[SECURITY-L] ***IMPORTANTE***[cais em cais.rnp.br: CAIS-Alerta: Vulnerabilidade remota no OpenSSH]

[Security Team - UNICAMP]

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Vulnerabilidade remota no OpenSSH
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 16 Sep 2003 14:23:37 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----


Prezados,

O CAIS esta repassando o alerta da OpenSSH, OpenSSH Security Advisory:
buffer.adv, que trata de uma vulnerabilidade existente no sshd devido a um
erro no gerenciamento de buffer, que pode permitir a um atacante remoto
executar codigo arbitrario.

* Sistemas afetados

	. Todos os sitemas UNIX/Linux rodando versoes anteriores a 3.7

* Correcoes disponiveis:

	. OpenBSD
	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.7.tgz

	. Demais sistemas UNIX/Linux
	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7p1.tar.gz

Caso nao seja possivel atualizar o OpenSSH para a versao 3.7, o patch em
anexo devera ser aplicado no codigo-fonte da versao anterior. Apos a
aplicacao do patch, os binarios do OpenSSH deverao ser recompilados.

* Maiores informacoes

	http://www.openssh.com/txt/buffer.adv
	http://www.openssh.com/security.html

O CAIS recomenda aos administradores manterem seus sistemas e aplicativos
sempre atualizados, de acordo com as ultimas versoes e correcoes
disponibilizadas pelos fabricantes.

Atenciosamente,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais em cais.rnp.br     http://www.cais.rnp.br                  #
# Tel. 019-37873300    Fax. 019-37873301                       #
# Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key #
################################################################


This is the 1st revision of the Advisory.

This document can be found at:  http://www.openssh.com/txt/buffer.adv

1. Versions affected:

        All versions of OpenSSH's sshd prior to 3.7 contain a buffer
        management error.  It is uncertain whether this error is
        potentially exploitable, however, we prefer to see bugs
        fixed proactively.

2. Solution:

        Upgrade to OpenSSH 3.7 or apply the following patch.

Appendix:

Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
- --- buffer.c    26 Jun 2002 08:54:18 -0000      1.16
+++ buffer.c    16 Sep 2003 03:03:47 -0000      1.17
@@ -69,6 +69,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+       u_int newlen;
        void *p;

        if (len > 0x100000)
@@ -98,11 +99,13 @@
                goto restart;
        }
        /* Increase the size of the buffer and retry. */
- -       buffer->alloc += len + 32768;
- -       if (buffer->alloc > 0xa00000)
+
+       newlen = buffer->alloc + len + 32768;
+       if (newlen > 0xa00000)
                fatal("buffer_append_space: alloc %u not supported",
- -                   buffer->alloc);
- -       buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+                   newlen);
+       buffer->buf = xrealloc(buffer->buf, newlen);
+       buffer->alloc = newlen;
        goto restart;
        /* NOTREACHED */
 }



-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP2dHIekli63F4U8VAQHn+wQAwU1vUg/mHIp5t31S303zDeZYkSSLRUN2
RZewff2ESghfPI3s7UZTskxttghBNp3ZWolBcmfAAvTPx3AF2RsuGo0t6woPCloP
USrqWZMm6shmtxpd/ivTyUAhHkNwwUcfmzg6FLgNmRPx+UK0LcnQV37RRCKtE6iD
72+mqecw1/Q=
=hAB6
-----END PGP SIGNATURE-----


----- End forwarded message -----