Re: [Savannah-hackers] openssh security advisory
From: Loic Dachary
Subject: Re: [Savannah-hackers] openssh security advisory
Date: Mon, 22 Apr 2002 20:22:08 +0200
I guess you have an opinion on this subject? As far as I can
tell it may match the savannah setup, but I'm not sure.
Cheers,
mathieu writes:
> Is the savannah openssh server concerned by this security advisory?
> Savannah uses protocol 1 and kerberos...
>
>
> http://online.securityfocus.com/archive/1/268848
>
> A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
> with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
> has been enabled in the sshd_config file. Ticket and token passing
> is not enabled by default.
>
> 1. Systems affected:
>
> All Versions of OpenSSH compiled with AFS/Kerberos support
> and ticket/token passing enabled contain a buffer overflow.
>
> Ticket/Token passing is disabled by default and available
> only in protocol version 1.
>
> 2. Impact:
>
> Remote users may gain privileged access for OpenSSH < 2.9.9
>
> Local users may gain privileged access for OpenSSH < 3.3
>
> No privileged access is possible for OpenSSH with
> UsePrivsep enabled.
>
> 3. Solution:
>
> Apply the following patch and replace radix.c with
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18
>
> 4. Credits:
>
> address@hidden for notifying the OpenSSH team.
> http://mantra.freeweb.hu/
>
> Appendix:
>
> Index: bufaux.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v
> retrieving revision 1.24
> diff -u -r1.24 bufaux.c
> --- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24
> +++ bufaux.c 19 Apr 2002 12:55:29 -0000
> @@ -137,10 +137,18 @@
> BN_bin2bn(bin, len, value);
> xfree(bin);
> }
> -
> /*
> - * Returns an integer from the buffer (4 bytes, msb first).
> + * Returns integers from the buffer (msb first).
> */
> +
> +u_short
> +buffer_get_short(Buffer *buffer)
> +{
> + u_char buf[2];
> + buffer_get(buffer, (char *) buf, 2);
> + return GET_16BIT(buf);
> +}
> +
> u_int
> buffer_get_int(Buffer *buffer)
> {
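Review bot: the rewritten comment above buffer_get_short() drops the width the old text stated ("4 bytes, msb first") and now covers two functions that read different sizes, while the blank line added after it detaches it from both. Suggest one comment directly above each function stating its width: 2 bytes for buffer_get_short(), 4 bytes for buffer_get_int(). The removed blank line also leaves the comment butting against the previous function's closing brace.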
> @@ -158,8 +166,16 @@
> }
>
> /*
> - * Stores an integer in the buffer in 4 bytes, msb first.
> + * Stores integers in the buffer, msb first.
> */
> +void
> +buffer_put_short(Buffer *buffer, u_short value)
> +{
> + char buf[2];
> + PUT_16BIT(buf, value);
> + buffer_append(buffer, buf, 2);
> +}
> +
> void
> buffer_put_int(Buffer *buffer, u_int value)
> {
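Review bot: buffer_put_short() declares its scratch space as "char buf[2]", while buffer_get_short() in the previous hunk uses "u_char buf[2]" and casts at the call. Using u_char in both keeps the byte handling unsigned and the pair symmetric. The comment here also no longer says how many bytes are written; state 2 for the short and 4 for the int.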
> Index: bufaux.h
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v
> retrieving revision 1.17
> diff -u -r1.17 bufaux.h
> --- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17
> +++ bufaux.h 19 Apr 2002 12:55:56 -0000
> @@ -23,6 +23,9 @@
> void buffer_get_bignum(Buffer *, BIGNUM *);
> void buffer_get_bignum2(Buffer *, BIGNUM *);
>
> +u_short buffer_get_short(Buffer *);
> +void buffer_put_short(Buffer *, u_short);
> +
> u_int buffer_get_int(Buffer *);
> void buffer_put_int(Buffer *, u_int);
>
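Review bot: the two prototypes added to bufaux.h are not called anywhere in the visible diff, so applying this patch alone adds helpers without changing any existing code path; the advisory text pairs it with replacing radix.c (rev 1.18). Worth stating in the patch description that both steps are required, so nobody applies only the bufaux changes and treats the host as fixed.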
>
>
>
>
>
> --
> mathieu
> * http://humeur.coleumes.org Was there an earthquake on 21 April 2002? *
> * http://gpg.coleumes.org GPG Key *
>
> _______________________________________________
> Savannah-hackers mailing list
> address@hidden
> http://mail.gnu.org/mailman/listinfo/savannah-hackers
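One way to answer the question in this thread for a given host is to test its sshd_config against the conditions the quoted advisory lists. The script below is an added example, not part of the original messages or of OpenSSH. It reads the advisory's "UsePrivsep" as the UsePrivilegeSeparation keyword, assumes a missing Protocol line may still allow protocol 1, and uses a constructed sample configuration.

```shell
#!/bin/sh
# Classify an sshd_config (read on stdin) against the advisory's conditions:
# ticket/token passing enabled, protocol 1 allowed, privilege separation.
# It cannot see whether sshd was compiled with Kerberos/AFS support, and it
# does not check the OpenSSH version thresholds given in the advisory.
classify_sshd_config() {
    awk '
    # sshd_config: keywords are case-insensitive, "#" starts a comment,
    # and the first value obtained for a keyword is the one used.
    {
        sub(/#.*/, "")
        if (NF < 2) next
        key = tolower($1)
        if (!(key in val)) val[key] = tolower($2)
    }
    END {
        passing = (val["kerberostgtpassing"] == "yes" ||
                   val["afstokenpassing"] == "yes")
        # Assumption: no Protocol line is treated as "protocol 1 may be on".
        proto1 = !("protocol" in val) || (("," val["protocol"] ",") ~ /,1,/)
        privsep = (val["useprivilegeseparation"] == "yes")
        if (!passing || !proto1) {
            print "not-exposed"        # advisory conditions not met
        } else if (privsep) {
            print "exposed-privsep"    # overflow reachable, privsep limits impact
        } else {
            print "exposed"            # conditions met, no privsep
        }
    }'
}

# Constructed sample input (not Savannah's real configuration).
sample='Protocol 1
KerberosTgtPassing yes'
printf '%s\n' "$sample" | classify_sshd_config   # prints: exposed
```

On a real host, feed it the live file, for example `classify_sshd_config < /etc/ssh/sshd_config`, and compare the installed version against the thresholds in the advisory separately.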