Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 148228 - net-misc/openssh Multiple minor issues CVE-2006-4924 CVE-2006-4925
Summary: net-misc/openssh Multiple minor issues CVE-2006-4924 CVE-2006-4925
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3? [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-09-19 11:35 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-09-28 03:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
openssh-4.3_p2-identical-simple-dos.patch (openssh-4.3_p2-identical-simple-dos.patch,3.44 KB, patch)
2006-09-19 21:23 UTC, SpanKY
no flags Details | Diff
demonstration exploit (openssh-exploit.sh,4.86 KB, text/plain)
2006-09-24 07:13 UTC, Tavis Ormandy (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2006-09-19 11:35:30 UTC
Hi there, some minor issues have been discovered during an examination
of openssh. These vulnerabilities have limited practical impact, but
some vendors may be interested in the details. The upstream developers
have already been informed, and report they are investigating possible
solutions, however no official patch is available at present.

A DoS vulnerability exists in sshd servers with ssh protocol version 1
enabled (Protocol 1, or Protocol 2,1 in sshd_config), this setting is
the default. A remote attacker can send a pathological ssh message
with multiple identical blocks, causing the O(N^3) compensation attack
detector to use 100% available CPU until LoginGraceTime expires. The
impact of this attack is low, but allows a very small amount of
traffic to saturate the host CPU. An example exploit written in bash
is attached, it should be possible to execute the script and monitor
the sshd process using top.

An error while checking for NULL in the openssh client allows an mitm,
or attacker on the same network segment to crash the client. The error
is due to this check in packet.c

   671   for (mode = 0; mode < MODE_MAX; mode++) {
   672     comp = &newkeys[mode]->comp;
   673     if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
   674       packet_init_compression();

if newkeys[mode] is NULL, comp is going to be offsetof comp, which
will not be NULL, thus satisifying the condition if (comp). Therefore
the test should probably be (newkeys[mode] && ...)

You can reproduce the bug with the testcase attached like this:

$ gzip -d < testcase.gz | nc -lp 8080 &
$ gdb -q ssh
(gdb) r -p 8080 localhost
Program received signal SIGSEGV, Segmentation fault.
0x0806aa88 in packet_enable_delayed_compress () at packet.c:673
673                     if (comp && !comp->enabled && comp->type ==
COMP_DELAYED) {
(gdb) list
668              * with COMP_DELAYED will turn on compression immediately.
669              */
670             after_authentication = 1;
671             for (mode = 0; mode < MODE_MAX; mode++) {
672                     comp = &newkeys[mode]->comp;
673                     if (comp && !comp->enabled && comp->type ==
COMP_DELAYED) {
674                             packet_init_compression();
675                             if (mode == MODE_OUT)
676                                     buffer_compress_init_send(6);
677                             else
(gdb) ptype newkeys[mode]
type = struct Newkeys {
   Enc enc;
   Mac mac;
   Comp comp;
} *
(gdb) p/x offsetof(struct Newkeys, comp)
No symbol "__builtin_offsetof" in current context.
(gdb) p/x sizeof(struct Newkeys) - sizeof(Comp)
$1 = 0x34
(gdb) p/x comp
$2 = 0x34
(gdb) x/i $pc
0x806aa88 <packet_enable_delayed_compress+57>:  mov    eax,DWORD PTR [eax+4]
(gdb) p/x $eax
$3 = 0x34

Please credit "Tavis Ormandy, Google Security Team" in any advisories
relating to these issues.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-19 11:38:19 UTC
Hello, a patch has been committed to cvs, so this issue can be
considered public now.

(a description of the attack exists in the comments in the first diff below)

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.c.diff?r1=1.29&r2=1.30&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c.diff?r1=1.143&r2=1.144&sortby=date&f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/deattack.h.diff?r1=1.9&r2=1.10&sortby=date&f=h

A patch hasnt been committed to fix the client crash, but the fix is obvious.
Comment 2 SpanKY gentoo-dev 2006-09-19 21:23:35 UTC
Created attachment 97507 [details, diff]
openssh-4.3_p2-identical-simple-dos.patch

required a little tweaking to apply against 4.3p2 ... anyone care to clue me in on what it'll take for the client ?
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2006-09-19 22:47:24 UTC
This should solve it

--- openssh-4.3p2/packet.c  2005-11-05 04:15:00.000000000 +0000
+++ openssh-4.3p2/packet.c       2006-09-20 07:45:34.000000000 +0100
@@ -670,7 +670,7 @@ packet_enable_delayed_compress(void)
        after_authentication = 1;
        for (mode = 0; mode < MODE_MAX; mode++) {
                comp = &newkeys[mode]->comp;
-               if (comp && !comp->enabled && comp->type == COMP_DELAYED) {
+               if (newkeys[mode] && !comp->enabled && comp->type == COMP_DELAYED) {
                        packet_init_compression();
                        if (mode == MODE_OUT)
                                buffer_compress_init_send(6);
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-09-19 23:18:34 UTC
taviso:
shouldn't the 'if(newkeys[mode]' portion be one line further up, above the usage of newkeys[mode] as a pointer?
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2006-09-20 02:10:52 UTC
Robin: taking an objects address doesnt dereference it, so this fix should be fine.
Comment 6 SpanKY gentoo-dev 2006-09-20 10:17:26 UTC
is that fix going upstream ?  if not then i wont bother with it in Gentoo either
Comment 8 SpanKY gentoo-dev 2006-09-20 16:10:30 UTC
4.3_p2-r3 in portage w/fixes
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-20 21:01:37 UTC
Thx Mike.

