similar to: BindView advisory: sshd remote root (bug in deattack.c)

CORE SDI http://www.core-sdi.com SSH1 CRC-32 compensation attack detector vulnerability Date Published: 2001-02-08 Advisory ID: CORE-20010207 Bugtraq ID: 2347 CVE CAN: CAN-2001-0144 Title: SSH1 CRC-32 compensation attack detector vulnerability Class: Boundary Error Condition Remotely Exploitable: Yes Locally Exploitable: Yes Release Mode:

The variable IV does can be NULL when passed into the function. However, IV is dereferenced in CMP, therefore, IV should be checked before sending it to this macro. This patch adds what is common in other parts of the code but is missing on this particular check. This entire set of patches passed the regression tests on my system. Null dereference bug found by Coverity. Signed-off-by: Kylene

Hi, I recently ported OpenSSH to my hobbyist operating system. The portable release is very straightforward to work with, but it had a few minor issues where it assumes the existence of things that might not be on a POSIX 2008 system. This are the list of issues I encountered that I believe makes sense to upstream. * <sys/param.h> is included in many files and isn't a standard

Hi All, Did anybody ever had problems created by static h in function detect_attack() in deattack.c? In our system which is based on pSOS OS, this static h is causing a crash, because after closing first ssh session, it pSOS system is allocating same memory to another ssh session and this static h is overwriting that memory. I would appreciate if you know why h is statically allocated.

Index: openssh/deattack.c =================================================================== RCS file: /cvs/openssh/deattack.c,v retrieving revision 1.15 diff -u -r1.15 deattack.c --- openssh/deattack.c 5 Mar 2002 01:53:05 -0000 1.15 +++ openssh/deattack.c 22 Aug 2003 05:34:05 -0000 @@ -112,20 +112,26 @@ if (len <= HASH_MINBLOCKS) { for (c = buf; c < buf + len; c += SSH_BLOCKSIZE) {

each pass afterwards looks to see if the hash table has grown. If pSOS OS is having issues I'd question your compiler or OS for reallocating memory that should be tagged as used. - Ben On Wed, 15 May 2002, Amandeep Singh wrote: > Hi All, > > Did anybody ever had problems created by static h in function > detect_attack() in deattack.c? In our system which is based on pSOS OS,

This is the 1st revision of the Advisory. This document can be found at: http://www.openssh.com/txt/buffer.adv 1. Versions affected: All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively. 2. Solution: Upgrade to OpenSSH

This patch fixes my botched attempted to patch deattack.c. I created a bsd-cray.h file and cleaned up a few error cases in bsd-cray.c. Fixed cray_setup call to pass uid and login name in session.c and moved its call so that its called with root privs. Its been tested on a irix, sun, aix, unicos(SV1) and unicosmk(T3E) systems. If you are building this on a T3E you may have to edit the Makefile

Significant changes since last patch. Deleted patches to packet.c and channel.c - not needed. Add small patch to sshd.c and openbsd/ssh-cray.c to disable cray process privileges. Depending on how a cray unicos/unicosmk system is configured user could su to root without a password with out this mod. Add no_sco flag to noop check for -lrpc which assumes that their was a -lyp library.

http://bugzilla.mindrot.org/show_bug.cgi?id=97 wendyp at cray.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From wendyp at cray.com 2002-04-23 08:39

OpenBSD tree is heading into a lock and this includes OpenSSH. So we are winding up for a 3.5 release. If we can get people to test the current snapshots and report any problems that would improve the odds that your platform won't be broke for 3.5. Issues I know off of right now. 1. I can't test NeXT. So I TRULY need someone in that community to test for me. Last I heard there was

This is about 90% of the core work. I omited a few files from the patch set since they are basicly small blocks of #ifndef HAVE_NEXT/#endif to get it to compile. Daimen, feel free to let me know what you applied and what your rejecting and why.. so I can work on cleaning things up. Andre, Only thing of note you may want to look into is NeXT does not use "ut_user" in it's lastlog.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:22.openssh Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in OpenSSH Category: contrib Module: openssh Announced:

>That's a totally different topic. I do intend to reduce the wb memory >usage, just like I did with the narrowband for 1.2beta1. Still, don't >know where you take this 160k Word32 number (640 kB). I don't think >wideband requires anywhere near that amount of memory. Sorry, it's 160kB. What do you think? and any suggestions for memory reduction? Lianghu On 11/16/06,

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:22.openssh Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in OpenSSH Category: contrib Module: openssh Announced:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:22.openssh Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in OpenSSH Category: contrib Module: openssh Announced:

ssh won't compile on this platform log: gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c atomicio.c -o atomicio.o In file included from config.h:294, from bsd-misc.h:39, from includes.h:91,

configure appears to be setting things right: dragon:/var/src/openssh-1.2.1pre23> grep INTXX config.h #define HAVE_INTXX_T 1 /* #undef HAVE_U_INTXX_T */ #define HAVE_UINTXX_T 1 Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:12 Security Advisory FreeBSD, Inc. Topic: OpenSSH buffer management error Category: core, ports Module: openssh, ports_openssh,

> Another issue is the memory allocations distributed so many places that > it's hard to provide a single memory initial function interface. > > In a VoIP case on ARM, the total memory size for speex codec should be > known at the inital stage since all the memories are allocated > at the initial stage. If you want everything in the same big block, all you need to do is