Date:      Wed, 17 Sep 2003 07:44:29 +0200
From:      "horcy" <apehaar@text-only.demon.nl>
To:        <security@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Message-ID:  <006301c37cde$c36dc200$0201a8c0@horcy>
References:  <200309161817.h8GIH1GL072348@freefall.freebsd.org>

# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

How do I run that second line?

# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

Yes, I'm a n00b, but whatever I try I get some error msg telling me that it
didn't work. I just started sshd with:
sh /usr/sbin/sshd and it worked too.
But you would make me a very happy n00b if somebody can explain it :-)

Regards,

horcy
http://www.text-only.demon.nl



----- Original Message ----- 
From: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
To: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
Sent: Tuesday, September 16, 2003 8:17 PM
Subject: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> =============================================================================
> FreeBSD-SA-03:12                                            Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          OpenSSH buffer management error
>
> Category:       core, ports
> Module:         openssh, ports_openssh, openssh-portable
> Announced:      2003-09-16
> Credits:        The OpenSSH Project <openssh@openssh.org>
> Affects:        All FreeBSD releases after 4.0-RELEASE
>                 FreeBSD 4-STABLE prior to the correction date
>                 openssh port prior to openssh-3.6.1_1
>                 openssh-portable port prior to openssh-portable-3.6.1p2_1
> Corrected:      2003-09-16 16:24:02 UTC (RELENG_4)
>                 2003-09-16 16:27:57 UTC (RELENG_5_1)
>                 2003-09-16 17:34:32 UTC (RELENG_5_0)
>                 2003-09-16 16:24:02 UTC (RELENG_4_8)
>                 2003-09-16 16:45:16 UTC (RELENG_4_7)
>                 2003-09-16 17:44:15 UTC (RELENG_4_6)
>                 2003-09-16 17:45:23 UTC (RELENG_4_5)
>                 2003-09-16 17:46:02 UTC (RELENG_4_4)
>                 2003-09-16 17:46:37 UTC (RELENG_4_3)
>                 2003-09-16 12:43:09 UTC (ports/security/openssh)
>                 2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
> CVE:            CAN-2003-0693
> FreeBSD only:   NO
>
> I.   Background
>
> OpenSSH is a free version of the SSH protocol suite of network
> connectivity tools.  OpenSSH encrypts all traffic (including
> passwords) to effectively eliminate eavesdropping, connection
> hijacking, and other network-level attacks. Additionally, OpenSSH
> provides a myriad of secure tunneling capabilities, as well as a
> variety of authentication methods. `ssh' is the client application,
> while `sshd' is the server.
>
> II.  Problem Description
>
> When a packet is received that is larger than the space remaining in
> the currently allocated buffer, OpenSSH's buffer management attempts
> to reallocate a larger buffer.  During this process, the recorded size
> of the buffer is increased.  The new size is then range checked.  If
> the range check fails, then fatal() is called to cleanup and exit.
> In some cases, the cleanup code will attempt to zero and free the
> buffer that just had its recorded size (but not actual allocation)
> increased.  As a result, memory outside of the allocated buffer will
> be overwritten with NUL bytes.
>
> III. Impact
>
> A remote attacker can cause OpenSSH to crash.  The bug is not believed
> to be exploitable for code execution on FreeBSD.
>
> IV.  Workaround
>
> Do one of the following:
>
> 1) Disable the base system sshd by executing the following command as
>    root:
>
>    # kill `cat /var/run/sshd.pid`
>
>    Be sure that sshd is not restarted when the system is restarted
>    by adding the following line to the end of /etc/rc.conf:
>
>    sshd_enable="NO"
>
>    AND
>
>    Deinstall the openssh or openssh-portable ports if you have one of
>    them installed.
>
> V.   Solution
>
> Do one of the following:
>
> [For OpenSSH included in the base system]
>
> 1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
>    RELENG_4_8, or RELENG_4_7 security branch dated after
>    the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
>    4.7-RELEASE-p15, respectively).
>
> 2) FreeBSD systems prior to the correction date:
>
> The following patches have been verified to apply to FreeBSD 4.x and
> FreeBSD 5.x systems prior to the correction date.
>
> Download the appropriate patch and detached PGP signature from the following
> locations, and verify the signature using your PGP utility.
>
> [FreeBSD 4.3 through 4.5]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc
>
> [FreeBSD 4.6 and later, FreeBSD 5.0 and later]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc
>
> Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/sshd.patch
> # cd /usr/src/secure/lib/libssh
> # make depend && make all install
> # cd /usr/src/secure/usr.sbin/sshd
> # make depend && make all install
> # cd /usr/src/secure/usr.bin/ssh
> # make depend && make all install
>
> Be sure to restart `sshd' after updating.
>
> # kill `cat /var/run/sshd.pid`
> # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
>
> [For the OpenSSH ports]
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the OpenSSH port.
>
> 2) Deinstall the old package and install a new package obtained from
> the following directory:
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/
>
> [other platforms]
> Packages are not automatically generated for other platforms at this
> time due to lack of build resources.
>
> 3) Download a new port skeleton for the openssh or openssh-portable
> port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz
>
> Be sure to restart `sshd' after updating.
>
> # kill `cat /var/run/sshd.pid`
> # test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in the FreeBSD base system and ports collection.
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> [Base system]
> RELENG_4
>   src/crypto/openssh/buffer.c                                 1.1.1.1.2.5
>   src/crypto/openssh/version.h                               1.1.1.1.2.11
> RELENG_5_1
>   src/UPDATING                                                  1.251.2.4
>   src/crypto/openssh/buffer.c                                 1.1.1.6.4.1
>   src/crypto/openssh/version.h                                   1.20.2.1
>   src/sys/conf/newvers.sh                                        1.50.2.5
> RELENG_5_0
>   src/UPDATING                                                 1.229.2.18
>   src/crypto/openssh/buffer.c                                 1.1.1.6.2.1
>   src/crypto/openssh/version.h                                   1.18.2.1
>   src/sys/conf/newvers.sh                                       1.48.2.13
> RELENG_4_8
>   src/UPDATING                                              1.73.2.80.2.7
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.4.4.1
>   src/crypto/openssh/version.h                           1.1.1.1.2.10.2.1
>   src/sys/conf/newvers.sh                                   1.44.2.29.2.6
> RELENG_4_7
>   src/UPDATING                                             1.73.2.74.2.18
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.4.2.1
>   src/crypto/openssh/version.h                            1.1.1.1.2.9.2.1
>   src/sys/conf/newvers.sh                                  1.44.2.26.2.17
> RELENG_4_6
>   src/UPDATING                                             1.73.2.68.2.46
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.3.4.2
>   src/crypto/openssh/version.h                            1.1.1.1.2.8.2.2
>   src/sys/conf/newvers.sh                                  1.44.2.23.2.35
> RELENG_4_5
>   src/UPDATING                                             1.73.2.50.2.47
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.3.2.1
>   src/crypto/openssh/version.h                            1.1.1.1.2.7.2.2
>   src/sys/conf/newvers.sh                                  1.44.2.20.2.31
> RELENG_4_4
>   src/UPDATING                                             1.73.2.43.2.48
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.2.4.1
>   src/crypto/openssh/version.h                            1.1.1.1.2.5.2.3
>   src/sys/conf/newvers.sh                                  1.44.2.17.2.39
> RELENG_4_3
>   src/UPDATING                                             1.73.2.28.2.35
>   src/crypto/openssh/buffer.c                             1.1.1.1.2.2.2.1
>   src/crypto/openssh/version.h                            1.1.1.1.2.4.2.3
>   src/sys/conf/newvers.sh                                  1.44.2.14.2.25
> [Ports]
>   ports/security/openssh-portable/Makefile                           1.73
>   ports/security/openssh-portable/files/patch-buffer.c                1.1
>   ports/security/openssh/Makefile                                   1.120
>   ports/security/openssh/files/patch-buffer.c                         1.1
> - -------------------------------------------------------------------------
>
> Branch                       Version string
> - -------------------------------------------------------------------------
> HEAD                         OpenSSH_3.6.1p1 FreeBSD-20030916
> RELENG_4                     OpenSSH_3.5p1 FreeBSD-20030916
> RELENG_5_1                   OpenSSH_3.6.1p1 FreeBSD-20030916
> RELENG_4_8                   OpenSSH_3.5p1 FreeBSD-20030916
> RELENG_4_7                   OpenSSH_3.4p1 FreeBSD-20030916
> RELENG_4_6                   OpenSSH_3.4p1 FreeBSD-20030916
> RELENG_4_5                   OpenSSH_2.9 FreeBSD localisations 20030916
> RELENG_4_4                   OpenSSH_2.3.0 FreeBSD localisations 20030916
> RELENG_4_3                   OpenSSH_2.3.0 green@FreeBSD.org 20030916
> - -------------------------------------------------------------------------
>
> To view the version string of the OpenSSH server, execute the
> following command:
>
>   % /usr/sbin/sshd -\?
>
> The version string is also displayed when a client connects to the
> server.
>
> To view the version string of the OpenSSH client, execute the
> following command:
>
>   % /usr/bin/ssh -V
>
> VII. References
>
> <URL:http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html>
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2003-0693 to this issue.
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (FreeBSD)
>
> iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
> PW0VvEnS7MMUYyekHuz49ro=
> =vcm1
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"




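The ordering flaw described in section II of the quoted advisory, as an added example that is not part of the original message and is not OpenSSH's code. It is a simplified C model (the struct, the function names and the limit and step values are assumptions) that records the new buffer size before the range check and counts how many bytes the cleanup would then zero past the real allocation, beside the corrected order.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_MAX  0xa00000u  /* range-check limit (assumed for this model) */
#define BUF_STEP 32768u     /* growth slack (assumed) */

/* Simplified model of a growable buffer, not OpenSSH's own struct. */
struct buf {
    unsigned char *data;
    size_t alloc;  /* recorded size: what the cleanup code trusts */
    size_t real;   /* bytes actually allocated (tracked for the demo only) */
};

/* flawed=1 records the new size before the range check (the bug). */
static int grow(struct buf *b, size_t len, int flawed) {
    size_t newlen = b->alloc + len + BUF_STEP;
    if (flawed)
        b->alloc = newlen;          /* recorded size bumped too early */
    if (len > BUF_MAX || newlen > BUF_MAX)
        return -1;                  /* stands in for the fatal() path */
    unsigned char *p = realloc(b->data, newlen);
    if (p == NULL)
        return -1;
    b->data = p;
    b->alloc = b->real = newlen;    /* safe point to update the record */
    return 0;
}

/* Cleanup would zero b->alloc bytes; returns the count past the allocation. */
static size_t cleanup_overrun(struct buf *b) {
    size_t over = b->alloc > b->real ? b->alloc - b->real : 0;
    memset(b->data, 0, b->real);    /* clamped so the demo stays in bounds */
    free(b->data);
    return over;
}

size_t overrun_after_grow(int flawed, size_t request) {
    struct buf b = { malloc(4096), 4096, 4096 };
    if (b.data == NULL)
        return (size_t)-1;
    (void)grow(&b, request, flawed);
    return cleanup_overrun(&b);
}

int main(void) {
    printf("flawed: %zu, fixed: %zu bytes past the allocation\n",
           overrun_after_grow(1, BUF_MAX), overrun_after_grow(0, BUF_MAX));
    return 0;
}
```

With the size committed only after the check and the realloc succeed, a rejected request leaves the recorded size equal to the allocation, so the cleanup stays inside the buffer.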