OpenSSH heads-up
Jacques A. Vidrine
nectar at FreeBSD.org
Tue Sep 16 06:43:50 PDT 2003
OK, an official OpenSSH advisory was released, see here:
<URL: http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html >
The fix is currently in FreeBSD -CURRENT and -STABLE. It will be
applied to the security branches as well today. Attached are patches:
buffer46.patch -- For FreeBSD 4.6-RELEASE and later
buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier
Currently, I don't believe that this bug is actually exploitable for
code execution on FreeBSD, but I reserve the right to be wrong :-)
Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se
-------------- next part --------------
Index: crypto/openssh/buffer.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v
retrieving revision 1.1.1.1.2.3
diff -c -c -r1.1.1.1.2.3 buffer.c
*** crypto/openssh/buffer.c 28 Sep 2001 01:33:33 -0000 1.1.1.1.2.3
--- crypto/openssh/buffer.c 16 Sep 2003 13:19:26 -0000
***************
*** 69,74 ****
--- 69,76 ----
void
buffer_append_space(Buffer *buffer, char **datap, u_int len)
{
+ u_int newlen;
+
/* If the buffer is empty, start using it from the beginning. */
if (buffer->offset == buffer->end) {
buffer->offset = 0;
***************
*** 93,100 ****
goto restart;
}
/* Increase the size of the buffer and retry. */
! buffer->alloc += len + 32768;
! buffer->buf = xrealloc(buffer->buf, buffer->alloc);
goto restart;
}
--- 95,106 ----
goto restart;
}
/* Increase the size of the buffer and retry. */
! newlen = buffer->alloc + len + 32768;
! if (newlen > 0xa00000)
! fatal("buffer_append_space: alloc %u not supported",
! newlen);
! buffer->buf = xrealloc(buffer->buf, newlen);
! buffer->alloc = newlen;
goto restart;
}
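Review bot: The sum in `newlen = buffer->alloc + len + 32768;` is computed in u_int, and nothing visible in this version of the function bounds `len` beforehand. The entry context in the first hunk goes straight to the empty-buffer check, while the other patch on this page shows `if (len > 0x100000)` at the same spot. A large enough `len` can wrap the addition, so that `newlen` falls below 0xa00000 and the new check passes with a value smaller than the current allocation. Suggest rejecting an oversized `len` at function entry, as the other variant does, before the sum is formed.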
-------------- next part --------------
Index: crypto/openssh/buffer.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v
retrieving revision 1.1.1.1.2.4
diff -c -c -r1.1.1.1.2.4 buffer.c
*** crypto/openssh/buffer.c 3 Jul 2002 22:11:41 -0000 1.1.1.1.2.4
--- crypto/openssh/buffer.c 16 Sep 2003 13:10:22 -0000
***************
*** 69,74 ****
--- 69,75 ----
void *
buffer_append_space(Buffer *buffer, u_int len)
{
+ u_int newlen;
void *p;
if (len > 0x100000)
***************
*** 98,108 ****
goto restart;
}
/* Increase the size of the buffer and retry. */
! buffer->alloc += len + 32768;
! if (buffer->alloc > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
! buffer->alloc);
! buffer->buf = xrealloc(buffer->buf, buffer->alloc);
goto restart;
/* NOTREACHED */
}
--- 99,111 ----
goto restart;
}
/* Increase the size of the buffer and retry. */
!
! newlen = buffer->alloc + len + 32768;
! if (newlen > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
! newlen);
! buffer->buf = xrealloc(buffer->buf, newlen);
! buffer->alloc = newlen;
goto restart;
/* NOTREACHED */
}
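Review bot: The block under "Increase the size of the buffer and retry" lacks a comment explaining why `buffer->alloc` is now assigned only after `xrealloc()` returns. A one-line note that `buffer->alloc` must never exceed the size actually allocated, including on the `fatal()` path, would stop a later cleanup from folding `newlen` back into `buffer->alloc += len + 32768;`. As a style point, the lone `!` line inserts an empty line between the comment and the assignment and can be dropped.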