
Bug#211324: marked as done (ssh: Further potential security bugs)



Your message dated Tue, 16 Sep 2003 22:33:10 -0400
with message-id <E19zS7y-0002ya-00@auric.debian.org>
and subject line Bug#211324: fixed in openssh 1:3.6.1p2-8
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Sep 2003 01:05:32 +0000
>From ewen@basilica.la.naos.co.nz Tue Sep 16 20:04:57 2003
Return-path: <ewen@basilica.la.naos.co.nz>
Received: from synagogue.naos.co.nz [203.79.85.250] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19zQkb-00077A-00; Tue, 16 Sep 2003 20:04:57 -0500
Received: from basilica.la.naos.co.nz (home.naos.co.nz [203.79.72.36])
	by synagogue.naos.co.nz (Postfix) with ESMTP id 90C89846EE1
	for <submit@bugs.debian.org>; Wed, 17 Sep 2003 13:04:54 +1200 (NZST)
Received: by basilica.la.naos.co.nz (Postfix, from userid 501)
	id CF1A63C486E7; Wed, 17 Sep 2003 13:04:19 +1200 (NZST)
From: Ewen McNeill <ewen@basilica.la.naos.co.nz>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: Further potential security bugs
X-Mailer: reportbug 1.50
Date: Wed, 17 Sep 2003 13:04:19 +1200
Message-Id: <20030917010419.CF1A63C486E7@basilica.la.naos.co.nz>
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-12.3 required=4.0
	tests=BAYES_30,HAS_PACKAGE,PATCH_UNIFIED_DIFF
	autolearn=ham version=2.53-bugs.debian.org_2003_9_16
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_9_16 (1.174.2.15-2003-03-30-exp)

Package: ssh
Version: 1:3.4p1-1.1
Severity: grave
Tags: security
Justification: user security hole

Further to bug 211205 which was resolved by DSA-382-1:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=211205

the OpenBSD project have released OpenSSH 3.7.1 which contains further
updates for similar issues to the one fixed by OpenSSH 3.7.  While they
do not know if these bugs are exploitable (which they also said about
the 3.7 buffer.c update) it may be worth investigating the additional 
updates in 3.7.1 and seeing if any of them are applicable to the
versions in Debian, and if so reissuing the security update.  (The diff 
between 3.7 and 3.7.1 is short and only seems to contain the potential
security fixes.)

The grave/user security rating on the bug is because of the concern
that some of these additional issues found may be security issues.

I enclose the OpenBSD advisory:

-=- cut here -=-
From: Markus Friedl <markus@openbsd.org>
To: security-announce@openbsd.org
Subject: OpenSSH Security Advisory: buffer.adv
Date: Wed, 17 Sep 2003 01:13:29 +0200
Message-ID: <20030916231329.GA25160@folly>

This is the 2nd revision of the Advisory.

This document can be found at:  http://www.openssh.com/txt/buffer.adv

1. Versions affected:

        All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
        management errors.  It is uncertain whether these errors are
        potentially exploitable, however, we prefer to see bugs
        fixed proactively.

        Other implementations sharing common origin may also have
        these issues.

2. Solution:

	Upgrade to OpenSSH 3.7.1 or apply the following patch.

===================================================================
Appendix A: patch for OpenSSH 3.6.1 and earlier

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.18
diff -u -r1.16 -r1.18
--- buffer.c	26 Jun 2002 08:54:18 -0000	1.16
+++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
@@ -23,8 +23,11 @@
 void
 buffer_init(Buffer *buffer)
 {
-	buffer->alloc = 4096;
-	buffer->buf = xmalloc(buffer->alloc);
+	const u_int len = 4096;
+
+	buffer->alloc = 0;
+	buffer->buf = xmalloc(len);
+	buffer->alloc = len;
 	buffer->offset = 0;
 	buffer->end = 0;
 }
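Review bot: the `buffer->alloc = 0;` placed before `xmalloc(len)` is the whole point of this hunk and needs a comment, because nothing in the code says why a field assigned on the next line is first set to zero. If `xmalloc()` fails via `fatal()` and a cleanup path then calls `buffer_free()` on this partially initialised struct, `alloc == 0` makes `buffer_free()` skip the `memset`/`xfree` of a `buf` that was never allocated; with the old ordering (`alloc = 4096` first) that cleanup would have operated on whatever `buffer->buf` happened to contain. Suggest `/* alloc stays 0 until buf is valid so buffer_free() is safe if xmalloc fails */` above the assignment.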
@@ -34,8 +37,10 @@
 void
 buffer_free(Buffer *buffer)
 {
-	memset(buffer->buf, 0, buffer->alloc);
-	xfree(buffer->buf);
+	if (buffer->alloc > 0) {
+		memset(buffer->buf, 0, buffer->alloc);
+		xfree(buffer->buf);
+	}
 }
 
 /*
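Review bot: `buffer_free()` now tests `buffer->alloc > 0` but never resets it, so a second call on the same `Buffer` will re-run `memset` and `xfree` on the already-freed `buffer->buf`; the guard covers the never-allocated case but not the double-free case. Suggest adding `buffer->alloc = 0;` (and ideally `buffer->buf = NULL;`) inside the `if` after `xfree(buffer->buf);` so that repeated frees become no-ops.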
@@ -69,6 +74,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+	u_int newlen;
 	void *p;
 
 	if (len > 0x100000)
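Review bot: the `if (len > 0x100000)` check kept as context here is what bounds `len` before it is added to `buffer->alloc` in the next hunk of this file, and the new `u_int newlen;` declaration gives no hint of that dependency. A one-line comment on the declaration, such as `/* computed before alloc is updated; len is bounded by the 0x100000 check */`, would stop a later edit from relaxing the cap without revisiting the growth arithmetic.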
@@ -98,11 +104,13 @@
 		goto restart;
 	}
 	/* Increase the size of the buffer and retry. */
-	buffer->alloc += len + 32768;
-	if (buffer->alloc > 0xa00000)
+	
+	newlen = buffer->alloc + len + 32768;
+	if (newlen > 0xa00000)
 		fatal("buffer_append_space: alloc %u not supported",
-		    buffer->alloc);
-	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+		    newlen);
+	buffer->buf = xrealloc(buffer->buf, newlen);
+	buffer->alloc = newlen;
 	goto restart;
 	/* NOTREACHED */
 }
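Review bot: the first added line of this hunk (`+` followed by a lone tab, where `buffer->alloc += len + 32768;` used to be) is whitespace-only and should be dropped. The reordering itself is right: the old code bumped `buffer->alloc` before both the size check and `xrealloc()`, so a `fatal()` from either left `alloc` claiming more bytes than `buf` actually held, and anything that trusts `alloc` (the `memset` in `buffer_free()`) would then write past the allocation; computing `newlen` first and assigning `buffer->alloc = newlen` only after `xrealloc()` returns keeps the two fields consistent at every point. Since `alloc` never exceeds `0xa00000` and `len` is capped at `0x100000` by the check in the previous hunk, the sum cannot wrap a 32-bit `u_int`; that is worth stating in a comment next to the `newlen > 0xa00000` test.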
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c	29 Aug 2003 10:04:36 -0000	1.194
+++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
@@ -228,12 +228,13 @@
 	if (found == -1) {
 		/* There are no free slots.  Take last+1 slot and expand the array.  */
 		found = channels_alloc;
-		channels_alloc += 10;
 		if (channels_alloc > 10000)
 			fatal("channel_new: internal error: channels_alloc %d "
 			    "too big.", channels_alloc);
+		channels = xrealloc(channels,
+		    (channels_alloc + 10) * sizeof(Channel *));
+		channels_alloc += 10;
 		debug2("channel: expanding %d", channels_alloc);
-		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
 		for (i = found; i < channels_alloc; i++)
 			channels[i] = NULL;
 	}
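Review bot: moving `channels_alloc += 10;` after the `xrealloc()` is the fix that matters: with the old order a `fatal()` inside `xrealloc()` left `channels_alloc` ten slots larger than the array, so anything that iterates up to `channels_alloc` (as the `for` loop at the end of this hunk does) would index past the allocation; now the count only grows once the memory exists. One side effect to note: the `channels_alloc > 10000` check now sees the pre-growth value, so the array can reach 10010 entries before `fatal()` fires rather than 10000. Harmless, but if 10000 is meant as a hard cap, test `channels_alloc + 10 > 10000` to keep the old limit. The `debug2()` now logs the updated value, which reads correctly.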


===================================================================
Appendix B: patch for OpenSSH 3.7

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- buffer.c	16 Sep 2003 03:03:47 -0000	1.17
+++ buffer.c	16 Sep 2003 21:02:39 -0000	1.18
@@ -23,8 +23,11 @@
 void
 buffer_init(Buffer *buffer)
 {
-	buffer->alloc = 4096;
-	buffer->buf = xmalloc(buffer->alloc);
+	const u_int len = 4096;
+
+	buffer->alloc = 0;
+	buffer->buf = xmalloc(len);
+	buffer->alloc = len;
 	buffer->offset = 0;
 	buffer->end = 0;
 }
@@ -34,8 +37,10 @@
 void
 buffer_free(Buffer *buffer)
 {
-	memset(buffer->buf, 0, buffer->alloc);
-	xfree(buffer->buf);
+	if (buffer->alloc > 0) {
+		memset(buffer->buf, 0, buffer->alloc);
+		xfree(buffer->buf);
+	}
 }
 
 /*
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -r1.194 -r1.195
--- channels.c	29 Aug 2003 10:04:36 -0000	1.194
+++ channels.c	16 Sep 2003 21:02:40 -0000	1.195
@@ -228,12 +228,13 @@
 	if (found == -1) {
 		/* There are no free slots.  Take last+1 slot and expand the array.  */
 		found = channels_alloc;
-		channels_alloc += 10;
 		if (channels_alloc > 10000)
 			fatal("channel_new: internal error: channels_alloc %d "
 			    "too big.", channels_alloc);
+		channels = xrealloc(channels,
+		    (channels_alloc + 10) * sizeof(Channel *));
+		channels_alloc += 10;
 		debug2("channel: expanding %d", channels_alloc);
-		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
 		for (i = found; i < channels_alloc; i++)
 			channels[i] = NULL;
 	}

===================================================================
-=- cut here -=-

Ewen

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux basilica 2.4.21-xfs-lvm107-ll-acpi-skas-bluezmh2-nomodv #1 Mon Sep 8 18:19:23 NZST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii  adduser                 3.47             Add and remove users and groups
ii  debconf                 1.2.35woody1     Debian configuration management sy
ii  libc6                   2.2.5-11.5       GNU C Library: Shared libraries an
ii  libpam-modules          0.72-35          Pluggable Authentication Modules f
ii  libpam0g                0.72-35          Pluggable Authentication Modules l
ii  libssl0.9.6             0.9.6c-2.woody.3 SSL shared libraries
ii  libwrap0                7.6-9            Wietse Venema's TCP wrappers libra
ii  zlib1g                  1:1.1.4-1        compression library - runtime


---------------------------------------
Received: (at 211324-close) by bugs.debian.org; 17 Sep 2003 02:39:45 +0000
>From katie@auric.debian.org Tue Sep 16 21:39:44 2003
Return-path: <katie@auric.debian.org>
Received: from auric.debian.org [206.246.226.45] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19zSEK-0000NK-00; Tue, 16 Sep 2003 21:39:44 -0500
Received: from katie by auric.debian.org with local (Exim 3.35 1 (Debian))
	id 19zS7y-0002ya-00; Tue, 16 Sep 2003 22:33:10 -0400
From: Colin Watson <cjwatson@debian.org>
To: 211324-close@bugs.debian.org
X-Katie: $Revision: 1.35 $
Subject: Bug#211324: fixed in openssh 1:3.6.1p2-8
Message-Id: <E19zS7y-0002ya-00@auric.debian.org>
Sender: Archive Administrator <katie@auric.debian.org>
Date: Tue, 16 Sep 2003 22:33:10 -0400
Delivered-To: 211324-close@bugs.debian.org

Source: openssh
Source-Version: 1:3.6.1p2-8

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh_3.6.1p2-8.diff.gz
  to pool/main/o/openssh/openssh_3.6.1p2-8.diff.gz
openssh_3.6.1p2-8.dsc
  to pool/main/o/openssh/openssh_3.6.1p2-8.dsc
ssh-askpass-gnome_3.6.1p2-8_i386.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.6.1p2-8_i386.deb
ssh_3.6.1p2-8_i386.deb
  to pool/main/o/openssh/ssh_3.6.1p2-8_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 211324@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed, 17 Sep 2003 03:07:19 +0100
Source: openssh
Binary: ssh-askpass-gnome ssh
Architecture: source i386
Version: 1:3.6.1p2-8
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 ssh        - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 211324
Changes: 
 openssh (1:3.6.1p2-8) unstable; urgency=high
 .
   * Merge more buffer allocation fixes from new upstream version 3.7.1p1
     (closes: #211324).
Files: 
 1be764ac7efec82f66c69809cd06ae3c 847 net standard openssh_3.6.1p2-8.dsc
 f2b4082c2e4db7d0da9d34b76a2570a3 80369 net standard openssh_3.6.1p2-8.diff.gz
 65134ed2aca40b74c72eca0649f0149e 650492 net standard ssh_3.6.1p2-8_i386.deb
 d8f97cbbf72382f2706cf6208a10c2ab 43088 gnome optional ssh-askpass-gnome_3.6.1p2-8_i386.deb

