
[linux-security] ALERT: possibility of remote root exploit in openssh



Topic
=====
possibility of remote root exploit in openssh

Problem Description
===================
A bug has been found in the OpenSSH buffer handling code. This bug has
the potential of being remotely exploitable. Upgrading to a fixed
version immediately is strongly advised.

Affected Versions
=================
All versions of OpenSSH's sshd prior to 3.7

Solution
========
Upgrade to openssh-3.7p1, apply the patch that is appended at the
end of this advisory (section Patch), or upgrade to a patched version
for your distribution. At the time of writing only RedHat has released
patched openssh versions. New information will be posted to this list
as soon as it becomes available.

RedHat 7.1
----------
rpm -Fvh openssh-3.1p1-9.i386.rpm \
         openssh-clients-3.1p1-9.i386.rpm \
         openssh-server-3.1p1-9.i386.rpm \
         openssh-askpass-3.1p1-9.i386.rpm \
         openssh-askpass-gnome-3.1p1-9.i386.rpm

RedHat 7.2, 7.3
---------------
rpm -Fvh openssh-3.1p1-10.i386.rpm \
         openssh-clients-3.1p1-10.i386.rpm \
         openssh-server-3.1p1-10.i386.rpm \
         openssh-askpass-3.1p1-10.i386.rpm \
         openssh-askpass-gnome-3.1p1-10.i386.rpm

RedHat 8.0
----------
rpm -Fvh openssh-3.4p1-5.i386.rpm \
         openssh-clients-3.4p1-5.i386.rpm \
         openssh-server-3.4p1-5.i386.rpm \
         openssh-askpass-3.4p1-5.i386.rpm \
         openssh-askpass-gnome-3.4p1-5.i386.rpm

RedHat 9
--------
rpm -Fvh openssh-3.5p1-9.i386.rpm \
         openssh-clients-3.5p1-9.i386.rpm \
         openssh-server-3.5p1-9.i386.rpm \
         openssh-askpass-3.5p1-9.i386.rpm \
         openssh-askpass-gnome-3.5p1-9.i386.rpm
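
The affected-version rule and the RedHat package list above, combined into one check (an added example, not part of the original advisory). It shows why a bare "older than 3.7" comparison misreports the patched RedHat builds; the function names are hypothetical, and on an RPM system the input can come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh-server`.

```sh
#!/bin/sh
# Added example, not from the advisory. Classifies a build given as a version
# ("3.6.1p2", "OpenSSH_3.7p1") or as a RedHat version-release ("3.1p1-9").

# Fixed RedHat package per release, as listed in the advisory's rpm commands.
rh_fixed_build() {
    case "$1" in
        7.1)     echo "3.1p1-9" ;;
        7.2|7.3) echo "3.1p1-10" ;;
        8.0)     echo "3.4p1-5" ;;
        9)       echo "3.5p1-9" ;;
        *)       return 1 ;;
    esac
}

# Leading decimal digits of a string, or 0 when there are none.
lead_num() {
    n=$(printf '%s' "$1" | sed 's/^\([0-9]*\).*/\1/')
    echo "${n:-0}"
}

# openssh_status VERSION [REDHAT_RELEASE]
# Prints one of: fixed-upstream, fixed-backport, affected.
openssh_status() {
    ver=${1#OpenSSH_}
    upstream=${ver%%-*}          # drop the rpm release, if present
    numeric=${upstream%%p*}      # drop the portable suffix: 3.6.1p2 -> 3.6.1
    major=$(lead_num "${numeric%%.*}")
    rest=${numeric#*.}
    if [ "$rest" = "$numeric" ]; then rest=0; fi   # no minor component
    minor=$(lead_num "$rest")

    # Upstream fix: 3.7 and later.
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; }; then
        echo fixed-upstream; return 0
    fi

    # Vendor backport: same upstream version as the fixed package for this
    # RedHat release, and a package release number at or above the fixed one.
    if [ "$ver" != "$upstream" ] && fixed=$(rh_fixed_build "${2:-}"); then
        if [ "$upstream" = "${fixed%%-*}" ] &&
           [ "$(lead_num "${ver##*-}")" -ge "$(lead_num "${fixed##*-}")" ]; then
            echo fixed-backport; return 0
        fi
    fi
    echo affected
}
```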

Patch
=====
cd to the directory that contains the source code of your openssh version.
Save the following patch in a file openssh-buffer.patch and run
patch -p0 < openssh-buffer.patch

--- buffer.c	Wed Jun 26 02:14:27 2002
+++ buffer.c	Mon Sep 15 20:31:03 2003
@@ -69,6 +69,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+	u_int newlen;
 	void *p;
 
 	if (len > 0x100000)
@@ -98,11 +99,13 @@
 		goto restart;
 	}
 	/* Increase the size of the buffer and retry. */
-	buffer->alloc += len + 32768;
-	if (buffer->alloc > 0xa00000)
+	
+	newlen = buffer->alloc + len + 32768;
+	if (newlen > 0xa00000)
 		fatal("buffer_append_space: alloc %u not supported",
-		    buffer->alloc);
-	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+		    newlen);
+	buffer->buf = xrealloc(buffer->buf, newlen);
+	buffer->alloc = newlen;
 	goto restart;
 	/* NOTREACHED */
 }
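
Review bot: in the second hunk nothing records why buffer->alloc is now assigned only after the size check and xrealloc. A one-line comment above `newlen = buffer->alloc + len + 32768;` saying that alloc must still describe the existing allocation if fatal() is reached would keep a later cleanup from folding this back into `buffer->alloc += len + 32768;`. The added line directly after the "Increase the size of the buffer and retry" comment contains only a tab and should be dropped.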