[CLUE-Tech] OpenSSH Security Advisory (adv.channelalloc) (fwd)
Randy Arabie
rrarabie at arabie.org
Thu Mar 7 09:49:05 MST 2002
Just in from the folks at OpenSSH.
--
Cheers!
Randy
================================================================
Randy Arabie
GnuPG Key Info --
Fingerprint: 7E25 DFA2 EF72 9551 9C6C 8AA6 6E8C A0F5 7E33 D981
Key ID: 7C603AEF
http://www.arabie.org/keys/rrarabie.gnupg
================================================================
---------- Forwarded message ----------
Date: Thu, 7 Mar 2002 12:56:33 +0100
From: Markus Friedl <markus at openbsd.org>
To: announce at openbsd.org, security-announce at openbsd.org,
openssh-unix-dev at mindrot.org, openssh-unix-announce at mindrot.org
Cc: BUGTRAQ at SECURITYFOCUS.COM, misc at openbsd.org, lwn at lwn.net
Subject: OpenSSH Security Advisory (adv.channelalloc)
1. Systems affected:
All versions of OpenSSH between 2.0 and 3.0.2 contain
an off-by-one error in the channel code.
OpenSSH 3.1 and later are not affected.
2. Impact:
This bug can be exploited locally by an authenticated user
logging into a vulnerable OpenSSH server or by a malicious
SSH server attacking a vulnerable OpenSSH client.
3. Solution:
Upgrade to OpenSSH 3.1 or apply the following patch.
4. Credits:
This bug was discovered by Joost Pol <joost at pine.nl>
Appendix:
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.170
retrieving revision 1.171
diff -u -r1.170 -r1.171
--- channels.c 27 Feb 2002 21:23:13 -0000 1.170
+++ channels.c 4 Mar 2002 19:37:58 -0000 1.171
@@ -146,7 +146,7 @@
{
Channel *c;
- if (id < 0 || id > channels_alloc) {
+ if (id < 0 || id >= channels_alloc) {
log("channel_lookup: %d: bad id", id);
return NULL;
}
More information about the clue-tech
mailing list