
Bug 286860

Summary: <net-libs/libssh-0.3.4: multiple overflows
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Thomas Beinicke <merlin>
Assignee: Gentoo Security <security>
CC: netmon
Status: RESOLVED FIXED
Severity: trivial
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~2 [noglsa]
Runtime testing required: ---
Bug Blocks: 289676

Description Thomas Beinicke 2009-09-28 21:57:00 UTC
Version bump to 0.3.4.
A simple change of the ebuild name and regenerating the manifest worked.
KDE4 trunk depends on 0.3.4 as well, here is the changelog.
ChangeLog:

    * Added ssh_basename() and ssh_dirname().
    * Added a portable ssh_mkdir function().
    * Added a sftp_tell64() function.
    * Added missing NULL pointer checks to crypt_set_algorithms_server.
    * Fixed ssh_write_knownhost if ~/.ssh doesn’t exist.
    * Fixed a possible integer overflow in buffer_get_data().
    * Fixed possible security bug in packet_decrypt().
    * Fixed a possible stack overflow in agent code.


Reproducible: Always

Steps to Reproduce:
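The changelog above names an integer overflow in buffer_get_data() without saying what it was. As an added example that is not libssh's code and makes no claim about the specific bug fixed in 0.3.4, here is the classic form of that defect in a length-prefixed buffer reader: a bounds check written as `pos + len <= used` wraps around in size_t when `len` is attacker-controlled, while comparing `len` against the bytes remaining cannot wrap. The names `struct rbuf`, `rbuf_get_data`, `rbuf_get_ssh_string` and the wire bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative reader, not libssh's code: a minimal buffer with a read
 * cursor, in the spirit of a buffer_get_data()-style API. */
struct rbuf {
    const uint8_t *data;
    size_t used;   /* bytes of valid data */
    size_t pos;    /* read cursor, always <= used */
};

/* Bounds check as it is commonly miswritten: pos + len can wrap around in
 * size_t, so a huge attacker-supplied len yields a small sum that passes. */
int check_wrapping(size_t pos, size_t used, size_t len)
{
    return pos + len <= used;
}

/* Correct form: compare len against the bytes remaining. There is no
 * addition, so nothing can wrap. */
int check_safe(size_t pos, size_t used, size_t len)
{
    return pos <= used && len <= used - pos;
}

/* Copy len bytes out of the buffer using the safe check.
 * Returns 0 on success, -1 if the request does not fit. */
int rbuf_get_data(struct rbuf *b, void *out, size_t len)
{
    if (!check_safe(b->pos, b->used, len))
        return -1;
    memcpy(out, b->data + b->pos, len);
    b->pos += len;
    return 0;
}

/* Read an SSH "string" (uint32 big-endian length, then that many bytes)
 * without trusting the length field. Returns the string length, or -1 on
 * truncated input or a length larger than the caller's buffer. */
long rbuf_get_ssh_string(struct rbuf *b, uint8_t *out, size_t out_cap)
{
    uint8_t hdr[4];
    if (rbuf_get_data(b, hdr, sizeof hdr) != 0)
        return -1;
    uint32_t n = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (n > out_cap)                      /* caller's buffer too small */
        return -1;
    if (rbuf_get_data(b, out, n) != 0)    /* length exceeds what is present */
        return -1;
    return (long)n;
}

int main(void)
{
    /* Constructed input: one well-formed string "abc", then a string whose
     * length field (0xffffffff) claims far more data than is present. */
    static const uint8_t wire[] = {
        0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',
        0xff, 0xff, 0xff, 0xff, 'x'
    };
    struct rbuf b = { wire, sizeof wire, 0 };
    uint8_t s[16];

    long n = rbuf_get_ssh_string(&b, s, sizeof s);
    printf("first string: len=%ld\n", n);
    n = rbuf_get_ssh_string(&b, s, sizeof s);
    printf("second string: %s\n", n < 0 ? "rejected" : "accepted");
    printf("wrapping check accepts len=SIZE_MAX-1 at pos 8 of 16: %d\n",
           check_wrapping(8, 16, SIZE_MAX - 1));
    printf("safe check accepts the same request: %d\n",
           check_safe(8, 16, SIZE_MAX - 1));
    return 0;
}
```

The point to take from the two check functions is that the subtraction form depends on the invariant `pos <= used`, which every writer of the cursor must preserve; the wrapping form has no such invariant and is simply wrong for any `len` larger than `SIZE_MAX - pos`.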
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-29 01:01:03 UTC
0.3.4 is in the tree. Looks like we need to actually stabilise something greater than 0.1.1 (formerly 0.11) this time.
Comment 2 Thomas Beinicke 2009-09-29 06:35:57 UTC
It works fine with the kde4 kioslaves which it depends on; I don't know what other packages depend on it though.
Stabilizing might be a good idea, though.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2009-10-18 07:15:43 UTC
(In reply to comment #1)
> 0.3.4 is in the tree. Looks like we need to actually stabilise something
> greater than 0.1.1 (formerly 0.11) this time.

Yup. We'll open a bug in a month or... well, since KDE uses it we'll have to stabilize them together, I guess. Anyway, no need to keep fixed bugs open.

Comment 4 Peter Volkov (RETIRED) gentoo-dev 2009-10-18 07:21:59 UTC
Err, I closed it and only after that noticed that this bug is assigned to security... it's just that there are no security tags in the Status Whiteboard... Well, some distributions issued security announcements for this package (FreeBSD, SUSE), so I think we need to at least stabilize this new version fast.

http://www.watchmouse.com/en/vulnerability_solutions/SuSE-Security-Update-libssh-2009-09-22-.html
Comment 5 Peter Volkov (RETIRED) gentoo-dev 2009-10-18 08:24:29 UTC
Arch teams, please, stabilize libssh-0.3.4.
Comment 6 Markus Meier gentoo-dev 2009-10-19 21:21:33 UTC
x86 stable
Comment 7 nixnut (RETIRED) gentoo-dev 2009-10-24 12:43:44 UTC
ppc stable
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 14:48:28 UTC
Thanks everyone.

I've got a novell account, but their bugtracker says: "You are not authorized to access bug #540628."

Closing noglsa.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-06 15:09:32 UTC
netmon: please remove the old versions.
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2009-11-12 18:44:45 UTC
(In reply to comment #9)
> netmon: please remove the old versions.

done.