ports/56946: openssh secuirity fix while portfreeze

dirk.meyer at dinoex.sub.org dirk.meyer at dinoex.sub.org
Wed Sep 17 12:00:43 UTC 2003


>Number:         56946
>Category:       ports
>Synopsis:       openssh secuirity fix while portfreeze
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 17 05:00:41 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Dirk Meyer
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
privat
>Environment:

>Description:

	first security patch was not sufficent.

	http://www.openssh.com/txt/buffer.adv

>How-To-Repeat:

>Fix:

	appove or apply this patch

Index: openssh/Makefile
===================================================================
RCS file: /home/pcvs/ports/security/openssh/Makefile,v
retrieving revision 1.120
diff -u -r1.120 Makefile
--- openssh/Makefile	16 Sep 2003 12:43:09 -0000	1.120
+++ openssh/Makefile	17 Sep 2003 11:55:57 -0000
@@ -7,7 +7,7 @@
 
 PORTNAME=	openssh
 PORTVERSION=	3.6.1
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
 		ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \
Index: openssh/files/patch-buffer.c
===================================================================
RCS file: /home/pcvs/ports/security/openssh/files/patch-buffer.c,v
retrieving revision 1.1
diff -u -r1.1 patch-buffer.c
--- openssh/files/patch-buffer.c	16 Sep 2003 12:43:10 -0000	1.1
+++ openssh/files/patch-buffer.c	17 Sep 2003 11:55:57 -0000
@@ -1,39 +1,110 @@
-*** buffer.c.orig	Sat Jun 29 06:33:59 2002
---- buffer.c	Tue Sep 16 00:33:54 2003
-***************
-*** 69,74 ****
---- 69,75 ----
-  void *
-  buffer_append_space(Buffer *buffer, u_int len)
-  {
-+ 	u_int newlen;
-  	void *p;
-  
-  	if (len > 0x100000)
-***************
-*** 98,108 ****
-  		goto restart;
-  	}
-  	/* Increase the size of the buffer and retry. */
-! 	buffer->alloc += len + 32768;
-! 	if (buffer->alloc > 0xa00000)
-  		fatal("buffer_append_space: alloc %u not supported",
-! 		    buffer->alloc);
-! 	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
-  	goto restart;
-  	/* NOTREACHED */
-  }
---- 99,111 ----
-  		goto restart;
-  	}
-  	/* Increase the size of the buffer and retry. */
-! 	
-! 	newlen = buffer->alloc + len + 32768;
-! 	if (newlen > 0xa00000)
-  		fatal("buffer_append_space: alloc %u not supported",
-! 		    newlen);
-! 	buffer->buf = xrealloc(buffer->buf, newlen);
-! 	buffer->alloc = newlen;
-  	goto restart;
-  	/* NOTREACHED */
-  }
+Subject: OpenSSH Security Advisory: buffer.adv
+
+This is the 2nd revision of the Advisory.
+
+This document can be found at:  http://www.openssh.com/txt/buffer.adv
+
+1. Versions affected:
+
+        All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
+        management errors.  It is uncertain whether these errors are
+        potentially exploitable, however, we prefer to see bugs
+        fixed proactively.
+
