Date:      Fri, 9 Feb 2001 13:26:04 -0800
From:      Alfred Perlstein <bright@wintelcom.net>
To:        Matt Dillon <dillon@earth.backplane.com>
Cc:        green@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: OpenSSH port patch
Message-ID:  <20010209132604.O26076@fw.wintelcom.net>
In-Reply-To: <200102092122.f19LMBh08953@earth.backplane.com>; from dillon@earth.backplane.com on Fri, Feb 09, 2001 at 01:22:11PM -0800
References:  <20010209110044.I26076@fw.wintelcom.net> <200102092122.f19LMBh08953@earth.backplane.com>

* Matt Dillon <dillon@earth.backplane.com> [010209 13:22] wrote:
>     I think it's a whole lot better than simply marking the package
>     forbidden!  I was actually surprised that the package was marked
>     forbidden, when the fix is only a few minutes of work.

I've been hopping around on IRC frothing at the mouth about getting
this patch in but no one has signed off on it and since I've got
little port-fu I'm nervous about making a bad situation worse.


> 
> 					-Matt
> 
> :Please trim CC!
> :
> :This removes the 'forbidden' and adds a patch to correct the
> :hash overflow as suggested by the Bindview audit.
> :
> :I'm cc'ing Brian Feldman (green) because he's maintainer, -ports
> :because I'm not really good at ports and -security so that people
> :can look this over.
> :
> :May I apply this patch?
> :
> :Index: Makefile
> :===================================================================
> :RCS file: /home/ncvs/ports/security/openssh/Makefile,v
> :retrieving revision 1.57
> :diff -u -u -r1.57 Makefile
> :--- Makefile	2001/02/09 04:58:24	1.57
> :+++ Makefile	2001/02/09 18:53:06
> :@@ -20,8 +20,6 @@
> : 
> : .include <bsd.port.pre.mk>
> : 
> :-FORBIDDEN=	"Remote vulnerabilities"
> :-
> : CRYPTOLIBS=	-L${OPENSSLLIB} -lcrypto
> : # Here, MANDIR is concetenated to DESTDIR which all forms the man install dir...
> : MAKE_ENV+=	DESTDIR=${PREFIX} MANDIR=/man/man CRYPTOLIBS="${CRYPTOLIBS}"
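Review bot: lifting FORBIDDEN here is justified only by the companion files/patch-az in the same diff, and nothing in the Makefile records that dependency; a commit log line (or a short comment next to CRYPTOLIBS) naming the Bindview deattack.c finding the new patch addresses would let a later reader see why the marker was removed. The untouched context comment on the MAKE_ENV line still reads "concetenated"; that typo could be fixed in passing.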
> :Index: files/patch-az
> :===================================================================
> :RCS file: patch-az
> :diff -N patch-az
> :--- /dev/null	Fri Feb  9 10:59:20 2001
> :+++ patch-az	Fri Feb  9 10:58:58 2001
> :@@ -0,0 +1,11 @@
> :+--- /home/bright/ssh/ssh/deattack.c	Fri Aug 18 19:17:12 2000
> :++++ deattack.c	Fri Feb  9 10:58:54 2001
> :+@@ -84,7 +84,7 @@
> :+ detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
> :+ {
> :+ 	static u_int16_t *h = (u_int16_t *) NULL;
> :+-	static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
> :++	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
> :+ 	register u_int32_t i, j;
> :+ 	u_int32_t l;
> :+ 	register unsigned char *c;
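Review bot: widening n from u_int16_t to u_int32_t changes the declaration only; the code that computes n from the packet length and then sizes the hash table with it is outside this seven-line hunk, so review should confirm every use of n in detect_attack() is consistent with the wider type and that the table-size multiplication cannot itself wrap before reaching the allocator. Style: the "---" header names an absolute path under /home/bright/ssh/ssh/; ports patches normally use the relative "deattack.c.orig" form so the embedded patch does not carry the submitter's build tree.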
> :
> :-- 
> :-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> :"I have the heart of a child; I keep it in a jar on my desk."
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

