Date: Tue, 3 Nov 1998 12:47:41 +1300 (NZDT)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Warner Losh
cc: bow, FreeBSD-security@FreeBSD.ORG
Subject: Re: [rootshell] Security Bulletin #25 (fwd)
In-Reply-To: <199811022237.PAA16222@harmony.village.org>

On Mon, 2 Nov 1998, Warner Losh wrote:

> Just so everyone knows, this advisory was only a draft advisory and
> was cancelled over the weekend. I saw the original advisory and
> checked stuff in based on it, since generally changes like this are
> good and can't hurt anything. After I checked in the fixes to ssh, I
> discovered that it had been determined that there was no way of
> exploiting this buffer call because all the places that called it had
> bounds checking.

I had a brief look over the ssh code some months ago. I didn't find
anything exploitable, but I did find things that made me uncomfortable,
like the logging routine that uses vsprintf (or something similarly
lacking in bounds checking) and expected all the places it was checked
to do the bounds checking.

As far as I looked, they pretty much did, though in one place I noted
that it was dependent on the length of a domain name returned from a
reverse lookup.

Andrew
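The pattern discussed in this message, a logger that formats into a fixed buffer and relies on every caller to limit the input, can be replaced by one that enforces the bound itself. The following is an added example, not code from ssh or from anyone in this thread; `log_bounded`, `LOG_BUF` and the sample hostname are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 64  /* constructed size, small so the sample input exceeds it */

/* Hypothetical logger: the bound is enforced here with vsnprintf, so no
 * caller has to pre-check the length of what it passes in.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int log_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (outsz == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);  /* never writes more than outsz bytes */
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    /* n is the length the full message would have had */
    return (size_t)n >= outsz ? 1 : 0;
}

/* Constructed stand-in for a name returned by a reverse lookup: its length
 * is decided by whoever controls the DNS zone, not by the caller. */
int demo_long_hostname(char *out, size_t outsz)
{
    char host[256];

    memset(host, 'a', sizeof(host) - 1);
    host[sizeof(host) - 1] = '\0';
    return log_bounded(out, outsz, "Connection from %s", host);
}

int main(void)
{
    char buf[LOG_BUF];
    int truncated = demo_long_hostname(buf, sizeof(buf));

    printf("truncated=%d stored_len=%zu\n", truncated, strlen(buf));
    return 0;
}
```

Returning the truncation status lets the caller log that a name was cut short, which is itself a useful signal when the value came from a reverse lookup.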