similar to: [PATCH 12/12] bug fix: openssh 4.3p2 ssh-rand-helper bugs

Displaying 20 results from an estimated 300 matches similar to: "[PATCH 12/12] bug fix: openssh 4.3p2 ssh-rand-helper bugs"

2001 Jan 16
1
ssh drops privs when it can't find ~/.ssh/prng_seed
I'm using OpenSSH 2.3.0p1. When my users use ssh for the first time, using rhosts authentication, entropy.c drops the privs in prng_write_seedfile() at the setuid(original_uid) line (line 550, approx): void prng_write_seedfile(void) { int fd; char seed[1024]; char filename[1024]; struct passwd *pw; /* Don't bother if we have already saved a seed */ if (prng_seed_saved) return;
2001 Sep 28
1
openssh-2.9.9p2 assumes pid_t, uid_t, etc. are not 'long'
openssh-2.9.9p2 assumes that pid_t, uid_t, gid_t, and mode_t are no wider than int. GCC complains about this assumption on 32-bit Solaris 8 sparc, where these types are 'long', not 'int'. This isn't an actual problem at runtime on this host, as long and int are the same width, but it is a problem on other hosts where pid_t is wider than int. E.g., I've heard that 64-bit
2001 Oct 16
6
program-prefix does not work
the configure option --program-prefix does not work although it is listed in the configure --help output. The attached patch fixes these issues: 1) program prefix is not substituted in configure 2) program prefix is not present in Makefile 3) scp requires use of a known "scp" program -- bryan diff -cr openssh-2.9.9p2.orig/Makefile.in openssh-2.9.9p2/Makefile.in ***
2006 May 04
2
xmalloc(foo*bar) -> xcalloc(foo, bar) for Portable
Hi All. While wandering in auth-pam.c I noticed that there's a few Portable-specific escapees from the xmalloc(foo * bar) cleanup. There's also a "probably can't happen" integer overflow in ssh-rand-helper.c with the memset: num_cmds = 64; - entcmd = xmalloc(num_cmds * sizeof(entropy_cmd_t)); + entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t));
2001 Mar 11
4
prng_cmds/init_rng() question/patch
I have a need to provide ssh client binaries for use elsewhere on several platforms, some without /dev/random support. I can't assume that users will know how to install/run prngd or egd, so I was planning to rely on the builtin prng code. However this require the ssh_prng_cmds file to exist in a fixed location -- which would mean making binaries which either look for it in . or other
2000 Aug 25
1
[patch] configurable ssh_prng_cmds
The following patch against openssh-SNAP-20000823 allows to override the compile-time "ssh_prng_cmds" file at run time by adding new options to the server and client configurations. (We move binaries around a bit, and this was the only absolute path that couldn't be fixed at run-time). Regards Jan diff -ur openssh-SNAP-20000823.orig/entropy.c openssh-SNAP-20000823.new/entropy.c
2006 May 15
1
[PATCH 2/12] bug fix: openssh-4.3p2 NULL dereference
The variable IV can be NULL when passed into the function. However, IV is dereferenced in CMP, therefore, IV should be checked before sending it to this macro. This patch adds what is common in other parts of the code but is missing on this particular check. This entire set of patches passed the regression tests on my system. Null dereference bug found by Coverity. Signed-off-by: Kylene
2006 May 15
2
[PATCH 10/12 bugfix: openssh-4.3p2: memory leak
The variable local_user was allocated by xstrdup and is not freed or pointed to in this branch. This patch adds the xfree. This entire set of patches passed the regression tests on my system. Bug found by Coverity. Signed-off-by: Kylene Hall <kjhall at us.ibm.com> --- sshconnect.c | 1 + 1 files changed, 1 insertion(+) diff -uprN openssh-4.3p2/sshconnect.c
2006 May 15
0
[PATCH 11/12] bugfix: openssh-4.3p2 variable reuse bug
Since the comment variable is used later in the function for other purposes. It is necessary to NULL the variable so it can be differentiated as a new allocation from the previous use remnants (which have already been freed) to avoid using an already freed pointer in the assignment comment = cp ? *cp : comment. When the code path is such that comment has not been reset. This entire set of
2006 May 15
0
[PATCH 1/12] bug fix: openssh-4.3p2 memory leak
The variable cmd is xmalloc'd by buffer_get_string. It is then used in some places but never freed. This patch places the xfree after the last usage and within the confines of all paths. This entire set of patches passed the regression tests on my system. Memory leak bug found by Coverity. Signed-off-by: Kylene Hall <kjhall at us.ibm.com> --- clientloop.c | 2 ++ 1 files changed,
