erlug
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Erlug] Fwd: OpenSSH Buffer Management Bug Advisory

from Daniele Palumbo [Permanent Link]
To: erlug@xxxxxxxxxxxxxx
Subject: [Erlug] Fwd: OpenSSH Buffer Management Bug Advisory
From: Daniele Palumbo <rocco@xxxxxxxxxxxxxxxx>
Date: Wed, 17 Sep 2003 01:02:25 +0200 
prego.
grazie.
gli update vari per redhat e debian ci sono, ed erano gli unici presenti su bugtraq al momento. 

a me sembra che il fix sia più un workaround, voi che dite?

bye
daniele

Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Date: Tue, 16 Sep 2003 10:27:37 -0600 (MDT)
From: Dave Ahmad <da@xxxxxxxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: OpenSSH Buffer Management Bug Advisory
X-Virus-Scanned: by AMaViS 0.3.12


The following advisory is listed on the OpenSSH security page.  It was up
some time ago before disappearing for a while and then reappearing in the
last few minutes.

---

Subject: OpenSSH Security Advisory: buffer.adv

This is the 1st revision of the Advisory.

This document can be found at:  http://www.openssh.com/txt/buffer.adv

1. Versions affected:

        All versions of OpenSSH's sshd prior to 3.7 contain a buffer
        management error.  It is uncertain whether this error is
        potentially exploitable, however, we prefer to see bugs
        fixed proactively.

2. Solution:

        Upgrade to OpenSSH 3.7 or apply the following patch.

Appendix:

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- buffer.c    26 Jun 2002 08:54:18 -0000      1.16
+++ buffer.c    16 Sep 2003 03:03:47 -0000      1.17
@@ -69,6 +69,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+       u_int newlen;
        void *p;

        if (len > 0x100000)
@@ -98,11 +99,13 @@
                goto restart;
        }
        /* Increase the size of the buffer and retry. */
-       buffer->alloc += len + 32768;
-       if (buffer->alloc > 0xa00000)
+
+       newlen = buffer->alloc + len + 32768;
+       if (newlen > 0xa00000)
                fatal("buffer_append_space: alloc %u not supported",
-                   buffer->alloc);
-       buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+                   newlen);
+       buffer->buf = xrealloc(buffer->buf, newlen);
+       buffer->alloc = newlen;
        goto restart;
        /* NOTREACHED */
 }


David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.
<Prev in Thread] Current Thread [Next in Thread>
  • [Erlug] Fwd: OpenSSH Buffer Management Bug Advisory, Daniele Palumbo <=
Previous by Date:  Re: [Erlug] Attenzione: presunto exploit ssh in giro, Andrea Paolini
Next by Date:  [Erlug] Risolto Mutt, vic
Previous by Thread:  [Erlug] Attenzione: presunto exploit ssh in giro, Davide Bolcioni
Next by Thread:  [Erlug] Risolto Mutt, vic
Indexes:  [Date] [Thread] [Top] [All Lists]