Date: Tue, 16 Sep 2003 08:43:47 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: freebsd-security@freebsd.org
Subject: OpenSSH heads-up
Message-ID: <20030916134347.GA30359@madman.celabo.org>
OK, an official OpenSSH advisory was released, see here:

<URL: http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html >

The fix is currently in FreeBSD -CURRENT and -STABLE.  It will be applied
to the security branches as well today.

Attached are patches:

  buffer46.patch -- For FreeBSD 4.6-RELEASE and later
  buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier

Currently, I don't believe that this bug is actually exploitable for code
execution on FreeBSD, but I reserve the right to be wrong :-)

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

[Attachment: buffer45.patch]

Index: crypto/openssh/buffer.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v
retrieving revision 1.1.1.1.2.3
diff -c -c -r1.1.1.1.2.3 buffer.c
*** crypto/openssh/buffer.c	28 Sep 2001 01:33:33 -0000	1.1.1.1.2.3
--- crypto/openssh/buffer.c	16 Sep 2003 13:19:26 -0000
***************
*** 69,74 ****
--- 69,76 ----
  void
  buffer_append_space(Buffer *buffer, char **datap, u_int len)
  {
+ 	u_int newlen;
+ 
  	/* If the buffer is empty, start using it from the beginning. */
  	if (buffer->offset == buffer->end) {
  		buffer->offset = 0;
***************
*** 93,100 ****
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	buffer->alloc += len + 32768;
! 	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
  	goto restart;
  }
  
--- 95,106 ----
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	newlen = buffer->alloc + len + 32768;
! 	if (newlen > 0xa00000)
! 		fatal("buffer_append_space: alloc %u not supported",
! 		    newlen);
! 	buffer->buf = xrealloc(buffer->buf, newlen);
! 	buffer->alloc = newlen;
  	goto restart;
  }
  

[Attachment: buffer46.patch]

Index: crypto/openssh/buffer.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v
retrieving revision 1.1.1.1.2.4
diff -c -c -r1.1.1.1.2.4 buffer.c
*** crypto/openssh/buffer.c	3 Jul 2002 22:11:41 -0000	1.1.1.1.2.4
--- crypto/openssh/buffer.c	16 Sep 2003 13:10:22 -0000
***************
*** 69,74 ****
--- 69,75 ----
  void *
  buffer_append_space(Buffer *buffer, u_int len)
  {
+ 	u_int newlen;
  	void *p;
  
  	if (len > 0x100000)
***************
*** 98,108 ****
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	buffer->alloc += len + 32768;
! 	if (buffer->alloc > 0xa00000)
  		fatal("buffer_append_space: alloc %u not supported",
! 		    buffer->alloc);
! 	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
  	goto restart;
  	/* NOTREACHED */
  }
--- 99,111 ----
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	
! 	newlen = buffer->alloc + len + 32768;
! 	if (newlen > 0xa00000)
  		fatal("buffer_append_space: alloc %u not supported",
! 		    newlen);
! 	buffer->buf = xrealloc(buffer->buf, newlen);
! 	buffer->alloc = newlen;
  	goto restart;
  	/* NOTREACHED */
  }
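Review bot: in buffer45.patch, hunk `*** 93,100 ****`, `newlen = buffer->alloc + len + 32768;` is unsigned arithmetic with no bound on `len` visible at function entry in the first hunk's context (the 4.6 version in buffer46.patch has `if (len > 0x100000)` there), so the `newlen > 0xa00000` check can be satisfied by a wrapped sum; consider backporting that `len` guard together with this change. The reordering itself, `buffer->buf = xrealloc(buffer->buf, newlen);` before `buffer->alloc = newlen;`, is the substantive fix, since `buffer->alloc` no longer describes memory that `xrealloc` has not yet returned, and the cover mail should say so rather than only pointing at the advisory.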
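Review bot: in buffer46.patch, hunk `*** 98,108 ****`, the first changed line on the new side is a whitespace-only line (a lone tab) inserted before `newlen = buffer->alloc + len + 32768;`; drop it so the hunk carries only the real change. The remainder is right: the candidate size is checked against `0xa00000` before `xrealloc` is called, and `buffer->alloc = newlen;` is assigned only after `xrealloc` returns, closing the window in the old code where `buffer->alloc` was already enlarged while `buffer->buf` still pointed at the old block.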