[VulnWatch] OpenSSH Security Advisory: buffer.adv

From: Chris Wysopal (weld_at_vulnwatch.org)
Date: 09/16/03

    Date: Tue, 16 Sep 2003 16:02:08 +0000 (GMT)
    To: vulnwatch@vulnwatch.org
    
    

    List: openbsd-misc
    Subject: OpenSSH Security Advisory: buffer.adv
    From: Markus Friedl <markus () openbsd ! org>
    Date: 2003-09-16 12:32:15

    This is the 1st revision of the Advisory.

    This document can be found at: http://www.openssh.com/txt/buffer.adv

    1. Versions affected:

            All versions of OpenSSH's sshd prior to 3.7 contain a buffer
            management error. It is uncertain whether this error is
            potentially exploitable; however, we prefer to see bugs
            fixed proactively.

    2. Solution:

            Upgrade to OpenSSH 3.7 or apply the following patch.

    Appendix:

    Index: buffer.c
    ===================================================================
    RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
    retrieving revision 1.16
    retrieving revision 1.17
    diff -u -r1.16 -r1.17
    --- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
    +++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17
    @@ -69,6 +69,7 @@
     void *
     buffer_append_space(Buffer *buffer, u_int len)
     {
    + u_int newlen;
             void *p;

             if (len > 0x100000)
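
Review bot: The new `u_int newlen;` declaration has no comment saying why a temporary is needed, and its safety depends on the `if (len > 0x100000)` check at the end of this hunk staying ahead of the grow path. That check, together with the 0xa00000 cap in the next hunk, is what keeps `buffer->alloc + len + 32768` from wrapping an unsigned int. A one-line comment at the declaration (for example, that `newlen` holds the proposed size until it has been validated and allocated) would protect both the bound and the ordering against later refactoring.
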
    @@ -98,11 +99,13 @@
                     goto restart;
             }
             /* Increase the size of the buffer and retry. */
    - buffer->alloc += len + 32768;
    - if (buffer->alloc > 0xa00000)
    +
    + newlen = buffer->alloc + len + 32768;
    + if (newlen > 0xa00000)
                     fatal("buffer_append_space: alloc %u not supported",
    - buffer->alloc);
    - buffer->buf = xrealloc(buffer->buf, buffer->alloc);
    + newlen);
    + buffer->buf = xrealloc(buffer->buf, newlen);
    + buffer->alloc = newlen;
             goto restart;
             /* NOTREACHED */
     }
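
Review bot: The invariant this reordering establishes, that `buffer->alloc` never exceeds the real size of `buffer->buf`, is not written down anywhere near `buffer->alloc = newlen;`. The removed lines incremented `buffer->alloc` before the 0xa00000 check, so the `fatal()` path ran with a recorded size larger than the allocation; a short comment above the assignment stating that `alloc` is only updated once `xrealloc()` has returned would make the intent explicit. Two smaller points: the added empty line after the "Increase the size of the buffer and retry." comment separates the comment from the code it describes and can be dropped, and any other code that bumps a size field before checking or reallocating should be audited for the same ordering.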

