Displaying 20 results from an estimated 300 matches similar to: "[PATCH 12/12] bug fix: openssh 4.3p2 ssh-rand-helper bugs"
2001 Jan 16
1
ssh drops privs when it can't find ~/.ssh/prng_seed
I'm using OpenSSH 2.3.0p1. When my users use ssh for the first
time, using rhosts authentication, entropy.c drops the privs in
prng_write_seedfile() at the setuid(original_uid) line (line 550,
approx):
void
prng_write_seedfile(void) {
	int fd;
	char seed[1024];
	char filename[1024];
	struct passwd *pw;

	/* Don't bother if we have already saved a seed */
	if (prng_seed_saved)
		return;
2001 Sep 28
1
openssh-2.9.9p2 assumes pid_t, uid_t, etc. are not 'long'
openssh-2.9.9p2 assumes that pid_t, uid_t, gid_t, and mode_t are no
wider than int. GCC complains about this assumption on 32-bit Solaris
8 sparc, where these types are 'long', not 'int'. This isn't an
actual problem at runtime on this host, as long and int are the same
width, but it is a problem on other hosts where pid_t is wider than
int. E.g., I've heard that 64-bit
2001 Oct 16
6
program-prefix does not work
the configure option --program-prefix does not work although it is
listed in the configure --help output.
The attached patch fixes these issues:
1) program prefix is not substituted in configure
2) program prefix is not present in Makefile
3) scp requires use of a known "scp" program
-- bryan
diff -cr openssh-2.9.9p2.orig/Makefile.in openssh-2.9.9p2/Makefile.in
***
2006 May 04
2
xmalloc(foo*bar) -> xcalloc(foo, bar) for Portable
Hi All.
While wandering in auth-pam.c I noticed that there's a few Portable-specific
escapees from the xmalloc(foo * bar) cleanup.
There's also a "probably can't happen" integer overflow in
ssh-rand-helper.c with the memset:
num_cmds = 64;
- entcmd = xmalloc(num_cmds * sizeof(entropy_cmd_t));
+ entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t));
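Review bot: the memset that the message points to is not covered by the lines shown, which stop at the xcalloc(num_cmds, sizeof(entropy_cmd_t)) replacement. Since xcalloc returns zeroed memory, a memset that follows this allocation becomes redundant; suggest removing it in the same hunk rather than leaving a second num_cmds * sizeof(entropy_cmd_t) product in place as its size argument.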
2001 Mar 11
4
prng_cmds/init_rng() question/patch
I have a need to provide ssh client binaries for use elsewhere on
several platforms, some without /dev/random support. I can't assume
that users will know how to install/run prngd or egd, so I was
planning to rely on the builtin prng code. However this requires the
ssh_prng_cmds file to exist in a fixed location -- which would mean
making binaries which either look for it in . or other
2000 Aug 25
1
[patch] configurable ssh_prng_cmds
The following patch against openssh-SNAP-20000823 allows to override the
compile-time "ssh_prng_cmds" file at run time by adding new options to the
server and client configurations. (We move binaries around a bit, and this was
the only absolute path that couldn't be fixed at run-time).
Regards
Jan
diff -ur openssh-SNAP-20000823.orig/entropy.c openssh-SNAP-20000823.new/entropy.c
2006 May 15
1
[PATCH 2/12] bug fix: openssh-4.3p2 NULL dereference
The variable IV can be NULL when passed into the function. However,
IV is dereferenced in CMP, therefore, IV should be checked before
sending it to this macro. This patch adds what is common in other parts
of the code but is missing on this particular check. This entire set of
patches passed the regression tests on my system. Null dereference bug
found by Coverity.
Signed-off-by: Kylene
2006 May 15
2
[PATCH 10/12 bugfix: openssh-4.3p2: memory leak
The variable local_user was allocated by xstrdup and is not freed or
pointed to in this branch. This patch adds the xfree. This entire set
of patches passed the regression tests on my system. Bug found by
Coverity.
Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
---
sshconnect.c | 1 +
1 files changed, 1 insertion(+)
diff -uprN openssh-4.3p2/sshconnect.c
2006 May 15
0
[PATCH 11/12] bugfix: openssh-4.3p2 variable reuse bug
Since the comment variable is used later in the function for other
purposes, it is necessary to NULL the variable so it can be
differentiated as a new allocation from the previous use remnants
(which have already been freed) to avoid using an already freed pointer
in the assignment comment = cp ? *cp : comment. When the code path is
such that comment has not been reset. This entire set of
2006 May 15
0
[PATCH 1/12] bug fix: openssh-4.3p2 memory leak
The variable cmd is xmalloc'd by buffer_get_string. It is then used in
some places but never freed. This patch places the xfree after the last
usage and within the confines of all paths. This entire set of patches
passed the regression tests on my system. Memory leak bug found by
Coverity.
Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
---
clientloop.c | 2 ++
1 files changed,
2006 May 15
0
[PATCH 3/12] bug fix: openssh-4.3p2 resource leak
The file descriptor f is not closed in this error path. This patch adds
the fclose as is customary in the rest of the function. This entire set
of patches passed the regression tests on my system. Resource leak bug
found by Coverity.
Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
---
hostfile.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletion(-)
diff -uprN
2006 May 15
0
[PATCH 4/12] bug fix: openssh-4.3p2 memory leak
If the operation in the function is not allowed memory is leaked in
three variables which were xmalloc'ed with buffer_get_string. In the
allowed case these variables are pointed to by variables with a greater
scope thus the reason this is a conditional leak. This entire set of
patches passed the regression tests on my system. Resource leak bugs
found by Coverity.
Signed-off-by:
2006 May 15
0
[PATCH 5/12] bug fix: openssh-4.3p2 scp bugs
There are 2 bugs here. The first is pipe's return code is not checked
in this instance and it can return a negative value. The purpose of the
call is to make sure 0 and 1 are not assigned to the pin and pout
descriptors because those values won't work for later calls. If the
pipe call fails the correct behavior cannot be ensured. This patch adds
an error case consistent with the rest
2006 May 15
0
[PATCH 6/12] bug fix: openssh-4.3p2 memory leak
cancel_address is allocated in packet_get_string and used in the call to
channel_cancel_rport_listener and then it goes out of scope. This patch
adds the xfree. This entire set of patches passed the regression tests
on my system. Resource leak bug found by Coverity.
Signed-off-by: Kylene Hall <kjhall at us.ibm.com>
---
serverloop.c | 1 +
1 files changed, 1 insertion(+)
diff -uprN
2006 May 15
0
[PATCH 7/12] bugfix: openssh-4.3p2
There are several memory management bugs here. First, the variable tmp
is allocated by infer_path. In one path this allocating function is
called again on the same variable without freeing the first instance.
In another path the variable is just not freed. The fix is to add the
xfree before the second call to infer_path and to move the existing
xfree to cover both paths (in one case this is on
2006 May 15
0
[PATCH 9/12] bug fix: openssh 4.3p2 possible NULL dereference
key is freed outside of the if that checks if key is NULL therefore,
NULL could be sent to the key_free function which will not handle it
correctly. The fix is to move key_free to a place where you know key is
not NULL. This patch moves the key_free call. This entire set of
patches passed the regression tests on my system. Bug found by Coverity.
Signed-off-by: Kylene Hall <kjhall at
2016 Nov 07
2
imapsieve pigeonhole plugin?
On 11/6/2016 at 6:35 PM, Larry Rosenman wrote:
> also, with NO scripts defined, but imapsieve active, marking a large virtual
> mailbox all seen garners:
>
> Nov 6 11:30:59 thebighonker dovecot: imap(ler): Panic: file
> imap-sieve-storage.c: line 616: unreached
>
> I can provide more logs, but doing the same to (one of) the base
> mailbox(es) does NOT garner
> the
2006 May 15
1
[PATCH 8/12] openssh-4.3p2 return code check bugs
The get_handle function can return a negative value. The variable that
value is assigned to is eventually passed to handle_close which uses the
value as an array index thus not being able to handle negative values.
This patch adds the return code check and provides an appropriate error
exit in the event of a negative return code. This entire set of patches
passed the regression tests on my
2016 Nov 07
0
imapsieve pigeonhole plugin?
additional info. This happens when the mailbox definition includes the
seen flag:
thebighonker.lerctr.org /home/ler/MAIL-VIRTUAL $ cat
list-unseen/dovecot-virtual
lists/*
unseen
thebighonker.lerctr.org /home/ler/MAIL-VIRTUAL $ cat
other-unseen/dovecot-virtual
*
-lists/*
unseen
thebighonker.lerctr.org /home/ler/MAIL-VIRTUAL $
not sure if that makes a difference.
On Mon, Nov 7, 2016 at 3:31
2016 Nov 06
0
imapsieve pigeonhole plugin?
also, with NO scripts defined, but imapsieve active, marking a large virtual
mailbox all seen garners:
Nov 6 11:30:59 thebighonker dovecot: imap(ler): Panic: file
imap-sieve-storage.c: line 616: unreached
I can provide more logs, but doing the same to (one of) the base
mailbox(es) does NOT garner
the message.
600 can_discard = FALSE;
601 switch (isuser->cur_cmd) {