+        Other implementations sharing common origin may also have
+        these issues.
+
+2. Solution:
+
+	Upgrade to OpenSSH 3.7.1 or apply the following patch.
+
+===================================================================
+Appendix A: patch for OpenSSH 3.6.1 and earlier
+
+Index: buffer.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.16
+retrieving revision 1.18
+diff -u -r1.16 -r1.18
+--- buffer.c	26 Jun 2002 08:54:18 -0000	1.16
++++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
+@@ -23,8 +23,11 @@
+ void
+ buffer_init(Buffer *buffer)
+ {
+-	buffer->alloc = 4096;
+-	buffer->buf = xmalloc(buffer->alloc);
++	const u_int len = 4096;
++
++	buffer->alloc = 0;
++	buffer->buf = xmalloc(len);
++	buffer->alloc = len;
+ 	buffer->offset = 0;
+ 	buffer->end = 0;
+ }
+@@ -34,8 +37,10 @@
+ void
+ buffer_free(Buffer *buffer)
+ {
+-	memset(buffer->buf, 0, buffer->alloc);
+-	xfree(buffer->buf);
++	if (buffer->alloc > 0) {
++		memset(buffer->buf, 0, buffer->alloc);
++		xfree(buffer->buf);
++	}
+ }
+ 
+ /*
+@@ -69,6 +74,7 @@
+ void *
+ buffer_append_space(Buffer *buffer, u_int len)
+ {
++	u_int newlen;
+ 	void *p;
+ 
+ 	if (len > 0x100000)
+@@ -98,11 +104,13 @@
+ 		goto restart;
+ 	}
+ 	/* Increase the size of the buffer and retry. */
+-	buffer->alloc += len + 32768;
+-	if (buffer->alloc > 0xa00000)
++	
++	newlen = buffer->alloc + len + 32768;
++	if (newlen > 0xa00000)
+ 		fatal("buffer_append_space: alloc %u not supported",
+-		    buffer->alloc);
+-	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
++		    newlen);
++	buffer->buf = xrealloc(buffer->buf, newlen);
++	buffer->alloc = newlen;
+ 	goto restart;
+ 	/* NOTREACHED */
+ }
+Index: channels.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/channels.c,v
+retrieving revision 1.194
+retrieving revision 1.195
+diff -u -r1.194 -r1.195
+--- channels.c	29 Aug 2003 10:04:36 -0000	1.194
++++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
+@@ -228,12 +228,13 @@
+ 	if (found == -1) {
+ 		/* There are no free slots.  Take last+1 slot and expand the array.  */
+ 		found = channels_alloc;
+-		channels_alloc += 10;
+ 		if (channels_alloc > 10000)
+ 			fatal("channel_new: internal error: channels_alloc %d "
+ 			    "too big.", channels_alloc);
++		channels = xrealloc(channels,
++		    (channels_alloc + 10) * sizeof(Channel *));
++		channels_alloc += 10;
+ 		debug2("channel: expanding %d", channels_alloc);
+-		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
+ 		for (i = found; i < channels_alloc; i++)
+ 			channels[i] = NULL;
+ 	}
+
+
Index: openssh-portable/Makefile
===================================================================
RCS file: /home/pcvs/ports/security/openssh-portable/Makefile,v
retrieving revision 1.73
diff -u -r1.73 Makefile
--- openssh-portable/Makefile	16 Sep 2003 12:43:10 -0000	1.73
+++ openssh-portable/Makefile	17 Sep 2003 11:55:57 -0000
@@ -7,7 +7,7 @@
 
