From owner-freebsd-isp Tue Nov 24 12:54:45 1998
Message-ID: <365B1CFA.52F840DF@acc.am>
Date: Wed, 25 Nov 1998 00:54:18 +0400
From: Casper
Organization: ACC
To: "freebsd-isp@FreeBSD.ORG", "freebsd-security@FreeBSD.ORG"
Subject: Again about logical bug in SSH2.0 & FBSD - patch

Below is a small patch made by me. It has been working for about one week on my home FreeBSD 3.0 - SNAP 16.08.98 /*- really old for developer! :)-*/ machine, and I have no problems ... I'll try to patch sftpd as soon as possible ....

Feel free to write all messages and suggestions to nightmar@acc.am

In the ssh distribution, in ./apps/ssh/sshchsession.c, look for lines like these (beginning on /*line 695 of 1786 (38%), character 21335 of 59636 (35%) */ in version 2.0.10) and apply the patch provided:

[--cut--] [-- original code --] /* Get the user's shell, and the last component of it. */ shell = ssh_user_shell(session->common->user_data); shell_no_path = strrchr(shell, '/'); if (shell_no_path) shell_no_path++; else shell_no_path = shell; /* Start the command. 
*/ switch (op) { case SSH_SESSION_SHELL: [-- end original code --] [-- comment these lines -] /* Start the shell. Set initial character to '-'. */ /* buf[0] = '-'; strncpy(buf + 1, shell_no_path, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0;*/ /* Execute the shell. */ /* argv[0] = buf; argv[1] = NULL;*/ /* print motd, if "PrintMotd yes" and it exists */ /* if(session->common->config->print_motd) { f = fopen("/etc/motd", "r"); if (f) { while (fgets(linebuf, sizeof(linebuf), f)) fputs(linebuf, stdout); fclose(f); } }*/ /* execve(shell, argv, env); */ [-- end comment these lines -] [-- insert these lines --] argv[0] = "/usr/bin/login"; argv[1] = "-f"; argv[2] = session->common->user; /*-i didn't check the code that generates this string and /usr/bin/login source, so potential buffer -overrun in login ... i hope that i'm wrong :) ... -*/ argv[3] = NULL; execve("/usr/bin/login", argv, env); [-- end insert these lines --] /* Executing the shell failed. */ perror(shell); exit(254); [--cut--]

See ya !
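
Review bot: In the inserted lines, argv[2] = session->common->user is handed to /usr/bin/login directly after -f, the flag that tells login to skip authentication, so the name should be validated before the execve (reject an empty name or one beginning with '-', and confirm it is the account sshd has already authenticated), all the more because the inline comment says the code that generates this string was not checked. The failure path after the inserted block still calls perror(shell), although the program that failed to execute is now /usr/bin/login, so the error message should name that path instead. Commenting out the print_motd block also means the PrintMotd setting is no longer consulted on the SSH_SESSION_SHELL path; if that is intended, a comment saying so would help whoever maintains the patch.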