From: "Jacques A. Vidrine" <nectar@celabo.org>
To: freebsd-security@freebsd.org
Date: Tue, 16 Sep 2003 08:43:47 -0500
Subject: OpenSSH heads-up
Message-ID: <20030916134347.GA30359@madman.celabo.org>

OK, an official OpenSSH advisory was released, see here:

The fix is currently in FreeBSD -CURRENT and -STABLE.
It will be applied to the security branches as well today.

Attached are patches:

  buffer46.patch -- For FreeBSD 4.6-RELEASE and later
  buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier

Currently, I don't believe that this bug is actually exploitable for code execution on FreeBSD, but I reserve the right to be wrong :-)

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

buffer45.patch:

Index: crypto/openssh/buffer.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v retrieving revision 1.1.1.1.2.3 diff -c -c -r1.1.1.1.2.3 buffer.c *** crypto/openssh/buffer.c 28 Sep 2001 01:33:33 -0000 1.1.1.1.2.3 --- crypto/openssh/buffer.c 16 Sep 2003 13:19:26 -0000 *************** *** 69,74 **** --- 69,76 ---- void buffer_append_space(Buffer *buffer, char **datap, u_int len) { + u_int newlen; +=20 /* If the buffer is empty, start using it from the beginning. */ if (buffer->offset =3D=3D buffer->end) { buffer->offset =3D 0; *************** *** 93,100 **** goto restart; } /* Increase the size of the buffer and retry. */ ! buffer->alloc +=3D len + 32768; ! buffer->buf =3D xrealloc(buffer->buf, buffer->alloc); goto restart; } =20 --- 95,106 ---- goto restart; } /* Increase the size of the buffer and retry. */ ! newlen =3D buffer->alloc + len + 32768; ! if (newlen > 0xa00000) ! fatal("buffer_append_space: alloc %u not supported", ! newlen); ! buffer->buf =3D xrealloc(buffer->buf, newlen); ! 
buffer->alloc =3D newlen; goto restart; } =20

buffer46.patch:

Index: crypto/openssh/buffer.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v retrieving revision 1.1.1.1.2.4 diff -c -c -r1.1.1.1.2.4 buffer.c *** crypto/openssh/buffer.c 3 Jul 2002 22:11:41 -0000 1.1.1.1.2.4 --- crypto/openssh/buffer.c 16 Sep 2003 13:10:22 -0000 *************** *** 69,74 **** --- 69,75 ---- void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; =20 if (len > 0x100000) *************** *** 98,108 **** goto restart; } /* Increase the size of the buffer and retry. */ ! buffer->alloc +=3D len + 32768; ! if (buffer->alloc > 0xa00000) fatal("buffer_append_space: alloc %u not supported", ! buffer->alloc); ! buffer->buf =3D xrealloc(buffer->buf, buffer->alloc); goto restart; /* NOTREACHED */ } --- 99,111 ---- goto restart; } /* Increase the size of the buffer and retry. */ ! =09 ! newlen =3D buffer->alloc + len + 32768; ! if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", ! newlen); ! buffer->buf =3D xrealloc(buffer->buf, newlen); ! buffer->alloc =3D newlen; goto restart; /* NOTREACHED */ }
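Review bot: in the second hunk of buffer45.patch (lines 93,100 / 95,106), `newlen = buffer->alloc + len + 32768` is computed in u_int with no prior bound on `len`: the 4.5 function as shown in the first hunk goes straight from the opening brace to the empty-buffer check, whereas the 4.6 code in buffer46.patch has an `if (len > 0x100000)` guard before any arithmetic (visible as context in its first hunk). Without that guard a very large `len` can wrap the sum below 0xa00000 and slip past the new check, so suggest carrying the same `if (len > 0x100000) fatal(...)` check over to the top of buffer_append_space in this patch. The other change is correct and is the point of the fix: `buffer->alloc = newlen` is now assigned only after xrealloc returns, so a fatal() from the size check no longer leaves buffer->alloc larger than the memory actually backing buffer->buf.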
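Review bot: the second hunk of buffer46.patch (lines 98,108 / 99,111) adds a line containing only a tab (the `! =09` line in the quoted-printable text) immediately before `newlen = buffer->alloc + len + 32768;`; it is a whitespace-only change that will surface as a spurious modification in every later diff of this file, so drop it before committing. Otherwise the hunk does the right thing: the old code bumped `buffer->alloc` before the `> 0xa00000` check, so the fatal() path ran with alloc already out of step with the real allocation; computing into `newlen` and assigning `buffer->alloc = newlen;` only after xrealloc removes that window.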