Contributed by jose on from the fixing-the-ints dept.
"Markus Friedl just bumped the OpenSSH version to 3.4, and commited a fix for the "int overflow; from ISS", the commit message should be here "The commit message from Markus is
From: Markus FriedlDate: Wed, 26 Jun 2002 07:55:38 -0600 (MDT) Subject: CVS: cvs.openbsd.org: src CVSROOT: /cvs Module name: src Changes by: markus@cvs.openbsd.org 2002/06/26 07:55:37 Modified files: usr.bin/ssh : auth2-chall.c Log message: make sure # of response matches # of queries, fixes int overflow; from ISS
The ISS advisory contains additional information on the vulnerability.
As the commit message said , nearly six years ... not bad. Update The OpenSSH advisory is now also available.
(Comments are closed)
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
its not useless, its svelte. plus when you turn on named you're not going to bite your nails, they're audited it (granted its missing some bind 8 and 9 features, but ...).
as for getting it right, if you dont like it, dont use it or start helping.
By DieNadel () on
Now stop bugging and try to find some more bugs! :-)
By Anonymous Coward () on
By pravus () on
yeah, you are right. 70MB of kernel source is trivial to maintain.
please... for the sake of humanity, put the crack pipe down.
By Anonymous Coward () on
By lx () asdf on mailto:asdf
Comments
By pravus () on
check your history. the statement is true. take a release from 5 years ago... use the default installation... how many remote exploits do you have? at most, 1: this new OpenSSH exploit.
what is so hard to understand about this? i just don't get it. maybe the people that complain so much about this statement don't speak english very well?
By Ken Wronkiewicz () on http://www.wirewd.com/wh/
By Anonymous Coward () on
Check the errata for 3.1
holy crap.
Comments
By Anonymous Coward () on
There are a few ways to achieve security by design. Fine-grained capabilities is an excellent approach. Privsep in the new OpenSSH takes this idea. We need to use this kind of thing all over the place. The other approach is to stop using languages like C for network services. It just isn't humanly possible to write a large body of C code without the occasional overflow. The OpenBSD team is the best in the world, and yet bugs still get through, as we have seen recently.
Comments
By Anonymous Coward () on
How soon can you have a spec written up?
By couderc () on
By M Shannon () on
Way to go guys, you've done great work release after release. I expect to see a new streak start again.
It was a hard week for OpenBSD, Apache exploit toolkits, Openssh vulnerabilites, bad press everywhere you turn.
Well, just so there's no mis-understanding, put me down for a 3.2 CD!
-M
Comments
By Anonymous Coward () on
2.9.tar.gz---314934
3.0.tar.gz --249440
3.1.tar.gz - 7267
-This is a walk in the park compared to my other
-platforms. They fit on one floppy!!!
Do you have any idea how long it would take for
the updates for the last 3 releases of SuSE? or redhat?
HOURS. Really. hours. They fill up a whole CD.
OpenBSD kicks butt.
Comments
By Anonymous Coward () on
It seems like somebody is gunning for theo.
Well as they will find out, We are very loyal.
Comments
By Jeff Flowers () jeffrey@jeffreyf.net on mailto:jeffrey@jeffreyf.net
I think some of that has to do with Theo himself. I have no problem with Theo as I appreciate his bluntness but I can see how some would. I suspect that makes him, and OpenBSD, a target for some.
Regardless, Theo and his fellows have shown what can be accomplished if one is willing to work.
By Anonymous Coward () on
By pravus () on
Comments
By john doe () on http://www.theregister.co.uk/content/4/25891.html
By Ben Johnson () ben@remove.johnsonworld.this.com on www.johnsonworld.com
Comments
By <font color="#336666"><b>Re:<3.0 Not Affected?</b><br>by<font c () on
By <font color="#336666"><b><3.0 Not Supported</b><br>by<font colo () on
By Matt Liggett () mml@pobox.com on http://pobox.com/~mml
I'm running 2.8, and ssh -V reports that I'm using OpenSSH 2.3.0, so I appear to be safe. ssh -V might provide useful for you, too.
Comments
By francisco () on http://www.blackant.net/
as long as you trust your local users, and there is nothing else exploitable on that box (like unpatched apache c.f. http://www.openbsd.org/advisories/ssh_channelalloc.txt
Comments
By Ben Johnson () ben-openbsd@remove.johnsonworld.this.com on mailto:ben-openbsd@remove.johnsonworld.this.com
I put on my paranoid-tin-foil-hat and took the precaution of considering OpenSSH possibly vunerable - even after the curent patches and have set all my firewalls to block any port 22 trafic with an eception of allowing my static home IP addess in.