2006 May 15
0
[PATCH 3/12] bug fix: openssh-4.3p2 resource leak
The file descriptor f is not closed in this error path. This patch adds the fclose as is customary in the rest of the function. This entire set of patches passed the regression tests on my system. Resource leak bug found by Coverity. Signed-off-by: Kylene Hall <kjhall at us.ibm.com> --- hostfile.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletion(-) diff -uprN
2006 May 15
0
[PATCH 4/12] bug fix: openssh-4.3p2 memory leak
If the operation in the function is not allowed memory is leaked in three variables which were xmalloc'ed with buffer_get_string. In the allowed case these variables are pointed to by variables with a greater scope thus the reason this is a conditional leak. This entire set of patches passed the regression tests on my system. Resource leak bugs found by Coverity. Signed-off-by:
2006 May 15
0
[PATCH 5/12] bug fix: openssh-4.3p2 scp bugs
There are 2 bugs here. The first is pipe's return code is not checked in this instance and it can return a negative value. The purpose of the call is to make sure 0 and 1 are not assigned to the pin and pout descriptors because those values won't work for later calls. If the pipe call fails the correct behavior cannot be ensured. This patch adds an error case consistent with the rest
2006 May 15
0
[PATCH 6/12] bug fix: openssh-4.3p2 memory leak
cancel_address is allocated in packet_get_string and used in the call to channel_cancel_rport_listener and then it goes out of scope. This patch adds the xfree. This entire set of patches passed the regression tests on my system. Resource leak bug found by Coverity. Signed-off-by: Kylene Hall <kjhall at us.ibm.com> --- serverloop.c | 1 + 1 files changed, 1 insertion(+) diff -uprN
2006 May 15
0
[PATCH 7/12] bugfix: openssh-4.3p2
There are several memory management bugs here. First, the variable tmp is allocated by infer_path. In one path this allocating function is called again on the same variable without freeing the first instance. In another path the variable is just not freed. The fix is to add the xfree before the second call to infer_path and to move the existing xfree to cover both paths (in one case this is on
2006 May 15
0
[PATCH 9/12] bug fix: openssh 4.3p2 possible NULL dereference
key is freed outside of the if that checks if key is NULL therefore, NULL could be sent to the key_free function which will not handle it correctly. The fix is to move key_free to a place where you know key is not NULL. This patch moves the key_free call. This entire set of patches passed the regression tests on my system. Bug found by Coverity. Signed-off-by: Kylene Hall <kjhall at
2016 Nov 07
2
imapsieve pigeonhole plugin?
On 11/6/2016 at 6:35 PM, Larry Rosenman wrote: > also, with NO scripts defined, but imapsieve active, marking a large virtual > mailbox all seen garners: > > Nov 6 11:30:59 thebighonker dovecot: imap(ler): Panic: file > imap-sieve-storage.c: line 616: unreached > > I can provide more logs, but doing the same to (one of) the base > mailbox(es) does NOT garner > the
2006 May 15
1
[PATCH 8/12] openssh-4.3p2 return code check bugs
The get_handle function can return a negative value. The variable that value is assigned to is eventually passed to handle_close which uses the value as an array index thus not being able to handle negative values. This patch adds the return code check and provides an appropriate error exit in the event of a negative return code. This entire set of patches passed the regression tests on my
2016 Nov 07
0
imapsieve pigeonhole plugin?
additional info. This happens when the mailbox definition includes the seen flag: thebighonker.lerctr.org /home/ler/MAIL-VIRTUAL $ cat list-unseen/dovecot-virtual lists/* unseen thebighonker.lerctr.org /home/ler/MAIL-VIRTUAL $ cat other-unseen/dovecot-virtual * -lists/* unseen thebighonker.lerctr.org /home/ler/MAIL-VIRTUAL $ not sure if that makes a difference. On Mon, Nov 7, 2016 at 3:31
2016 Nov 06
0
imapsieve pigeonhole plugin?
also, with NO scripts defined, but imapsieve active, marking a large virtual mailbox all seen garners: Nov 6 11:30:59 thebighonker dovecot: imap(ler): Panic: file imap-sieve-storage.c: line 616: unreached I can provide more logs, but doing the same to (one of) the base mailbox(es) does NOT garner the message. 600 can_discard = FALSE; 601 switch (isuser->cur_cmd) {