All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, but the ebuild should be updated ASAP, since are possibly already exploits around (according to bugtraq). 3.7 also fixes the reverse DNS problem, discussed earlier this year (now called "UseDNS"). The original advisory should become available at <http://www.openssh.com/txt/buffer.adv>. Since it's not available yet, here's the original post: From: Markus Friedl <markus@openbsd.org> This is the 1st revision of the Advisory. This document can be found at: http://www.openssh.com/txt/buffer.adv 1. Versions affected: All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively. 2. Solution: Upgrade to OpenSSH 3.7 or apply the following patch. Appendix: Index: buffer.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 +++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17 @@ -69,6 +69,7 @@ void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; if (len > 0x100000) @@ -98,11 +99,13 @@ goto restart; } /* Increase the size of the buffer and retry. */ - buffer->alloc += len + 32768; - if (buffer->alloc > 0xa00000) + + newlen = buffer->alloc + len + 32768; + if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", - buffer->alloc); - buffer->buf = xrealloc(buffer->buf, buffer->alloc); + newlen); + buffer->buf = xrealloc(buffer->buf, newlen); + buffer->alloc = newlen; goto restart; /* NOTREACHED */ }
There's already a new archive up at ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7p1.tar.gz. A simple version bump should be enough to get that version out in Portage (works perfectly here).
Blizzy! long time no see ;) Too bad their ftp site is overloaded ATM :/
http://wh0rd.de/gentoo/distfiles/openssh-3.7p1.tar.gz ... i'll scp it to dev.gentoo.org to get to our mirrors even faster :D
hardened: you guys are gonna wanna update the selinux patch for this :)
!!! Couldn't download openssh-3.7p1+x509g2.diff.gz. Aborting. The patch isn't available and is commented out in the ebuild, but Portage 2.0.49-r3 still tries to fetch it!?
I have -selinux in my use flags and when doing an ebuild openssh-3.7_p1.ebuild fetch unpack compile. It would die a really bad death this SRC_URI fix/workaround should be added to portage shortly. - selinux? http://lostlogicx.com/gentoo/openssh_3.6p1-5.se1.diff.bz2" + selinux? ( http://lostlogicx.com/gentoo/openssh_3.6p1-5.se1.diff.bz2 )" I'm guessing this will still fail to build correctly for people using selinux. I'm adding pebenito@g.o directly to the CC list in case he did not get/see this bug already.
i added () to all SRC_URIs for sake of completeness pebenito already knows ... i talked to him on irc about this ... as it stands now, 3.7 has been masked in selinux profiles
I dont think this should of marked stable reguardless of of any security problems. repoman --pretend scan shows us.. DEPEND.bad 1 net-misc/openssh/openssh-3.7_p1.ebuild: ['app-admin/skey'] RDEPEND.bad 1 net-misc/openssh/openssh-3.7_p1.ebuild: ['app-admin/skey']
Already fixed in CVS. Also very few people have skey in USE anyway. It's a local flag.
This package is in stable but fails to emerge. I will post bug once I have captured output.
The issue of openssh 3.7_p1 failing to compile has been filed on bug 28909. Any help would be appreciated as this is a critical security update.
openssh-3.7.1_p1 just hit the stores.. Anybody care to bump? SpanKY?
already done :) just need GLSA
GLSA has been sent for this version