-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-004
		 =================================

Topic:		Off-by-one error in openssh session

Version:	NetBSD-current:	source prior to March 7, 2002
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	not included in base system
		pkgsrc:		packages prior to 3.0.2.1nb2

Severity:	local exploit (against sshd) by an authenticated user
		remote exploit (against ssh) by a malicious SSH server

Fixed:		NetBSD-current:		March 7, 2002
		NetBSD-1.5 branch:	March 7, 2002 (1.5.3 will include the fix)
		pkgsrc:			openssh-3.0.2.1nb2 corrects this issue


Abstract
========

OpenSSH prior to version 3.1 has an off-by-one error in the channel code.

This bug can be exploited locally by an authenticated user
logging into a vulnerable OpenSSH server or remotely by a malicious
SSH server attacking a vulnerable OpenSSH client.


Technical Details
=================

http://www.pine.nl/advisories/pine-cert-20020301.html


Solutions and Workarounds
=========================

To identify if your binary is vulnerable, you can use "ssh -V" and "sshd -V"
command.

On NetBSD-current, the following version string identifies the fixed version.
If you see version string prior to this date, the binary is vulnerable.
	sshd version OpenSSH_3.1 NetBSD_Secure_Shell-20020308

On NetBSD 1.5 branch, the following string identifies the fixed version.
If you see version string prior to this date, the binary is vulnerable.
	sshd version OpenSSH_3.0.2 NetBSD_Secure_Shell-20020307

With pkgsrc, use pkg_info(1) to identify the version.  The following version
is not vulnerable.  Versions prior to this is vulnerable.
	openssh-3.0.2.1nb2

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-03-06
	should be upgraded to NetBSD-current dated 2002-03-07 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/dist/ssh
		usr.bin/ssh

	To update from CVS, re-build, and re-install the ssh suite:
		# cd src
		# cvs update -d -P crypto/dist/ssh usr.bin/ssh
		# cd usr.bin/ssh

		# make cleandir dependall
		# make install

	Be sure to restart a running instance of ssh daemon (/usr/sbin/sshd).

* NetBSD 1.5, 1.5.1, 1.5.2:

	Systems running NetBSD 1.5, 1.5.1 or 1.5.2 sources dated from
	before 2002-03-06 should be upgraded from NetBSD 1.5.*
	sources dated 2002-03-07 or later.

	NetBSD 1.5.3 will include the fix.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		crypto/dist/ssh
		usr.bin/ssh

	To update from CVS, re-build, and re-install the ssh suite:

		# cd src
		# cvs update -d -P crypto/dist/ssh usr.bin/ssh
		# cd usr.bin/ssh

		# make cleandir dependall
		# make install

	Be sure to restart a running instance of ssh daemon (/usr/sbin/sshd).

        Alternatively, apply the following patch (with potential offset
        differences):

                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-004-sshd-1.5.patch

        To patch, re-build and re-install the ssh suite:

                # cd src/crypto/dist/ssh
                # patch < /path/to/SA2002-004-sshd-1.5.patch
		# cd ../../../usr.bin/ssh

                # make cleandir dependall
                # make install

	Be sure to restart a running instance of ssh daemon (/usr/sbin/sshd).

	Alternatively, you can install openssh newer than openssh-3.1.0.1
	from pkgsrc and use them instead. Be certain to remove the old executables
	in /usr/bin and /usr/sbin if you choose this method, so that the /usr/pkg/
	binaries will be used.

* pkgsrc

	OpenSSH pkgsrc prior to openssh-3.0.2.1nb2 must be upgraded to
	openssh-3.0.2.1nb2 or later.


Thanks To
=========

Markus Friedl

Jun-ichiro itojun Hagino for patches, and preparing advisory text.


Revision History
================

	2002-03-11	Initial release
	2002-03-12	Add patch file information for 1.5.x

More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-004.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-004.txt,v 1.6 2002/03/13 05:03:11 groo Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPJI7Wz5Ru2/4N2IFAQEa7gP+Nvi1cbUCLRUDMA8otNH7KL6OU693LKIC
sGYo+EKhRUOw9FVaYAQI0k2cHtv7RqIfzsKzHZqiU/S0Eu+wdinZ8cCZ5+lO/0Il
eRUaW7a9a5+kVsOWAEprDphHuyJsjsOpiUMhFdMqs4osc4MtBP2AkkFoKfT8mUoH
FAE8TD/muLU=
=5Fzs
-----END PGP SIGNATURE-----