Date: Tue, 16 Sep 2003 17:36:03 +0300 From: Vlad Galu <Vlad.Galu@rdsnet.ro> To: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up Message-ID: <20030919103953.1AB2A43FBF@mx1.FreeBSD.org> In-Reply-To: <20030916134347.GA30359@madman.celabo.org> References: <20030916134347.GA30359@madman.celabo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 16 Sep 2003 08:43:47 -0500 "Jacques A. Vidrine" <nectar@FreeBSD.org> wrote: > OK, an official OpenSSH advisory was released, see here: > <URL: > http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html > > So what this basically does is: not incrementing buffer->alloc, but using a new integer variable instead, which we compare to 0xa00000. How does this help ? I'm not an expert in off-by-one vulnerabilities. It'd be nice if someone enlightened me a little bit. > > The fix is currently in FreeBSD -CURRENT and -STABLE. It will be > applied to the security branches as well today. Attached are patches: I noticed the patch being commited to the openssh ports. Is it going to be merged in the source tree as well ? I took the liberty of modifying buffer.c myself, like Jacques' patch did. > > buffer46.patch -- For FreeBSD 4.6-RELEASE and later > buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier > > Currently, I don't believe that this bug is actually exploitable for > code execution on FreeBSD, but I reserve the right to be wrong :-) > > Cheers, > -- > Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal > nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se > - ------ Vlad Galu Senior IP Engineer Romania Data Systems NOC in Bucharest Phone: +40 21 30 10 850 Web: http://www.rdsnet.ro PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x53ABCE97 - ----------------------------------------------------------------------- Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such a person), you may not copy or deliver this message to anyone. In such a case, you should destroy this message and kindly notify the sender by reply e-mail. - ----------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/Zx/TP5WtpVOrzpcRAkZKAJ4i0nMg+SjVPSo7Kzw2qzHpYk/IhQCdHnmA 7MT6DO9f+vmEpTwWoz3A76w= =zwK5 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030919103953.1AB2A43FBF>