lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200310032252.h93Mq4E08799@rafiki.ca.caldera.com>
From: security at sco.com (security@....com)
Subject: OpenLinux: OpenSSH: multiple buffer handling problems

To: announce@...ts.sco.com bugtraq@...urityfocus.com security-alerts@...uxsecurity.com full-disclosure@...ts.netsys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: OpenSSH: multiple buffer handling problems
Advisory number: 	CSSA-2003-027.0
Issue date: 		2003 October 02
Cross reference: 	sr884647 fz528312 erg712429 CERT VU#333628 CERT VU#602204  CAN-2003-0693 CAN-2003-0695 CAN-2003-0682 CAN-2003-0786 
______________________________________________________________________________


1. Problem Description

	Several buffer management errors and memory bugs are corrected
	by this patch. 
	
	The Common Vulnerabilities and Exposures project (cve.mitre.org) 
	has assigned the following names to these issues. CAN-2003-0693, 
	CAN-2003-0695, CAN-2003-0682, CAN-2003-0786. 
	
	The CERT Coordination Center has assigned the following names 
	VU#333628, and VU#602204. 
	
	CERT VU#333628 / CAN-2003-0693: A "buffer management error" in 
	buffer_append_space of buffer.c for OpenSSH before 3.7 may allow 
	remote attackers to execute arbitrary code by causing an incorrect 
	amount of memory to be freed and corrupting the heap, a different 
	vulnerability than CAN-2003-0695. 
	
	CAN-2003-0695: Multiple "buffer management errors" in OpenSSH before 
	3.7.1 may allow attackers to cause a denial of service or execute 
	arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free 
	in buffer.c, or (3) a separate function in channels.c, a different 
	vulnerability than CAN-2003-0693. 
	
	CAN-2003-0682: "Memory bugs" in OpenSSH 3.7.1 and earlier, with 
	unknown impact, a different set of vulnerabilities than CAN-2003-0693 
	and CAN-2003-0695. 
	
	CERT VU#602204 / CAN-2003-0786: Portable OpenSSH versions 3.7p1
	and 3.7.1p1 contain multiple vulnerabilities in the new PAM
	code. At least one of these bugs is remotely exploitable (under
	a non-standard configuration, with privsep disabled).


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------
	OpenLinux 3.1.1 Server		prior to openssh-3.7.1p2-1.i386.rpm
					prior to openssh-askpass-3.7.1p2-1.i386.rpm
					prior to openssh-server-3.7.1p2-1.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to openssh-3.7.1p2-1.i386.rpm
					prior to openssh-askpass-3.7.1p2-1.i386.rpm
					prior to openssh-server-3.7.1p2-1.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-027.0/RPMS
	4.2 Packages

	b221123334fd2dbe93d049038175f91b	openssh-3.7.1p2-1.i386.rpm
	3290dd2b9cacfc1c7188b9a744645123	openssh-askpass-3.7.1p2-1.i386.rpm
	e5f5d9bbbfeb4e97629dae7b2446418f	openssh-server-3.7.1p2-1.i386.rpm

	4.3 Installation

	rpm -Fvh openssh-3.7.1p2-1.i386.rpm
	rpm -Fvh openssh-askpass-3.7.1p2-1.i386.rpm
	rpm -Fvh openssh-server-3.7.1p2-1.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-027.0/SRPMS

	4.5 Source Packages

	19fba72b17344b49390210f7988c3d0f	openssh-3.7.1p2-1.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-027.0/RPMS

	5.2 Packages

	ecae4ebd7d44036200fca7f4e7a00c85	openssh-3.7.1p2-1.i386.rpm
	086fd39a605fb8e5332ddeb9ad57d271	openssh-askpass-3.7.1p2-1.i386.rpm
	d1bf2e78daf806738bdedfcef9587830	openssh-server-3.7.1p2-1.i386.rpm

	5.3 Installation

	rpm -Fvh openssh-3.7.1p2-1.i386.rpm
	rpm -Fvh openssh-askpass-3.7.1p2-1.i386.rpm
	rpm -Fvh openssh-server-3.7.1p2-1.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-027.0/SRPMS

	5.5 Source Packages

	3cb08e4470041e84b893618a2df75bf1	openssh-3.7.1p2-1.src.rpm


6. References

	Specific references for this advisory:

	http://www.openssh.com/txt/buffer.adv
	http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
	http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/openssh/files/patch-buffer.c
	http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
	http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924840
		
	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr884647 fz528312
	erg712429.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj98mhUACgkQbluZssSXDTGZygCgvZzjkuPGLdxI5isCr53CqcwI
qSMAn3h8zJBLu8JbvQCvF8ALp078b9OO
=71ME
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