(Slackware Issues Fix) Portable OpenSSH PAM free() Bug May Let Remote Users Execute Root Code
|
|
SecurityTracker Alert ID: 1007813 |
|
SecurityTracker URL: http://securitytracker.com/id/1007813
|
|
CVE Reference:
CAN-2003-0786, CAN-2003-0787
(Links to External Site)
|
Updated: Dec 1 2003
|
Original Entry Date: Sep 25 2003
|
Impact:
Execution of arbitrary code via network, Root access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): Portable Version Only; 3.7p1 and 3.7.1p1
|
Description:
A vulnerability was reported in two specific portable versions of OpenSSH in the PAM implementation. A remote user may be able to execute arbitrary code.
It is reported that there are multiple flaws in the new PAM code in portable OpenSSH versions 3.7p1 and 3.7.1p1. In at least one bug, a remote user can cause arbitrary code to be executed on the target system when the target system is in a non-standard configuration (with privsep disabled).
The vendor notes that the OpenBSD releases of OpenSSH do not contain this code and, therefore, are not vulnerable. Also, portable OpenSSH versions prior to 3.6.1p2 are also not affected.
|
Impact:
A remote user may be able to execute arbitrary code on the target system wtih root privileges.
|
Solution:
Slackware has released a fix.
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.7.1p2-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/openssh-3.7.1p2-i386-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-3.7.1p2-i486-1.tgz
The MD5 signatures are:
Slackware 8.1 package:
7ee5b3d42fc539325afe1c5c9bb75e95 openssh-3.7.1p2-i386-1.tgz
Slackware 9.0 package:
a8869a2c33e62075eed6a5ed03600bfa openssh-3.7.1p2-i386-1.tgz
Slackware -current package:
9b5c5f292809524b1b54466e9c98407f openssh-3.7.1p2-i486-1.tgz
|
Vendor URL: www.openssh.com/txt/sshpam.adv (Links to External Site)
|
Cause:
State error
|
Underlying OS:
Linux (Slackware)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 23 Sep 2003 23:06:10 -0700 (PDT)
Subject: [slackware-security] New OpenSSH packages (SSA:2003-266-01)
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] New OpenSSH packages (SSA:2003-266-01)
Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1,
9.0 and -current. This fixes security problems with PAM
authentication. It also includes several code cleanups from Solar
Designer.
Slackware is not vulnerable to the PAM problem, and it is not
believed that any of the other code cleanups fix exploitable
security problems, not nevertheless sites may wish to upgrade.
These are some of the more interesting entries from OpenSSH's
ChangeLog so you can be the judge:
[buffer.c]
protect against double free; #660; zardoz at users.sf.net
- markus@cvs.openbsd.org 2003/09/18 08:49:45
[deattack.c misc.c session.c ssh-agent.c]
more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
ok millert@
- (djm) Bug #676: Fix PAM stack corruption
- (djm) Fix bad free() in PAM code
WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.7.1p2-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/openssh-3.7.1p2-i386-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-3.7.1p2-i486-1.tgz
MD5 SIGNATURES:
+-------------+
Slackware 8.1 package:
7ee5b3d42fc539325afe1c5c9bb75e95 openssh-3.7.1p2-i386-1.tgz
Slackware 9.0 package:
a8869a2c33e62075eed6a5ed03600bfa openssh-3.7.1p2-i386-1.tgz
Slackware -current package:
9b5c5f292809524b1b54466e9c98407f openssh-3.7.1p2-i486-1.tgz
INSTALLATION INSTRUCTIONS:
+------------------------+
(This procedure is safe to do while logged in through OpenSSH)
Upgrade using upgradepkg (as root):
# upgradepkg openssh-3.7.1p2-i386-1.tgz
Restart OpenSSH:
. /etc/rc.d/rc.sshd restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back. Follow the instructions to |
| complete the unsubscription. Do not reply to this message to |
| unsubscribe! |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/cS0KakRjwEAQIjMRAq9gAJ9XkFO99GlW5sWUAagtqDtg8FFW3QCgh4cq
0HYC+kLYqgttgIT5wLJ4QZI=
=hnDZ
-----END PGP SIGNATURE-----
|
|
