libssh: CVE-2013-0176 NULL dereference denial of service

Related Vulnerabilities: CVE-2013-0176  

Debian Bug report logs - #698963

Package: libssh; Maintainer for libssh is Laurent Bigonville <bigon@debian.org>;

Reported by: Marc Deslauriers <marc.deslauriers@ubuntu.com>

Date: Fri, 25 Jan 2013 18:54:02 UTC

Severity: normal

Tags: patch, security

Found in versions 0.4.5-3, 0.5.3-1

Fixed in version libssh/0.5.4-1

Done: Laurent Bigonville <bigon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Laurent Bigonville <bigon@debian.org>:
Bug#698963; Package libssh. (Fri, 25 Jan 2013 18:54:05 GMT).


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Laurent Bigonville <bigon@debian.org>. (Fri, 25 Jan 2013 18:54:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libssh: CVE-2013-0176 NULL dereference denial of service
Date: Fri, 25 Jan 2013 13:51:27 -0500
Package: libssh
Version: 0.5.3-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu raring ubuntu-patch



*** /tmp/tmpWGDf6_/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service via NULL dereference
    - debian/patches/CVE-2013-0176.patch: properly handle client that
      doesn't send a matching key in src/server.c.
    - CVE-2013-0176


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal'), (100, 'quantal-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-22-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[libssh_0.5.3-1ubuntu1.debdiff (text/x-diff, attachment)]

Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 26 Jan 2013 09:21:08 GMT).


Reply sent to Laurent Bigonville <bigon@debian.org>:
You have taken responsibility. (Tue, 05 Feb 2013 00:36:06 GMT).


Notification sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Bug acknowledged by developer. (Tue, 05 Feb 2013 00:36:06 GMT).


Message #12 received at 698963-close@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: 698963-close@bugs.debian.org
Subject: Bug#698963: fixed in libssh 0.5.4-1
Date: Tue, 05 Feb 2013 00:32:32 +0000
Source: libssh
Source-Version: 0.5.4-1

We believe that the bug you reported is fixed in the latest version of
libssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 698963@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bigon@debian.org> (supplier of updated libssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 05 Feb 2013 01:06:40 +0100
Source: libssh
Binary: libssh-4 libssh-dev libssh-dbg libssh-doc
Architecture: source all amd64
Version: 0.5.4-1
Distribution: unstable
Urgency: low
Maintainer: Laurent Bigonville <bigon@debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description: 
 libssh-4   - tiny C SSH library
 libssh-dbg - tiny C SSH library. Debug symbols
 libssh-dev - tiny C SSH library. Development files
 libssh-doc - tiny C SSH library. Documentation files
Closes: 698963
Changes: 
 libssh (0.5.4-1) unstable; urgency=low
 .
   * New upstream security release
     - Fix NULL dereference leads to denial of service
       (Closes: #698963, CVE-2013-0176)
   * debian/patches/0003-fix-typo.patch: Fix typo in error message




Marked as found in versions 0.4.5-3. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Mon, 04 Mar 2013 10:24:03 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Apr 2013 07:27:21 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:41:09 2019; Machine Name: buxtehude
