Subject: [PINE-CERT-20020301] OpenSSH off-by-one
To: None <tech-security@netbsd.org>
From: Jan Schaumann <jschauma@netbsd.org>
List: tech-security
Date: 03/07/2002 12:38:13
It appears NetBSD's ssh is affected by this
(/usr/src/crypto/dist/channels.c)...
Date: Thu, 7 Mar 2002 13:25:20 +0000
From: Joost Pol <joost@pine.nl>
To: bugtraq@securityfocus.com
Cc: vulnwatch@vulnwatch.org
Subject: [PINE-CERT-20020301] OpenSSH off-by-one
Message-ID: <20020307132520.A5010@badcoding.org>
See attached advisory.
--
Joost Pol alias 'Nohican' <joost@pine.nl> PGP 584619BD
PGP fingerprint B1FA EE66 CFAA A492 D5F8 9A8A 0CDA D2CA 5846 19BD
PINE Internet BV - Tel +31-50-5731111 - Fax +31-70-3111011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------------------------------
Pine Internet Security Advisory
- -----------------------------------------------------------------------------
Advisory ID : PINE-CERT-20020301
Authors : Joost Pol <joost@pine.nl>
Issue date : 2002-03-07
Application : OpenSSH
Version(s) : All versions between 2.0 and 3.0.2
Platforms : multiple
Vendor informed : 20020304
Availability : http://www.pine.nl/advisories/pine-cert-20020301.txt
- -----------------------------------------------------------------------------
Synopsis

A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2.
Users with an existing user account can abuse this bug to
gain root privileges. Exploitability without an existing
user account has not been proven but is not considered
impossible. A malicious ssh server could also use this bug
to exploit a connecting vulnerable client.

Impact

HIGH: Existing users will gain root privileges.

Description

Simple off by one error. Patch included.

Solution

The OpenSSH project will shortly release version 3.1.
Upgrading to this version is highly recommended.
This version will be made available at http://www.openssh.com

The FreeBSD port of OpenSSH has been updated to reflect the
patches as supplied in this document.

OpenSSH CVS has been updated, see
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ \
channels.c.diff?r1=1.170&r2=1.171

Or apply the attached patch as provided by PINE Internet:
http://www.pine.nl/advisories/pine-cert-20020301.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjyHaKkACgkQDNrSylhGGb3p2ACfXZu3WShzGT4Mp/LgwA6AZStu
rtkAn3O83WzyNijdJ9+9OwLJxUcVj4Ld
=j+Hz
-----END PGP SIGNATURE-----