Bug 104573

Summary: Buffer managment errors in OpenSSH < 3.7.1
Product: [Retired] Red Hat Raw Hide Reporter: Alan Sanderson <u2561633>
Component: opensshAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED DUPLICATE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: high    
Version: 1.0CC: u2561633
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-02-21 18:58:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Alan Sanderson 2003-09-17 13:34:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-AU; rv:1.5a) Gecko/20030801
Mozilla Firebird/0.6.1

Description of problem:
Buffer managment errors have been discorever in OpenSSH 3.7.0 and below, this
has been said to be remotely exploitable.
OpenSSH should therefore be upgraded to 3.7.1 in rawhide and no doubt in RedHat
Linux 9.0, 8.0, 7.3, 7.2, 7.1.

Version-Release number of selected component (if applicable):
openssh-3.6.1p2-4

How reproducible:
Always

Steps to Reproduce:
1.See description
2.
3.
    

Actual Results:  See description

Expected Results:  See description

Additional info:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://slashdot.org/article.pl?sid=03/09/16/1327248&mode=nested&tid=126&tid=172

Comment 1 Hrunting Johnson 2003-09-17 14:37:16 UTC
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.194&r2=1.195&f=h

These are the changes that need to be made.  This is a very similar fix to
yesterday's buffer.c patch which does need to be applied to yesterday's errata.

Comment 2 Mark J. Cox 2003-09-17 15:45:56 UTC

*** This bug has been marked as a duplicate of 104551 ***

Comment 3 Red Hat Bugzilla 2006-02-21 18:58:36 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.