Mailing-List: contact cygwin-announce-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-announce-owner AT cygwin DOT com Delivered-To: mailing list cygwin-announce AT cygwin DOT com Delivered-To: moderator for cygwin-announce AT cygwin DOT com Date: Thu, 7 Mar 2002 17:51:14 +0100 From: Corinna Vinschen To: cygann Subject: OpenSSH Security Advisory (adv.channelalloc) Message-ID: <20020307175114.A22802@cygbert.vinschen.de> Reply-To: cygwin Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.22.1i 1. Systems affected: All versions of OpenSSH between 2.0 and 3.0.2 contain an off-by-one error in the channel code. OpenSSH 3.1 and later are not affected. 2. Impact: This bug can be exploited locally by an authenticated user logging into a vulnerable OpenSSH server or by a malicious SSH server attacking a vulnerable OpenSSH client. 3. Solution: Upgrade to OpenSSH 3.1 or apply the following patch. 4. Credits: This bug was discovered by Joost Pol Appendix: Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.170 retrieving revision 1.171 diff -u -r1.170 -r1.171 --- channels.c 27 Feb 2002 21:23:13 -0000 1.170 +++ channels.c 4 Mar 2002 19:37:58 -0000 1.171 @@ -146,7 +146,7 @@ { Channel *c; - if (id < 0 || id > channels_alloc) { + if (id < 0 || id >= channels_alloc) { log("channel_lookup: %d: bad id", id); return NULL; } -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin AT cygwin DOT com Red Hat, Inc.