Bug 28873 - OpenSSH 3.7p1 fixes potential security problem
Summary: OpenSSH 3.7p1 fixes potential security problem
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: Highest critical
Assignee: Gentoo Security
URL: http://article.gmane.org/gmane.networ...
Whiteboard:
Keywords:
Depends on:
Blocks: 28927
Reported: 2003-09-16 05:39 UTC by fbusse
Modified: 2003-09-16 18:01 UTC (History)
Description fbusse 2003-09-16 05:39:51 UTC
All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is
uncertain whether this error is potentially exploitable, but the ebuild should be
updated ASAP, since there are possibly already exploits around (according to bugtraq).
3.7 also fixes the reverse DNS problem, discussed earlier this year (now called
"UseDNS").
The original advisory should become available at
<http://www.openssh.com/txt/buffer.adv>.
Since it's not available yet, here's the original post:
 
 
From: Markus Friedl <markus@openbsd.org> 
 
This is the 1st revision of the Advisory. 
 
This document can be found at:  http://www.openssh.com/txt/buffer.adv 
 
1. Versions affected: 
 
        All versions of OpenSSH's sshd prior to 3.7 contain a buffer 
        management error.  It is uncertain whether this error is 
        potentially exploitable, however, we prefer to see bugs 
        fixed proactively. 
 
2. Solution: 
 
        Upgrade to OpenSSH 3.7 or apply the following patch. 
 
Appendix: 
 
Index: buffer.c 
=================================================================== 
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v 
retrieving revision 1.16 
retrieving revision 1.17 
diff -u -r1.16 -r1.17 
--- buffer.c    26 Jun 2002 08:54:18 -0000      1.16 
+++ buffer.c    16 Sep 2003 03:03:47 -0000      1.17 
@@ -69,6 +69,7 @@ 
 void * 
 buffer_append_space(Buffer *buffer, u_int len) 
 { 
+       u_int newlen; 
        void *p; 
  
        if (len > 0x100000) 
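Review bot: the new `u_int newlen` is declared with the same unsigned type that `buffer->alloc` is printed with (`%u`) and that `len` carries, and the existing `if (len > 0x100000)` guard visible here is what bounds `len` before it enters the new-size arithmetic; keep that guard in place, since it is the only check on `len` ahead of the `newlen` computation in the next hunk.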
@@ -98,11 +99,13 @@ 
                goto restart; 
        } 
        /* Increase the size of the buffer and retry. */ 
-       buffer->alloc += len + 32768; 
-       if (buffer->alloc > 0xa00000) 
+        
+       newlen = buffer->alloc + len + 32768; 
+       if (newlen > 0xa00000) 
                fatal("buffer_append_space: alloc %u not supported", 
-                   buffer->alloc); 
-       buffer->buf = xrealloc(buffer->buf, buffer->alloc); 
+                   newlen); 
+       buffer->buf = xrealloc(buffer->buf, newlen); 
+       buffer->alloc = newlen; 
        goto restart; 
        /* NOTREACHED */ 
 }
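Review bot: the `+` line immediately before `newlen = buffer->alloc + len + 32768;` adds a whitespace-only blank line and should be dropped. The substantive change is sound: the candidate size is computed into `newlen`, compared against `0xa00000`, and `buffer->alloc` is assigned only after `xrealloc` returns, so if `fatal()` fires the struct still describes the memory it actually owns, which the old `buffer->alloc += len + 32768;` placed before the check did not guarantee; the `fatal()` message now also reports the rejected `newlen` rather than a field that was never applied.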
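The buffer-management defect the description and advisory discuss, reduced to a constructed model in C (added here, not OpenSSH's own code): the 'before' form commits the new size to the struct before the cap check and reallocation, the 'after' form commits only once `realloc` has succeeded. The `Buffer` struct, its field names and `alloc_after_rejected_grow` are my own simplifications, and a return of -1 stands in for `fatal()`.

```c
#include <stdlib.h>
/* Constructed, simplified model of OpenSSH's Buffer (not the project's code). */
typedef struct {
    unsigned char *buf;   /* backing storage actually owned */
    unsigned int alloc;   /* size the struct claims to own */
} Buffer;

#define GROW_STEP 32768u
#define MAX_ALLOC 0xa00000u   /* growth cap, as in the advisory's patch */

/* Before the fix: alloc is bumped before the cap check and the realloc. */
int append_space_buggy(Buffer *b, unsigned int len)
{
    b->alloc += len + GROW_STEP;          /* committed too early */
    if (b->alloc > MAX_ALLOC)
        return -1;                        /* stands in for fatal() */
    b->buf = realloc(b->buf, b->alloc);
    return b->buf ? 0 : -1;
}

/* After the fix: commit the new size only once realloc has succeeded. */
int append_space_fixed(Buffer *b, unsigned int len)
{
    unsigned int newlen = b->alloc + len + GROW_STEP;
    void *p;
    if (newlen > MAX_ALLOC)
        return -1;
    p = realloc(b->buf, newlen);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->alloc = newlen;
    return 0;
}

/* Report the size the struct records after a growth request is rejected. */
unsigned int alloc_after_rejected_grow(int (*grow)(Buffer *, unsigned int))
{
    unsigned int start = MAX_ALLOC - 1024;   /* almost at the cap already */
    Buffer b;
    unsigned int recorded;
    b.buf = malloc(start);
    b.alloc = start;
    (void)grow(&b, 4096);                    /* 4096 + 32768 exceeds the cap */
    recorded = b.alloc;                      /* consistent code still says start */
    free(b.buf);
    return recorded;
}
```

With the buggy form the struct ends up claiming 35840 bytes more than it owns after the rejected call, which is the inconsistency the advisory's patch removes.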
Comment 1 Maik Schreiber 2003-09-16 06:59:30 UTC
There's already a new archive up at ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7p1.tar.gz.

A simple version bump should be enough to get that version out in Portage (works perfectly here).
Comment 2 Mark Guertin 2003-09-16 09:02:54 UTC
Blizzy! long time no see ;)

Too bad their ftp site is overloaded ATM :/
Comment 3 SpanKY gentoo-dev 2003-09-16 09:20:08 UTC
http://wh0rd.de/gentoo/distfiles/openssh-3.7p1.tar.gz ... i'll scp it to dev.gentoo.org to get to our mirrors even faster :D
Comment 4 SpanKY gentoo-dev 2003-09-16 09:27:34 UTC
hardened: you guys are gonna wanna update the selinux patch for this :)
Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2003-09-16 12:09:24 UTC
!!! Couldn't download openssh-3.7p1+x509g2.diff.gz. Aborting.

The patch isn't available and is commented out in the ebuild, but Portage 2.0.49-r3 still tries to fetch it!?
Comment 6 solar (RETIRED) gentoo-dev 2003-09-16 12:21:48 UTC
I have -selinux in my USE flags, and when doing an
ebuild openssh-3.7_p1.ebuild fetch unpack compile

it would die a really bad death. This SRC_URI fix/workaround should be added to Portage shortly.

-	selinux? http://lostlogicx.com/gentoo/openssh_3.6p1-5.se1.diff.bz2"
+	selinux? ( http://lostlogicx.com/gentoo/openssh_3.6p1-5.se1.diff.bz2 )"
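Review bot: the `+` line adds the `( ... )` grouping that makes `selinux?` an actual USE-conditional in SRC_URI; on the `-` line the URL is not grouped, so it is fetched regardless of USE, which matches the fetch failure reported here for a `-selinux` build.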

I'm guessing this will still fail to build correctly for people using selinux.
I'm adding pebenito@g.o directly to the CC list in case he did not get/see this bug already.
Comment 7 SpanKY gentoo-dev 2003-09-16 12:33:22 UTC
i added () to all SRC_URIs for sake of completeness

pebenito already knows ... i talked to him on irc about this ... as it stands now, 3.7 has been masked in selinux profiles
Comment 8 solar (RETIRED) gentoo-dev 2003-09-16 12:37:37 UTC
I don't think this should have been marked stable regardless of any security problems.

repoman --pretend scan  shows us..
 DEPEND.bad           1
   net-misc/openssh/openssh-3.7_p1.ebuild: ['app-admin/skey']
  RDEPEND.bad          1
   net-misc/openssh/openssh-3.7_p1.ebuild: ['app-admin/skey']
Comment 9 Jon Portnoy (RETIRED) gentoo-dev 2003-09-16 12:43:35 UTC
Already fixed in CVS.

Also very few people have skey in USE anyway. It's a local flag.
Comment 10 Narada Sage 2003-09-16 13:55:03 UTC
This package is in stable but fails to emerge.  I will post bug once I have captured output.
Comment 11 Narada Sage 2003-09-16 14:03:26 UTC
The issue of openssh 3.7_p1 failing to compile has been filed on bug 28909.  Any help would be appreciated as this is a critical security update.
Comment 12 solar (RETIRED) gentoo-dev 2003-09-16 17:51:45 UTC
openssh-3.7.1_p1 just hit the stores.. Anybody care to bump? SpanKY?
Comment 13 SpanKY gentoo-dev 2003-09-16 18:00:07 UTC
already done :)

just need GLSA
Comment 14 SpanKY gentoo-dev 2003-09-16 18:01:19 UTC
GLSA has been sent for this version