From http://www.openwall.com/lists/oss-security/2012/11/20/3 :
As reported to distros@ on 20121114:
A number of flaws were found in libssh prior to 0.5.3 by Xi Wang and Florian
Weimer of the Red Hat Product Security Team:
CVE-2012-4559: multiple double free() flaws
CVE-2012-4560: multiple buffer overflow flaws
CVE-2012-4561: multiple invalid free() flaws
CVE-2012-4562: multiple improper overflow checks
Patches for the flaws are attached to the bugs in our bugzilla.
0.5.3 added to CVS. Feel free to start the stabilization process.
Arches, please test and mark stable =net-libs/libssh-0.5.3
Target keywords: amd64 ppc ppc64 x86
Archtested on x86: Everything OK.
- Package compiles with all USE-flags combinations and all 9 tests in the test phase pass.
- Rdeps successfully compile and link against =net-libs/libssh-0.5.3
- Repoman reports no warnings.
- Verified functionality of libssh by using net-analyzer/hydra, no discrepancies found.
Double free vulnerability in the sftp_mkdir function in sftp.c in libssh
before 0.5.3 allows remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code via unspecified vectors, a different
vector than CVE-2012-4559.
Multiple integer overflows in libssh before 0.5.3 allow remote attackers to
cause a denial of service (infinite loop or crash) and possibly execute
arbitrary code via unspecified vectors, which triggers a buffer overflow,
infinite loop, or possibly some other unspecified vulnerabilities.
The (1) publickey_make_dss, (2) publickey_make_rsa, (3)
signature_from_string, (4) ssh_do_sign, and (5) ssh_sign_session_id
functions in keys.c in libssh before 0.5.3 free "an invalid pointer on an
error path," which might allow remote attackers to cause a denial of service
(crash) via unspecified vectors.
Multiple buffer overflows in libssh before 0.5.3 allow remote attackers to
cause a denial of service (crash) or possibly execute arbitrary code via
Multiple double free vulnerabilities in the (1) agent_sign_data function in
agent.c, (2) channel_request function in channels.c, (3) ssh_userauth_pubkey
function in auth.c, (4) sftp_parse_attr_3 function in sftp.c, and (5)
try_publickey_from_file function in keyfiles.c in libssh before 0.5.3 allow
remote attackers to cause a denial of service (crash) and possibly execute
arbitrary code via unspecified vectors.
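The descriptions above list the bug classes (double free, invalid free, buffer overflow, improper overflow check) without showing what an "improper overflow check" looks like. The following is an added illustration written for this page, not libssh code and not the patched code from the bugs: a length-prefixed string parser of the kind used for SSH packet fields, in the form where the bound check is done on a 32-bit sum that can wrap, next to the form that compares the length field against the remaining bytes without any addition. The struct, function names and the two sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal cursor over one received packet (constructed for this example). */
struct cursor {
    const uint8_t *data;
    uint32_t len;   /* total bytes available */
    uint32_t pos;   /* bytes consumed so far */
};

/* Big-endian uint32, as SSH encodes string lengths. */
static uint32_t rd_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Improper overflow check: `slen + 4` is evaluated in 32-bit unsigned
 * arithmetic, so a length field of 0xFFFFFFFC..0xFFFFFFFF wraps the sum
 * to 0..3 and the comparison passes. The caller then believes it has a
 * string of slen bytes inside a 6-byte packet (buffer over-read / overflow
 * when it copies), and pos advances by the wrapped value, so a loop that
 * parses fields until pos == len need never terminate. */
int get_string_vuln(struct cursor *c, const uint8_t **out, uint32_t *out_len) {
    uint32_t remaining = c->len - c->pos;
    if (remaining < 4) return -1;
    uint32_t slen = rd_u32(c->data + c->pos);
    if (slen + 4 > remaining)       /* BUG: the sum can wrap */
        return -1;
    *out = c->data + c->pos + 4;
    *out_len = slen;
    c->pos += slen + 4;             /* wraps as well */
    return 0;
}

/* Corrected check: account for the 4-byte length field first, then
 * compare slen against what is left. No addition can wrap, and pos can
 * never exceed len afterwards. */
int get_string_safe(struct cursor *c, const uint8_t **out, uint32_t *out_len) {
    uint32_t remaining = c->len - c->pos;
    if (remaining < 4) return -1;
    uint32_t slen = rd_u32(c->data + c->pos);
    remaining -= 4;
    if (slen > remaining)
        return -1;
    *out = c->data + c->pos + 4;
    *out_len = slen;
    c->pos += 4 + slen;
    return 0;
}

/* Constructed packets: a well-formed 5-byte string, and a hostile one whose
 * length field is 0xFFFFFFFF but which carries only two body bytes. */
static const uint8_t PKT_OK[]  = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t PKT_BAD[] = {0xff, 0xff, 0xff, 0xff, 'A', 'B'};

/* Runs one parser over one packet. Returns 1 if the parser accepted the
 * packet, 0 if it rejected it; *overran is set when the accepted string
 * length is larger than the packet body actually present. */
int run(int (*parser)(struct cursor *, const uint8_t **, uint32_t *),
        const uint8_t *pkt, uint32_t pktlen, bool *overran) {
    struct cursor c = { pkt, pktlen, 0 };
    const uint8_t *s = NULL;
    uint32_t slen = 0;
    int ok = parser(&c, &s, &slen) == 0;
    *overran = ok && slen > pktlen - 4;
    return ok;
}

int main(void) {
    bool o;
    printf("vuln/ok  : accepted=%d overran=%d\n",
           run(get_string_vuln, PKT_OK, sizeof PKT_OK, &o), o);
    printf("vuln/bad : accepted=%d overran=%d\n",
           run(get_string_vuln, PKT_BAD, sizeof PKT_BAD, &o), o);
    printf("safe/ok  : accepted=%d overran=%d\n",
           run(get_string_safe, PKT_OK, sizeof PKT_OK, &o), o);
    printf("safe/bad : accepted=%d overran=%d\n",
           run(get_string_safe, PKT_BAD, sizeof PKT_BAD, &o), o);
    return 0;
}
```

The wrap is well-defined for unsigned types, so compilers will not warn about it; the practical check is the one in run(): feed a length field near UINT32_MAX and confirm the parser rejects it rather than handing back a length larger than the packet.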
x86 done, Thanks Dan Dexter for testing.
GLSA draft ready.
Nothing to do for kde here anymore.
This issue was resolved and addressed in
GLSA 201402-26 at http://security.gentoo.org/glsa/glsa-201402-26.xml
by GLSA coordinator Chris Reffett (creffett).