[lug] SSH Vulnerability
D. Stimits
stimits at idcomm.com
Fri Feb 9 16:29:03 MST 2001
"Scott A. Herod" wrote:
>
> Hi Nate,
>
> Just saw that. How does one interpret the patch by hand?
>
> --- deattack.c.orig Wed Feb 7 13:53:47 2001
> +++ deattack.c Wed Feb 7 13:54:24 2001
> @@ -79,7 +79,7 @@
> detect_attack(unsigned char *buf, word32 len, unsigned char *IV)
> {
> static word16 *h = (word16 *) NULL;
> - static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE;
> + static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE;
> register word32 i, j;
> word32 l;
> register unsigned char *c;
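Review bot: The widened declaration on the `+` line (`static word32 n`) carries no comment saying why the width matters, so a later cleanup could narrow it again without anyone noticing. With the change, `n` matches the `word32` types already used for `len`, `l`, `i` and `j` in the surrounding lines; a one-line comment on the declaration stating that `n` must hold any table size derived from the `word32` `len` would record that. The hunk also does not show how `n` is used further down in `detect_attack()`, so before applying it by hand it is worth checking that the code sizing and indexing `h` from `n` is done in 32 bits as well, and that `len` is bounded before it reaches this function.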
>
> This means replace the "static word16" with "static word32", correct?
>
> Do you trust the razor.bindview.com website? There's nothing so
> far on www.cert.org or www.nipc.gov.
>
> Scott
>
> Nate Duehr wrote:
> >
> > Slashdot and other sources are reporting that there is a new published
> > exploit for pretty much all versions of SSH, not including OpenSSH
> > 2.4.0.
> >
> > The page below also details various vendor responses with F-Secure being
> > the worst. (No response at all so far back to the reporting party.)
> >
> > Here's the people reporting it:
> >
> > http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
> >
> > --
> > Nate Duehr <nate at natetech.com>
FYI, I looked at the deattack.c patch posted at:
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
and compared one portion of that file (deattack.c) to the "portable"
source distributed at a USA mirror listed by www.openssh.org, and found
one of the patch changes had been applied (for version 2.3.0p1). I did
not check if all changes listed were applied, but the 2.3.0p1 that I
have does use at least part of the patch listed. So at least some
portion of this published patch is accepted for 2.3.0p1.