8109106 2002-03-07 12:56 +0100  /50 rader/ Markus Friedl <markus@openbsd.org>
Sänt av: joel@lysator.liu.se
Importerad: 2002-03-08  03:44  av Brevbäraren
Extern mottagare: announce@openbsd.org
Extern mottagare: security-announce@openbsd.org
Extern mottagare: openssh-unix-dev@mindrot.org
Extern mottagare: openssh-unix-announce@mindrot.org
Extern kopiemottagare: BUGTRAQ@SECURITYFOCUS.COM
Extern kopiemottagare: misc@openbsd.org
Extern kopiemottagare: lwn@lwn.net
Mottagare: Bugtraq (import) <21315>
Ärende: OpenSSH Security Advisory (adv.channelalloc)
------------------------------------------------------------
From: Markus Friedl <markus@openbsd.org>
To: announce@openbsd.org, security-announce@openbsd.org,
 openssh-unix-dev@mindrot.org, openssh-unix-announce@mindrot.org
Cc: BUGTRAQ@SECURITYFOCUS.COM, misc@openbsd.org, lwn@lwn.net
Message-ID: <20020307115633.GA8924@faui02>


1. Systems affected:

	All versions of OpenSSH between 2.0 and 3.0.2 contain
	an off-by-one error in the channel code.

	OpenSSH 3.1 and later are not affected.

2. Impact:

        This bug can be exploited locally by an authenticated user
        logging into a vulnerable OpenSSH server or by a malicious
        SSH server attacking a vulnerable OpenSSH client.
	
3. Solution:

	Upgrade to OpenSSH 3.1 or apply the following patch.

4. Credits:

	This bug was discovered by Joost Pol <joost@pine.nl>


Appendix:

Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.170
retrieving revision 1.171
diff -u -r1.170 -r1.171
--- channels.c	27 Feb 2002 21:23:13 -0000	1.170
+++ channels.c	4 Mar 2002 19:37:58 -0000	1.171
@@ -146,7 +146,7 @@
 {
 	Channel *c;
 
-	if (id < 0 || id > channels_alloc) {
+	if (id < 0 || id >= channels_alloc) {
 		log("channel_lookup: %d: bad id", id);
 		return NULL;
 	}
(8109106) /Markus Friedl <markus@openbsd.org>/------