 PORTNAME=	openssh
 PORTVERSION=	3.6.1p2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security ipv6
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 		ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
Index: openssh-portable/files/patch-buffer.c
===================================================================
RCS file: /home/pcvs/ports/security/openssh-portable/files/patch-buffer.c,v
retrieving revision 1.1
diff -u -r1.1 patch-buffer.c
--- openssh-portable/files/patch-buffer.c	16 Sep 2003 12:43:10 -0000	1.1
+++ openssh-portable/files/patch-buffer.c	17 Sep 2003 11:55:57 -0000
@@ -1,39 +1,110 @@
-*** buffer.c.orig	Sat Jun 29 06:33:59 2002
---- buffer.c	Tue Sep 16 00:33:54 2003
-***************
-*** 69,74 ****
---- 69,75 ----
-  void *
-  buffer_append_space(Buffer *buffer, u_int len)
-  {
-+ 	u_int newlen;
-  	void *p;
-  
-  	if (len > 0x100000)
-***************
-*** 98,108 ****
-  		goto restart;
-  	}
-  	/* Increase the size of the buffer and retry. */
-! 	buffer->alloc += len + 32768;
-! 	if (buffer->alloc > 0xa00000)
-  		fatal("buffer_append_space: alloc %u not supported",
-! 		    buffer->alloc);
-! 	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
-  	goto restart;
-  	/* NOTREACHED */
-  }
---- 99,111 ----
-  		goto restart;
-  	}
-  	/* Increase the size of the buffer and retry. */
-! 	
-! 	newlen = buffer->alloc + len + 32768;
-! 	if (newlen > 0xa00000)
-  		fatal("buffer_append_space: alloc %u not supported",
-! 		    newlen);
-! 	buffer->buf = xrealloc(buffer->buf, newlen);
-! 	buffer->alloc = newlen;
-  	goto restart;
-  	/* NOTREACHED */
-  }
+Subject: OpenSSH Security Advisory: buffer.adv
+
+This is the 2nd revision of the Advisory.
+
+This document can be found at:  http://www.openssh.com/txt/buffer.adv
+
+1. Versions affected:
+
+        All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
+        management errors.  It is uncertain whether these errors are
+        potentially exploitable, however, we prefer to see bugs
+        fixed proactively.
+
+        Other implementations sharing common origin may also have
+        these issues.
+
+2. Solution:
+
+	Upgrade to OpenSSH 3.7.1 or apply the following patch.
+
+===================================================================
+Appendix A: patch for OpenSSH 3.6.1 and earlier
+
+Index: buffer.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.16
+retrieving revision 1.18
+diff -u -r1.16 -r1.18
+--- buffer.c	26 Jun 2002 08:54:18 -0000	1.16
++++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
+@@ -23,8 +23,11 @@
+ void
+ buffer_init(Buffer *buffer)
+ {
+-	buffer->alloc = 4096;
+-	buffer->buf = xmalloc(buffer->alloc);
++	const u_int len = 4096;
++
++	buffer->alloc = 0;
++	buffer->buf = xmalloc(len);
++	buffer->alloc = len;
+ 	buffer->offset = 0;
+ 	buffer->end = 0;
+ }
+@@ -34,8 +37,10 @@
+ void
+ buffer_free(Buffer *buffer)
+ {
+-	memset(buffer->buf, 0, buffer->alloc);
+-	xfree(buffer->buf);
++	if (buffer->alloc > 0) {
++		memset(buffer->buf, 0, buffer->alloc);
++		xfree(buffer->buf);
++	}
+ }
+ 
+ /*
+@@ -69,6 +74,7 @@
+ void *
+ buffer_append_space(Buffer *buffer, u_int len)
+ {
++	u_int newlen;
+ 	void *p;
+ 
+ 	if (len > 0x100000)
+@@ -98,11 +104,13 @@
+ 		goto restart;
+ 	}
+ 	/* Increase the size of the buffer and retry. */
+-	buffer->alloc += len + 32768;
+-	if (buffer->alloc > 0xa00000)
++	
++	newlen = buffer->alloc + len + 32768;
++	if (newlen > 0xa00000)
+ 		fatal("buffer_append_space: alloc %u not supported",
+-		    buffer->alloc);
+-	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
++		    newlen);
++	buffer->buf = xrealloc(buffer->buf, newlen);
++	buffer->alloc = newlen;
+ 	goto restart;
+ 	/* NOTREACHED */
+ }
+Index: channels.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/channels.c,v
+retrieving revision 1.194
+retrieving revision 1.195
+diff -u -r1.194 -r1.195
+--- channels.c	29 Aug 2003 10:04:36 -0000	1.194
++++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
+@@ -228,12 +228,13 @@
+ 	if (found == -1) {
+ 		/* There are no free slots.  Take last+1 slot and expand the array.  */
+ 		found = channels_alloc;
+-		channels_alloc += 10;
+ 		if (channels_alloc > 10000)
+ 			fatal("channel_new: internal error: channels_alloc %d "
+ 			    "too big.", channels_alloc);
++		channels = xrealloc(channels,
++		    (channels_alloc + 10) * sizeof(Channel *));
++		channels_alloc += 10;
+ 		debug2("channel: expanding %d", channels_alloc);
+-		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
+ 		for (i = found; i < channels_alloc; i++)
+ 			channels[i] = NULL;
+ 	}
+
+
>Release-Note:
>Audit-Trail:
>Unformatted:



More information about the freebsd-ports-bugs mailing list