[openssh-unix-announce] OpenSSH Security Advisory: buffer.adv
Markus Friedl markus at openbsd.org
Tue Sep 16 14:32:18 EST 2003
This is the 1st revision of the Advisory.
This document can be found at: http://www.openssh.com/txt/buffer.adv
1. Versions affected:
All versions of OpenSSH's sshd prior to 3.7 contain a buffer
management error. It is uncertain whether this error is
potentially exploitable; however, we prefer to see bugs
Upgrade to OpenSSH 3.7 or apply the following patch.
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17
@@ -69,6 +69,7 @@
buffer_append_space(Buffer *buffer, u_int len)
+ u_int newlen;
if (len > 0x100000)
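Review bot: nothing to change in this hunk, but the placement matters: `newlen` is declared as `u_int`, so the only thing standing between the caller-supplied `len` and unsigned wrap-around in the `buffer->alloc + len + 32768` computation of the second hunk is the `if (len > 0x100000)` guard that follows here. Keep that guard ahead of any arithmetic on `len`, and consider a one-line comment on the declaration saying `newlen` exists so the new size can be validated before `buffer->alloc` is updated.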
@@ -98,11 +99,13 @@
/* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- if (buffer->alloc > 0xa00000)
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
/* NOTREACHED */
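Review bot: the ordering change is the substance of the fix and looks correct: `buffer->alloc` is now assigned only after `xrealloc` has returned, whereas the removed `buffer->alloc += len + 32768;` bumped the recorded size before the `> 0xa00000` check, so a `fatal()` on that path ran its cleanup with `buffer->alloc` describing more memory than `buffer->buf` actually held. Two follow-ups: the `fatal("buffer_append_space: alloc %u not supported",` format string still reports an `alloc` value, and its argument line is not in this excerpt, so confirm it prints `newlen` rather than the now-unchanged `buffer->alloc`; and since `buffer->alloc` is always at or below 0xa00000 after this check and `len` is capped at 0x100000 by the first hunk, `newlen` cannot wrap a 32-bit `u_int`, which is worth stating in a comment so the bound is not loosened later without revisiting it.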
Sanely formatted patch here.
The official word is that the openssh developers don't know if the bug is remotely exploitable. But given all I've heard over the past couple of weeks, plus the increased port 22 scanning reported at http://www.heise.de/security/news/meldung/40331, I'm inclined to assume the worst -- remote root exploit is out there in the wild.
The bug will be assigned CAN-2003-0693. Number was assigned on 2003-08-14. Looks like a botched coordinated release.
New Debian x86 debs have been uploaded to security.debian.org.
Red Hat has new RPMs now.