This is an important SECURITY and maintenance release in order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562.
- CVE-2012-4559 – Fix multiple double free() flaws
- CVE-2012-4560 – Fix multiple buffer overflow flaws
- CVE-2012-4561 – Fix multiple invalid free() flaws
- CVE-2012-4562 – Fix multiple improper overflow checks
The double free in sftp_parse_attr_3() could be used for a Denial of Service attack against a libssh client implementation. The sftp server implementations are probably not vulnerable. However we suggest everyone to update to version 0.5.3.
Thanks to Xi Wang and Florian Weimer for the reports, help and fixes.
The security patches are available as a tarball here.
- CVE-2012-4559 Fixed multiple double free() flaws.
- CVE-2012-4560 Fixed multiple buffer overflow flaws.
- CVE-2012-4561 Fixed multiple invalid free() flaws.
- BUG #84 – Fix bug in sftp_mkdir not returning on error.
- BUG #85 – Fixed a possible channel infinite loop if the connection dropped.
- BUG #88 – Added missing channel request_state and set it to accepted.
- BUG #89 – Reset error state to no error on successful SSHv1 authentiction.
- Fixed a possible use after free in ssh_free().
- Fixed multiple possible NULL pointer dereferences.
- Fixed multiple memory leaks in error paths.
- Fixed timeout handling.
- Fixed regression in pre-connected socket setting.
- Handle all unknown global messages.