Date: Thu, 7 Mar 2002 15:39:12 +0100
From: Jochem Kossen
To: security@FreeBSD.org
Subject: OpenSSH root hole
Message-ID: <20020307143912.GA28250@jochem.dyndns.org>

Yup, a new hole has been found in OpenSSH...

Impact: HIGH: Existing users will gain root privileges.

The advisory at http://www.pine.nl/advisories/pine-cert-20020301.txt says the FreeBSD OpenSSH port has been updated.

Does anyone know when OpenSSH in base will be updated? The hole scares me a bit, although the patch is extremely small :)

--- channels_old.c Mon Mar 4 02:07:06 2002 +++ channels.c Mon Mar 4 02:07:16 2002 @@ -151,7 +151,7 @@ channel_lookup(int id) { Channel *c; - if (id < 0 || id > channels_alloc) { + if (id < 0 || id >= channels_alloc) { log("channel_lookup: %d: bad id", id); return NULL; }
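
Review bot: The corrected comparison on the `+` line (`id >= channels_alloc`) carries no comment saying that valid ids run from 0 to channels_alloc - 1, and a one-character boundary like this is easy to regress. Add a short comment above the check stating that range, and audit the other comparisons against channels_alloc in channels.c for the same `>` versus `>=` slip, since this hunk touches only channel_lookup(). The visible lines also do not show whether the slot selected by an in-range id is checked for being unused before it is returned, so confirm that in the rest of the function.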