   switch(privatekey->type) {
     case TYPE_DSS: