Bug#211324: ssh: Further potential security bugs

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#211324: ssh: Further potential security bugs
From: Ewen McNeill <ewen@basilica.la.naos.co.nz>
Date: Wed, 17 Sep 2003 13:04:19 +1200
Message-id: <[🔎] 20030917010419.CF1A63C486E7@basilica.la.naos.co.nz>
Reply-to: Ewen McNeill <ewen@basilica.la.naos.co.nz>, 211324@bugs.debian.org

Package: ssh
Version: 1:3.4p1-1.1
Severity: grave
Tags: security
Justification: user security hole

Further to bug 211205 which was resolved by DSA-382-1:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=211205

the OpenBSD project have released OpenSSH 3.7.1 which contains further
updates for similar issues to the one fixed by OpenSSH 3.7.  While they
do not know if these bugs are exploitable (which they also said about
the 3.7 buffer.c update) it may be worth investigating the additional 
updates in 3.7.1 and seeing if any of them are applicable to the
versions in Debian, and if so reissuing the security update.  (The diff 
between 3.7 and 3.7.1 is short and only seems to contain the potential
security fixes.)

The grave/user security rating on the bug is because of the concern
that some of these additional issues found may be security issues.

I enclose the OpenBSD advisory:

-=- cut here -=-
From: Markus Friedl <markus@openbsd.org>
To: security-announce@openbsd.org
Subject: OpenSSH Security Advisory: buffer.adv
Date: Wed, 17 Sep 2003 01:13:29 +0200
Message-ID: <20030916231329.GA25160@folly>

This is the 2nd revision of the Advisory.

This document can be found at:  http://www.openssh.com/txt/buffer.adv

1. Versions affected:

        All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
        management errors.  It is uncertain whether these errors are
        potentially exploitable, however, we prefer to see bugs
        fixed proactively.

        Other implementations sharing common origin may also have
        these issues.

2. Solution:

	Upgrade to OpenSSH 3.7.1 or apply the following patch.

===================================================================
Appendix A: patch for OpenSSH 3.6.1 and earlier

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.18
diff -u -r1.16 -r1.18
--- buffer.c	26 Jun 2002 08:54:18 -0000	1.16
+++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
@@ -23,8 +23,11 @@
 void
 buffer_init(Buffer *buffer)
 {
-	buffer->alloc = 4096;
-	buffer->buf = xmalloc(buffer->alloc);
+	const u_int len = 4096;
+
+	buffer->alloc = 0;
+	buffer->buf = xmalloc(len);
+	buffer->alloc = len;
 	buffer->offset = 0;
 	buffer->end = 0;
 }
@@ -34,8 +37,10 @@
 void
 buffer_free(Buffer *buffer)
 {
-	memset(buffer->buf, 0, buffer->alloc);
-	xfree(buffer->buf);
+	if (buffer->alloc > 0) {
+		memset(buffer->buf, 0, buffer->alloc);
+		xfree(buffer->buf);
+	}
 }
 
 /*
@@ -69,6 +74,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+	u_int newlen;
 	void *p;
 
 	if (len > 0x100000)
@@ -98,11 +104,13 @@
 		goto restart;
 	}
 	/* Increase the size of the buffer and retry. */
-	buffer->alloc += len + 32768;
-	if (buffer->alloc > 0xa00000)
+	
+	newlen = buffer->alloc + len + 32768;
+	if (newlen > 0xa00000)
 		fatal("buffer_append_space: alloc %u not supported",
-		    buffer->alloc);
-	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+		    newlen);
+	buffer->buf = xrealloc(buffer->buf, newlen);
+	buffer->alloc = newlen;
 	goto restart;
 	/* NOTREACHED */
 }
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c	29 Aug 2003 10:04:36 -0000	1.194
+++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
@@ -228,12 +228,13 @@
 	if (found == -1) {
 		/* There are no free slots.  Take last+1 slot and expand the array.  */
 		found = channels_alloc;
-		channels_alloc += 10;
 		if (channels_alloc > 10000)
 			fatal("channel_new: internal error: channels_alloc %d "
 			    "too big.", channels_alloc);
+		channels = xrealloc(channels,
+		    (channels_alloc + 10) * sizeof(Channel *));
+		channels_alloc += 10;
 		debug2("channel: expanding %d", channels_alloc);
-		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
 		for (i = found; i < channels_alloc; i++)
 			channels[i] = NULL;
 	}


===================================================================
Appendix B: patch for OpenSSH 3.7

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- buffer.c	16 Sep 2003 03:03:47 -0000	1.17
+++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
@@ -23,8 +23,11 @@
 void
 buffer_init(Buffer *buffer)
 {
-	buffer->alloc = 4096;
-	buffer->buf = xmalloc(buffer->alloc);
+	const u_int len = 4096;
+
+	buffer->alloc = 0;
+	buffer->buf = xmalloc(len);
+	buffer->alloc = len;
 	buffer->offset = 0;
 	buffer->end = 0;
 }
@@ -34,8 +37,10 @@
 void
 buffer_free(Buffer *buffer)
 {
-	memset(buffer->buf, 0, buffer->alloc);
-	xfree(buffer->buf);
+	if (buffer->alloc > 0) {
+		memset(buffer->buf, 0, buffer->alloc);
+		xfree(buffer->buf);
+	}
 }
 
 /*
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c	29 Aug 2003 10:04:36 -0000	1.194
+++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
@@ -228,12 +228,13 @@
 	if (found == -1) {
 		/* There are no free slots.  Take last+1 slot and expand the array.  */
 		found = channels_alloc;
-		channels_alloc += 10;
 		if (channels_alloc > 10000)
 			fatal("channel_new: internal error: channels_alloc %d "
 			    "too big.", channels_alloc);
+		channels = xrealloc(channels,
+		    (channels_alloc + 10) * sizeof(Channel *));
+		channels_alloc += 10;
 		debug2("channel: expanding %d", channels_alloc);
-		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
 		for (i = found; i < channels_alloc; i++)
 			channels[i] = NULL;
 	}

===================================================================
-=- cut here -=-

Ewen

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux basilica 2.4.21-xfs-lvm107-ll-acpi-skas-bluezmh2-nomodv #1 Mon Sep 8 18:19:23 NZST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii  adduser                 3.47             Add and remove users and groups
ii  debconf                 1.2.35woody1     Debian configuration management sy
ii  libc6                   2.2.5-11.5       GNU C Library: Shared libraries an
ii  libpam-modules          0.72-35          Pluggable Authentication Modules f
ii  libpam0g                0.72-35          Pluggable Authentication Modules l
ii  libssl0.9.6             0.9.6c-2.woody.3 SSL shared libraries
ii  libwrap0                7.6-9            Wietse Venema's TCP wrappers libra
ii  zlib1g                  1:1.1.4-1        compression library - runtime

Reply to:

Follow-Ups:
- Bug#211324: ssh: Further potential security bugs
  - From: Colin Watson <cjwatson@debian.org>
- Bug#211324: marked as done (ssh: Further potential security bugs)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#211305: ssh: Hostbased authentication broken after security upgrade
Next by Date: Accepted openssh 1:3.6.1p2-7 (i386 source)
Previous by thread: Bug#211305: ssh: Hostbased authentication broken after security upgrade
Next by thread: Bug#211324: ssh: Further potential security bugs
Index(es):
- Date
- Thread