Arches please test and mark stable. Target keywords are:

openssh-4.3_p2-r3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2006-09-20 23:23:53 UTC
ppc64 stable
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2006-09-20 23:35:00 UTC
    1) emerges fine
    2) passes collision test
    3) works

    Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
    =================================================================
    System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+
    Gentoo Base System version 1.12.5
    Last Sync: Thu, 21 Sep 2006 05:20:01 +0000
    app-admin/eselect-compiler: [Not Present]
    dev-java/java-config: 1.2.11-r1
    dev-lang/python:     2.4.3-r1
    dev-python/pycrypto: 2.0.1-r5
    dev-util/ccache:     [Not Present]
    dev-util/confcache:  [Not Present]
    sys-apps/sandbox:    1.2.17
    sys-devel/autoconf:  2.13, 2.59-r7
    sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
    sys-devel/binutils:  2.16.1-r3
    sys-devel/gcc-config: 1.3.13-r3
    sys-devel/libtool:   1.5.22
    virtual/os-headers:  2.6.17-r1
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CBUILD="i686-pc-linux-gnu"
    CFLAGS="-O2"
    CHOST="i686-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
    CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
    CXXFLAGS="-O2"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
    GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
    LANG="de_DE@euro"
    LC_ALL="de_DE@euro"
    LINGUAS="de"
    MAKEOPTS="-j2"
    PKGDIR="/usr/portage/packages"
    PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage"
    SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
    USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript jikes jpeg jpeg2k kernel_linux ldap leim libg++ linguas_de lm_sensors mad maildir matroska mbox mhash mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib"
    Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 12 Christoph Mende (RETIRED) gentoo-dev 2006-09-21 03:51:59 UTC
- emerges fine on amd64
- passes collision-test
- passes multilib-strict
- works

Portage 2.1.1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-gentoo x86_64)
=================================================================
System uname: 2.6.18-gentoo x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.5
Last Sync: Wed, 20 Sep 2006 18:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.6-r1, 2.0.29
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO8859-1"
LC_ALL="en_US.ISO8859-1"
LINGUAS=""
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi alsa amr avi berkdb bitmap-fonts branding bzip2 cairo cdinstall cdparanoia cdr cli crypt cups dbus divx dlloader dri dvd dvdr dvdread elibc_glibc emboss encode expat fam firefox fortran gdbm gif glut gpm gstreamer gtk gtk2 hal imagemagick input_devices_evdev input_devices_keyboard isdnlog jpeg kernel_linux lcms ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mng mp3 mpeg musicbrainz ncurses nls nptl nptlonly offensive ogg opengl pam pcre pdflib php png ppds pppd quicktime readline reflection reiserfs rtc sdl session socks5 spl ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU userlocales v4l v4l2 video_cards_fglrx vorbis wmp x264 xfs xine xinerama xml xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS
Comment 13 Andrej Kacian (RETIRED) gentoo-dev 2006-09-21 04:05:42 UTC
x86 done
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2006-09-21 06:52:55 UTC
sparc stable.
Comment 15 Mike Doty (RETIRED) gentoo-dev 2006-09-21 07:50:21 UTC
amd64 stable
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-21 11:53:31 UTC
ppc stable
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-22 15:08:50 UTC
hppa stable
Comment 18 Tavis Ormandy (RETIRED) gentoo-dev 2006-09-24 07:13:20 UTC
Created attachment 97942 [details]
demonstration exploit

Attaching a demonstration exploit for the DoS, with the fix applied this should do nothing.
Comment 19 Tavis Ormandy (RETIRED) gentoo-dev 2006-09-24 08:48:18 UTC
The patch doesnt look correct, I've tested the script attached on a patched system and it still works. I guess it should be something like this:

@@ -122,11 +140,13 @@
    if (IV)
        h[HASH(IV) & (n - 1)] = HASH_IV;

-   for (c = buf, j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
+   for (c = buf, same = j = 0; c < (buf + len); c += SSH_BLOCKSIZE, j++) {
        for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED;
            i = (i + 1) & (n - 1)) {
+           if (!CMP(c, buf + h[i] * SSH_BLOCKSIZE) && ++same > MAX_IDENTICAL)
+              return (DEATTACK_DOS_DETECTED);
            if (h[i] == HASH_IV) {
                if (!CMP(c, IV)) {
                    if (check_crc(c, buf, len, IV))
                        return (DEATTACK_DETECTED);
                    else
Comment 20 Tavis Ormandy (RETIRED) gentoo-dev 2006-09-25 07:18:33 UTC
openssh-4.3_p2-r5 has been committed and fixes this issue.

