nils at eircom.net
Wed Sep 17 15:54:24 IST 2003
quote from main Ilug list
> More detail (from FreeBSD-announce, don't know how relevant to Linux):
> II. Problem Description
> When a packet is received that is larger than the space remaining the
> allocated buffer, OpenSSH's buffer management attempts to reallocate a
> buffer. During this process, the recorded size of the buffer is
> increased. The
> new size is then range checked. If the range check fails, then
> fatal() is
> called to cleanup and exit. In some cases the cleanup code will
> attempt to zero
> and free the buffer that just had its recorded size (but not actual
> increased. As a result, memory outside of the allocated buffer will
> overwritten with NUL bytes.
> III. Impact
> A remote attacker can cause OpenSSH to crash. The bug is not believed
> to be
> exploitable for code execution on FreeBSD.
> (From FreeBSD-SA-03:12)
So update your OpenSSH server,now!
More information about the Southeast