
Bug#392669: marked as done (/usr/sbin/sshd: off-by-one error in function 'xmmap')



Your message dated Sat, 14 Oct 2006 00:54:09 +0100
with message-id <20061013235408.GA9592@burmah.seehuhn.de>
and subject line Bug#392669: /usr/sbin/sshd: off-by-one error in function 'xmmap'
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: openssh-server
Version: 1:4.3p2-5
Severity: normal
File: /usr/sbin/sshd

Hello,

recently I discovered the following bit of code in the source file
"openssh-4.3p2/openbsd-compat/xmmap.c" (function 'xmmap', around line
51):

    #define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"
        if (address == (void *)MAP_FAILED) {
                char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
                int tmpfd;
                mode_t old_umask;

                old_umask = umask(0177);
                tmpfd = mkstemp(tmpname);

The array 'tmpname' has enough space to contain the string
MM_SWAP_TEMPLATE, but not the terminating '\0' byte.  Therefore
'mkstemp' is called with an unterminated string.

I did not check whether this bug is exploitable in any form, but it
should be fixed anyway.

I hope this helps,
Jochen

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)

Versions of packages openssh-server depends on:
ii  adduser  3.97                            Add and remove users and groups
ii  debconf  1.5.6                           Debian configuration management sy
ii  dpkg     1.13.22                         package maintenance system for Deb
ii  libc6    2.3.6.ds1-6                     GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.10.02+dfsg-1 common error description library
ii  libkrb53 1.4.4-3                         MIT Kerberos runtime libraries
ii  libpam-m 0.79-3.2                        Pluggable Authentication Modules f
ii  libpam-r 0.79-3.2                        Runtime support for the PAM librar
ii  libpam0g 0.79-3.2                        Pluggable Authentication Modules l
ii  libselin 1.30.28-2                       SELinux shared libraries
ii  libssl0. 0.9.8c-3                        SSL shared libraries
ii  libwrap0 7.6.dbs-11                      Wietse Venema's TCP wrappers libra
ii  openssh- 1:4.3p2-5                       Secure shell client, an rlogin/rsh
ii  zlib1g   1:1.2.3-13                      compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: true
  ssh/encrypted_host_key_but_no_keygen:


--- End Message ---
--- Begin Message ---
Hi Justin,

On Fri, Oct 13, 2006 at 07:45:44PM -0400, Justin Pryzby wrote:
> > The problem, reduced to a simpler form, is shown in the following
> > example:
> >
> >     voss@burmah [~] cat t.c
> >     #include <stdio.h>
> >     int
> >     main()
> >     {
> >       char string[4]="1234";
> >       puts(string);
> >       return 0;
> >     }
> >     voss@burmah [~] gcc t.c
> >     voss@burmah [~] ./a.out
> >     1234@o?=o?
> > Clearly 'string' was not terminated there.  Why do you think that the
> > original issue is different?
> Whether you use
> 
>   #define FOO "1234"
> 
> or
> 
>   char foo[]="1234";
> 
> strlen(foo) = 4 (does not include the null byte); and,
> sizeof(foo) = 5 (includes the null byte).
> 
> Your example doesn't use sizeof; try sizeof("1234"), which, it is my
> recollection, will evaluate to 5.

Sorry, of course you are right.
My sincere apologies for the confusion.

All the best,
Jochen
-- 
http://seehuhn.de/



--- End Message ---
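The exchange above turns on whether `sizeof` of a string literal counts the terminating '\0'. The following C is an added example (not part of the bug report, the reply, or OpenSSH) that checks both declarations side by side: the xmmap.c form that sizes the array with `sizeof(MM_SWAP_TEMPLATE)`, and the reduced `char string[4] = "1234"` form from the quoted session, which is the genuinely unterminated case.

```c
#include <stddef.h>
#include <string.h>

/* Same template string as the xmmap.c excerpt in the bug report. */
#define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX"

/* sizeof of a string literal includes the '\0'; strlen does not. */
size_t template_array_size(void) { return sizeof(MM_SWAP_TEMPLATE); }
size_t template_strlen(void)     { return strlen(MM_SWAP_TEMPLATE); }

/* Mirror of the declaration under discussion. Returns 1 if the last
 * array element is the terminator, i.e. mkstemp() would get a proper
 * C string. */
int template_copy_is_terminated(void) {
    char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE;
    return tmpname[sizeof(tmpname) - 1] == '\0';
}

/* Bounded length: counts bytes before '\0' without reading past n.
 * Equivalent to strnlen(), written out so the block needs no
 * POSIX extensions. */
size_t bounded_len(const char *s, size_t n) {
    size_t i = 0;
    while (i < n && s[i] != '\0')
        i++;
    return i;
}

/* The reduced example from the reply: an explicit size equal to
 * strlen() is legal C but stores no terminator. Returns the number of
 * '\0' bytes inside the 4-byte array (expect 0). */
int explicit_size_drops_terminator(void) {
    char string[4] = "1234";   /* 4 bytes, no '\0' stored */
    int nul_bytes = 0;
    for (size_t i = 0; i < sizeof(string); i++)
        if (string[i] == '\0')
            nul_bytes++;
    return nul_bytes;
}

/* Same array checked with the bounded scan: the scan hits the size
 * limit (4) rather than a terminator, which is how a reviewer can
 * test such a buffer without an out-of-bounds read. */
size_t explicit_size_bounded_len(void) {
    char string[4] = "1234";
    return bounded_len(string, sizeof(string));
}
```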
