Debian Bug report logs - #211662
lsh-server: heap overrun, possible remote root exploit

Package: lsh-server; Maintainer for lsh-server is Magnus Holmgren <holmgren@debian.org>; Source for lsh-server is src:lsh-utils.

Reported by: Andreas Bogk <andreas@andreas.org>

Date: Fri, 19 Sep 2003 09:33:10 UTC

Severity: critical

Tags: patch, security, upstream

Found in version 1.4.2-2

Fixed in version lsh-utils/1.4.2-6

Done: Timshel Knoll <timshel@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Timshel Knoll <timshel@debian.org>:
Bug#211662; Package lsh-server.

Acknowledgement sent to Andreas Bogk <andreas@andreas.org>:
New Bug report received and forwarded. Copy sent to Timshel Knoll <timshel@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Andreas Bogk <andreas@andreas.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lsh-server: heap overrun, possible remote root exploit
Date: Fri, 19 Sep 2003 09:30:04 +0000
Package: lsh-server
Version: 1.4.2-2
Severity: critical
Tags: security patch upstream
Justification: root security hole

There's a heap overrun problem in lsh. See:

http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000120.html

A patch is given in the above URL, here it is again:

diff -u -a -r1.31 read_line.c
--- src/read_line.c	16 Feb 2003 21:30:11 -0000	1.31
+++ src/read_line.c	18 Sep 2003 20:02:48 -0000
@@ -100,6 +100,7 @@
       /* Too long line */
       EXCEPTION_RAISE(self->e,
       		      make_protocol_exception(0, "Line too long."));
+      return available;
     }

     /* Ok, now we have a line. Copy it
      * into the buffer. */
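
Review bot: The "return available;" added at the end of the "Too long line" branch has no comment explaining why it is needed or why "available" is the right value to hand back. Since the fix is needed at all, EXCEPTION_RAISE evidently returns control to this function, so without the return execution runs on into the "Ok, now we have a line. Copy it into the buffer" code with a line that was just rejected as too long. Suggest a short comment above the return saying that the exception does not unwind and what returning "available" tells the caller, and checking the other EXCEPTION_RAISE sites in read_line.c for the same fall-through.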

It is not known if this is exploitable, but the author cannot say for
sure.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux meo-dipt 2.4.20cryptoapi-freeswan-ab #1 Thu May 15 13:30:13 UTC 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages lsh-server depends on:
ii  libc6                     2.3.2-7        GNU C Library: Shared libraries an
ii  libgmp3                   4.1.2-3        Multiprecision arithmetic library
ii  libncurses5               5.3.20030719-1 Shared libraries for terminal hand
ii  liboop3                   0.8-2          Event loop management library
ii  libpam0g                  0.76-13        Pluggable Authentication Modules l
ii  libreadline4              4.3-5          GNU readline and history libraries
ii  libwrap0                  7.6-ipv6.1-3   Wietse Venema's TCP wrappers libra
ii  lsh-utils                 1.4.2-2        Secure Shell v2 (SSH2) protocol ut
ii  zlib1g                    1:1.1.4-14     compression library - runtime

-- debconf information:
* lsh-server/purge_hostkey: false
* lsh-server/ssh1_migration: 
* lsh-server/lshd_port: 2222
  lsh-server/random_seed: 
  lsh-server/ssh1_fallback: true




Information forwarded to debian-bugs-dist@lists.debian.org, Timshel Knoll <timshel@debian.org>:
Bug#211662; Package lsh-server.

Acknowledgement sent to Andreas Bogk <andreas@andreas.org>:
Extra info received and forwarded to list. Copy sent to Timshel Knoll <timshel@debian.org>.

Message #10 received at 211662@bugs.debian.org:

From: Andreas Bogk <andreas@andreas.org>
To: 211662@bugs.debian.org
Subject: Working exploit confirmed
Date: Fri, 19 Sep 2003 13:09:05 +0000

A posting by Haggis on full-disclosure presents an implementation of
an exploit for the referenced bug:

http://lists.netsys.com/pipermail/full-disclosure/2003-September/010489.html

I have confirmed that it works (modulo tweaking the offsets for
Debian).

Andreas

-- 
"The Board views the endemic use of PowerPoint briefing slides instead 
 of technical papers as an illustration of the problematic methods of 
 technical communication at NASA."
  -- Official report on the Columbia shuttle disaster.



Information forwarded to debian-bugs-dist@lists.debian.org, Timshel Knoll <timshel@debian.org>:
Bug#211662; Package lsh-server.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Timshel Knoll <timshel@debian.org>.

Message #15 received at 211662@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: 211662@bugs.debian.org
Subject: CVE assignment
Date: Sat, 20 Sep 2003 11:45:26 -0400

This is CAN-2003-0826.

-- 
 - mdz



Reply sent to Timshel Knoll <timshel@debian.org>:
You have taken responsibility.

Notification sent to Andreas Bogk <andreas@andreas.org>:
Bug acknowledged by developer.

Message #20 received at 211662-close@bugs.debian.org:

From: Timshel Knoll <timshel@debian.org>
To: 211662-close@bugs.debian.org
Subject: Bug#211662: fixed in lsh-utils 1.4.2-6
Date: Mon, 06 Oct 2003 09:17:18 -0400
Source: lsh-utils
Source-Version: 1.4.2-6

We believe that the bug you reported is fixed in the latest version of
lsh-utils, which is due to be installed in the Debian FTP archive:

lsh-client_1.4.2-6_i386.deb
  to pool/main/l/lsh-utils/lsh-client_1.4.2-6_i386.deb
lsh-server_1.4.2-6_i386.deb
  to pool/main/l/lsh-utils/lsh-server_1.4.2-6_i386.deb
lsh-utils-doc_1.4.2-6_all.deb
  to pool/main/l/lsh-utils/lsh-utils-doc_1.4.2-6_all.deb
lsh-utils_1.4.2-6.diff.gz
  to pool/main/l/lsh-utils/lsh-utils_1.4.2-6.diff.gz
lsh-utils_1.4.2-6.dsc
  to pool/main/l/lsh-utils/lsh-utils_1.4.2-6.dsc
lsh-utils_1.4.2-6_i386.deb
  to pool/main/l/lsh-utils/lsh-utils_1.4.2-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 211662@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timshel Knoll <timshel@debian.org> (supplier of updated lsh-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 20 Sep 2003 11:42:27 +1000
Source: lsh-utils
Binary: lsh-utils lsh-client lsh-utils-doc lsh-server
Architecture: source all i386
Version: 1.4.2-6
Distribution: unstable
Urgency: high
Maintainer: Timshel Knoll <timshel@debian.org>
Changed-By: Timshel Knoll <timshel@debian.org>
Description: 
 lsh-client - Secure Shell v2 (SSH2) protocol client
 lsh-server - Secure Shell v2 (SSH2) protocol server
 lsh-utils  - Secure Shell v2 (SSH2) protocol utilities
 lsh-utils-doc - Secure Shell v2 (SSH2) client / server / utilities documentation
Closes: 199067 211662
Changes: 
 lsh-utils (1.4.2-6) unstable; urgency=HIGH
 .
   * Applied patch to fix root security hole (closes: #211662)
   * Build kerberos support against heimdal rather than krb (closes: #199067)
Files: 
 0cf3c7780986605da5cd636118573ae0 815 net extra lsh-utils_1.4.2-6.dsc
 f3c619abe391cd38a30a710e43668465 55460 net extra lsh-utils_1.4.2-6.diff.gz
 6ef40e3cf3a9f6b5f617add65767368a 134924 doc extra lsh-utils-doc_1.4.2-6_all.deb
 e54b773347bfe927d932652f2a4b9c7d 653768 net extra lsh-utils_1.4.2-6_i386.deb
 67142c7f914125b308dc46bc80c35dee 352792 net extra lsh-server_1.4.2-6_i386.deb
 2b6fc1c92d27c18662176606c8afd4f5 256776 net extra lsh-client_1.4.2-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/gWeHXfqTkd4+iqcRAqH2AJ0XIaaSinYi5SP4nFQximMTP+Cw0gCdFC+q
nQtZdSDq4smMOLUJ6/OlP6c=
=ICc5
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:25:49 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.