Date:      Fri, 9 Feb 2001 13:22:11 -0800 (PST)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        Alfred Perlstein <bright@wintelcom.net>
Cc:        green@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: OpenSSH port patch
Message-ID:  <200102092122.f19LMBh08953@earth.backplane.com>
References:   <20010209110044.I26076@fw.wintelcom.net>

    I think it's a whole lot better than simply marking the package
    forbidden!  I was actually surprised that the package was marked
    forbidden, when the fix is only a few minutes of work.

					-Matt

:Please trim CC!
:
:This removes the 'forbidden' and adds a patch to correct the
:hash overflow as suggested by the Bindview audit.
:
:I'm cc'ing Brian Feldman (green) because he's maintainer, -ports
:because I'm not really good at ports and -security so that people
:can look this over.
:
:May I apply this patch?
:
:Index: Makefile
:===================================================================
:RCS file: /home/ncvs/ports/security/openssh/Makefile,v
:retrieving revision 1.57
:diff -u -u -r1.57 Makefile
:--- Makefile	2001/02/09 04:58:24	1.57
:+++ Makefile	2001/02/09 18:53:06
:@@ -20,8 +20,6 @@
: 
: .include <bsd.port.pre.mk>
: 
:-FORBIDDEN=	"Remote vulnerabilities"
:-
: CRYPTOLIBS=	-L${OPENSSLLIB} -lcrypto
: # Here, MANDIR is concetenated to DESTDIR which all forms the man install dir...
: MAKE_ENV+=	DESTDIR=${PREFIX} MANDIR=/man/man CRYPTOLIBS="${CRYPTOLIBS}"
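Review bot: dropping the FORBIDDEN marker only in the same change that adds files/patch-az is the right coupling, but the Makefile hunk itself gives no hint of why the marker can go; a one-line comment near the removed line (or a note in the commit message) pointing at the deattack.c fix would save the next person from having to dig for it. While touching this region, the typo in the context line, "concetenated" for "concatenated", could be corrected in the same pass.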
:Index: files/patch-az
:===================================================================
:RCS file: patch-az
:diff -N patch-az
:--- /dev/null	Fri Feb  9 10:59:20 2001
:+++ patch-az	Fri Feb  9 10:58:58 2001
:@@ -0,0 +1,11 @@
:+--- /home/bright/ssh/ssh/deattack.c	Fri Aug 18 19:17:12 2000
:++++ deattack.c	Fri Feb  9 10:58:54 2001
:+@@ -84,7 +84,7 @@
:+ detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
:+ {
:+ 	static u_int16_t *h = (u_int16_t *) NULL;
:+-	static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
:++	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
:+ 	register u_int32_t i, j;
:+ 	u_int32_t l;
:+ 	register unsigned char *c;
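Review bot: the only functional change is widening the static `n` from u_int16_t to u_int32_t so it matches the u_int32_t width of `l`, `i` and `j` shown in the surrounding context; the patch file should say so explicitly (a short header comment above the nested `---`/`+++` lines), since a reader of files/patch-az alone cannot tell that the 16-bit `n` was the source of the hash overflow the Bindview audit describes. On style, the nested `---` line references an absolute local path (`/home/bright/ssh/ssh/deattack.c`); ports patch files conventionally use the relative `deattack.c.orig` / `deattack.c` form so that the patch applies cleanly and does not leak a private build tree path into the repository.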
:
:-- 
:-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
:"I have the heart of a child; I keep it in a jar on my desk."

