[This is serious enough to merit a resend, with more information.  I'm
upgrading the machines under my control to OpenSSH 3.1p1, and
recommending the same to all my clients whose machines I don't control
directly.  Please either patch if you're running 3.0.2 or a lower
version, or upgrade to 3.1p1.  I'd recommend the latter.

Note that while the current exploits only claim to succeed when a user
account is available, it's possible that a new generation of exploits
will be able to use this vulnerability to gain remote root access
without a user account too.  To repeat, this is *serious*. -- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Return-Path: <[EMAIL PROTECTED]>
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Message-ID: <20020307115633.GA8924@faui02>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.25i
From: Markus Friedl <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
   [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: OpenSSH Security Advisory (adv.channelalloc)
Date: Thu, 7 Mar 2002 12:56:33 +0100


1. Systems affected:

        All versions of OpenSSH between 2.0 and 3.0.2 contain
        an off-by-one error in the channel code.

        OpenSSH 3.1 and later are not affected.

2. Impact:

        This bug can be exploited locally by an authenticated user
        logging into a vulnerable OpenSSH server or by a malicious
        SSH server attacking a vulnerable OpenSSH client.
        
3. Solution:

        Upgrade to OpenSSH 3.1 or apply the following patch.

4. Credits:

        This bug was discovered by Joost Pol <[EMAIL PROTECTED]>


Appendix:

Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.170
retrieving revision 1.171
diff -u -r1.170 -r1.171
--- channels.c  27 Feb 2002 21:23:13 -0000      1.170
+++ channels.c  4 Mar 2002 19:37:58 -0000       1.171
@@ -146,7 +146,7 @@
 {
        Channel *c;
 
-       if (id < 0 || id > channels_alloc) {
+       if (id < 0 || id >= channels_alloc) {
                log("channel_lookup: %d: bad id", id);
                return NULL;
        }
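Review bot: the comparison in the bound check is the whole fix: with `id > channels_alloc`, an id equal to channels_alloc passes the check and the lookup indexes one element past the last valid entry of a table with channels_alloc slots, which is the off-by-one the advisory describes; `id >= channels_alloc` correctly rejects it. Since the hunk touches only channel_lookup, it is worth checking the rest of channels.c for any other `> channels_alloc` comparison and for callers that index the table without going through channel_lookup, so the same pattern is not left elsewhere.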

------------------------------
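To make the off-by-one in the patch above concrete, here is an added example, not OpenSSH code and not part of the original advisory, of a minimal channel-table lookup written both with the pre-3.1 `>` bound check and with the corrected `>=` check. Every name in it (chan_t, chan_table_t, table_new, lookup_buggy, lookup_fixed and the result helpers) is hypothetical. The table is allocated with one extra guard slot so that the out-of-bounds read of the buggy version lands on memory the program controls and can be detected; real code has no such guard, and the read past the end hits whatever happens to follow the array.

```c
/* Added example (not OpenSSH code): a minimal channel-table lookup showing
 * the off-by-one bound check fixed by the advisory's patch. All names here
 * (chan_t, chan_table_t, table_new, lookup_buggy, lookup_fixed, ...) are
 * hypothetical. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int id;
    int valid;      /* 1 for a real channel, 0 for the guard slot */
} chan_t;

typedef struct {
    chan_t *slots;
    int alloc;      /* number of usable entries, like channels_alloc */
} chan_table_t;

/* Allocate `alloc` usable slots plus one guard slot (constructed for the
 * demonstration) so the out-of-bounds read in lookup_buggy() lands on
 * memory we control and can be recognised, instead of being undefined
 * behaviour on whatever follows the array. */
static chan_table_t *table_new(int alloc)
{
    chan_table_t *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->slots = calloc((size_t)alloc + 1, sizeof *t->slots);
    if (!t->slots) { free(t); return NULL; }
    for (int i = 0; i < alloc; i++) {
        t->slots[i].id = i;
        t->slots[i].valid = 1;
    }
    t->slots[alloc].id = -1;      /* guard slot: never a valid channel */
    t->slots[alloc].valid = 0;
    t->alloc = alloc;
    return t;
}

static void table_free(chan_table_t *t)
{
    if (t) { free(t->slots); free(t); }
}

/* The pre-3.1 check: `id > alloc` lets id == alloc through, which indexes
 * one element past the last usable slot. */
static chan_t *lookup_buggy(chan_table_t *t, int id)
{
    if (id < 0 || id > t->alloc) {
        fprintf(stderr, "lookup_buggy: %d: bad id\n", id);
        return NULL;
    }
    return &t->slots[id];
}

/* The corrected check (channels.c r1.171): `id >= alloc` rejects it. */
static chan_t *lookup_fixed(chan_table_t *t, int id)
{
    if (id < 0 || id >= t->alloc) {
        fprintf(stderr, "lookup_fixed: %d: bad id\n", id);
        return NULL;
    }
    return &t->slots[id];
}

/* 1 if the buggy lookup hands back the guard slot for id == alloc, i.e. it
 * read past the end of the usable table; 0 otherwise; -1 on allocation
 * failure. */
int buggy_reads_past_end(int alloc)
{
    chan_table_t *t = table_new(alloc);
    if (!t) return -1;
    chan_t *c = lookup_buggy(t, alloc);
    int r = (c != NULL && c->valid == 0 && c->id == -1);
    table_free(t);
    return r;
}

/* 1 if the fixed lookup rejects id == alloc, 0 otherwise, -1 on failure. */
int fixed_rejects_end(int alloc)
{
    chan_table_t *t = table_new(alloc);
    if (!t) return -1;
    int r = (lookup_fixed(t, alloc) == NULL);
    table_free(t);
    return r;
}

/* 1 if both lookups return the same valid slot for an in-range id, showing
 * that the fix changes behaviour only at the boundary. */
int both_accept_in_range(int alloc, int id)
{
    chan_table_t *t = table_new(alloc);
    if (!t) return -1;
    chan_t *a = lookup_buggy(t, id), *b = lookup_fixed(t, id);
    int r = (a && b && a == b && a->id == id && a->valid == 1);
    table_free(t);
    return r;
}

int main(void)
{
    printf("buggy lookup of id == alloc reads past the end: %d\n", buggy_reads_past_end(8));
    printf("fixed lookup rejects id == alloc:              %d\n", fixed_rejects_end(8));
    printf("both accept in-range id 3 of 8:                %d\n", both_accept_in_range(8, 3));
    return 0;
}
```

The boundary id is the only input on which the two versions differ; everything below channels_alloc behaves identically, which is why such bugs survive ordinary testing. In the real server the element past the end is not a guard slot but whatever the allocator placed after the table, so the stale pointer the buggy check returns is what an authenticated user (or a malicious server, against the client) gets to work with.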

End of this Digest
******************

-- 
Raju Mathur          [EMAIL PROTECTED]           http://kandalaya.org/
                     It is the mind that moves

          ================================================
To subscribe, send email to [EMAIL PROTECTED] with subscribe in subject header
To unsubscribe, send email to [EMAIL PROTECTED] with unsubscribe in subject header
Archives are available at http://www.mail-archive.com/ilugd%40wpaa.org
          =================================================