ports/56946: openssh secuirity fix while portfreeze
dirk.meyer at dinoex.sub.org
dirk.meyer at dinoex.sub.org
Wed Sep 17 12:00:43 UTC 2003
>Number: 56946
>Category: ports
>Synopsis: openssh secuirity fix while portfreeze
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 17 05:00:41 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Dirk Meyer
>Release: FreeBSD 4.8-STABLE i386
>Organization:
privat
>Environment:
>Description:
The first security patch was not sufficient.
http://www.openssh.com/txt/buffer.adv
>How-To-Repeat:
>Fix:
Approve or apply this patch.
Index: openssh/Makefile
===================================================================
RCS file: /home/pcvs/ports/security/openssh/Makefile,v
retrieving revision 1.120
diff -u -r1.120 Makefile
--- openssh/Makefile 16 Sep 2003 12:43:09 -0000 1.120
+++ openssh/Makefile 17 Sep 2003 11:55:57 -0000
@@ -7,7 +7,7 @@
PORTNAME= openssh
PORTVERSION= 3.6.1
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \
Index: openssh/files/patch-buffer.c
===================================================================
RCS file: /home/pcvs/ports/security/openssh/files/patch-buffer.c,v
retrieving revision 1.1
diff -u -r1.1 patch-buffer.c
--- openssh/files/patch-buffer.c 16 Sep 2003 12:43:10 -0000 1.1
+++ openssh/files/patch-buffer.c 17 Sep 2003 11:55:57 -0000
@@ -1,39 +1,110 @@
-*** buffer.c.orig Sat Jun 29 06:33:59 2002
---- buffer.c Tue Sep 16 00:33:54 2003
-***************
-*** 69,74 ****
---- 69,75 ----
- void *
- buffer_append_space(Buffer *buffer, u_int len)
- {
-+ u_int newlen;
- void *p;
-
- if (len > 0x100000)
-***************
-*** 98,108 ****
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-! buffer->alloc += len + 32768;
-! if (buffer->alloc > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! buffer->alloc);
-! buffer->buf = xrealloc(buffer->buf, buffer->alloc);
- goto restart;
- /* NOTREACHED */
- }
---- 99,111 ----
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-!
-! newlen = buffer->alloc + len + 32768;
-! if (newlen > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! newlen);
-! buffer->buf = xrealloc(buffer->buf, newlen);
-! buffer->alloc = newlen;
- goto restart;
- /* NOTREACHED */
- }
+Subject: OpenSSH Security Advisory: buffer.adv
+
+This is the 2nd revision of the Advisory.
+
+This document can be found at: http://www.openssh.com/txt/buffer.adv
+
+1. Versions affected:
+
+ All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
+ management errors. It is uncertain whether these errors are
+ potentially exploitable, however, we prefer to see bugs
+ fixed proactively.
+
+ Other implementations sharing common origin may also have
+ these issues.
+
+2. Solution:
+
+ Upgrade to OpenSSH 3.7.1 or apply the following patch.
+
+===================================================================
+Appendix A: patch for OpenSSH 3.6.1 and earlier
+
+Index: buffer.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.16
+retrieving revision 1.18
+diff -u -r1.16 -r1.18
+--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
++++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
+@@ -23,8 +23,11 @@
+ void
+ buffer_init(Buffer *buffer)
+ {
+- buffer->alloc = 4096;
+- buffer->buf = xmalloc(buffer->alloc);
++ const u_int len = 4096;
++
++ buffer->alloc = 0;
++ buffer->buf = xmalloc(len);
++ buffer->alloc = len;
+ buffer->offset = 0;
+ buffer->end = 0;
+ }
+@@ -34,8 +37,10 @@
+ void
+ buffer_free(Buffer *buffer)
+ {
+- memset(buffer->buf, 0, buffer->alloc);
+- xfree(buffer->buf);
++ if (buffer->alloc > 0) {
++ memset(buffer->buf, 0, buffer->alloc);
++ xfree(buffer->buf);
++ }
+ }
+
+ /*
+@@ -69,6 +74,7 @@
+ void *
+ buffer_append_space(Buffer *buffer, u_int len)
+ {
++ u_int newlen;
+ void *p;
+
+ if (len > 0x100000)
+@@ -98,11 +104,13 @@
+ goto restart;
+ }
+ /* Increase the size of the buffer and retry. */
+- buffer->alloc += len + 32768;
+- if (buffer->alloc > 0xa00000)
++
++ newlen = buffer->alloc + len + 32768;
++ if (newlen > 0xa00000)
+ fatal("buffer_append_space: alloc %u not supported",
+- buffer->alloc);
+- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
++ newlen);
++ buffer->buf = xrealloc(buffer->buf, newlen);
++ buffer->alloc = newlen;
+ goto restart;
+ /* NOTREACHED */
+ }
+Index: channels.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/channels.c,v
+retrieving revision 1.194
+retrieving revision 1.195
+diff -u -r1.194 -r1.195
+--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
++++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
+@@ -228,12 +228,13 @@
+ if (found == -1) {
+ /* There are no free slots. Take last+1 slot and expand the array. */
+ found = channels_alloc;
+- channels_alloc += 10;
+ if (channels_alloc > 10000)
+ fatal("channel_new: internal error: channels_alloc %d "
+ "too big.", channels_alloc);
++ channels = xrealloc(channels,
++ (channels_alloc + 10) * sizeof(Channel *));
++ channels_alloc += 10;
+ debug2("channel: expanding %d", channels_alloc);
+- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
+ for (i = found; i < channels_alloc; i++)
+ channels[i] = NULL;
+ }
+
+
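Review bot: The new `if (buffer->alloc > 0)` guard in buffer_free() only helps while `alloc` is still 0, which is the window buffer_init() now opens before xmalloc() returns; after a normal free, `alloc` and `buf` keep their old values, so a second buffer_free() on the same Buffer would still memset and free memory that has already been released. Resetting the state inside the guard, `buffer->buf = NULL; buffer->alloc = 0;` right after `xfree(buffer->buf);`, would let the guard cover that case as well. Whether any caller or fatal() cleanup path can reach buffer_free() twice is not visible in this hunk, so this is hardening on top of the upstream patch rather than a confirmed bug. The identical text is added by the openssh-portable/files/patch-buffer.c hunk further down.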
Index: openssh-portable/Makefile
===================================================================
RCS file: /home/pcvs/ports/security/openssh-portable/Makefile,v
retrieving revision 1.73
diff -u -r1.73 Makefile
--- openssh-portable/Makefile 16 Sep 2003 12:43:10 -0000 1.73
+++ openssh-portable/Makefile 17 Sep 2003 11:55:57 -0000
@@ -7,7 +7,7 @@
PORTNAME= openssh
PORTVERSION= 3.6.1p2
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security ipv6
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
Index: openssh-portable/files/patch-buffer.c
===================================================================
RCS file: /home/pcvs/ports/security/openssh-portable/files/patch-buffer.c,v
retrieving revision 1.1
diff -u -r1.1 patch-buffer.c
--- openssh-portable/files/patch-buffer.c 16 Sep 2003 12:43:10 -0000 1.1
+++ openssh-portable/files/patch-buffer.c 17 Sep 2003 11:55:57 -0000
@@ -1,39 +1,110 @@
-*** buffer.c.orig Sat Jun 29 06:33:59 2002
---- buffer.c Tue Sep 16 00:33:54 2003
-***************
-*** 69,74 ****
---- 69,75 ----
- void *
- buffer_append_space(Buffer *buffer, u_int len)
- {
-+ u_int newlen;
- void *p;
-
- if (len > 0x100000)
-***************
-*** 98,108 ****
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-! buffer->alloc += len + 32768;
-! if (buffer->alloc > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! buffer->alloc);
-! buffer->buf = xrealloc(buffer->buf, buffer->alloc);
- goto restart;
- /* NOTREACHED */
- }
---- 99,111 ----
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-!
-! newlen = buffer->alloc + len + 32768;
-! if (newlen > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! newlen);
-! buffer->buf = xrealloc(buffer->buf, newlen);
-! buffer->alloc = newlen;
- goto restart;
- /* NOTREACHED */
- }
+Subject: OpenSSH Security Advisory: buffer.adv
+
+This is the 2nd revision of the Advisory.
+
+This document can be found at: http://www.openssh.com/txt/buffer.adv
+
+1. Versions affected:
+
+ All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
+ management errors. It is uncertain whether these errors are
+ potentially exploitable, however, we prefer to see bugs
+ fixed proactively.
+
+ Other implementations sharing common origin may also have
+ these issues.
+
+2. Solution:
+
+ Upgrade to OpenSSH 3.7.1 or apply the following patch.
+
+===================================================================
+Appendix A: patch for OpenSSH 3.6.1 and earlier
+
+Index: buffer.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.16
+retrieving revision 1.18
+diff -u -r1.16 -r1.18
+--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
++++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
+@@ -23,8 +23,11 @@
+ void
+ buffer_init(Buffer *buffer)
+ {
+- buffer->alloc = 4096;
+- buffer->buf = xmalloc(buffer->alloc);
++ const u_int len = 4096;
++
++ buffer->alloc = 0;
++ buffer->buf = xmalloc(len);
++ buffer->alloc = len;
+ buffer->offset = 0;
+ buffer->end = 0;
+ }
+@@ -34,8 +37,10 @@
+ void
+ buffer_free(Buffer *buffer)
+ {
+- memset(buffer->buf, 0, buffer->alloc);
+- xfree(buffer->buf);
++ if (buffer->alloc > 0) {
++ memset(buffer->buf, 0, buffer->alloc);
++ xfree(buffer->buf);
++ }
+ }
+
+ /*
+@@ -69,6 +74,7 @@
+ void *
+ buffer_append_space(Buffer *buffer, u_int len)
+ {
++ u_int newlen;
+ void *p;
+
+ if (len > 0x100000)
+@@ -98,11 +104,13 @@
+ goto restart;
+ }
+ /* Increase the size of the buffer and retry. */
+- buffer->alloc += len + 32768;
+- if (buffer->alloc > 0xa00000)
++
++ newlen = buffer->alloc + len + 32768;
++ if (newlen > 0xa00000)
+ fatal("buffer_append_space: alloc %u not supported",
+- buffer->alloc);
+- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
++ newlen);
++ buffer->buf = xrealloc(buffer->buf, newlen);
++ buffer->alloc = newlen;
+ goto restart;
+ /* NOTREACHED */
+ }
+Index: channels.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/channels.c,v
+retrieving revision 1.194
+retrieving revision 1.195
+diff -u -r1.194 -r1.195
+--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
++++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
+@@ -228,12 +228,13 @@
+ if (found == -1) {
+ /* There are no free slots. Take last+1 slot and expand the array. */
+ found = channels_alloc;
+- channels_alloc += 10;
+ if (channels_alloc > 10000)
+ fatal("channel_new: internal error: channels_alloc %d "
+ "too big.", channels_alloc);
++ channels = xrealloc(channels,
++ (channels_alloc + 10) * sizeof(Channel *));
++ channels_alloc += 10;
+ debug2("channel: expanding %d", channels_alloc);
+- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
+ for (i = found; i < channels_alloc; i++)
+ channels[i] = NULL;
+ }
+
+
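Review bot: Nothing here shows that the `@@ -228,12 +228,13 @@` channels.c hunk matches the channels.c shipped in the 3.6.1p2 portable distfile, because the embedded diff is taken from OpenBSD's tree (`/cvs/src/usr.bin/ssh`) and its channels.c section is against revision 1.194 dated 29 Aug 2003. patch(1) can place a hunk with an offset or fuzz, or reject it, so for a security fix it is worth confirming that the port's patch step reports neither, and that the patched code really calls xrealloc() before `channels_alloc += 10`. The file is still named patch-buffer.c although it now also changes channels.c and carries the advisory text. Moving the channels.c section into its own patch file, regenerated against the extracted distfile, would make the fix easier to audit.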
>Release-Note:
>Audit-Trail:
>Unformatted: