Paul Fisher (rao) wrote,
From http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
[openssh-unix-announce] OpenSSH Security Advisory: buffer.adv
Markus Friedl markus at openbsd.org
Tue Sep 16 14:32:18 EST 2003

This is the 1st revision of the Advisory.

This document can be found at: http://www.openssh.com/txt/buffer.adv

1. Versions affected:

All versions of OpenSSH's sshd prior to 3.7 contain a buffer
management error. It is uncertain whether this error is
potentially exploitable; however, we prefer to see bugs
fixed proactively.

2. Solution:

Upgrade to OpenSSH 3.7 or apply the following patch.

Appendix:

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17
@@ -69,6 +69,7 @@
void *
buffer_append_space(Buffer *buffer, u_int len)
{
+ u_int newlen;
void *p;

if (len > 0x100000)
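Review bot: the new `u_int newlen;` declaration is only half the fix and leaves `newlen` uninitialized at this point, so every read of it must stay behind the assignment in the growth path below; a reader of this hunk alone cannot see that. Note also that the existing `if (len > 0x100000)` guard bounds the caller's request but not the resulting allocation, which is why the sum `buffer->alloc + len + 32768` must still be range-checked before it is committed to the buffer's bookkeeping.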
@@ -98,11 +99,13 @@
goto restart;
}
/* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- if (buffer->alloc > 0xa00000)
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
- buffer->alloc);
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
goto restart;
/* NOTREACHED */
}
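Review bot: the ordering of the size check, the `xrealloc`, and the store to `buffer->alloc` is the substance of this fix and is correct. In the removed lines `buffer->alloc += len + 32768;` ran before the `0xa00000` check and before `xrealloc`, so on the `fatal()` path `alloc` already described more memory than `buf` actually had; with `newlen` computed first, checked, passed to `xrealloc`, and only then stored into `buffer->alloc`, the two fields can no longer disagree. The `fatal()` message reporting `newlen` instead of the stale `buffer->alloc` is also right. Suggest a one-line comment above `newlen = buffer->alloc + len + 32768;` stating that `alloc` must not be updated until the reallocation has succeeded, so a later cleanup does not reintroduce the old ordering.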
Sanely formatted patch here.

The official word is that the OpenSSH developers don't know if the bug is remotely exploitable. But given all I've heard over the past couple of weeks, plus the increased port 22 scanning reported at http://www.heise.de/security/news/meldung/40331, I'm inclined to assume the worst -- a remote root exploit is out there in the wild.

Update:
The bug will be assigned CAN-2003-0693. Number was assigned on 2003-08-14. Looks like a botched coordinated release.

Update 2:
New Debian x86 debs have been uploaded to security.debian.org.

Update 3:
Red Hat has new RPMs now.