Date: Wed, 17 Sep 2003 13:58:56 +0200 (CEST) From: dirk.meyer@dinoex.sub.org To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/56946: openssh secuirity fix while portfreeze Message-ID: <200309171158.h8HBwu7U066341@home.dinoex.sub.de> Resent-Message-ID: <200309171200.h8HC0fLN019480@freefall.freebsd.org>
>Number: 56946
>Category: ports
>Synopsis: openssh secuirity fix while portfreeze
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 17 05:00:41 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Dirk Meyer
>Release: FreeBSD 4.8-STABLE i386
>Organization: privat
>Environment:
>Description:
first security patch was not sufficent. http://www.openssh.com/txt/buffer.adv
>How-To-Repeat:
>Fix:
appove or apply this patch
Index: openssh/Makefile
===================================================================
RCS file: /home/pcvs/ports/security/openssh/Makefile,v
retrieving revision 1.120
diff -u -r1.120 Makefile
--- openssh/Makefile 16 Sep 2003 12:43:09 -0000 1.120
+++ openssh/Makefile 17 Sep 2003 11:55:57 -0000
@@ -7,7 +7,7 @@
 PORTNAME= openssh
 PORTVERSION= 3.6.1
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= security
 MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
 ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \
Index: openssh/files/patch-buffer.c
===================================================================
RCS file: /home/pcvs/ports/security/openssh/files/patch-buffer.c,v
retrieving revision 1.1
diff -u -r1.1 patch-buffer.c
--- openssh/files/patch-buffer.c 16 Sep 2003 12:43:10 -0000 1.1
+++ openssh/files/patch-buffer.c 17 Sep 2003 11:55:57 -0000
@@ -1,39 +1,110 @@ -*** buffer.c.orig Sat Jun 29 06:33:59 2002 ---- buffer.c Tue Sep 16 00:33:54 2003 -*************** -*** 69,74 **** ---- 69,75 ---- - void * - buffer_append_space(Buffer *buffer, u_int len) - { -+ u_int newlen; - void *p; - - if (len > 0x100000) -*************** -*** 98,108 **** - goto restart; - } - /* Increase the size of the buffer and retry. */ -! buffer->alloc += len + 32768; -! if (buffer->alloc > 0xa00000) - fatal("buffer_append_space: alloc %u not supported", -! buffer->alloc); -! buffer->buf = xrealloc(buffer->buf, buffer->alloc); - goto restart; - /* NOTREACHED */ - } ---- 99,111 ---- - goto restart; - } - /* Increase the size of the buffer and retry. */ -! -! newlen = buffer->alloc + len + 32768; -! if (newlen > 0xa00000) - fatal("buffer_append_space: alloc %u not supported", -! newlen); -! buffer->buf = xrealloc(buffer->buf, newlen); -! buffer->alloc = newlen; - goto restart; - /* NOTREACHED */ - } +Subject: OpenSSH Security Advisory: buffer.adv + +This is the 2nd revision of the Advisory. + +This document can be found at: http://www.openssh.com/txt/buffer.adv + +1. Versions affected: + + All versions of OpenSSH's sshd prior to 3.7.1 contain buffer + management errors. It is uncertain whether these errors are + potentially exploitable, however, we prefer to see bugs + fixed proactively. + + Other implementations sharing common origin may also have + these issues. + +2. Solution: + + Upgrade to OpenSSH 3.7.1 or apply the following patch. 
+ +=================================================================== +Appendix A: patch for OpenSSH 3.6.1 and earlier + +Index: buffer.c +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/buffer.c,v +retrieving revision 1.16 +retrieving revision 1.18 +diff -u -r1.16 -r1.18 +--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 ++++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18 +@@ -23,8 +23,11 @@ + void + buffer_init(Buffer *buffer) + { +- buffer->alloc = 4096; +- buffer->buf = xmalloc(buffer->alloc); ++ const u_int len = 4096; ++ ++ buffer->alloc = 0; ++ buffer->buf = xmalloc(len); ++ buffer->alloc = len; + buffer->offset = 0; + buffer->end = 0; + } +@@ -34,8 +37,10 @@ + void + buffer_free(Buffer *buffer) + { +- memset(buffer->buf, 0, buffer->alloc); +- xfree(buffer->buf); ++ if (buffer->alloc > 0) { ++ memset(buffer->buf, 0, buffer->alloc); ++ xfree(buffer->buf); ++ } + } + + /* +@@ -69,6 +74,7 @@ + void * + buffer_append_space(Buffer *buffer, u_int len) + { ++ u_int newlen; + void *p; + + if (len > 0x100000) +@@ -98,11 +104,13 @@ + goto restart; + } + /* Increase the size of the buffer and retry. */ +- buffer->alloc += len + 32768; +- if (buffer->alloc > 0xa00000) ++ ++ newlen = buffer->alloc + len + 32768; ++ if (newlen > 0xa00000) + fatal("buffer_append_space: alloc %u not supported", +- buffer->alloc); +- buffer->buf = xrealloc(buffer->buf, buffer->alloc); ++ newlen); ++ buffer->buf = xrealloc(buffer->buf, newlen); ++ buffer->alloc = newlen; + goto restart; + /* NOTREACHED */ + } +Index: channels.c +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/channels.c,v +retrieving revision 1.194 +retrieving revision 1.195 +diff -u -r1.194 -r1.195 +--- channels.c 29 Aug 2003 10:04:36 -0000 1.194 ++++ channels.c 16 Sep 2003 21:02:40 -0000 1.195 +@@ -228,12 +228,13 @@ + if (found == -1) { + /* There are no free slots. Take last+1 slot and expand the array. 
*/ + found = channels_alloc; +- channels_alloc += 10; + if (channels_alloc > 10000) + fatal("channel_new: internal error: channels_alloc %d " + "too big.", channels_alloc); ++ channels = xrealloc(channels, ++ (channels_alloc + 10) * sizeof(Channel *)); ++ channels_alloc += 10; + debug2("channel: expanding %d", channels_alloc); +- channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); + for (i = found; i < channels_alloc; i++) + channels[i] = NULL; + } + + Index: openssh-portable/Makefile =================================================================== RCS file: /home/pcvs/ports/security/openssh-portable/Makefile,v retrieving revision 1.73 diff -u -r1.73 Makefile --- openssh-portable/Makefile 16 Sep 2003 12:43:10 -0000 1.73 +++ openssh-portable/Makefile 17 Sep 2003 11:55:57 -0000 @@ -7,7 +7,7 @@ PORTNAME= openssh PORTVERSION= 3.6.1p2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security ipv6 MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/ Index: openssh-portable/files/patch-buffer.c =================================================================== RCS file: /home/pcvs/ports/security/openssh-portable/files/patch-buffer.c,v retrieving revision 1.1 diff -u -r1.1 patch-buffer.c --- openssh-portable/files/patch-buffer.c 16 Sep 2003 12:43:10 -0000 1.1 +++ openssh-portable/files/patch-buffer.c 17 Sep 2003 11:55:57 -0000 
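Review bot: The new files/patch-buffer.c bundles a second `Index: channels.c` section together with the buffer.c hunks, and is preceded by the whole advisory prose down to `Appendix A`; ports convention is one patch file per target source file, so the channels.c change belongs in `files/patch-channels.c` and the prose header should be trimmed so the file holds only the diff. patch(1) will most likely skip the leading text as garbage and still apply both sections, but a maintainer looking for a channels.c fix will not find it under this file name and a later regeneration of the patch set will have to untangle it. Separately, in the channels.c hunk the `if (channels_alloc > 10000)` sanity check now runs before `channels_alloc += 10`, so the array can grow to 10010 entries before fatal() fires; harmless, but the bound the message names no longer matches the one enforced, and `if (channels_alloc + 10 > 10000)` would keep the old limit with the same ordering. The enclosing buffer_init/buffer_free/buffer_append_space and channel_new bodies are only partly shown by the inner hunks.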
@@ -1,39 +1,110 @@ -*** buffer.c.orig Sat Jun 29 06:33:59 2002 ---- buffer.c Tue Sep 16 00:33:54 2003 -*************** -*** 69,74 **** ---- 69,75 ---- - void * - buffer_append_space(Buffer *buffer, u_int len) - { -+ u_int newlen; - void *p; - - if (len > 0x100000) -*************** -*** 98,108 **** - goto restart; - } - /* Increase the size of the buffer and retry. */ -! buffer->alloc += len + 32768; -! if (buffer->alloc > 0xa00000) - fatal("buffer_append_space: alloc %u not supported", -! buffer->alloc); -! buffer->buf = xrealloc(buffer->buf, buffer->alloc); - goto restart; - /* NOTREACHED */ - } ---- 99,111 ---- - goto restart; - } - /* Increase the size of the buffer and retry. */ -! -! newlen = buffer->alloc + len + 32768; -! if (newlen > 0xa00000) - fatal("buffer_append_space: alloc %u not supported", -! newlen); -! buffer->buf = xrealloc(buffer->buf, newlen); -! buffer->alloc = newlen; - goto restart; - /* NOTREACHED */ - } +Subject: OpenSSH Security Advisory: buffer.adv + +This is the 2nd revision of the Advisory. + +This document can be found at: http://www.openssh.com/txt/buffer.adv + +1. Versions affected: + + All versions of OpenSSH's sshd prior to 3.7.1 contain buffer + management errors. It is uncertain whether these errors are + potentially exploitable, however, we prefer to see bugs + fixed proactively. + + Other implementations sharing common origin may also have + these issues. + +2. Solution: + + Upgrade to OpenSSH 3.7.1 or apply the following patch. 
+ +=================================================================== +Appendix A: patch for OpenSSH 3.6.1 and earlier + +Index: buffer.c +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/buffer.c,v +retrieving revision 1.16 +retrieving revision 1.18 +diff -u -r1.16 -r1.18 +--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 ++++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18 +@@ -23,8 +23,11 @@ + void + buffer_init(Buffer *buffer) + { +- buffer->alloc = 4096; +- buffer->buf = xmalloc(buffer->alloc); ++ const u_int len = 4096; ++ ++ buffer->alloc = 0; ++ buffer->buf = xmalloc(len); ++ buffer->alloc = len; + buffer->offset = 0; + buffer->end = 0; + } +@@ -34,8 +37,10 @@ + void + buffer_free(Buffer *buffer) + { +- memset(buffer->buf, 0, buffer->alloc); +- xfree(buffer->buf); ++ if (buffer->alloc > 0) { ++ memset(buffer->buf, 0, buffer->alloc); ++ xfree(buffer->buf); ++ } + } + + /* +@@ -69,6 +74,7 @@ + void * + buffer_append_space(Buffer *buffer, u_int len) + { ++ u_int newlen; + void *p; + + if (len > 0x100000) +@@ -98,11 +104,13 @@ + goto restart; + } + /* Increase the size of the buffer and retry. */ +- buffer->alloc += len + 32768; +- if (buffer->alloc > 0xa00000) ++ ++ newlen = buffer->alloc + len + 32768; ++ if (newlen > 0xa00000) + fatal("buffer_append_space: alloc %u not supported", +- buffer->alloc); +- buffer->buf = xrealloc(buffer->buf, buffer->alloc); ++ newlen); ++ buffer->buf = xrealloc(buffer->buf, newlen); ++ buffer->alloc = newlen; + goto restart; + /* NOTREACHED */ + } +Index: channels.c +=================================================================== +RCS file: /cvs/src/usr.bin/ssh/channels.c,v +retrieving revision 1.194 +retrieving revision 1.195 +diff -u -r1.194 -r1.195 +--- channels.c 29 Aug 2003 10:04:36 -0000 1.194 ++++ channels.c 16 Sep 2003 21:02:40 -0000 1.195 +@@ -228,12 +228,13 @@ + if (found == -1) { + /* There are no free slots. Take last+1 slot and expand the array. 
*/ + found = channels_alloc; +- channels_alloc += 10; + if (channels_alloc > 10000) + fatal("channel_new: internal error: channels_alloc %d " + "too big.", channels_alloc); ++ channels = xrealloc(channels, ++ (channels_alloc + 10) * sizeof(Channel *)); ++ channels_alloc += 10; + debug2("channel: expanding %d", channels_alloc); +- channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); + for (i = found; i < channels_alloc; i++) + channels[i] = NULL; + } + + >Release-Note: >Audit-Trail: >Unformatted:
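Review bot: The embedded channels.c hunk is cut against OpenBSD HEAD (`retrieving revision 1.194`, dated 29 Aug 2003), not the channels.c shipped with the 3.6.1p2 tarball this port patches, so its `@@ -228,12 +228,13 @@` offsets may not line up and the build would then rely on patch(1) fuzz; regenerating that hunk against the extracted 3.6.1p2 source would make the apply deterministic, which matters for a security fix meant to go in during a ports freeze. The buffer.c side is cut against revision 1.16 of 26 Jun 2002 and is presumably what 3.6.1 ships, but that is inferred, not shown here. The two copies of patch-buffer.c for openssh and openssh-portable are byte-identical, which is fine while both ports stay on 3.6.1, but worth a one-line comment in each so nobody updates only one. The channel_new body continues outside the inner hunk.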