
Bug#392669: /usr/sbin/sshd: off-by-one error in function 'xmmap'



Package: openssh-server
Version: 1:4.3p2-5
Severity: normal
File: /usr/sbin/sshd

Hello,

recently I discovered the following bit of code in the source file
"openssh-4.3p2/openbsd-compat/xmmap.c" (function 'xmmap', around line
51):

    #define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"
        if (address == (void *)MAP_FAILED) {
                char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
                int tmpfd;
                mode_t old_umask;

                old_umask = umask(0177);
                tmpfd = mkstemp(tmpname);

The array 'tmpname' has enough space to contain the string
MM_SWAP_TEMPLATE, but not the terminating '\0' byte.  Therefore
'mkstemp' is called with an unterminated string.

I did not check whether this bug is exploitable in any form, but it
should be fixed anyway.

I hope this helps,
Jochen

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)

Versions of packages openssh-server depends on:
ii  adduser  3.97                            Add and remove users and groups
ii  debconf  1.5.6                           Debian configuration management sy
ii  dpkg     1.13.22                         package maintenance system for Deb
ii  libc6    2.3.6.ds1-6                     GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.10.02+dfsg-1 common error description library
ii  libkrb53 1.4.4-3                         MIT Kerberos runtime libraries
ii  libpam-m 0.79-3.2                        Pluggable Authentication Modules f
ii  libpam-r 0.79-3.2                        Runtime support for the PAM librar
ii  libpam0g 0.79-3.2                        Pluggable Authentication Modules l
ii  libselin 1.30.28-2                       SELinux shared libraries
ii  libssl0. 0.9.8c-3                        SSL shared libraries
ii  libwrap0 7.6.dbs-11                      Wietse Venema's TCP wrappers libra
ii  openssh- 1:4.3p2-5                       Secure shell client, an rlogin/rsh
ii  zlib1g   1:1.2.3-13                      compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: true
  ssh/encrypted_host_key_but_no_keygen:
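
One way to check the termination question this report raises, as an added example (not code from the report or from OpenSSH). The helper names `template_ok`, `check_reported_declaration`, `check_short_buffer` and `spare_bytes` are hypothetical; they test whether a buffer handed to `mkstemp` holds a NUL inside its bounds, for the declaration as quoted and for a constructed buffer one byte shorter.

```c
#include <stdio.h>
#include <string.h>

/* Same template string as in the report. */
#define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"

/* Hypothetical helper (not from OpenSSH): returns 1 if buf[0..size) holds a
 * NUL-terminated string ending in the six 'X' characters mkstemp(3)
 * requires, 0 otherwise. Never reads past buf + size. */
static int template_ok(const char *buf, size_t size)
{
    const char *nul = memchr(buf, '\0', size);
    size_t len;
    if (nul == NULL)
        return 0;               /* no terminator inside the array */
    len = (size_t)(nul - buf);
    if (len < 6)
        return 0;
    return memcmp(buf + len - 6, "XXXXXX", 6) == 0;
}

/* Array declared exactly as in the quoted xmmap.c lines. */
static int check_reported_declaration(void)
{
    char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
    return template_ok(tmpname, sizeof(tmpname));
}

/* Constructed counter-case: one byte shorter, filled without a terminator. */
static int check_short_buffer(void)
{
    char tmpname[sizeof(MM_SWAP_TEMPLATE) - 1];
    memcpy(tmpname, MM_SWAP_TEMPLATE, sizeof(tmpname));
    return template_ok(tmpname, sizeof(tmpname));
}

/* Array size minus string length: bytes left over for the terminator. */
static size_t spare_bytes(void)
{
    return sizeof(MM_SWAP_TEMPLATE) - strlen(MM_SWAP_TEMPLATE);
}

int main(void)
{
    printf("spare bytes: %zu\n", spare_bytes());
    printf("declaration as quoted: %d\n", check_reported_declaration());
    printf("one byte shorter: %d\n", check_short_buffer());
    return 0;
}
```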



