aboutsummaryrefslogtreecommitdiffstats
path: root/security/openssh-portable
diff options
context:
space:
mode:
authordinoex <dinoex@FreeBSD.org>2003-09-17 20:03:12 +0800
committerdinoex <dinoex@FreeBSD.org>2003-09-17 20:03:12 +0800
commitea3a16f7c51d6249b252a362627f4df7dfcdb5dd (patch)
tree92f9c170d87a60fc7c06e58e6800d156c64e61b5 /security/openssh-portable
parent792f19e590f3fba4dd0bbb9f7f5aed9e7407cc9d (diff)
downloadfreebsd-ports-gnome-ea3a16f7c51d6249b252a362627f4df7dfcdb5dd.tar.gz
freebsd-ports-gnome-ea3a16f7c51d6249b252a362627f4df7dfcdb5dd.tar.zst
freebsd-ports-gnome-ea3a16f7c51d6249b252a362627f4df7dfcdb5dd.zip
- Securitry Fix revision 2
http://www.openssh.com/txt/buffer.adv Approved by: lioux (portmgr)
Diffstat (limited to 'security/openssh-portable')
-rw-r--r--security/openssh-portable/Makefile2
-rw-r--r--security/openssh-portable/files/patch-buffer.c149
2 files changed, 111 insertions, 40 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index e5be325edfb4..069488921658 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -7,7 +7,7 @@
PORTNAME= openssh
PORTVERSION= 3.6.1p2
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security ipv6
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
diff --git a/security/openssh-portable/files/patch-buffer.c b/security/openssh-portable/files/patch-buffer.c
index 80fcad726108..093e83c586a3 100644
--- a/security/openssh-portable/files/patch-buffer.c
+++ b/security/openssh-portable/files/patch-buffer.c
@@ -1,39 +1,110 @@
-*** buffer.c.orig Sat Jun 29 06:33:59 2002
---- buffer.c Tue Sep 16 00:33:54 2003
-***************
-*** 69,74 ****
---- 69,75 ----
- void *
- buffer_append_space(Buffer *buffer, u_int len)
- {
-+ u_int newlen;
- void *p;
-
- if (len > 0x100000)
-***************
-*** 98,108 ****
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-! buffer->alloc += len + 32768;
-! if (buffer->alloc > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! buffer->alloc);
-! buffer->buf = xrealloc(buffer->buf, buffer->alloc);
- goto restart;
- /* NOTREACHED */
- }
---- 99,111 ----
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-!
-! newlen = buffer->alloc + len + 32768;
-! if (newlen > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-! newlen);
-! buffer->buf = xrealloc(buffer->buf, newlen);
-! buffer->alloc = newlen;
- goto restart;
- /* NOTREACHED */
- }
+Subject: OpenSSH Security Advisory: buffer.adv
+
+This is the 2nd revision of the Advisory.
+
+This document can be found at: http://www.openssh.com/txt/buffer.adv
+
+1. Versions affected:
+
+ All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
+ management errors. It is uncertain whether these errors are
+ potentially exploitable, however, we prefer to see bugs
+ fixed proactively.
+
+ Other implementations sharing common origin may also have
+ these issues.
+
+2. Solution:
+
+ Upgrade to OpenSSH 3.7.1 or apply the following patch.
+
+===================================================================
+Appendix A: patch for OpenSSH 3.6.1 and earlier
+
+Index: buffer.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
+retrieving revision 1.16
+retrieving revision 1.18
+diff -u -r1.16 -r1.18
+--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
++++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
+@@ -23,8 +23,11 @@
+ void
+ buffer_init(Buffer *buffer)
+ {
+- buffer->alloc = 4096;
+- buffer->buf = xmalloc(buffer->alloc);
++ const u_int len = 4096;
++
++ buffer->alloc = 0;
++ buffer->buf = xmalloc(len);
++ buffer->alloc = len;
+ buffer->offset = 0;
+ buffer->end = 0;
+ }
+@@ -34,8 +37,10 @@
+ void
+ buffer_free(Buffer *buffer)
+ {
+- memset(buffer->buf, 0, buffer->alloc);
+- xfree(buffer->buf);
++ if (buffer->alloc > 0) {
++ memset(buffer->buf, 0, buffer->alloc);
++ xfree(buffer->buf);
++ }
+ }
+
+ /*
+@@ -69,6 +74,7 @@
+ void *
+ buffer_append_space(Buffer *buffer, u_int len)
+ {
++ u_int newlen;
+ void *p;
+
+ if (len > 0x100000)
+@@ -98,11 +104,13 @@
+ goto restart;
+ }
+ /* Increase the size of the buffer and retry. */
+- buffer->alloc += len + 32768;
+- if (buffer->alloc > 0xa00000)
++
++ newlen = buffer->alloc + len + 32768;
++ if (newlen > 0xa00000)
+ fatal("buffer_append_space: alloc %u not supported",
+- buffer->alloc);
+- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
++ newlen);
++ buffer->buf = xrealloc(buffer->buf, newlen);
++ buffer->alloc = newlen;
+ goto restart;
+ /* NOTREACHED */
+ }
+Index: channels.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/channels.c,v
+retrieving revision 1.194
+retrieving revision 1.195
+diff -u -r1.194 -r1.195
+--- channels.c 29 Aug 2003 10:04:36 -0000 1.194
++++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
+@@ -228,12 +228,13 @@
+ if (found == -1) {
+ /* There are no free slots. Take last+1 slot and expand the array. */
+ found = channels_alloc;
+- channels_alloc += 10;
+ if (channels_alloc > 10000)
+ fatal("channel_new: internal error: channels_alloc %d "
+ "too big.", channels_alloc);
++ channels = xrealloc(channels,
++ (channels_alloc + 10) * sizeof(Channel *));
++ channels_alloc += 10;
+ debug2("channel: expanding %d", channels_alloc);
+- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
+ for (i = found; i < channels_alloc; i++)
+ channels[i] = NULL;
+ }
+
+