- -----------------------------------------------------------------------------
 Pine Internet Security Advisory

- -----------------------------------------------------------------------------
 Advisory ID       : PINE-CERT-20020301
 Authors           : Joost Pol <joost@pine.nl>
 Issue date        : 2002-03-07
 Application       : OpenSSH
 Version(s)        : All versions between 2.0 and 3.0.2
 Platforms         : multiple
 Vendor informed   : 20020304
 Availability      : http://www.pine.nl/advisories/pine-cert-20020301.txt

- -----------------------------------------------------------------------------

Synopsis

        A bug exists in the channel code of OpenSSH versions 2.0 - 3.0.2

        Users with an existing user account can abuse this bug to
        gain root privileges. A malicious ssh server could also use
        this bug to exploit a connecting vulnerable client.

Impact

        HIGH: Existing users will gain root privileges.

Description

        Simple off by one error. Patch included.

Solution

        The OpenSSH project will shortly release version 3.1.

        Upgrading to this version is highly recommended.

        This version will be made available at http://www.openssh.com

        The FreeBSD port of OpenSSH has been updated to reflect the
        patches as supplied in this document.

        OpenSSH CVS has been updated, see

        http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ \
        channels.c.diff?r1=1.170&r2=1.171

        Or apply the attached patch as provided by PINE Internet:

        http://www.pine.nl/advisories/pine-cert-20020301.patch


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBPIj+V+kli63F4U8VAQEmmgQAqE6hNd1y7lQhTfYrZwAMymjTLQDgDLbr
54DAJd2nwseW9QZzH4oNWJw9cirknsppPme/na7Hkwc3qF3wkOYUer5DI0HnTbBe
3bj/ZgDv2OGvOcYupHX4BoFx/E8FUTmbNmAS8uurg65qv6i2qhMryS5QhZg8+IIT
73Oor36wgW8=
=uoJI
-----END PGP SIGNATURE-----