Thanks to OpenBSD and OpenSSH for the 5 years of worry free computing. This incident only reminds my of why I moved over to OpenBSD in the first place, and you have my confidence. Heres to the next 5 years.
Cheers.
By RC () on
If S/Key and/or BSD_Auth were disabled, this wouldn't have been the end of OpenBSD's reign without a remote Root hole. Most users wouldn't have been affected by disabling S/Key by default, and those few who use it could have re-enabled it.
Anyone care to say why S/Key was enabled? Or better yet, why it was enabled on OpenBSD, but other distros were smart enough to disable it by default.
Additionally, why didn't Theo just let the world know that disabling S/Key would have neutralized the exploit? That's even better than priv seperation, as it would prevent them ANY access!
Comments
By Anonymous Coward () on
By Anonymous Coward () on
By Aasmund () on
1. The good-old XML::Parser problem, fixed with --disable-rule=EXPAT (I thought it was officially fixed)
2. $r->print requires full scalar not ref anymore. (for mod_perl)
3. cvs'upping to stable is fine, however, making obj/build fails on "/bin/sh: cd: /usr/src/usr.bin/ssh/ssh-keysign - No such file or directory" any ideas?
4. How easy the upgrade system is, I love it!
5. My system hangs 50% of the time on SCSI detection, I don't have any SCSI units. So I guess I will have to alter GENERIC and recompile.
Thank You,
Aasmund.
Comments
By Sam () on
Read and follow the upgrading instructions?
Comments
By Aasmund () on
Also my system has started to behave erratically. Suddenly it can't find libraries and loses all it's 512 memory. 2 mins later it's ok.
Strange.
By Anonymous Coward () on
Use config instead and disable unwanted devs.
By francisco () on http://www.blackant.net/
i bet it's looking for cd drives. are you seeing something like:
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
yours will vary slightly, of course. if this is similar to the problem you are referring to, then you will want to see atapiscsi(4), scsibus(4), and cd(4), which will explain to you what all those drivers are. If you have a Sony cd drive and are running 3.1-release, then you may notice some problems during detection. refer to the mailing lists for more information, and upgrade to the recent stable kernel.
my machine didnt recognize the cd drive with 3.1-release, though the same drive worked fine with 2.9. it started working in -current a few weeks ago. thank you developers!
By Anonymous Coward () on
The CVS log mentions an int overflow.
Referring to this snippet of code
=====
nresp = packet_get_int();
if (nresp != kbdintctxt->nreq)
fatal("input_userauth_info_response: wrong number of replies");
if (nresp > 100)
fatal("input_userauth_info_response: too many replies");
if (nresp > 0) {
response = xmalloc(nresp * sizeof(char*));
for (i = 0; i 100) check was the patch.
But if nresp was very large where does the overflow occur? I could see the kernel thrashing for a while since it's been requested to malloc an obscene amount of memory, but I can't see where a write to unmanaged memory occurs.
Can anyone shed some light on this?
Comments
By Anonymous Coward () on
The for loop looks like this
=====
for (i = 0; i 100) was the patch
By Anonymous Coward () on
1) Checking nresp <100 prevents a DoS, as you noted.
2) If nresp is very large and unsigned, and if the value in nresp is later assigned to a signed variable, the signed variable may be negative when it should not be. Careful packet construction could cause a server to believe it's writing into a buffer when it's actually overwriting its stack or heap. Since I saw a lot of signed/unsigned cleanup commit messages around the time this vulnerability was announced, I think this is it. 100>
By grendel () on
add in one part integer overflow, stir, and get a small number, happily malloced. the loop below then proceeds to use the large value and run willy-nilly over memory.
like theo said, it's a kinda new class of vulnerability. everyone knows ints overflow. they don't know that can be bad. :(
By Anonymous Coward () on
(btw .net ISNT just for MS ;).
Comments
By Anonymous Coward () on
I no of no advantages of .net over Java/JVM. You can get Scheme, Ada, Python, and litterlally over one hundered other language compilers/interpreters tagreted at/running in JVM byte code. Sun might not be that great, but they beat teh crap out of M$ for my security dollar.