REDHAT-BUG-1158089

First published: Tue Oct 28 2014(Updated: )

Description of problem: Maybe it is possible to send a malicious kexinit package to eventually cause a server to a double-free. I guess this is only a DoS. Source code: <a href="http://git.libssh.org/projects/libssh.git/">http://git.libssh.org/projects/libssh.git/</a> Patch: From f6b9f851b962e3a587f3f99b7cb97d130f0c77b9 Mon Sep 17 00:00:00 2001 From: Jon Simons &lt;jon&gt; Date: Sat, 18 Oct 2014 23:23:26 -0700 Subject: [PATCH] kex: fixup error path in ssh_packet_kexinit Before this change, dangling pointers can be unintentionally left in the respective next_crypto kex methods slots. Ensure to set all slots to NULL in the error-out path. Signed-off-by: Jon Simons &lt;jon&gt; --- src/kex.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/kex.c b/src/kex.c index f1a1b56..ee00ec3 100644 --- a/src/kex.c +++ b/src/kex.c @@ -443,6 +443,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ error: ssh_string_free(str); for (i = 0; i &lt; SSH_KEX_METHODS; i++) { + if (server_kex) { + session-&gt;next_crypto-&gt;client_kex.methods[i] = NULL; + } else { /* client */ + session-&gt;next_crypto-&gt;server_kex.methods[i] = NULL; + } SAFE_FREE(strings[i]); } -- 1.9.1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/references
• agent/type
• agent/last-modified-date
• agent/first-publish-date
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2014-8132
• agent/severity
• agent/event
• agent/description
• agent/trending
• agent/source
• agent/tags
• agent/softwarecombine
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/libssh
• canonical/libssh