Bug#392669: /usr/sbin/sshd: off-by-one error in function 'xmmap'
Package: openssh-server
Version: 1:4.3p2-5
Severity: normal
File: /usr/sbin/sshd
Hello,
recently I discovered the following bit of code in the source file
"openssh-4.3p2/openbsd-compat/xmmap.c" (function 'xmmap', around line
51):
    #define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"

    if (address == (void *)MAP_FAILED) {
        char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
        int tmpfd;
        mode_t old_umask;

        old_umask = umask(0177);
        tmpfd = mkstemp(tmpname);
The array 'tmpname' has enough space to contain the string
MM_SWAP_TEMPLATE, but not the terminating '\0' byte. Therefore
'mkstemp' is called with an unterminated string.
I did not check whether this bug is exploitable in any form, but it
should be fixed anyway.
I hope this helps,
Jochen
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)
Versions of packages openssh-server depends on:
ii adduser 3.97 Add and remove users and groups
ii debconf 1.5.6 Debian configuration management sy
ii dpkg 1.13.22 package maintenance system for Deb
ii libc6 2.3.6.ds1-6 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2006.10.02+dfsg-1 common error description library
ii libkrb53 1.4.4-3 MIT Kerberos runtime libraries
ii libpam-m 0.79-3.2 Pluggable Authentication Modules f
ii libpam-r 0.79-3.2 Runtime support for the PAM librar
ii libpam0g 0.79-3.2 Pluggable Authentication Modules l
ii libselin 1.30.28-2 SELinux shared libraries
ii libssl0. 0.9.8c-3 SSL shared libraries
ii libwrap0 7.6.dbs-11 Wietse Venema's TCP wrappers libra
ii openssh- 1:4.3p2-5 Secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.3-13 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
ssh/insecure_rshd:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: true
ssh/encrypted_host_key_but_no_keygen:
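The quickest way to settle a claim like the one in this report is to let the compiler measure the array. The following C program is an added example, not part of the bug report or of OpenSSH: it declares tmpname exactly as the quoted xmmap.c does and checks whether a NUL byte falls inside the array's bounds. For a string literal, sizeof counts the terminating NUL, so sizeof(MM_SWAP_TEMPLATE) is 26 for this 25-character template and the terminator is inside the array. For contrast, a buffer sized by the character count (25) really does lack the terminator; that counter-example is constructed here and is not what xmmap.c does. The mkstemp() demo in main() uses a constructed template under /tmp so it runs unprivileged; the function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Template string as quoted from openbsd-compat/xmmap.c. */
#define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"

/* Generic check: an array of array_size bytes can hold s plus its
 * terminator only if it is strictly larger than strlen(s). */
int has_room_for_nul(size_t array_size, const char *s)
{
    return array_size > strlen(s);
}

/* Characters in the template, terminator excluded: 25. */
size_t template_len(void)
{
    return strlen(MM_SWAP_TEMPLATE);
}

/* sizeof of a string literal counts the terminator, so the array
 * declared exactly as in xmmap.c is 26 bytes, not 25. */
size_t template_array_size(void)
{
    char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
    return sizeof(tmpname);
}

/* Returns 1 if a NUL byte lies within the bounds of the array declared
 * as in xmmap.c, i.e. if mkstemp() would receive a terminated string. */
int template_is_terminated(void)
{
    char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
    return memchr(tmpname, '\0', sizeof(tmpname)) != NULL;
}

/* Constructed counter-example, not from xmmap.c: a buffer sized by the
 * character count rather than by sizeof really does lack the
 * terminator, which is the off-by-one the report describes. */
int strlen_sized_is_terminated(void)
{
    char tmpname[25];                                   /* strlen(MM_SWAP_TEMPLATE) */
    memcpy(tmpname, MM_SWAP_TEMPLATE, sizeof(tmpname)); /* 25 bytes, no NUL */
    return memchr(tmpname, '\0', sizeof(tmpname)) != NULL;
}

int main(void)
{
    printf("strlen = %zu, sizeof = %zu, terminated = %d\n",
           template_len(), template_array_size(), template_is_terminated());
    printf("strlen-sized copy terminated = %d\n", strlen_sized_is_terminated());

    /* Same declaration pattern with a constructed template under /tmp so
     * the demo runs unprivileged; mkstemp() rewrites the X's in place. */
    char demo[sizeof("/tmp/xmmap-check.XXXXXX")] = "/tmp/xmmap-check.XXXXXX";
    int fd = mkstemp(demo);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("mkstemp created %s\n", demo);
    close(fd);
    unlink(demo);
    return 0;
}
```

The general rule the example encodes: a char array can carry a C string only if its size is strictly greater than strlen() of the string, which is exactly what sizeof of the literal guarantees and what a strlen()-derived size does not.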