Your message dated Sat, 14 Oct 2006 00:54:09 +0100
with message-id <20061013235408.GA9592@burmah.seehuhn.de>
and subject line Bug#392669: /usr/sbin/sshd: off-by-one error in function 'xmmap'
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: /usr/sbin/sshd: off-by-one error in function 'xmmap'
- From: Jochen Voss <voss@debian.org>
- Date: Thu, 12 Oct 2006 20:39:22 +0100
- Message-id: <20061012193922.11553.14354.reportbug@burmah.maths.warwick.ac.uk>
Package: openssh-server
Version: 1:4.3p2-5
Severity: normal
File: /usr/sbin/sshd

Hello,

recently I discovered the following bit of code in the source file
"openssh-4.3p2/openbsd-compat/xmmap.c" (function 'xmmap', around line 51):

    #define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"

    if (address == (void *)MAP_FAILED) {
        char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
        int tmpfd;
        mode_t old_umask;

        old_umask = umask(0177);
        tmpfd = mkstemp(tmpname);

The array 'tmpname' has enough space to contain the string
MM_SWAP_TEMPLATE, but not the terminating '\0' byte. Therefore 'mkstemp'
is called with an unterminated string.

I did not check whether this bug is exploitable in any form, but it
should be fixed anyway.

I hope this helps,
Jochen

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)

Versions of packages openssh-server depends on:
ii  adduser   3.97                             Add and remove users and groups
ii  debconf   1.5.6                            Debian configuration management sy
ii  dpkg      1.13.22                          package maintenance system for Deb
ii  libc6     2.3.6.ds1-6                      GNU C Library: Shared libraries
ii  libcomer  1.39+1.40-WIP-2006.10.02+dfsg-1  common error description library
ii  libkrb53  1.4.4-3                          MIT Kerberos runtime libraries
ii  libpam-m  0.79-3.2                         Pluggable Authentication Modules f
ii  libpam-r  0.79-3.2                         Runtime support for the PAM librar
ii  libpam0g  0.79-3.2                         Pluggable Authentication Modules l
ii  libselin  1.30.28-2                        SELinux shared libraries
ii  libssl0.  0.9.8c-3                         SSL shared libraries
ii  libwrap0  7.6.dbs-11                       Wietse Venema's TCP wrappers libra
ii  openssh-  1:4.3p2-5                        Secure shell client, an rlogin/rsh
ii  zlib1g    1:1.2.3-13                       compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: true
  ssh/encrypted_host_key_but_no_keygen:
--- End Message ---
--- Begin Message ---
- To: Justin Pryzby <pryzbyj@justinpryzby.com>
- Cc: 392669-done@bugs.debian.org
- Subject: Re: Bug#392669: /usr/sbin/sshd: off-by-one error in function 'xmmap'
- From: Jochen Voss <voss@seehuhn.de>
- Date: Sat, 14 Oct 2006 00:54:09 +0100
- Message-id: <20061013235408.GA9592@burmah.seehuhn.de>
- In-reply-to: <2403.69.6.100.93.1160783144.squirrel@69.6.100.93>
- References: <20061012193922.11553.14354.reportbug@burmah.maths.warwick.ac.uk> <2302.69.6.100.93.1160780511.squirrel@69.6.100.93> <20061013231430.GA9345@burmah.seehuhn.de> <2403.69.6.100.93.1160783144.squirrel@69.6.100.93>
Hi Justin,

On Fri, Oct 13, 2006 at 07:45:44PM -0400, Justin Pryzby wrote:
> > The problem, reduced to a simpler form, is shown in the following
> > example:
> >
> > voss@burmah [~] cat t.c
> > #include <stdio.h>
> > int
> > main()
> > {
> >   char string[4]="1234";
> >   puts(string);
> >   return 0;
> > }
> > voss@burmah [~] gcc t.c
> > voss@burmah [~] ./a.out
> > 1234@o?=o?
> >
> > Clearly 'string' was not terminated there. Why do you think that the
> > original issue is different?
>
> Whether you use
>
>     #define FOO "1234"
>
> or
>
>     char foo[]="1234";
>
> strlen(foo) = 4 (does not include the null byte); and,
> sizeof(foo) = 5 (includes the null byte).
>
> Your example doesn't use sizeof; try sizeof("1234"), which, it is my
> recollection, will evaluate to 5.

Sorry, of course you are right. My sincere apologies for the confusion.

All the best,
Jochen
-- 
http://seehuhn.de/

Attachment: signature.asc
Description: Digital signature
--- End Message ---
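The sizeof-versus-strlen point that closes the thread, as an added example that is not part of the bug report or of OpenSSH: it sizes a buffer the way xmmap.c does, checks for a terminating NUL within the array bounds, and contrasts that with the t.c pattern from the discussion. MM_SWAP_TEMPLATE is the literal quoted in the report; the function names are assumed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Template string quoted in the bug report (openbsd-compat/xmmap.c). */
#define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"

/* sizeof on a string literal counts the terminating NUL; strlen does not. */
size_t template_sizeof(void) { return sizeof(MM_SWAP_TEMPLATE); }
size_t template_strlen(void) { return strlen(MM_SWAP_TEMPLATE); }

/* Returns 1 if a NUL byte lies within the first 'len' bytes of 'buf',
 * i.e. the buffer may be handed to a function that expects a C string. */
int buffer_is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The xmmap pattern: the array is sized with sizeof(literal), so the copy
 * of the literal, NUL included, fits exactly. */
int xmmap_pattern_is_terminated(void)
{
    char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
    return buffer_is_terminated(tmpname, sizeof tmpname);
}

/* The t.c pattern from the thread: an explicit size equal to strlen(literal)
 * is legal C but silently drops the NUL, leaving a char array that is not a
 * string, which is why puts() read past it. */
int tc_pattern_is_terminated(void)
{
    char string[4] = "1234";
    return buffer_is_terminated(string, sizeof string);
}

int main(void)
{
    printf("sizeof(MM_SWAP_TEMPLATE) = %zu, strlen = %zu\n",
           template_sizeof(), template_strlen());
    printf("xmmap pattern terminated: %d\n", xmmap_pattern_is_terminated());
    printf("t.c pattern terminated:   %d\n", tc_pattern_is_terminated());
    return 0;
}
```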