-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-004 ================================= Topic: Off-by-one error in openssh session Version: NetBSD-current: source prior to March 7, 2002 NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: not included in base system pkgsrc: packages prior to 3.0.2.1nb2 Severity: local exploit (against sshd) by an authenticated user remote exploit (against ssh) by a malicious SSH server Fixed: NetBSD-current: March 7, 2002 NetBSD-1.5 branch: March 7, 2002 (1.5.3 will include the fix) pkgsrc: openssh-3.0.2.1nb2 corrects this issue Abstract ======== OpenSSH prior to version 3.1 has an off-by-one error in the channel code. This bug can be exploited locally by an authenticated user logging into a vulnerable OpenSSH server or remotely by a malicious SSH server attacking a vulnerable OpenSSH client. Technical Details ================= http://www.pine.nl/advisories/pine-cert-20020301.html Solutions and Workarounds ========================= To identify if your binary is vulnerable, you can use "ssh -V" and "sshd -V" command. On NetBSD-current, the following version string identifies the fixed version. If you see version string prior to this date, the binary is vulnerable. sshd version OpenSSH_3.1 NetBSD_Secure_Shell-20020308 On NetBSD 1.5 branch, the following string identifies the fixed version. If you see version string prior to this date, the binary is vulnerable. sshd version OpenSSH_3.0.2 NetBSD_Secure_Shell-20020307 With pkgsrc, use pkg_info(1) to identify the version. The following version is not vulnerable. Versions prior to this is vulnerable. openssh-3.0.2.1nb2 * NetBSD-current: Systems running NetBSD-current dated from before 2002-03-06 should be upgraded to NetBSD-current dated 2002-03-07 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): crypto/dist/ssh usr.bin/ssh To update from CVS, re-build, and re-install the ssh suite: # cd src # cvs update -d -P crypto/dist/ssh usr.bin/ssh # cd usr.bin/ssh # make cleandir dependall # make install Be sure to restart a running instance of ssh daemon (/usr/sbin/sshd). * NetBSD 1.5, 1.5.1, 1.5.2: Systems running NetBSD 1.5, 1.5.1 or 1.5.2 sources dated from before 2002-03-06 should be upgraded from NetBSD 1.5.* sources dated 2002-03-07 or later. NetBSD 1.5.3 will include the fix. The following directories need to be updated from the netbsd-1-5 CVS branch: crypto/dist/ssh usr.bin/ssh To update from CVS, re-build, and re-install the ssh suite: # cd src # cvs update -d -P crypto/dist/ssh usr.bin/ssh # cd usr.bin/ssh # make cleandir dependall # make install Be sure to restart a running instance of ssh daemon (/usr/sbin/sshd). Alternatively, apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-004-sshd-1.5.patch To patch, re-build and re-install the ssh suite: # cd src/crypto/dist/ssh # patch < /path/to/SA2002-004-sshd-1.5.patch # cd ../../../usr.bin/ssh # make cleandir dependall # make install Be sure to restart a running instance of ssh daemon (/usr/sbin/sshd). Alternatively, you can install openssh newer than openssh-3.1.0.1 from pkgsrc and use them instead. Be certain to remove the old executables in /usr/bin and /usr/sbin if you choose this method, so that the /usr/pkg/ binaries will be used. * pkgsrc OpenSSH pkgsrc prior to openssh-3.0.2.1nb2 must be upgraded to openssh-3.0.2.1nb2 or later. Thanks To ========= Markus Friedl Jun-ichiro itojun Hagino for patches, and preparing advisory text. Revision History ================ 2002-03-11 Initial release 2002-03-12 Add patch file information for 1.5.x More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-004.txt,v 1.6 2002/03/13 05:03:11 groo Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPJI7Wz5Ru2/4N2IFAQEa7gP+Nvi1cbUCLRUDMA8otNH7KL6OU693LKIC sGYo+EKhRUOw9FVaYAQI0k2cHtv7RqIfzsKzHZqiU/S0Eu+wdinZ8cCZ5+lO/0Il eRUaW7a9a5+kVsOWAEprDphHuyJsjsOpiUMhFdMqs4osc4MtBP2AkkFoKfT8mUoH FAE8TD/muLU= =5Fzs -----END PGP SIGNATURE-----