From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 03:39:55 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4AEEB16A4B3 for ; Fri, 19 Sep 2003 03:39:55 -0700 (PDT) Received: from diaspar.rdsnet.ro (diaspar.rdsnet.ro [81.196.201.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1AB2A43FBF for ; Fri, 19 Sep 2003 03:39:53 -0700 (PDT) (envelope-from Vlad.Galu@rdsnet.ro) Received: (qmail 65295 invoked from network); 16 Sep 2003 14:36:03 -0000 Received: from unknown (HELO diaspar.rdsnet.ro) (81.196.201.65) by 0 with SMTP; 16 Sep 2003 14:36:03 -0000 Date: Tue, 16 Sep 2003 17:36:03 +0300 From: Vlad Galu To: freebsd-security@freebsd.org In-Reply-To: <20030916134347.GA30359@madman.celabo.org> References: <20030916134347.GA30359@madman.celabo.org> Organization: Romania Data Systems X-Mailer: Sylpheed version 0.9.4 (GTK+ 1.2.10; i386-portbld-freebsd4.8) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Message-Id: <20030919103953.1AB2A43FBF@mx1.FreeBSD.org> Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 10:39:55 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 16 Sep 2003 08:43:47 -0500 "Jacques A. Vidrine" wrote: > OK, an official OpenSSH advisory was released, see here: > http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html > > So what this basically does is: not incrementing buffer->alloc, but using a new integer variable instead, which we compare to 0xa00000. How does this help ? I'm not an expert in off-by-one vulnerabilities. It'd be nice if someone enlightened me a little bit. > > The fix is currently in FreeBSD -CURRENT and -STABLE. It will be > applied to the security branches as well today. Attached are patches: I noticed the patch being commited to the openssh ports. Is it going to be merged in the source tree as well ? I took the liberty of modifying buffer.c myself, like Jacques' patch did. > > buffer46.patch -- For FreeBSD 4.6-RELEASE and later > buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier > > Currently, I don't believe that this bug is actually exploitable for > code execution on FreeBSD, but I reserve the right to be wrong :-) > > Cheers, > -- > Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal > nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se > - ------ Vlad Galu Senior IP Engineer Romania Data Systems NOC in Bucharest Phone: +40 21 30 10 850 Web: http://www.rdsnet.ro PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x53ABCE97 - ----------------------------------------------------------------------- Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such a person), you may not copy or deliver this message to anyone. In such a case, you should destroy this message and kindly notify the sender by reply e-mail. - ----------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/Zx/TP5WtpVOrzpcRAkZKAJ4i0nMg+SjVPSo7Kzw2qzHpYk/IhQCdHnmA 7MT6DO9f+vmEpTwWoz3A76w= =zwK5 -----END PGP SIGNATURE-----