author | dinoex <dinoex@FreeBSD.org> | 2003-09-17 12:03:12 +0000 |
---|---|---|
committer | dinoex <dinoex@FreeBSD.org> | 2003-09-17 12:03:12 +0000 |
commit | ea3a16f7c51d6249b252a362627f4df7dfcdb5dd (patch) | |
tree | 92f9c170d87a60fc7c06e58e6800d156c64e61b5 /security | |
parent | 792f19e590f3fba4dd0bbb9f7f5aed9e7407cc9d (diff) | |
- Security Fix revision 2
http://www.openssh.com/txt/buffer.adv
Approved by: lioux (portmgr)
Diffstat (limited to 'security')
-rw-r--r-- | security/hpn-ssh/Makefile | 2 | ||||
-rw-r--r-- | security/hpn-ssh/files/patch-buffer.c | 149 | ||||
-rw-r--r-- | security/openssh-portable/Makefile | 2 | ||||
-rw-r--r-- | security/openssh-portable/files/patch-buffer.c | 149 | ||||
-rw-r--r-- | security/openssh/Makefile | 2 | ||||
-rw-r--r-- | security/openssh/files/patch-buffer.c | 149 |
6 files changed, 333 insertions, 120 deletions
diff --git a/security/hpn-ssh/Makefile b/security/hpn-ssh/Makefile
index e5be325..0694889 100644
--- a/security/hpn-ssh/Makefile
+++ b/security/hpn-ssh/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= openssh
 PORTVERSION= 3.6.1p2
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= security ipv6
 MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
diff --git a/security/hpn-ssh/files/patch-buffer.c b/security/hpn-ssh/files/patch-buffer.c
index 80fcad7..093e83c 100644
--- a/security/hpn-ssh/files/patch-buffer.c
+++ b/security/hpn-ssh/files/patch-buffer.c
@@ -1,39 +1,110 @@
-*** buffer.c.orig Sat Jun 29 06:33:59 2002
---- buffer.c Tue Sep 16 00:33:54 2003
-***************
-*** 69,74 ****
---- 69,75 ----
- void *
- buffer_append_space(Buffer *buffer, u_int len)
- {
-+ u_int newlen;
- void *p;
-
- if (len > 0x100000)
-***************
-*** 98,108 ****
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-! buffer->alloc += len + 32768;
-! if (buffer->alloc > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! buffer->alloc);
-! buffer->buf = xrealloc(buffer->buf, buffer->alloc);
- goto restart;
- /* NOTREACHED */
- }
---- 99,111 ----
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-!
-! newlen = buffer->alloc + len + 32768;
-! if (newlen > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! newlen);
-! buffer->buf = xrealloc(buffer->buf, newlen);
-! buffer->alloc = newlen;
- goto restart;
- /* NOTREACHED */
- }
+Subject: OpenSSH Security Advisory: buffer.adv
+
+This is the 2nd revision of the Advisory.
+
+This document can be found at: http://www.openssh.com/txt/buffer.adv
+
+1. Versions affected:
+
+ All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
+ management errors. It is uncertain whether these errors are
+ potentially exploitable, however, we prefer to see bugs
+ fixed proactively.
+
+ Other implementations sharing common origin may also have
+ these issues.
+
+2. Solution:
+
+ Upgrade to OpenSSH 3.7.1 or apply the following patch.
+
+===================================================================
+Appendix A: patch for OpenSSH 3.6.1 and earlier
+
+Index: buffer.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.16
+retrieving revision 1.18
+diff -u -r1.16 -r1.18
+--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
++++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
+@@ -23,8 +23,11 @@
+ void
+ buffer_init(Buffer *buffer)
+ {
+- buffer->alloc = 4096;
+- buffer->buf = xmalloc(buffer->alloc);
++ const u_int len = 4096;
++
++ buffer->alloc = 0;
++ buffer->buf = xmalloc(len);
++ buffer->alloc = len;
+ buffer->offset = 0;
+ buffer->end = 0;
+ }
+@@ -34,8 +37,10 @@
+ void
+ buffer_free(Buffer *buffer)
+ {
+- memset(buffer->buf, 0, buffer->alloc);
+- xfree(buffer->buf);
++ if (buffer->alloc > 0) {
++ memset(buffer->buf, 0, buffer->alloc);
++ xfree(buffer->buf);
++ }
+ }
+
+ /*
+@@ -69,6 +74,7 @@
+ void *
+ buffer_append_space(Buffer *buffer, u_int len)
+ {
++ u_int newlen;
+ void *p;
+
+ if (len > 0x100000)
+@@ -98,11 +104,13 @@
+ goto restart;
+ }
+ /* Increase the size of the buffer and retry. */
+- buffer->alloc += len + 32768;
+- if (buffer->alloc > 0xa00000)
++
++ newlen = buffer->alloc + len + 32768;
++ if (newlen > 0xa00000)
+ fatal("buffer_append_space: alloc %u not supported",
+- buffer->alloc);
+- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
++ newlen);
++ buffer->buf = xrealloc(buffer->buf, newlen);
++ buffer->alloc = newlen;
+ goto restart;
+ /* NOTREACHED */
+ }
+Index: channels.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/channels.c,v
+retrieving revision 1.194
+retrieving revision 1.195
+diff -u -r1.194 -r1.195
+--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
++++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
+@@ -228,12 +228,13 @@
+ if (found == -1) {
+ /* There are no free slots. Take last+1 slot and expand the array. */
+ found = channels_alloc;
+- channels_alloc += 10;
+ if (channels_alloc > 10000)
+ fatal("channel_new: internal error: channels_alloc %d "
+ "too big.", channels_alloc);
++ channels = xrealloc(channels,
++ (channels_alloc + 10) * sizeof(Channel *));
++ channels_alloc += 10;
+ debug2("channel: expanding %d", channels_alloc);
+- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
+ for (i = found; i < channels_alloc; i++)
+ channels[i] = NULL;
+ }
+
+
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index e5be325..0694889 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= openssh
 PORTVERSION= 3.6.1p2
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= security ipv6
 MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
diff --git a/security/openssh-portable/files/patch-buffer.c b/security/openssh-portable/files/patch-buffer.c
index 80fcad7..093e83c 100644
--- a/security/openssh-portable/files/patch-buffer.c
+++ b/security/openssh-portable/files/patch-buffer.c
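Review bot: In the buffer_free hunk of the embedded OpenSSH patch (security/hpn-ssh/files/patch-buffer.c), the new `if (buffer->alloc > 0)` guard only protects while `alloc` tracks the live allocation, and nothing resets it after `xfree(buffer->buf)`. If buffer_free is ever reached twice for the same Buffer (callers are not visible here, so this is inferred), the second call would still memset and free the released pointer. I would add `buffer->alloc = 0;` inside the guard, before the `xfree` call, so the guard also covers that case. The same patch text is added to security/openssh-portable/files/patch-buffer.c and security/openssh/files/patch-buffer.c, so the point applies to all three. A short comment in buffer_init and buffer_append_space such as `/* alloc is updated only after the allocation succeeds */` would record the invariant the patch relies on.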
@@ -1,39 +1,110 @@
-*** buffer.c.orig Sat Jun 29 06:33:59 2002
---- buffer.c Tue Sep 16 00:33:54 2003
-***************
-*** 69,74 ****
---- 69,75 ----
- void *
- buffer_append_space(Buffer *buffer, u_int len)
- {
-+ u_int newlen;
- void *p;
-
- if (len > 0x100000)
-***************
-*** 98,108 ****
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-! buffer->alloc += len + 32768;
-! if (buffer->alloc > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! buffer->alloc);
-! buffer->buf = xrealloc(buffer->buf, buffer->alloc);
- goto restart;
- /* NOTREACHED */
- }
---- 99,111 ----
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-!
-! newlen = buffer->alloc + len + 32768;
-! if (newlen > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! newlen);
-! buffer->buf = xrealloc(buffer->buf, newlen);
-! buffer->alloc = newlen;
- goto restart;
- /* NOTREACHED */
- }
+Subject: OpenSSH Security Advisory: buffer.adv
+
+This is the 2nd revision of the Advisory.
+
+This document can be found at: http://www.openssh.com/txt/buffer.adv
+
+1. Versions affected:
+
+ All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
+ management errors. It is uncertain whether these errors are
+ potentially exploitable, however, we prefer to see bugs
+ fixed proactively.
+
+ Other implementations sharing common origin may also have
+ these issues.
+
+2. Solution:
+
+ Upgrade to OpenSSH 3.7.1 or apply the following patch.
+
+===================================================================
+Appendix A: patch for OpenSSH 3.6.1 and earlier
+
+Index: buffer.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.16
+retrieving revision 1.18
+diff -u -r1.16 -r1.18
+--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
++++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
+@@ -23,8 +23,11 @@
+ void
+ buffer_init(Buffer *buffer)
+ {
+- buffer->alloc = 4096;
+- buffer->buf = xmalloc(buffer->alloc);
++ const u_int len = 4096;
++
++ buffer->alloc = 0;
++ buffer->buf = xmalloc(len);
++ buffer->alloc = len;
+ buffer->offset = 0;
+ buffer->end = 0;
+ }
+@@ -34,8 +37,10 @@
+ void
+ buffer_free(Buffer *buffer)
+ {
+- memset(buffer->buf, 0, buffer->alloc);
+- xfree(buffer->buf);
++ if (buffer->alloc > 0) {
++ memset(buffer->buf, 0, buffer->alloc);
++ xfree(buffer->buf);
++ }
+ }
+
+ /*
+@@ -69,6 +74,7 @@
+ void *
+ buffer_append_space(Buffer *buffer, u_int len)
+ {
++ u_int newlen;
+ void *p;
+
+ if (len > 0x100000)
+@@ -98,11 +104,13 @@
+ goto restart;
+ }
+ /* Increase the size of the buffer and retry. */
+- buffer->alloc += len + 32768;
+- if (buffer->alloc > 0xa00000)
++
++ newlen = buffer->alloc + len + 32768;
++ if (newlen > 0xa00000)
+ fatal("buffer_append_space: alloc %u not supported",
+- buffer->alloc);
+- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
++ newlen);
++ buffer->buf = xrealloc(buffer->buf, newlen);
++ buffer->alloc = newlen;
+ goto restart;
+ /* NOTREACHED */
+ }
+Index: channels.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/channels.c,v
+retrieving revision 1.194
+retrieving revision 1.195
+diff -u -r1.194 -r1.195
+--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
++++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
+@@ -228,12 +228,13 @@
+ if (found == -1) {
+ /* There are no free slots. Take last+1 slot and expand the array. */
+ found = channels_alloc;
+- channels_alloc += 10;
+ if (channels_alloc > 10000)
+ fatal("channel_new: internal error: channels_alloc %d "
+ "too big.", channels_alloc);
++ channels = xrealloc(channels,
++ (channels_alloc + 10) * sizeof(Channel *));
++ channels_alloc += 10;
+ debug2("channel: expanding %d", channels_alloc);
+- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
+ for (i = found; i < channels_alloc; i++)
+ channels[i] = NULL;
+ }
+
+
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 594071e..1047bd5 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= openssh
 PORTVERSION= 3.6.1
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= security
 MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
 ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \
diff --git a/security/openssh/files/patch-buffer.c b/security/openssh/files/patch-buffer.c
index 80fcad7..093e83c 100644
--- a/security/openssh/files/patch-buffer.c
+++ b/security/openssh/files/patch-buffer.c
@@ -1,39 +1,110 @@
-*** buffer.c.orig Sat Jun 29 06:33:59 2002
---- buffer.c Tue Sep 16 00:33:54 2003
-***************
-*** 69,74 ****
---- 69,75 ----
- void *
- buffer_append_space(Buffer *buffer, u_int len)
- {
-+ u_int newlen;
- void *p;
-
- if (len > 0x100000)
-***************
-*** 98,108 ****
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-! buffer->alloc += len + 32768;
-! if (buffer->alloc > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! buffer->alloc);
-! buffer->buf = xrealloc(buffer->buf, buffer->alloc);
- goto restart;
- /* NOTREACHED */
- }
---- 99,111 ----
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-!
-! newlen = buffer->alloc + len + 32768;
-! if (newlen > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! newlen);
-! buffer->buf = xrealloc(buffer->buf, newlen);
-! buffer->alloc = newlen;
- goto restart;
- /* NOTREACHED */
- }
+Subject: OpenSSH Security Advisory: buffer.adv
+
+This is the 2nd revision of the Advisory.
+
+This document can be found at: http://www.openssh.com/txt/buffer.adv
+
+1. Versions affected:
+
+ All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
+ management errors. It is uncertain whether these errors are
+ potentially exploitable, however, we prefer to see bugs
+ fixed proactively.
+
+ Other implementations sharing common origin may also have
+ these issues.
+
+2. Solution:
+
+ Upgrade to OpenSSH 3.7.1 or apply the following patch.
+
+===================================================================
+Appendix A: patch for OpenSSH 3.6.1 and earlier
+
+Index: buffer.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.16
+retrieving revision 1.18
+diff -u -r1.16 -r1.18
+--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
++++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
+@@ -23,8 +23,11 @@
+ void
+ buffer_init(Buffer *buffer)
+ {
+- buffer->alloc = 4096;
+- buffer->buf = xmalloc(buffer->alloc);
++ const u_int len = 4096;
++
++ buffer->alloc = 0;
++ buffer->buf = xmalloc(len);
++ buffer->alloc = len;
+ buffer->offset = 0;
+ buffer->end = 0;
+ }
+@@ -34,8 +37,10 @@
+ void
+ buffer_free(Buffer *buffer)
+ {
+- memset(buffer->buf, 0, buffer->alloc);
+- xfree(buffer->buf);
++ if (buffer->alloc > 0) {
++ memset(buffer->buf, 0, buffer->alloc);
++ xfree(buffer->buf);
++ }
+ }
+
+ /*
+@@ -69,6 +74,7 @@
+ void *
+ buffer_append_space(Buffer *buffer, u_int len)
+ {
++ u_int newlen;
+ void *p;
+
+ if (len > 0x100000)
+@@ -98,11 +104,13 @@
+ goto restart;
+ }
+ /* Increase the size of the buffer and retry. */
+- buffer->alloc += len + 32768;
+- if (buffer->alloc > 0xa00000)
++
++ newlen = buffer->alloc + len + 32768;
++ if (newlen > 0xa00000)
+ fatal("buffer_append_space: alloc %u not supported",
+- buffer->alloc);
+- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
++ newlen);
++ buffer->buf = xrealloc(buffer->buf, newlen);
++ buffer->alloc = newlen;
+ goto restart;
+ /* NOTREACHED */
+ }
+Index: channels.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/channels.c,v
+retrieving revision 1.194
+retrieving revision 1.195
+diff -u -r1.194 -r1.195
+--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
++++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
+@@ -228,12 +228,13 @@
+ if (found == -1) {
+ /* There are no free slots. Take last+1 slot and expand the array. */
+ found = channels_alloc;
+- channels_alloc += 10;
+ if (channels_alloc > 10000)
+ fatal("channel_new: internal error: channels_alloc %d "
+ "too big.", channels_alloc);
++ channels = xrealloc(channels,
++ (channels_alloc + 10) * sizeof(Channel *));
++ channels_alloc += 10;
+ debug2("channel: expanding %d", channels_alloc);
+- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
+ for (i = found; i < channels_alloc; i++)
+ channels[i] = NULL;
+ }
+
+
|