[rescue] OpenSSH vulnerability (patched again, remote restart)

Kevin kevin at mpcf.com
Wed Sep 17 13:13:14 CDT 2003


For all those who ran around patching yesterday (myself
included) there is a new version now, 3.7.1p1. 
Apparently all the issues were not corrected in 3.1p1.

This brings me to a question, how can I restart sshd
remotely without rebooting the machine?  A HUP signal
only seems to restart the version that is already
running?

/KRM

On Tue, 16 Sep 2003 12:28:39 -0400
Kevin <kevin at mpcf.com> wrote:

> There is apparently a potential vulnerability with
> OpenSSH before 3.7.  Doesn't look too exploitable but
> just in case...
> 
> /KRM
> 
> Begin forwarded message:
> 
> Date: Tue, 16 Sep 2003 16:02:08 +0000 (GMT)
> From: Chris Wysopal <weld at vulnwatch.org>
> To: vulnwatch at vulnwatch.org
> Subject: [VulnWatch] OpenSSH Security Advisory: buffer.adv
> 
> 
> 
> List:     openbsd-misc
> Subject:  OpenSSH Security Advisory: buffer.adv
> From:     Markus Friedl <markus () openbsd ! org>
> Date:     2003-09-16 12:32:15
> 
> This is the 1st revision of the Advisory.
> 
> This document can be found at: 
> http://www.openssh.com/txt/buffer.adv
> 
> 1. Versions affected:
> 
>         All versions of OpenSSH's sshd prior to 3.7 contain a buffer
>         management error.  It is uncertain whether this error is
>         potentially exploitable, however, we prefer to see bugs
>         fixed proactively.
> 
> 2. Solution:
> 
> 	Upgrade to OpenSSH 3.7 or apply the following patch.
> 
> Appendix:
> 
> Index: buffer.c
> ====================================================
> ===============
> RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
> retrieving revision 1.16
> retrieving revision 1.17
> diff -u -r1.16 -r1.17
> --- buffer.c	26 Jun 2002 08:54:18 -0000	1.16
> +++ buffer.c	16 Sep 2003 03:03:47 -0000	1.17
> @@ -69,6 +69,7 @@
>  void *
>  buffer_append_space(Buffer *buffer, u_int len)
>  {
> +	u_int newlen;
>  	void *p;
> 
>  	if (len > 0x100000)
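
Review bot: the new `u_int newlen` declaration depends on the `if (len > 0x100000)` check just below it, and nothing in the code says so. `newlen` is later computed as `buffer->alloc + len + 32768` in unsigned arithmetic, and that sum only stays far from wrapping because `len` is capped here and the total is capped at 0xa00000 afterwards. A one-line comment tying the two limits together, or named constants in place of the bare 0x100000 and 0xa00000, would keep a later change to either bound from silently removing that guarantee.
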
> @@ -98,11 +99,13 @@
>  		goto restart;
>  	}
>  	/* Increase the size of the buffer and retry.
> */
> -	buffer->alloc += len + 32768;
> -	if (buffer->alloc > 0xa00000)
> +
> +	newlen = buffer->alloc + len + 32768;
> +	if (newlen > 0xa00000)
>  		fatal("buffer_append_space: alloc %u not
> supported",
> -		    buffer->alloc);
> -	buffer->buf = xrealloc(buffer->buf,
> buffer->alloc);+		    newlen);
> +	buffer->buf = xrealloc(buffer->buf, newlen);
> +	buffer->alloc = newlen;
>  	goto restart;
>  	/* NOTREACHED */
>  }
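
Review bot: the ordering in the grow path at the end of this hunk (compute `newlen`, check it against 0xa00000, call `xrealloc`, and only then assign `buffer->alloc = newlen`) is the whole point of the fix, but the only comment there still reads "Increase the size of the buffer and retry." In the removed lines `buffer->alloc` was incremented before the size check, so at the moment `fatal()` was called the structure already claimed more space than `buffer->buf` actually had. Please add a comment stating that `buffer->alloc` must never be updated before the reallocation has succeeded, so the invariant "alloc equals the real size of buf" is visible to whoever edits this function next.
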
> _______________________________________________
> rescue list -
> http://www.sunhelp.org/mailman/listinfo/rescue


-- 
keyserver: http://pgp.mit.edu/


