[lug] SSH Vulnerability

D. Stimits stimits at idcomm.com
Fri Feb 9 16:29:03 MST 2001


"Scott A. Herod" wrote:
> 
> Hi Nate,
> 
> Just saw that.  How does one interpret the patch by hand?
> 
>   --- deattack.c.orig     Wed Feb  7 13:53:47 2001
>   +++ deattack.c  Wed Feb  7 13:54:24 2001
>   @@ -79,7 +79,7 @@
>    detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
>    {
>      static word16  *h = (word16 *) NULL;
>   -  static word16   n = HASH_MINSIZE / HASH_ENTRYSIZE;
>   +  static word32   n = HASH_MINSIZE / HASH_ENTRYSIZE;
>      register word32 i, j;
>      word32          l;
>      register unsigned char *c;
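Review bot: the `word16` to `word32` change on `n` carries no comment explaining why 16 bits are not enough, even though this function takes `len` as a `word32`. If `n` is sized from `len` further down (not visible in this hunk), say so in a comment beside the declaration so the type is not narrowed again later. `h` stays a `word16 *` table here, so also confirm that whatever is stored in its entries still fits in 16 bits once `n` can exceed that range.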
> 
> This means replace the "static word16" with "static word32", correct?
> 
> Do you trust the razor.bindview.com website?  There's nothing so
> far on www.cert.org or www.nipc.gov.
> 
> Scott
> 
> Nate Duehr wrote:
> >
> > Slashdot and other sources are reporting that there is a new published
> > exploit for pretty much all versions of SSH, not including OpenSSH
> > 2.4.0.
> >
> > The page below also details various vendor responses with F-Secure being
> > the worst.  (No response at all so far back to the reporting party.)
> >
> > Here's the people reporting it:
> >
> > http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
> >
> > --
> > Nate Duehr <nate at natetech.com>

FYI, I looked at the deattack.c patch posted at:
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html

And compared one portion of that file (deattack.c) to the "portable"
source distributed at a USA mirror listed by www.openssh.org, and found
one of the patch changes had been applied (for version 2.3.0p1). I did
not check if all changes listed were applied, but the 2.3.0p1 that I
have does use at least part of the patch listed. So at least some
portion of this published patch is accepted for 2.3.0p1.
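The by-hand comparison described above can be scripted. The following Python is an added example, not part of the original post or of the SSH sources: it splits the quoted hunk into its before and after sides and reports which one a source text contains. The function names are hypothetical, and it assumes a single-hunk unified diff.

```python
# The hunk quoted in this thread, with the mail quoting stripped.
HUNK = """\
--- deattack.c.orig     Wed Feb  7 13:53:47 2001
+++ deattack.c  Wed Feb  7 13:54:24 2001
@@ -79,7 +79,7 @@
 detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
 {
   static word16  *h = (word16 *) NULL;
-  static word16   n = HASH_MINSIZE / HASH_ENTRYSIZE;
+  static word32   n = HASH_MINSIZE / HASH_ENTRYSIZE;
   register word32 i, j;
   word32          l;
   register unsigned char *c;
"""


def hunk_sides(diff_text):
    """Return (old_lines, new_lines): the hunk body before and after the change."""
    old, new, in_hunk = [], [], False
    for line in diff_text.splitlines():
        if line.startswith("@@"):
            in_hunk = True          # file headers (---/+++) come before this
        elif in_hunk and line[:1] == "-":
            old.append(line[1:])
        elif in_hunk and line[:1] == "+":
            new.append(line[1:])
        elif in_hunk and line[:1] == " ":
            old.append(line[1:])    # context lines belong to both sides
            new.append(line[1:])
    return old, new


def _contains(haystack, needle):
    """True if needle occurs as a contiguous run of lines, ignoring whitespace runs."""
    norm = lambda s: " ".join(s.split())
    hay, ned = [norm(x) for x in haystack], [norm(x) for x in needle]
    return any(hay[i:i + len(ned)] == ned for i in range(len(hay) - len(ned) + 1))


def patch_state(source_text, diff_text=HUNK):
    """Classify source_text as 'patched', 'unpatched' or 'unknown' for this hunk."""
    old, new = hunk_sides(diff_text)
    src = source_text.splitlines()
    if new and _contains(src, new):
        return "patched"
    if old and _contains(src, old):
        return "unpatched"
    return "unknown"
```

A result of `unknown` means neither side of the hunk matched, for example because the surrounding lines differ in that release, and the file then needs to be read by hand.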


