OpenSSH heads-up

Jacques A. Vidrine nectar at FreeBSD.org
Tue Sep 16 06:43:50 PDT 2003


OK, an official OpenSSH advisory was released, see here:
<URL: http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html >

The fix is currently in FreeBSD -CURRENT and -STABLE.  It will be
applied to the security branches as well today.  Attached are patches:

   buffer46.patch -- For FreeBSD 4.6-RELEASE and later
   buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier

Currently, I don't believe that this bug is actually exploitable for
code execution on FreeBSD, but I reserve the right to be wrong :-)

Cheers,
-- 
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se
-------------- next part --------------
Index: crypto/openssh/buffer.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v
retrieving revision 1.1.1.1.2.3
diff -c -c -r1.1.1.1.2.3 buffer.c
*** crypto/openssh/buffer.c	28 Sep 2001 01:33:33 -0000	1.1.1.1.2.3
--- crypto/openssh/buffer.c	16 Sep 2003 13:19:26 -0000
***************
*** 69,74 ****
--- 69,76 ----
  void
  buffer_append_space(Buffer *buffer, char **datap, u_int len)
  {
+ 	u_int	newlen;
+ 
  	/* If the buffer is empty, start using it from the beginning. */
  	if (buffer->offset == buffer->end) {
  		buffer->offset = 0;
***************
*** 93,100 ****
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	buffer->alloc += len + 32768;
! 	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
  	goto restart;
  }
  
--- 95,106 ----
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	newlen = buffer->alloc + len + 32768;
! 	if (newlen > 0xa00000)
! 		fatal("buffer_append_space: alloc %u not supported",
! 		    newlen);
! 	buffer->buf = xrealloc(buffer->buf, newlen);
! 	buffer->alloc = newlen;
  	goto restart;
  }
  
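Review bot: nothing visible in this revision bounds `len` before `newlen = buffer->alloc + len + 32768`, so a very large `len` can wrap the `u_int` sum, slip under the `newlen > 0xa00000` test, and have `xrealloc` shrink the buffer while `buffer->alloc` is set to the wrapped value; add a guard at function entry such as `if (len > 0x100000) fatal("buffer_append_space: len %u not supported", len);` (mirroring the existing fatal() message style), or reject `len` against the cap before the addition. The ordering of the new lines is right: `buffer->alloc = newlen` is assigned only after `xrealloc` returns, so if `fatal()` is reached from either the size check or a failed allocation, `buffer->alloc` still describes the memory actually behind `buffer->buf`, which the replaced `buffer->alloc += len + 32768` followed by `xrealloc` did not guarantee.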
-------------- next part --------------
Index: crypto/openssh/buffer.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v
retrieving revision 1.1.1.1.2.4
diff -c -c -r1.1.1.1.2.4 buffer.c
*** crypto/openssh/buffer.c	3 Jul 2002 22:11:41 -0000	1.1.1.1.2.4
--- crypto/openssh/buffer.c	16 Sep 2003 13:10:22 -0000
***************
*** 69,74 ****
--- 69,75 ----
  void *
  buffer_append_space(Buffer *buffer, u_int len)
  {
+ 	u_int newlen;
  	void *p;
  
  	if (len > 0x100000)
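Review bot: the `if (len > 0x100000)` guard in the context here is what keeps `buffer->alloc + len + 32768` further down from wrapping in `u_int` before it is compared with `0xa00000`, and that dependency is not written down anywhere; a one-line comment above the check stating the invariant (len is capped here, alloc is capped at 0xa00000 below, so the sum fits) would stop a later edit to either limit from silently reopening the overflow.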
***************
*** 98,108 ****
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	buffer->alloc += len + 32768;
! 	if (buffer->alloc > 0xa00000)
  		fatal("buffer_append_space: alloc %u not supported",
! 		    buffer->alloc);
! 	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
  	goto restart;
  	/* NOTREACHED */
  }
--- 99,111 ----
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	
! 	newlen = buffer->alloc + len + 32768;
! 	if (newlen > 0xa00000)
  		fatal("buffer_append_space: alloc %u not supported",
! 		    newlen);
! 	buffer->buf = xrealloc(buffer->buf, newlen);
! 	buffer->alloc = newlen;
  	goto restart;
  	/* NOTREACHED */
  }
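Review bot: the first changed line of the new block (`!` followed only by a tab) adds a whitespace-only line between the comment and `newlen = ...`; drop it, it is trailing whitespace with no purpose. The reorder is the substance of the fix: the old code did `buffer->alloc += len + 32768` and only then applied the `0xa00000` cap and called `xrealloc`, so on the `fatal()` path `buffer->alloc` already exceeded the memory behind `buffer->buf`; computing `newlen`, testing it, reallocating and assigning `buffer->alloc` last means the recorded size never gets ahead of the real allocation. With `len` capped at 0x100000 above and `buffer->alloc` never exceeding 0xa00000 after this change, the addition cannot wrap.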