From: "horcy"
Date: Wed, 17 Sep 2003 07:44:29 +0200
Message-ID: <006301c37cde$c36dc200$0201a8c0@horcy>
References: <200309161817.h8GIH1GL072348@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

How do I run that second line?

# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

Yes, I'm a n00b, but whatever I try I get some error msg telling me that it didn't work.
I just started sshd with: sh /usr/sbin/sshd and it worked too.
But you would make me a very happy n00b if somebody can explain it :-)

Regards,
horcy
http://www.text-only.demon.nl

----- Original Message -----
From: "FreeBSD Security Advisories"
To: "FreeBSD Security Advisories"
Sent: Tuesday, September 16, 2003 8:17 PM
Subject: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-03:12                                            Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          OpenSSH buffer management error
>
> Category:       core, ports
> Module:         openssh, ports_openssh, openssh-portable
> Announced:      2003-09-16
> Credits:        The OpenSSH Project
> Affects:        All FreeBSD releases after 4.0-RELEASE
>                 FreeBSD 4-STABLE prior to the correction date
>                 openssh port prior to openssh-3.6.1_1
>                 openssh-portable port prior to openssh-portable-3.6.1p2_1
> Corrected:      2003-09-16 16:24:02 UTC (RELENG_4)
>                 2003-09-16 16:27:57 UTC (RELENG_5_1)
>                 2003-09-16 17:34:32 UTC (RELENG_5_0)
>                 2003-09-16 16:24:02 UTC (RELENG_4_8)
>                 2003-09-16 16:45:16 UTC (RELENG_4_7)
>                 2003-09-16 17:44:15 UTC (RELENG_4_6)
>                 2003-09-16 17:45:23 UTC (RELENG_4_5)
>                 2003-09-16 17:46:02 UTC (RELENG_4_4)
>                 2003-09-16 17:46:37 UTC (RELENG_4_3)
>                 2003-09-16 12:43:09 UTC (ports/security/openssh)
>                 2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
> CVE:            CAN-2003-0693
> FreeBSD only:   NO
>
> I.   Background
>
> OpenSSH is a free version of the SSH protocol suite of network
> connectivity tools.  OpenSSH encrypts all traffic (including
> passwords) to effectively eliminate eavesdropping, connection
> hijacking, and other network-level attacks.  Additionally, OpenSSH
> provides a myriad of secure tunneling capabilities, as well as a
> variety of authentication methods.  `ssh' is the client application,
> while `sshd' is the server.
>
> II.  Problem Description
>
> When a packet is received that is larger than the space remaining in
> the currently allocated buffer, OpenSSH's buffer management attempts
> to reallocate a larger buffer.  During this process, the recorded size
> of the buffer is increased.  The new size is then range checked.  If
> the range check fails, then fatal() is called to cleanup and exit.
> In some cases, the cleanup code will attempt to zero and free the
> buffer that just had its recorded size (but not actual allocation)
> increased.  As a result, memory outside of the allocated buffer will
> be overwritten with NUL bytes.
>
> III. Impact
>
> A remote attacker can cause OpenSSH to crash.  The bug is not believed
> to be exploitable for code execution on FreeBSD.
>
> IV.  Workaround
>
> Do one of the following:
>
> 1) Disable the base system sshd by executing the following command as
>    root:
>
>         # kill `cat /var/run/sshd.pid`
>
>    Be sure that sshd is not restarted when the system is restarted
>    by adding the following line to the end of /etc/rc.conf:
>
>         sshd_enable="NO"
>
>    AND
>
>    Deinstall the openssh or openssh-portable ports if you have one of
>    them installed.
>
> V.   Solution
>
> Do one of the following:
>
> [For OpenSSH included in the base system]
>
> 1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
> RELENG_4_8, or RELENG_4_7 security branch dated after
> the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
> 4.7-RELEASE-p15, respectively).
>
> 2) FreeBSD systems prior to the correction date:
>
> The following patches have been verified to apply to FreeBSD 4.x and
> FreeBSD 5.x systems prior to the correction date.
>
> Download the appropriate patch and detached PGP signature from the following
> locations, and verify the signature using your PGP utility.
>
> [FreeBSD 4.3 through 4.5]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc
>
> [FreeBSD 4.6 and later, FreeBSD 5.0 and later]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc
>
> Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/sshd.patch
> # cd /usr/src/secure/lib/libssh
> # make depend && make all install
> # cd /usr/src/secure/usr.sbin/sshd
> # make depend && make all install
> # cd /usr/src/secure/usr.bin/ssh
> # make depend && make all install
>
> Be sure to restart `sshd' after updating.
>
> # kill `cat /var/run/sshd.pid`
> # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
>
> [For the OpenSSH ports]
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the OpenSSH port.
>
> 2) Deinstall the old package and install a new package obtained from
> the following directory:
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
>
> [other platforms]
> Packages are not automatically generated for other platforms at this
> time due to lack of build resources.
>
> 3) Download a new port skeleton for the openssh or openssh-portable
> port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above.  The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz
>
> Be sure to restart `sshd' after updating.
>
> # kill `cat /var/run/sshd.pid`
> # test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in the FreeBSD base system and ports collection.
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> [Base system]
> RELENG_4
>   src/crypto/openssh/buffer.c                                 1.1.1.1.2.5
>   src/crypto/openssh/version.h                               1.1.1.1.2.11
> RELENG_5_1
>   src/UPDATING                                                  1.251.2.4
>   src/crypto/openssh/buffer.c                                 1.1.1.6.4.1
>   src/crypto/openssh/version.h                                   1.20.2.1
>   src/sys/conf/newvers.sh                                        1.50.2.5
> RELENG_5_0
>   src/UPDATING                                                 1.229.2.18
>   src/crypto/openssh/buffer.c                                 1.1.1.6.2.1
>   src/crypto/openssh/version.h                                   1.18.2.1
>   src/sys/conf/newvers.sh                                       1.48.2.13
> RELENG_4_8
>   src/UPDATING                                              1.73.2.80.2.7
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.4.4.1
>   src/crypto/openssh/version.h                           1.1.1.1.2.10.2.1
>   src/sys/conf/newvers.sh                                   1.44.2.29.2.6
> RELENG_4_7
>   src/UPDATING                                             1.73.2.74.2.18
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.4.2.1
>   src/crypto/openssh/version.h                            1.1.1.1.2.9.2.1
>   src/sys/conf/newvers.sh                                  1.44.2.26.2.17
> RELENG_4_6
>   src/UPDATING                                             1.73.2.68.2.46
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.3.4.2
>   src/crypto/openssh/version.h                            1.1.1.1.2.8.2.2
>   src/sys/conf/newvers.sh                                  1.44.2.23.2.35
> RELENG_4_5
>   src/UPDATING                                             1.73.2.50.2.47
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.3.2.1
>   src/crypto/openssh/version.h                            1.1.1.1.2.7.2.2
>   src/sys/conf/newvers.sh                                  1.44.2.20.2.31
> RELENG_4_4
>   src/UPDATING                                             1.73.2.43.2.48
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.2.4.1
>   src/crypto/openssh/version.h                            1.1.1.1.2.5.2.3
>   src/sys/conf/newvers.sh                                  1.44.2.17.2.39
> RELENG_4_3
>   src/UPDATING                                             1.73.2.28.2.35
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.2.2.1
>   src/crypto/openssh/version.h                            1.1.1.1.2.4.2.3
>   src/sys/conf/newvers.sh                                  1.44.2.14.2.25
> [Ports]
> ports/security/openssh-portable/Makefile                             1.73
> ports/security/openssh-portable/files/patch-buffer.c                  1.1
> ports/security/openssh/Makefile                                     1.120
> ports/security/openssh/files/patch-buffer.c                           1.1
> - -------------------------------------------------------------------------
>
> Branch       Version string
> - -------------------------------------------------------------------------
> HEAD         OpenSSH_3.6.1p1 FreeBSD-20030916
> RELENG_4     OpenSSH_3.5p1 FreeBSD-20030916
> RELENG_5_1   OpenSSH_3.6.1p1 FreeBSD-20030916
> RELENG_4_8   OpenSSH_3.5p1 FreeBSD-20030916
> RELENG_4_7   OpenSSH_3.4p1 FreeBSD-20030916
> RELENG_4_6   OpenSSH_3.4p1 FreeBSD-20030916
> RELENG_4_5   OpenSSH_2.9 FreeBSD localisations 20030916
> RELENG_4_4   OpenSSH_2.3.0 FreeBSD localisations 20030916
> RELENG_4_3   OpenSSH_2.3.0 green@FreeBSD.org 20030916
> - -------------------------------------------------------------------------
>
> To view the version string of the OpenSSH server, execute the
> following command:
>
>   % /usr/sbin/sshd -\?
>
> The version string is also displayed when a client connects to the
> server.
>
> To view the version string of the OpenSSH client, execute the
> following command:
>
>   % /usr/bin/ssh -V
>
> VII. References
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2003-0693 to this issue.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (FreeBSD)
>
> iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
> PW0VvEnS7MMUYyekHuz49ro=
> =vcm1
> -----END PGP SIGNATURE-----
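
The ordering problem described under "II. Problem Description" in the quoted advisory, as an added C example that is not part of the original message and is not OpenSSH's code: a simplified model in which the recorded size is raised before the range check, next to the corrected order. The struct, the function names and the two constants are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_MAX  0xa00000u  /* assumed limit enforced by the range check */
#define BUF_STEP 32768u     /* assumed headroom added on every grow */
/* Hypothetical model, not OpenSSH's struct: alloc is the recorded size that
 * cleanup trusts, real is what the allocator actually handed out. */
typedef struct { unsigned char *buf; size_t alloc, real; } model_buf;

/* Cleanup on a fatal error: zero `alloc` bytes, then free. Returns how many of
 * those bytes lie past the real allocation (memset is clamped in this demo). */
static size_t model_cleanup(model_buf *b) {
    size_t overrun = b->alloc > b->real ? b->alloc - b->real : 0;
    memset(b->buf, 0, b->alloc - overrun);
    free(b->buf);
    return overrun;
}

/* Order described in the advisory: record the new size, then range check. */
static int grow_buggy(model_buf *b, size_t len) {
    b->alloc += len + BUF_STEP;         /* recorded size grows first */
    if (b->alloc > BUF_MAX) return -1;  /* rejected: caller runs cleanup */
    unsigned char *p = realloc(b->buf, b->alloc);
    if (!p) return -1;
    b->buf = p; b->real = b->alloc;
    return 0;
}

/* Corrected order: validate first, update the struct only after realloc. */
static int grow_fixed(model_buf *b, size_t len) {
    if (len > BUF_MAX || b->alloc + BUF_STEP > BUF_MAX - len) return -1;
    size_t newlen = b->alloc + len + BUF_STEP;
    unsigned char *p = realloc(b->buf, newlen);
    if (!p) return -1;
    b->buf = p; b->alloc = b->real = newlen;
    return 0;
}

/* Bytes cleanup would zero past a 4 KiB allocation after grow(len). */
static size_t overrun_after(int (*grow)(model_buf *, size_t), size_t len) {
    model_buf b = { calloc(1, 4096), 4096, 4096 };
    if (!b.buf) return (size_t)-1;
    (void)grow(&b, len);
    return model_cleanup(&b);
}

int main(void) {
    printf("buggy: %zu\n", overrun_after(grow_buggy, BUF_MAX));
    printf("fixed: %zu\n", overrun_after(grow_fixed, BUF_MAX));
    return 0;
}
```

In the buggy order a rejected request leaves the recorded size larger than the allocation, so a cleanup that trusts it would zero that many bytes beyond the buffer; in the corrected order a rejected request leaves the struct untouched.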