[rescue] OpenSSH vulnerability

[Kevin]

There is apparently a potential vulnerability with
OpenSSH before 3.7.  Doesn't look too exploitable but
just in case...

/KRM

Begin forwarded message:

Date: Tue, 16 Sep 2003 16:02:08 +0000 (GMT)
From: Chris Wysopal <weld at vulnwatch.org>
To: vulnwatch at vulnwatch.org
Subject: [VulnWatch] OpenSSH Security Advisory:
buffer.adv



List:     openbsd-misc
Subject:  OpenSSH Security Advisory: buffer.adv
From:     Markus Friedl <markus () openbsd ! org>
Date:     2003-09-16 12:32:15
[Download message RAW]

This is the 1st revision of the Advisory.

This document can be found at: 
http://www.openssh.com/txt/buffer.adv

1. Versions affected:

        All versions of OpenSSH's sshd prior to 3.7
contain a buffer
        management error.  It is uncertain whether this
error is
        potentially exploitable, however, we prefer to
see bugs
        fixed proactively.

2. Solution:

	Upgrade to OpenSSH 3.7 or apply the following patch.

Appendix:

Index: buffer.c
======================================================
=============
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- buffer.c	26 Jun 2002 08:54:18 -0000	1.16
+++ buffer.c	16 Sep 2003 03:03:47 -0000	1.17
@@ -69,6 +69,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+	u_int newlen;
 	void *p;

 	if (len > 0x100000)
@@ -98,11 +99,13 @@
 		goto restart;
 	}
 	/* Increase the size of the buffer and retry.
*/
-	buffer->alloc += len + 32768;
-	if (buffer->alloc > 0xa00000)
+
+	newlen = buffer->alloc + len + 32768;
+	if (newlen > 0xa00000)
 		fatal("buffer_append_space: alloc %u not
supported",
-		    buffer->alloc);
-	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+		    newlen);
+	buffer->buf = xrealloc(buffer->buf, newlen);
+	buffer->alloc = newlen;
 	goto restart;
 	/* NOTREACHED */
 }