OpenSSH 3.7 released
Markus Friedl
markus at openbsd.org
Wed Sep 17 05:46:36 EST 2003
On Tue, Sep 16, 2003 at 05:18:10PM +0200, Serge Droz wrote:
> ...
> >Security Changes:
> >=================
> >
> > All versions of OpenSSH's sshd prior to 3.7 contain a buffer
> > management error. It is uncertain whether this error is
> > potentially exploitable, however, we prefer to see bugs
> > fixed proactively.
> >
> > OpenSSH 3.7 fixes this bug.
> >
> Great !
>
> >Changes since OpenSSH 3.6.1:
> >============================
> .> * Changes in Kerberos support:
> >
> > - KerberosV password support now uses a file cache instead of
> > a memory cache.
> >
> > - KerberosIV and AFS support has been removed.
>
> Could you release just the patch for the security fix?
> We do need AFS support and thus can't just roll out 3.7
there was an additional advisory, here's the patch:
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17
@@ -69,6 +69,7 @@
void *
buffer_append_space(Buffer *buffer, u_int len)
{
+ u_int newlen;
void *p;
if (len > 0x100000)
@@ -98,11 +99,13 @@
goto restart;
}
/* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- if (buffer->alloc > 0xa00000)
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
- buffer->alloc);
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
goto restart;
/* NOTREACHED */
}
More information about the openssh-unix-dev
mailing list