Testing procedure: 

Make sure Protcol 1 is enabled in sshd_config, if you have the line `Protocol 2`, temporarily change it to `Protocol 2,1` and restart. download the attached script and run it like this:

$ bash openssh-exploit.sh 
[*] OpenSSH Pre-Auth DoS PoC by taviso@google.com
[*] Attacking localhost...
[*] remote server identifies as SSH-1.99-OpenSSH_4.3.
[*] IP spoofing cookie was ba ae 11 45 a0 ac 3d 42.
[*] checksum should be 0x3f315cff
[*] All done.

Use top to verify there isnt a sshd process using 100% CPU. Now connect using protocol version 1 to ensure it works correctly:

$ ssh -1 localhost

If everything looks okay, please mark stable.
Comment 21 Christoph Mende (RETIRED) gentoo-dev 2006-09-25 08:44:46 UTC
- emerges fine on amd64
- passes collision-test
- passes multilib-strict
- works

angelos@hellbox ~ % ssh -1 localhost
Password:
Response:
Last login: Mon Sep 25 17:42:03 2006 from localhost
angelos@hellbox ~ % sh openssh-exploit.sh
[*] OpenSSH Pre-Auth DoS PoC by taviso@google.com
[*] Attacking localhost...
[*] remote server identifies as SSH-1.99-OpenSSH_4.3.
[*] IP spoofing cookie was 77 62 a6 b2 fa 61 80 57.
[*] checksum should be 0x4726377a
[*] All done.

no unusual cpu usage

Portage 2.1.2_pre1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18-ck1 x86_64)
=================================================================
System uname: 2.6.18-ck1 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.5
Last Sync: Mon, 25 Sep 2006 15:20:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r3
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/qmail/alias /var/qmail/control /var/vpopmail/domains /var/vpopmail/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO8859-1"
LC_ALL="en_US.ISO8859-1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi alsa amr avi berkdb bitmap-fonts branding bzip2 cairo cdinstall cdparanoia cdr cli crypt cups dbus divx dlloader dri dvd dvdr dvdread elibc_glibc emboss encode expat fam firefox foomaticdb fortran gdbm gif glut gnutls gpm gstreamer gtk gtk2 hal imagemagick input_devices_evdev input_devices_keyboard isdnlog jpeg kernel_linux lcms ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mng mp3 mpeg musicbrainz ncurses nls nptl nptlonly offensive ogg opengl pam pcre pdflib php png ppds pppd quicktime readline reflection reiserfs rtc sdl session socks5 spl ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU userlocales v4l v4l2 video_cards_fglrx video_cards_radeon vim-with-x vorbis wmp x264 xfs xine xinerama xml xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
Comment 22 Christian Faulhammer (RETIRED) gentoo-dev 2006-09-25 10:00:52 UTC
1) emerges fine
2) passes collision test
3) works (not vulnerable to demonstration exploit)


Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.5
Last Sync: Mon, 25 Sep 2006 05:20:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.2.11-r1
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa artworkextra asf audiofile bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript jikes jpeg jpeg2k kde kernel_linux ldap leim libg++ linguas_de lm_sensors mad maildir matroska mbox mhash mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 23 Paul Varner (RETIRED) gentoo-dev 2006-09-25 12:11:53 UTC
Stable on x86. Opfer, thanks for testing.
Comment 24 Jason Wever (RETIRED) gentoo-dev 2006-09-25 16:23:30 UTC
Stable on SPARC
Comment 25 Tobias Scherbaum (RETIRED) gentoo-dev 2006-09-26 06:15:59 UTC
ppc stable
Comment 26 Simon Stelling (RETIRED) gentoo-dev 2006-09-26 06:26:08 UTC
amd64 stable, the second
Comment 27 Gustavo Zacarias (RETIRED) gentoo-dev 2006-09-26 14:27:26 UTC
hppa stable even though they forgot about us again booo!!! ;)
Comment 28 Fernando J. Pereda (RETIRED) gentoo-dev 2006-09-27 08:55:45 UTC
Stable on alpha.

- ferdy
Comment 29 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-27 10:46:13 UTC
GLSA 200609-17
Comment 30 SpanKY gentoo-dev 2006-09-28 02:40:31 UTC
the patch i added is from upstream ... if there is a problem with the upstream code, then it needs to be fixed there
Comment 31 SpanKY gentoo-dev 2006-09-28 02:41:06 UTC
also, if you bump a package, you need a ChangeLog entry
Comment 32 Tavis Ormandy (RETIRED) gentoo-dev 2006-09-28 03:21:12 UTC
(In reply to comment #30)
> the patch i added is from upstream ... if there is a problem with the upstream
> code, then it needs to be fixed there
> 

No, your patch was nonsensical and didnt work.

Upstream's patch was correct, I backported it to 4.3.p2.

Apologies for the missing ChangeLog entry.