Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

From: horcy (apehaar_at_text-only.demon.nl)
Date: 09/17/03

  • Next message: horcy: "thx Mike && Troy -nt-"
    To: <security@freebsd.org>
    Date: Wed, 17 Sep 2003 07:44:29 +0200
    
    

    # kill `cat /var/run/sshd.pid`
    # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

    How do I run that second line?

    # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

    Yes, I'm a n00b, but whatever I try I get some error msg telling me that it
    didn't work. I just started sshd with:
    sh /usr/sbin/sshd and it worked too.
    But you would make me a very happy n00b if somebody can explain it :-)

    Regards,

    horcy
    http://www.text-only.demon.nl

    ----- Original Message -----
    From: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
    To: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
    Sent: Tuesday, September 16, 2003 8:17 PM
    Subject: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > =============================================================================
    > FreeBSD-SA-03:12                                            Security Advisory
    >                                                                 FreeBSD, Inc.
    >
    > Topic:          OpenSSH buffer management error
    >
    > Category:       core, ports
    > Module:         openssh, ports_openssh, openssh-portable
    > Announced:      2003-09-16
    > Credits:        The OpenSSH Project <openssh@openssh.org>
    > Affects:        All FreeBSD releases after 4.0-RELEASE
    >                 FreeBSD 4-STABLE prior to the correction date
    >                 openssh port prior to openssh-3.6.1_1
    >                 openssh-portable port prior to openssh-portable-3.6.1p2_1
    > Corrected:      2003-09-16 16:24:02 UTC (RELENG_4)
    >                 2003-09-16 16:27:57 UTC (RELENG_5_1)
    >                 2003-09-16 17:34:32 UTC (RELENG_5_0)
    >                 2003-09-16 16:24:02 UTC (RELENG_4_8)
    >                 2003-09-16 16:45:16 UTC (RELENG_4_7)
    >                 2003-09-16 17:44:15 UTC (RELENG_4_6)
    >                 2003-09-16 17:45:23 UTC (RELENG_4_5)
    >                 2003-09-16 17:46:02 UTC (RELENG_4_4)
    >                 2003-09-16 17:46:37 UTC (RELENG_4_3)
    >                 2003-09-16 12:43:09 UTC (ports/security/openssh)
    >                 2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
    > CVE:            CAN-2003-0693
    > FreeBSD only:   NO
    >
    > I. Background
    >
    > OpenSSH is a free version of the SSH protocol suite of network
    > connectivity tools. OpenSSH encrypts all traffic (including
    > passwords) to effectively eliminate eavesdropping, connection
    > hijacking, and other network-level attacks. Additionally, OpenSSH
    > provides a myriad of secure tunneling capabilities, as well as a
    > variety of authentication methods. `ssh' is the client application,
    > while `sshd' is the server.
    >
    > II. Problem Description
    >
    > When a packet is received that is larger than the space remaining in
    > the currently allocated buffer, OpenSSH's buffer management attempts
    > to reallocate a larger buffer. During this process, the recorded size
    > of the buffer is increased. The new size is then range checked. If
    > the range check fails, then fatal() is called to cleanup and exit.
    > In some cases, the cleanup code will attempt to zero and free the
    > buffer that just had its recorded size (but not actual allocation)
    > increased. As a result, memory outside of the allocated buffer will
    > be overwritten with NUL bytes.
    >
    > III. Impact
    >
    > A remote attacker can cause OpenSSH to crash. The bug is not believed
    > to be exploitable for code execution on FreeBSD.
    >
    > IV. Workaround
    >
    > Do one of the following:
    >
    > 1) Disable the base system sshd by executing the following command as
    > root:
    >
    > # kill `cat /var/run/sshd.pid`
    >
    > Be sure that sshd is not restarted when the system is restarted
    > by adding the following line to the end of /etc/rc.conf:
    >
    > sshd_enable="NO"
    >
    > AND
    >
    > Deinstall the openssh or openssh-portable ports if you have one of
    > them installed.
    >
    > V. Solution
    >
    > Do one of the following:
    >
    > [For OpenSSH included in the base system]
    >
    > 1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
    > RELENG_4_8, or RELENG_4_7 security branch dated after
    > the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
    > 4.7-RELEASE-p15, respectively).
    >
    > 2) FreeBSD systems prior to the correction date:
    >
    > The following patches have been verified to apply to FreeBSD 4.x and
    > FreeBSD 5.x systems prior to the correction date.
    >
    > Download the appropriate patch and detached PGP signature from the
    > following locations, and verify the signature using your PGP utility.
    >
    > [FreeBSD 4.3 through 4.5]
    > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
    > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc
    >
    > [FreeBSD 4.6 and later, FreeBSD 5.0 and later]
    > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
    > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc
    >
    > Execute the following commands as root:
    >
    > # cd /usr/src
    > # patch < /path/to/sshd.patch
    > # cd /usr/src/secure/lib/libssh
    > # make depend && make all install
    > # cd /usr/src/secure/usr.sbin/sshd
    > # make depend && make all install
    > # cd /usr/src/secure/usr.bin/ssh
    > # make depend && make all install
    >
    > Be sure to restart `sshd' after updating.
    >
    > # kill `cat /var/run/sshd.pid`
    > # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
    >
    > [For the OpenSSH ports]
    >
    > One of the following:
    >
    > 1) Upgrade your entire ports collection and rebuild the OpenSSH port.
    >
    > 2) Deinstall the old package and install a new package obtained from
    > the following directory:
    >
    > [i386]
    > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
    >
    > [other platforms]
    > Packages are not automatically generated for other platforms at this
    > time due to lack of build resources.
    >
    > 3) Download a new port skeleton for the openssh or openssh-portable
    > port from:
    >
    > http://www.freebsd.org/ports/
    >
    > and use it to rebuild the port.
    >
    > 4) Use the portcheckout utility to automate option (3) above. The
    > portcheckout port is available in /usr/ports/devel/portcheckout or the
    > package can be obtained from:
    >
    > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
    > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz
    >
    > Be sure to restart `sshd' after updating.
    >
    > # kill `cat /var/run/sshd.pid`
    > # test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start
    >
    > VI. Correction details
    >
    > The following list contains the revision numbers of each file that was
    > corrected in the FreeBSD base system and ports collection.
    >
    > Branch                                                           Revision
    >   Path
    > - -------------------------------------------------------------------------
    > [Base system]
    > RELENG_4
    > src/crypto/openssh/buffer.c 1.1.1.1.2.5
    > src/crypto/openssh/version.h 1.1.1.1.2.11
    > RELENG_5_1
    > src/UPDATING 1.251.2.4
    > src/crypto/openssh/buffer.c 1.1.1.6.4.1
    > src/crypto/openssh/version.h 1.20.2.1
    > src/sys/conf/newvers.sh 1.50.2.5
    > RELENG_5_0
    > src/UPDATING 1.229.2.18
    > src/crypto/openssh/buffer.c 1.1.1.6.2.1
    > src/crypto/openssh/version.h 1.18.2.1
    > src/sys/conf/newvers.sh 1.48.2.13
    > RELENG_4_8
    > src/UPDATING 1.73.2.80.2.7
    > src/crypto/openssh/buffer.c 1.1.1.1.2.4.4.1
    > src/crypto/openssh/version.h 1.1.1.1.2.10.2.1
    > src/sys/conf/newvers.sh 1.44.2.29.2.6
    > RELENG_4_7
    > src/UPDATING 1.73.2.74.2.18
    > src/crypto/openssh/buffer.c 1.1.1.1.2.4.2.1
    > src/crypto/openssh/version.h 1.1.1.1.2.9.2.1
    > src/sys/conf/newvers.sh 1.44.2.26.2.17
    > RELENG_4_6
    > src/UPDATING 1.73.2.68.2.46
    > src/crypto/openssh/buffer.c 1.1.1.1.2.3.4.2
    > src/crypto/openssh/version.h 1.1.1.1.2.8.2.2
    > src/sys/conf/newvers.sh 1.44.2.23.2.35
    > RELENG_4_5
    > src/UPDATING 1.73.2.50.2.47
    > src/crypto/openssh/buffer.c 1.1.1.1.2.3.2.1
    > src/crypto/openssh/version.h 1.1.1.1.2.7.2.2
    > src/sys/conf/newvers.sh 1.44.2.20.2.31
    > RELENG_4_4
    > src/UPDATING 1.73.2.43.2.48
    > src/crypto/openssh/buffer.c 1.1.1.1.2.2.4.1
    > src/crypto/openssh/version.h 1.1.1.1.2.5.2.3
    > src/sys/conf/newvers.sh 1.44.2.17.2.39
    > RELENG_4_3
    > src/UPDATING 1.73.2.28.2.35
    > src/crypto/openssh/buffer.c 1.1.1.1.2.2.2.1
    > src/crypto/openssh/version.h 1.1.1.1.2.4.2.3
    > src/sys/conf/newvers.sh 1.44.2.14.2.25
    > [Ports]
    > ports/security/openssh-portable/Makefile 1.73
    > ports/security/openssh-portable/files/patch-buffer.c 1.1
    > ports/security/openssh/Makefile 1.120
    > ports/security/openssh/files/patch-buffer.c 1.1
    > - -------------------------------------------------------------------------
    >
    > Branch Version string
    > - -------------------------------------------------------------------------
    > HEAD OpenSSH_3.6.1p1 FreeBSD-20030916
    > RELENG_4 OpenSSH_3.5p1 FreeBSD-20030916
    > RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030916
    > RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030916
    > RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030916
    > RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030916
    > RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030916
    > RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030916
    > RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20030916
    > - -------------------------------------------------------------------------
    >
    > To view the version string of the OpenSSH server, execute the
    > following command:
    >
    > % /usr/sbin/sshd -\?
    >
    > The version string is also displayed when a client connects to the
    > server.
    >
    > To view the version string of the OpenSSH client, execute the
    > following command:
    >
    > % /usr/bin/ssh -V
    >
    > VII. References
    >
    > <URL:http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html>
    >
    > The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    > assigned the name CAN-2003-0693 to this issue.
    > <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693>
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.3 (FreeBSD)
    >
    > iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
    > PW0VvEnS7MMUYyekHuz49ro=
    > =vcm1
    > -----END PGP SIGNATURE-----
    > _______________________________________________
    > freebsd-security-notifications@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
    > To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
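
The ordering problem described in section II of the quoted advisory, as an added model that is not part of the original message and is not the OpenSSH source: the recorded size is bumped before the range check, so cleanup on the failure path trusts a size larger than the real allocation. `struct buf`, `MAX_ALLOC`, the `real` field and all function names are hypothetical; the model only computes how far a cleanup would overrun and never writes out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_ALLOC 4096u /* hypothetical range-check limit for this model */

struct buf {
    unsigned char *data;
    size_t alloc; /* recorded size, trusted by the cleanup code */
    size_t real;  /* bytes really allocated (model bookkeeping only) */
};

/* Reallocate to n bytes and record the new size only on success. */
static int resize(struct buf *b, size_t n) {
    unsigned char *p = realloc(b->data, n);
    if (p == NULL) return -1;
    b->data = p;
    b->alloc = b->real = n;
    return 0;
}

/* Flawed ordering from section II: recorded size grows before the check. */
static int grow_flawed(struct buf *b, size_t len) {
    b->alloc += len;
    /* On the failure (fatal) path, alloc no longer matches the allocation. */
    if (b->alloc > MAX_ALLOC) return -1;
    return resize(b, b->alloc);
}

/* Corrected ordering: range-check a local value, then commit it. */
static int grow_checked(struct buf *b, size_t len) {
    size_t want = b->alloc + len;
    if (want < b->alloc || want > MAX_ALLOC) return -1;
    return resize(b, want);
}

/* Bytes a cleanup doing memset(data, 0, alloc) would write out of bounds. */
static size_t overrun_after(int (*grow)(struct buf *, size_t), size_t len) {
    struct buf b = { malloc(64), 64, 64 };
    if (b.data == NULL) return (size_t)-1;
    grow(&b, len);
    size_t over = b.alloc > b.real ? b.alloc - b.real : 0;
    free(b.data);
    return over;
}

int main(void) {
    printf("flawed: %zu, checked: %zu bytes past the buffer\n",
           overrun_after(grow_flawed, 8192), overrun_after(grow_checked, 8192));
    return 0;
}
```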

