OpenSSH Buffer Management Vulnerability
by Berislav Kucan - Tuesday, 16 September 2003.
Early today we received a note that there are rumblings in the underground related to a new OpenSSH vulnerability. The official web site says that a new version of OpenSSH was released and the following security advisory was published. Below the official OpenSSH patch, you can see the vendor advisories on this issue. Note: The advisory in question has been updated with new patches, so please do visit: http://www.openssh.com/txt/buffer.adv for the latest patches.Subject: OpenSSH Security Advisory: buffer.adv This is the 1st revision of the Advisory. This document can be found at: http://www.openssh.com/txt/buffer.adv 1. Versions affected: All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively. 2. Solution: Upgrade to OpenSSH 3.7 or apply the following patch. Appendix: Index: buffer.c =================================================

RCS file: /cvs/src/usr.bin/ssh/buffer.c,v

retrieving revision 1.16

retrieving revision 1.18

diff -u -r1.16 -r1.18

--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16

+++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18

@@ -23,8 +23,11 @@

void

buffer_init(Buffer *buffer)

{

- buffer->alloc = 4096;

- buffer->buf = xmalloc(buffer->alloc);

+ const u_int len = 4096;

+

+ buffer->alloc = 0;

+ buffer->buf = xmalloc(len);

+ buffer->alloc = len;

buffer->offset = 0;

buffer->end = 0;

}

@@ -34,8 +37,10 @@

void

buffer_free(Buffer *buffer)

{

- memset(buffer->buf, 0, buffer->alloc);

- xfree(buffer->buf);

+ if (buffer->alloc > 0) {

+ memset(buffer->buf, 0, buffer->alloc);

+ xfree(buffer->buf);

+ }

}

/*

@@ -69,6 +74,7 @@

void *

buffer_append_space(Buffer *buffer, u_int len)

{

+ u_int newlen;

void *p;

if (len > 0x100000)

@@ -98,11 +104,13 @@

goto restart;

}

/* Increase the size of the buffer and retry. */

- buffer->alloc += len + 32768;

- if (buffer->alloc > 0xa00000)

+

+ newlen = buffer->alloc + len + 32768;

+ if (newlen > 0xa00000)

fatal("buffer_append_space: alloc %u not supported",

- buffer->alloc);

- buffer->buf = xrealloc(buffer->buf, buffer->alloc);

+ newlen);

+ buffer->buf = xrealloc(buffer->buf, newlen);

+ buffer->alloc = newlen;

goto restart;

/* NOTREACHED */

}



Related vendor advisories

Spotlight

Android Fake ID bug allows malware to impersonate trusted apps

Posted on 29 July 2014.  |  Bluebox Security researchers unearthed a critical Android vulnerability which can be used by malicious applications to impersonate specially recognized trusted apps - and get all the privileges they have - without the user being none the wiser.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Jul 29th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //