From owner-freebsd-questions Thu Oct 26 5:31:15 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from web805.mail.yahoo.com (web805.mail.yahoo.com [128.11.23.65])
    by hub.freebsd.org (Postfix) with SMTP id A6D8837B4D7
    for ; Thu, 26 Oct 2000 05:31:07 -0700 (PDT)
Received: (qmail 29376 invoked by uid 60001); 26 Oct 2000 12:50:49 -0000
Message-ID: <20001026125049.29375.qmail@web805.mail.yahoo.com>
Received: from [212.124.86.132] by web805.mail.yahoo.com; Thu, 26 Oct 2000 05:50:49 PDT
Date: Thu, 26 Oct 2000 05:50:49 -0700 (PDT)
From: Zvezdelin Vladov
Subject: OpenSSH 2.1.x printf-style format string bugs!
To: security-officer@FreeBSD.org, freebsd-questions@freebsd.org, freebsd-stable@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dear Sirs,

Excuse me if I am wrong, but on the RELENG_4 tag, the openssh port seems to be the old version, as far as I can see (on the http://www.freebsd.org/cgi/cvsweb.cgi/src/ RELENG_4 tag). And there are *some* security problems with it:

http://www.openbsd.org/errata.html

028: SECURITY FIX: Oct 6, 2000
There are printf-style format string bugs in several privileged programs.

Looks like we've missed something. Please note that -current has the patched (2.2.0) version of openssh. Please note that the openssh.2.2.0p1 distribution downloaded from openssh.com fixes it too.

Can't understand why this patch, among others:

if (fail) { - log(buf); fclose(f); + log("%s",buf); restore_uid(); return 0; }

has been published on Oct/06, and 2.2.0, in which the above is patched, is available as of September.

Just last night I compiled openssh2.2.0p1 on my machine, just to replace the buggy code. The port is the old version, no matter that it has been updated through cvsup 1 week ago; the same was done with the /usr/src/ tree.

As far as I noticed, the above fragment has *not* been present in any of the sources: the ports, under /usr/ports/security/openssh/, and the /usr/src/ RELENG_4 branch (4.x-stable).

Regards,
Zvezdelin Vladov
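
Review bot: the `+ log("%s",buf);` line corrects only this one call in the `if (fail)` branch, while the erratum quoted in the message speaks of format string bugs in several privileged programs, so every other call that passes a buffer as the first argument of log() needs the same check before the tree is considered fixed. Declaring log() with a printf-style format attribute and building with -Wformat-security would let the compiler flag any remaining `log(buf)` calls. As quoted, the fragment also carries no file name or `@@` header, so it cannot be applied or matched against /usr/src or the port as it stands; the full diff from the erratum should be referenced when comparing trees.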