libssh 0.5.3 (SECURITY RELEASE)

This is an important SECURITY and maintenance release in order to address CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562.

The double free in sftp_parse_attr_3() could be used for a Denial of Service attack against a libssh client implementation. The SFTP server implementations are probably not vulnerable. However, we suggest that everyone update to version 0.5.3.

Thanks to Xi Wang and Florian Weimer for the reports, help and fixes.

If you are new to libssh, read The Tutorial on how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.5.3 here. For Windows binaries, we suggest using the MSVC and MinGW binaries from the KDE Windows project here. Packages for Fedora and for openSUSE are available here.

The security patches are available as a tarball here.

ChangeLog

  • CVE-2012-4559 Fixed multiple double free() flaws.
  • CVE-2012-4560 Fixed multiple buffer overflow flaws.
  • CVE-2012-4561 Fixed multiple invalid free() flaws.
  • BUG #84 – Fix bug in sftp_mkdir not returning on error.
  • BUG #85 – Fixed a possible channel infinite loop if the connection dropped.
  • BUG #88 – Added missing channel request_state and set it to accepted.
  • BUG #89 – Reset error state to no error on successful SSHv1 authentication.
  • Fixed a possible use after free in ssh_free().
  • Fixed multiple possible NULL pointer dereferences.
  • Fixed multiple memory leaks in error paths.
  • Fixed timeout handling.
  • Fixed regression in pre-connected socket setting.
  • Handle all unknown global messages.